Using MSPs to administer your cloud services
Summary
The NCSC explains the security trade-offs when organisations outsource cloud administration to Managed Service Providers (MSPs). While MSPs bring expertise, scale and operational efficiencies, delegating administrative access increases your attack surface because MSP systems and credentials can be attractive targets for attackers. The guidance recommends treating MSPs like cloud providers: check they meet the NCSC’s cloud security principles, verify secure administration practices, and use the CISA joint advisory recommendations to audit suppliers and contractual arrangements.
Key Points
- Cloud security is a shared responsibility: both you and your cloud provider must act.
- Organisations often outsource cloud operations to MSPs for expertise and cost-efficiency.
- Granting MSPs administrative access increases attack surface and can expose multiple customers if the MSP is compromised.
- Confirm MSPs use secure admin practices (separate admin devices/accounts, robust monitoring and access controls) rather than assuming they do.
- Treat MSPs as you would a cloud provider: assess them against the NCSC’s 14 cloud security principles.
- Use the CISA joint advisory (AA22-131A) as an audit checklist and ensure appropriate contractual protections are in place.
Content Summary
The article opens by restating the cloud shared responsibility model and why it’s sensible to let cloud providers take on as much security responsibility as possible. It then covers why organisations outsource to MSPs, for services ranging from licence management to full service provision. The core warning is that outsourcing brings a new, high-value attack surface: MSP administrative systems and credentials. The NCSC urges organisations to verify that MSPs follow secure system administration best practice and to assess them against the NCSC cloud security principles. Finally, the NCSC points readers to the CISA joint advisory for a more detailed set of recommendations to audit existing suppliers and to guide new contracts.
Context and Relevance
This guidance is relevant to any organisation using, or considering, MSPs for cloud services. As attackers continue to target third-party providers to reach multiple customers at once, the risk is current and real, as seen in previous campaigns noted by Microsoft, N-able and others. The post fits into broader supply-chain and cloud-security trends: increased outsourcing, tighter budgets, and a greater need to verify supplier security practices rather than assume them.
Why should I read this?
Short version: if your organisation uses an MSP (or plans to), this is worth a look. It tells you what to check, why admin access is a big deal, and points you to concrete guidance (the NCSC cloud principles and the CISA advisory) so you can audit suppliers and tighten contracts. Saves you the legwork of hunting down the key checks yourself.
Source
Source: https://www.ncsc.gov.uk/blog-post/using-msps-to-administer-your-cloud-services
Author: Andrew A, Cloud Security Research Lead, NCSC