Q3 2023 Security Roadmap

To our valued partners,

It’s incredible to see how fast this year is moving, and as we round out the first half of 2023, I’m keen to share our plans to continue investing in Syncro’s security posture over the coming months. It’s been encouraging to receive feedback on our previous updates, and we continue to strive for open communication about our roadmap.

We believe security is fundamental to keeping us all protected, and all security features will be available to both Core and Team plans.

We have been rigorously focused on reinforcing our internal security posture and improving our compliance. We spent a lot of the last 18 months enhancing our infrastructure and overall processes. For example, we migrated from Heroku to AWS which dramatically improved stability, reliability, security, and performance. Moving forward, here are some additional security enhancements you will see rolling out in Q3 and Q4 this year:

Our Security Initiatives for the 2nd Half of 2023

  • Single Sign-On (SSO): We recognize the need for seamless and secure access to Syncro. To address this, we’re building SSO, which will allow users to log into Syncro using other trusted identity management services such as O365, Google, Duo, Okta, or any OpenID Connect compliant solution.
  • IP Allowlist for Global Admins: Building on the IP Allowlist feature, we’re working to expand that functionality to include Global Admins. This feature will enable you to define a list of trusted IPs from where your global admins can access Syncro.
  • SOC2 Certification: We’re continuing our work towards SOC2 compliance. This certification will give our partners added confidence in our commitment to protecting your information.
  • Additional Session Security: With the rise in cyber threats, we’re committed to ensuring Syncro remains a reliable bulwark against such attacks. Even in worst-case scenarios, such as a compromised MSP email account or password, or a stolen phone, we are standing up multiple layers of security to prevent unauthorized access. We were one of the first in the RMM space to require MFA, and we plan to continue enforcing security best practices around session security going forward.
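The Global Admin IP allowlist item above comes down to one check at login time, and the two places such a check usually goes wrong are prefix parsing and the forwarded-address header. The block below is an added example written for this page, not Syncro’s implementation; it assumes a per-tenant list of CIDR entries, a login handler that can see the TCP peer address and any X-Forwarded-For header, and a known set of load-balancer ranges. The allowlist entries, proxy ranges and client addresses are constructed (RFC 5737 documentation ranges).

```python
"""Enforcing an IP allowlist for global-admin logins (added example, not Syncro's code).

Assumes the login handler sees the TCP peer address and any X-Forwarded-For header
before it issues an admin session. Allowlist entries and addresses are constructed.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hypothetical tenant configuration: one office NAT address and one VPN pool.
GLOBAL_ADMIN_ALLOWLIST = [
    "203.0.113.10/32",   # office egress address
    "198.51.100.0/24",   # VPN pool: this single entry admits all 256 addresses
]


def parse_allowlist(entries: Iterable[str]) -> List:
    """Parse strictly: a prefix with host bits set (10.0.0.1/8) raises ValueError
    instead of being silently widened to the whole /8."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def is_valid_allowlist(entries: Iterable[str]) -> bool:
    """Validation hook for the settings page: reject bad entries before saving."""
    try:
        parse_allowlist(entries)
        return True
    except ValueError:
        return False


def client_address(remote_addr: str, xff: Optional[str],
                   trusted_proxies: Iterable[str]) -> IPAddress:
    """Pick the address the allowlist is checked against.

    X-Forwarded-For is honoured only when the direct peer is one of our own load
    balancers; any client can set that header, so trusting it from an arbitrary peer
    lets an attacker claim an allowlisted address. With one trusted hop, the rightmost
    entry is the address that connected to the balancer; entries to its left are
    client-supplied and ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if xff and any(peer in ipaddress.ip_network(p) for p in trusted_proxies):
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def admin_login_allowed(remote_addr: str, xff: Optional[str] = None,
                        allowlist: Iterable[str] = GLOBAL_ADMIN_ALLOWLIST,
                        trusted_proxies: Iterable[str] = ()) -> bool:
    """True when the effective client address is inside any allowlisted network.
    Call this before the session cookie is issued, and again on session resume if
    the tenant wants an admin session to die when its source address changes."""
    addr = client_address(remote_addr, xff, trusted_proxies)
    return any(addr in net for net in parse_allowlist(allowlist))
```

Two practical points the code makes explicit: an allowlist is only as narrow as its widest entry (a single /24 admits 256 hosts, so entries copied from a home ISP range erode the control quickly), and the header check must key on the peer address, not on the presence of the header, or the allowlist is bypassable by anyone who can set X-Forwarded-For.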

For more information about our overall Q3 product priorities, see this post.

As always, your input is essential in shaping the direction of our efforts. We invite you to share your thoughts and suggestions on the community forum, the Facebook group, via email, during our Ask Us Anything sessions, or through any other channel. Every piece of feedback contributes to our roadmap and helps us deliver a more robust and secure platform.

Thank you for your trust and partnership.

4 Likes

These changes are very much needed, thanks! One thing I’d like to see improvements on around security is audit trails such as being able to see when users log in and out and failed login attempts. SSO can help in this area, but Syncro should still have visible data. There is a lack of audit data on the tickets themselves, which can be a big security concern. There are parts of the ticket that can be changed and it’s not logged anywhere. Scripts can be changed and not logged. Who runs a script is not logged. The ability to sign scripts, and the need to require MFA to do certain actions around scripts would be huge. security@syncromsp.com should go to a ticketing system. I’ve emailed this and never got a response back so my email died somewhere along the way.

6 Likes

I completely agree and hope your reply gets the attention it deserves from the right people at Syncro! It would be a HUGE upgrade to be able to audit changes in our Syncro accounts to make sure they were intended. I also agree with the idea of a second security layer for scripts and everything that can affect multiple users/customers/endpoints in a single click. We do need secure foundations to make sure our accounts are as secure as possible but we also need to make sure to mitigate the damage one can do in the event of a compromised account.

Having more complete logs will not only strengthen security but also help with our daily operations. We had multiple cases for which we wished we had user activity logged in tickets when there are accidental clicks and mistakes but no way to trace back and understand what happened.

1 Like

The MFA, security and auditing needs to include customer portal too, please.

5 Likes

Agreed, the MFA on the customer portal is terrible.
If the user gets a new phone, they cannot reset the MFA. The user has to be deleted and re-added. That simply doesn’t scale in any way that can be considered efficient for MSPs.

2 Likes

Yeah, and it isn’t really a good look for us, since we are in this industry and are presenting our clients something that isn’t right, lol.

1 Like

This was another factor that drove us away from the Syncro PSA to Halo.
The HaloPSA client portal supports Azure SSO for the staff of our clients to log in to our client portal (which uses a subdomain of our own domain, not Halo’s) using staff members’ Office 365 credentials.
This means that as an MSP, my staff and I do not need to concern ourselves with creating a specific portal user account or additional passwords, or resetting any MFA codes for the client portal. The entire drama simply disappears.

Of course, Syncro have known about this problem since at least Dec 2021:
Reset a contact MFA - Feature Requests - Syncro Support Community (syncromsp.com)
and nobody in Syncro seems to care enough to actually get the problem fixed, or even, in that thread, to acknowledge that there is a problem.

I should add that the way I saw the problem here isn’t that the MFA for the client portal is so poorly implemented and inefficient. The problem here is the complete lack of comms from Syncro, even acknowledging that there was room for improvement, with a rough ETA for when that improvement would occur. I simply didn’t have data from Syncro to have any confidence that the MFA for the client portal would actually be improved one day… and we see that there is a known issue for the Azure Sync that Syncro have implemented in the Team plan.
Team Plan: Azure AD Sync - Known Issues - Syncro Support Community (syncromsp.com)

Hard to have confidence and faith when Syncro are still NOT testing these new features prior to release.

Who cares about MFA for customer portals? What is the bad guy going to do… hack in and pay someone else’s bill?
How about working on the requests we have been asking for and you have been promising since last year, like ACH when using Stripe? The big push for this “security” is that it helps on insurance and you can get SOC2, which makes you more money from sales. Stuff like the ACH thing wouldn’t make you extra money, so I guess that’s on the back burner. By the way, SSO is not that great in matters of security anyway. If they hack my MicroSUCKS account, they could get my Syncro account. No thanks, I’ll keep them separate.

2 Likes

Some business clients like the client portals. It is a value add to see tickets, lodge tickets, see the knowledge base, documents, staff lists, asset lists, etc. Therefore there needs to be a method of authentication, and ideally that method of authentication should not add work for the staff at the MSP. MS SSO solves that (for Office 365 clients).

In our MSP we couldn’t care less about ACH, Stripe and all the WorldPay blah blah. Almost 100% of our invoices are paid by direct bank deposit into our account. Maybe 5 to 10 invoices a month get paid by credit card over the phone or in person at the front counter.
Though I watch how Syncro is handling the requests for better ACH and Stripe support, and that topic also doesn’t give me any confidence that the PSA is worth relying on.

1 Like

Internal threats are the most concerning, and Syncro is overlooking the biggest threat to security. The ability for a new hire technician to be able to view the entire SyncroMSP database is a grave concern. We’ve worked 25 years to establish our client base and find it egregious there is no implementation of ACL for limiting technician access to accounts. Protect from the inside with restricted access to accounts and assets.

2 Likes

I can see that being a real problem if a hacker signed in as a user in the portal and requested a password reset, for instance.

I agree, this would be needed for multiple reasons and your example is an excellent one.

If the hacker is able to sign in to a client portal using Azure SSO, then they already have all they need to impersonate the user.
When Azure SSO is enabled, there is no need for the user to also have a separate or backup username and password for the portal. The entire responsibility for portal authentication is handed to Azure AD.

I’ve been on Clover for years through my bank and, because our mortgage and auto loans are with them, we get a sweeeeeeet rate of 2.6% average across the board including all the nickel-and-dime per-transaction charges, money in the bank in 2 days. They might even pay Syncro a higher commission to get the business from Stripe. IMHO, Stripe accepts the higher-risk clients and has to charge more.

I’ve never used SSO; it seems like it would lessen security with the same password to access everything, which has been the number 1 DON’T in the do’s and don’ts of security. SSO + 2FA (not email OTP) for each asset… okay, as long as you have to enter that password the first time. You for sure don’t want to have a SolarW experience. IP ACL? Meh, too time consuming, especially for corporate workers at home with dynamic IPs, unless you trust the /24 subnet, which will limit login to 256 local IPs.

An immediate 1+ security would be to require Microsoft/Google/Auth 2FA for client portal access.

Off topic but worth a mention: for clients who just don’t get it or are resistant to VPN and 2FA, we install EVLWatcher to lock access after x number of tries, and have our office IPs as always trusted so we can unlock them. It progressively increments the failed-login count for a configurable number of failed attempts and lock-out duration until they hit the ceiling, and then adds them to the permanent block list. The developer is wealthy beyond imagination and only asks that you buy him a cup of coffee if you like the product. He refuses requests for donations.

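The lockout behaviour described in the post above (lock after a number of failed attempts, an escalating lock-out duration up to a ceiling, then a permanent block, with the office addresses always trusted) is easier to reason about as code than as prose. The block below is an added example written for this page, not EVLWatcher’s code; the threshold, window, lock lengths, ceiling, trusted range and the Windows-style failed-logon lines it replays are all constructed for the illustration.

```python
"""Progressive failed-login lockout with a trusted-IP exemption.

Added example of the behaviour described above (lock after x failures, escalating
lock-out length up to a ceiling, then a permanent block, office addresses always
trusted). It is not EVLWatcher's code; thresholds, timings and log lines are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


def at(ts: str) -> datetime:
    """Parse a constructed ISO-8601 UTC timestamp such as 2023-07-01T10:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


@dataclass
class SourceState:
    failures: List[datetime] = field(default_factory=list)  # failures inside the window
    lock_count: int = 0                                       # lockouts issued so far
    locked_until: Optional[datetime] = None                   # None when not locked
    permanent: bool = False                                   # ceiling reached


class ProgressiveLockout:
    def __init__(self, threshold: int = 3, window: timedelta = timedelta(minutes=10),
                 base_lock: timedelta = timedelta(minutes=1), max_locks: int = 3,
                 trusted: Iterable[str] = ()):
        self.threshold = threshold    # failures inside `window` that trigger a lock
        self.window = window
        self.base_lock = base_lock    # first lock length; doubles on every repeat
        self.max_locks = max_locks    # locks tolerated before the block turns permanent
        self.trusted = [ipaddress.ip_network(t) for t in trusted]
        self.state: Dict[str, SourceState] = {}

    def is_trusted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def is_blocked(self, ip: str, now: datetime) -> bool:
        s = self.state.get(ip)
        if s is None:
            return False
        return s.permanent or (s.locked_until is not None and now < s.locked_until)

    def record_failure(self, ip: str, now: datetime) -> Optional[str]:
        """Register one failed logon; returns 'lock', 'permanent' or None."""
        if self.is_trusted(ip):
            return None               # office addresses are never locked out
        s = self.state.setdefault(ip, SourceState())
        if s.permanent:
            return None
        s.failures = [t for t in s.failures if now - t <= self.window] + [now]
        if len(s.failures) < self.threshold:
            return None
        s.failures.clear()            # every lock starts a fresh count
        s.lock_count += 1
        if s.lock_count > self.max_locks:
            s.permanent, s.locked_until = True, None
            return "permanent"
        s.locked_until = now + self.base_lock * (2 ** (s.lock_count - 1))
        return "lock"

    def unlock(self, ip: str) -> None:
        """Manual reset, the step an operator performs from a trusted office address."""
        self.state.pop(ip, None)


def replay(lines: Iterable[str], engine: ProgressiveLockout) -> List[Tuple[str, str, str]]:
    """Feed '<timestamp> <event-id> <source-ip>' lines through the engine. Only 4625
    (Windows failed logon) counts. Returns the (time, ip, outcome) block decisions."""
    events = []
    for line in lines:
        ts, event_id, ip = line.split()
        if event_id == "4625":
            outcome = engine.record_failure(ip, at(ts))
            if outcome:
                events.append((ts, ip, outcome))
    return events


# Constructed sample: 192.0.2.5 keeps hammering the host; 203.0.113.0/24 is the office.
SAMPLE_LOG = [
    "2023-07-01T10:00:00Z 4625 192.0.2.5", "2023-07-01T10:00:10Z 4625 192.0.2.5",
    "2023-07-01T10:00:20Z 4625 192.0.2.5",    # lock 1: one minute
    "2023-07-01T10:00:30Z 4624 192.0.2.5",    # successful logon, not counted
    "2023-07-01T10:02:00Z 4625 192.0.2.5", "2023-07-01T10:02:10Z 4625 192.0.2.5",
    "2023-07-01T10:02:20Z 4625 192.0.2.5",    # lock 2: two minutes
    "2023-07-01T10:05:00Z 4625 192.0.2.5", "2023-07-01T10:05:10Z 4625 192.0.2.5",
    "2023-07-01T10:05:20Z 4625 192.0.2.5",    # lock 3: four minutes
    "2023-07-01T10:10:00Z 4625 192.0.2.5", "2023-07-01T10:10:10Z 4625 192.0.2.5",
    "2023-07-01T10:10:20Z 4625 192.0.2.5",    # past max_locks: permanent block
    "2023-07-01T10:11:00Z 4625 203.0.113.10", "2023-07-01T10:11:05Z 4625 203.0.113.10",
    "2023-07-01T10:11:10Z 4625 203.0.113.10",  # trusted: never locked
]


def run_demo() -> Tuple[ProgressiveLockout, List[Tuple[str, str, str]]]:
    engine = ProgressiveLockout(trusted=["203.0.113.0/24"])
    return engine, replay(SAMPLE_LOG, engine)
```

Replaying the sample gives three escalating locks and then a permanent block for 192.0.2.5, and nothing at all for the office range. Two caveats for anyone building this for real: the state here is in memory, so a production version needs to persist it and push the decision into the host firewall rather than only recording it, and a per-source counter does nothing against an attacker who rotates source addresses while spraying a few passwords across many accounts, so it should sit beside a per-account counter rather than replace one.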