How can hackers most effectively target and breach ServiceNow's software? The answer often involves customers and service providers that misconfigure the popular IT service management (ITSM) software.
Indeed, 70 percent of ServiceNow customer instances suffer from Access Control List (ACL) misconfigurations, according to targeted testing from AppOmni. Those misconfigurations, in turn, can potentially allow prying eyes to fetch Personally Identifiable Information (PII) from ServiceNow instances, the research found.
The misconfigurations are especially risky for midmarket MSPs, many of which now offer co-managed ServiceNow capabilities to their end-customers. Also, a growing number of MSSPs integrate their security software with ServiceNow dashboards to automate incident response. In theory, misconfigurations in ITSM systems shared between these parties could trigger software supply chain attacks that spread upstream or downstream between MSPs/MSSPs and end-customers.
Proper ServiceNow ACL Configuration Settings: ServiceNow has been quick to address the AppOmni report. MSSPs and MSPs seeking guidance should check out the software company's ServiceNow Shared Security Model and Access Control Information.
Customers Misconfigure Software: Cloud Services Amplify the Security Problem
Admittedly, customer error is a major security issue that extends far beyond the ServiceNow customer and partner ecosystem.
Indeed, 90 percent of organizations are susceptible to security breaches due to cloud misconfigurations, according to the “2021 Cloud Security Report: Cloud Configuration Risks Exposed” from application lifecycle security company Aqua Security.
As a result, end-customers are pursuing MSSP and MSP partnerships to address such areas as cloud infrastructure entitlement management (CIEM) and cloud security posture management (CSPM).
Indeed, annual CSPM spending will reach $9 billion by 2026, up from $4 billion in 2020, according to Markets and Markets. That’s a 14.4 percent compound annual growth rate.
MSSPs Embrace Cloud Security Posture Management
On a related note, 41 percent of our Top 250 MSSP survey participants already offer CSPM to their end customers, MSSP Alert research found in September 2021.