Itarian as an attack vector

This post may seem a little out there so please get your tinfoil hats. We have been an Itarian user for over 3 years and it provides some very powerful tools that help us effectively support and secure our customers.

Let me preface my questions with my understanding of some things; admitting my understanding may be flawed in certain areas:

  1. Itarian staff have access to our dashboards
  2. Itarian performs most, if not all, product development outside the US
  3. Itarian does not provide audit logs for connections from remote tools such as remote control or file explorer

Having that as a backdrop, how can we as MSPs that utilize Itarian be sure that staff at Itarian are not using the system to compromise our customers? This is a concern with any RMM product. We as the MSP must trust our vendor and that they will not utilize their systems against us.

Even if Itarian provided audit logs of remote connections, could you fully trust those? Wouldn’t Itarian have the ability to sanitize those logs before sending them out?

So to my questions:

  1. How can we as the MSP verify/prevent that Itarian staff are not utilizing the tools without our knowledge/consent?
  2. Have any MSPs seen security breaches across a subset of customers that cannot be explained? Did an end user’s personal information get released and there is no explanation of how that data was accessed by the attacker?
  3. Would you trust management audit logs from your RMM provider?
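One way a customer could check, after the fact, whether a vendor-supplied audit log has been edited before export, given the concern raised above about sanitized logs: a hash-chained log whose head hash the customer records out-of-band each time the log is exported. This is an added example and not Itarian's code or log format; the event fields and the three sample events are constructed for illustration, in Python:

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # the value the first entry links to


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so an identical record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append(chain: list, record: dict) -> str:
    """Append a record linked to the previous entry; returns the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": _entry_hash(prev, record)})
    return chain[-1]["hash"]


def checkpoint(chain: list) -> tuple:
    """What the customer stores where the vendor cannot reach it: (length, head hash)."""
    return (len(chain), chain[-1]["hash"] if chain else GENESIS)


def verify(chain: list, cp: Optional[tuple] = None) -> tuple:
    """Recompute every link, then compare against a saved checkpoint if one is given."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or _entry_hash(prev, e["record"]) != e["hash"]:
            return (False, f"entry {i} does not chain to its predecessor")
        prev = e["hash"]
    if cp is not None:
        n, head = cp
        if len(chain) < n:
            return (False, f"log truncated: {len(chain)} entries, checkpoint had {n}")
        got = chain[n - 1]["hash"] if n else GENESIS
        if got != head:
            return (False, f"entry {n - 1} differs from checkpointed head")
    return (True, None)


# Constructed sample events; hypothetical field names, not any vendor's real format.
SAMPLE_EVENTS = [
    {"ts": "2020-03-01T09:12:00Z", "actor": "msp-admin@example.com",
     "action": "remote_control", "device": "WS-042"},
    {"ts": "2020-03-01T13:40:00Z", "actor": "vendor-support@example.net",
     "action": "file_explorer", "device": "SRV-07"},
    {"ts": "2020-03-02T08:05:00Z", "actor": "msp-admin@example.com",
     "action": "run_script", "device": "WS-042"},
]


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev)
    return chain


def demo() -> tuple:
    chain = build_sample_chain()
    cp = checkpoint(chain)  # customer stored this out-of-band when the log was exported
    honest = verify(chain, cp)

    # The log is later "sanitized": the vendor-support session is re-attributed to the
    # MSP admin and every hash recomputed, so the log is still internally consistent.
    sanitized = []
    for e in chain:
        rec = dict(e["record"])
        if rec["actor"] == "vendor-support@example.net":
            rec["actor"] = "msp-admin@example.com"
        append(sanitized, rec)
    looks_fine = verify(sanitized)   # no checkpoint: nothing to notice
    caught = verify(sanitized, cp)   # head no longer matches what the customer saved
    return honest, looks_fine, caught
```

The chain alone only proves the log is self-consistent; the checkpoint is what makes later edits, deletions and truncation detectable, so it has to be taken regularly and kept outside the vendor's reach. It cannot show that an event was never written in the first place, nor anything changed before the first checkpoint was taken.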

Greetings, cellis!

My name is Dylan Page, and I’m the Director of Customer Success with ITarian.

Thank you for posting your concerns, and I’d like to address them here:

Your question is an interesting one, and it relates to all SaaS / cloud applications.

Clearly, one should only subscribe to SaaS / cloud applications from vendors you trust, and who have good reputations. I can tell you how we would never do anything like that, and of course we wouldn’t, but more importantly, one should consider the motives of a SaaS/cloud provider.

As a for-profit business, it would be contrary to our interests to violate our clients’ trust. Moreover, doing anything malicious would be of little value to us while subjecting us to legal / criminal liability.

Long story short, we have little to gain and everything to lose.

Hopefully, this gives you some peace of mind.

Again, thank you for taking the time to reach out to us regarding your concerns.

Dylan,

Thank you for your response! I do understand the profit motive and that would be contrary to your interests. I wanted to post this in a public forum, rather than reaching out privately, to hopefully start a discussion and get others’ insights.

I think the MSP community needs to have some honest and uncomfortable conversations with our vendors, Itarian included, about security and transparency. Trust is key, but can only go so far. We need verification too.

Itarian is working really well for us. The Comodo security suite coupled with the web-based RMM and Service desk is a killer combination. It needs some work in the transparency department. I am happy to discuss features we could benefit from offline, but the broader discussion should be had. Itarian is in a great position to lead that discussion and elicit feedback from the customer base on what could be done to add verification so trust can continue.

Thanks!

Proving a negative is an unsolvable problem.

But anything that improves the platform we are open to!

You could ask these questions with just about any vendor or service. Development and operations for many large services are rarely limited to a single location or group of people. I would be less worried about the motives of a for-profit company, and more worried about the quality of the code and the security of their systems. I'm not singling out Comodo or Itarian, I'm speaking about the entire technology industry in general. These companies will always preach to you that they are secured and protected and you are safe, that is until they have a breach and you find out that someone left a door open they shouldn't have, or an employee's system was hacked, or someone wrote some poor code that wasn't properly tested, or a piece of software was using 10-year-old code and was never audited or updated.

What sits well with me is: how can you show me, as your customer, that you are committed to security? Are you having third-party internal and external network audits done regularly? How often is your code audited by third parties? What internal network security mechanisms are in place: WAFs, VPNs, MFA, etc.? What mechanisms are in place to prevent misuse of your platform? Many vendors simply will not disclose this information and it's a shame, because the customers are the ones left out to dry when things go south.

One thing I would like to see added to the Itarian platform, especially in the RMM module, is a multi-factor validation mechanism, even for admins, for scheduling or running scripts, updating machine profiles, connecting remotely to endpoints, and disabling or uninstalling Comodo security. Just like I need to provide an MFA code to log in to the platform, I would like to see this as a required step for certain processes in the platform, so in case there was an incident where, let's say, a browser session was hijacked and someone gained access to my portal, they don't have free rein to unleash hell on my endpoints.
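What the step-up requirement described in the post above could look like on the server side, as an added example that is not Itarian's code: a fresh TOTP code (the RFC 6238 scheme authenticator apps use) is demanded before any of a set of destructive actions, so a stolen browser session can still read the portal but cannot run scripts or disable the agent. The action names, the session store, the 300-second step-up window and the demo secret are all hypothetical choices for illustration, in Python:

```python
import hashlib
import hmac
import struct

# Actions that need a fresh MFA code even from a logged-in admin (hypothetical names).
STEP_UP_ACTIONS = {"run_script", "schedule_script", "update_profile",
                   "remote_connect", "disable_av", "uninstall_av"}
STEP_UP_WINDOW = 300  # seconds a successful step-up stays valid (illustrative value)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Portal:
    def __init__(self, secrets: dict):
        self.secrets = secrets   # user -> enrolled TOTP secret (hypothetical store)
        self.sessions = {}       # session id -> {"user", "step_up_at"}
        self.used = set()        # (user, code, time step) already accepted: no replay

    def login(self, user: str, session_id: str) -> None:
        # Primary login (password + MFA) is out of scope; this is the session afterwards.
        self.sessions[session_id] = {"user": user, "step_up_at": None}

    def step_up(self, session_id: str, code: str, now: int) -> bool:
        sess = self.sessions[session_id]
        user = sess["user"]
        step = now // 30
        # Accept the current and previous step for clock skew; never accept a code twice.
        for s in (step, step - 1):
            expected = totp(self.secrets[user], s * 30)
            if hmac.compare_digest(expected, code) and (user, code, s) not in self.used:
                self.used.add((user, code, s))
                sess["step_up_at"] = now
                return True
        return False

    def perform(self, session_id: str, action: str, now: int) -> str:
        sess = self.sessions.get(session_id)
        if sess is None:
            return "denied: no session"
        if action in STEP_UP_ACTIONS:
            at = sess["step_up_at"]
            if at is None or now - at > STEP_UP_WINDOW:
                return "step-up required"
        return f"ok: {action}"


def demo() -> list:
    secret = b"constructed-demo-secret-not-real"  # constructed, not a real enrolment
    portal = Portal({"admin@example.com": secret})
    portal.login("admin@example.com", "cookie-A")
    t = 1_600_000_020  # fixed clock, a multiple of 30, so t..t+29 is one time step
    results = []
    # Whoever holds cookie-A (admin or hijacker) can do read-only things...
    results.append(portal.perform("cookie-A", "list_devices", t))
    # ...but a destructive action is refused until a code is presented.
    results.append(portal.perform("cookie-A", "run_script", t))
    valid = {totp(secret, t), totp(secret, t - 30)}
    wrong = next(c for c in ("000000", "123456", "999999") if c not in valid)
    results.append(portal.step_up("cookie-A", wrong, t))      # a guess is rejected
    code = totp(secret, t)
    results.append(portal.step_up("cookie-A", code, t))       # the real authenticator works
    results.append(portal.perform("cookie-A", "run_script", t + 10))
    results.append(portal.step_up("cookie-A", code, t + 20))  # replaying the code fails
    results.append(portal.perform("cookie-A", "disable_av", t + STEP_UP_WINDOW + 1))
    return results
```

Two details matter for the hijacked-session case the post describes: the code is consumed on first use so a captured code cannot be replayed, and the step-up expires, so the attacker cannot ride a single confirmation for the rest of the day. A further hardening not shown here is binding the confirmation to the specific action and target (this script, this endpoint) rather than granting a window for any privileged action.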