As a managed service provider (MSP), you’re the frontline defender, keeping your clients safe in the digital space. Your job is crucial—making sure businesses stay secure, resilient, and ready to tackle any cyber threat. But even the best need backup, a partner to help navigate the complexities of cybersecurity.
Recently, Pax8 became the first cloud commerce marketplace to sign the Secure by Design pledge—a major step in our commitment to stronger security. Endorsed by the U.S. Government’s own Cybersecurity and Infrastructure Security Agency (CISA), this pledge is more than just talk. It’s a clear, actionable promise to embed security into every part of what we do.
So, why does this matter to you? By partnering with Pax8 and aligning with Secure by Design, you’re not just enhancing your own protection; you’re boosting the security of your clients too. In this blog, we’ll break down what the Secure by Design pledge is and how it helps you reduce risk while growing your business. Let’s dive into how this commitment can level up your cybersecurity game and position you as the ultimate protector of your clients’ digital worlds.
What is Secure by Design?
The Secure by Design initiative seeks to elevate security practices across the business by embedding security into the fabric of technology. As America’s Cyber Defense Agency, CISA is dedicated to defending the nation against cyber threats and managing risks to the infrastructure that Americans rely on daily. However, the increasing introduction of unsafe technology has made this task more challenging.
Traditionally, the burden of cybersecurity has fallen disproportionately on consumers and small organizations, rather than on the producers of technology. This imbalance has created a pressing need for a new model—one where consumers can trust the safety and integrity of the technology they use every day. This is where Secure by Design comes in. It calls for technology providers to take ownership at the executive level to ensure their products are built with security in mind.
But what does it mean to be Secure by Design? Products designed with Secure by Design principles prioritize customer security as a core business requirement, rather than merely treating it as a technical feature. During the design phase of a product’s development lifecycle, companies should implement these principles to significantly decrease the number of exploitable flaws before the product reaches the market. Out-of-the-box, products should be secure, with additional security features such as multi-factor authentication (MFA), logging, and single sign-on (SSO) available at no extra cost.
The Secure by Design pledge is a voluntary commitment focused on enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS). While physical products like IoT devices are not included in the pledge, companies are welcome to demonstrate progress in those areas as well. By participating in the pledge, software manufacturers commit to making a good-faith effort to work towards specific goals over the following year. They are encouraged to publicly document their progress and challenges, fostering a spirit of radical transparency.
The pledge is structured around seven core pillars, each with specific criteria that manufacturers aim to meet. These are designed to complement existing software security best practices developed by CISA, NIST, and other federal agencies. By adopting the Secure by Design principles, companies can significantly enhance the security of their products, thereby building trust and confidence among their customers.
The seven pillars of Secure by Design
Below are the seven pillars of the pledge with an insightful question to help you think about how you can apply Secure by Design concepts within your business:
1. Enforcing multi-factor authentication
MFA is one of the most effective defenses against password-based attacks such as credential stuffing and password theft. By requiring users to provide multiple forms of verification, MFA significantly reduces the success of such attacks.
How can you encourage your clients to adopt MFA to enhance their security posture?
2. Eliminating default passwords
Default passwords are a common vulnerability that can lead to damaging cyberattacks. By replacing default passwords with more secure authentication mechanisms, such as instance-unique passwords or MFA, the risk of exploitation is significantly reduced.
Are your clients aware of the risks associated with default passwords, and how can you help them transition to more secure authentication methods?
3. Reducing entire classes of vulnerability
The vast majority of exploited vulnerabilities today are due to common classes of vulnerabilities such as SQL injection, cross-site scripting, and memory safety issues. By working to reduce these vulnerabilities at scale, software manufacturers can significantly enhance security. For MSPs, this means offering clients products that are less prone to exploitation.
What steps can you take to ensure the products and services you offer are free from common vulnerabilities?
4. Ensuring timely security patches
Timely installation of security patches is crucial for maintaining a secure environment. By making it easier for customers to install patches, such as through automatic updates, the risk of exploitation is minimized. For MSPs, this means providing clients with up-to-date and secure products.
How can you streamline the patch management process to ensure your clients’ systems are updated as soon as possible or within a defined SLA period?
5. Publishing a vulnerability disclosure policy
A vulnerability disclosure policy (VDP) allows security researchers to test products and report vulnerabilities without fear of legal repercussions. This collaborative approach enhances security by identifying and addressing vulnerabilities before they can be exploited.
How can you encourage a culture of transparency and collaboration in your security practices?
6. Demonstrating transparency in vulnerability reporting
Transparency in vulnerability reporting includes accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record. This ensures that customers are aware of vulnerabilities and can take appropriate action. For MSPs, this means providing clients with clear and accurate information about potential security risks as well as providing a comprehensive security offering to meet those risks.
How can you improve your communication with clients about potential security risks and vulnerabilities?
7. Enabling evidence of intrusions
Providing customers with the ability to gather evidence of cybersecurity intrusions is essential for detecting and responding to incidents. By offering capabilities such as audit logs, software manufacturers enable customers to understand and address security incidents. For MSPs, this means offering clients products that support comprehensive security logging and monitoring.
How can you enhance your clients’ ability to detect and respond to cybersecurity incidents?
Radically transparent: the Pax8 plan for communication
Pax8 is dedicated to communicating clearly with you about our work and progress to meet all seven of these pillars in the next year. Through the Pax8 website, blog, and social media, we will share updates and insights. We’ll detail our progress and challenges in order to inspire conversations with your clients about Pax8 as your forward-thinking cloud marketplace partner.
What does Secure by Design mean for you?
Pax8 stands at the forefront of cybersecurity expertise. Our involvement in the Secure by Design pledge reinforces our commitment to cybersecurity for both you and your clients. It signifies our ongoing commitment to sharing those learnings from the seven pillars of Secure by Design with you.
Connect with one of our security experts to explore tailored solutions for your business.
