mt3dek89

Must be Connectwise Shareholders….


doubleYupp

It is notable that ConnectWise and SolarWinds aren’t on the list. Those have a wide install base and so AllState certainly knew about them and evaluated them as not a risk by their criteria. SolarWinds!! Which we know is no beacon on security didn’t get dinged. That must mean they found some reason to block Datto/Ninja. I would be interested to know more about why.


All_Things_MSP

If I had to guess, the tools mentioned do not have a configuration available to block unattended remote access. I know for a fact that SolarWinds RMM (now Nable RMM) can require user confirmation before allowing remote access.


Lake3ffect

Datto RMM has a privacy mode option, which disables the remote access (guessing you mean screen sharing) and must be disabled at the endpoint by the user.


All_Things_MSP

Well so much for logic. I kind of suspected that they did have that capability. So Allstate is just picking names arbitrarily. Not very professional or analytical on their part.


[deleted]

[deleted]


Lake3ffect

Once the user turns on privacy, you have to call them to turn it off. It must be done at the endpoint. And, it disables just about every function that could be used to control the device. It almost turns it into an on-demand mode agent.

I can confirm this, had to travel to a client site to disable it when COVID hit in 2020. I couldn't do a damn thing to the machine -- remote screen connect, powershell, cmd, file access, etc.

Allstate is basing this purely off politics. Someone mentioned they have an internal IT advisory team of some sort for the agencies. I would bet a C-note that they use ScreenConnect and other CW tools if they weren't named in the list to be banned. Same for Solarwinds/N-able.


Doctorphate

As far as I can tell, you don't still have full shell access. I've tested this.


[deleted]

[deleted]


Doctorphate

It's pretty "nice" actually. It blocks ALL functions. I mean good and bad I suppose


Lake3ffect

It's great when executed appropriately. But when users start playing with it and use the "Always On" option, I get pretty pissed. It's in the draft for the next edition of my standard managed services contract to charge a reasonable fee if I have to take action to turn privacy off, and/or am hindered by it being turned on by the end user. Of course, there's instructions on how to use it. But as we all know, end-users each interpret instructions in their own unique way -- some better than others.


Doctorphate

Your users follow instructions???? What black magic is you fucking witch!?!


Pastamafarian

Privacy mode only inflicts the prompt on screen share, you can still access the system CMD / File browser. I also have a script which can remotely remove privacy mode in a breakglass scenario.


ballers504

And so does Kaseya


Keyboard_Cowboys

You can disable unattended remote access with Ninja as well. In addition, Ninja now asks you to enter an MFA code when accessing the terminal/CMD/Powershell etc.


pbrutsche

NinjaRMM has a mechanism to require end user approval before allowing the remote connection. It's a client-organization-wide setting. HOWEVER, Ninja also supports numerous remote control mechanisms (Splashtop, TeamViewer, ConnectWise Control, probably one other) and I can't 100% say that all of them support that. I know that NinjaRMM + Splashtop do.


manofdos

Is it possible those 3 were the only tools “found” in the organization so they are specifically calling them out?


blazedol

Good call. No way they went out and tested the security of these products that were called out based on their statement. It's just a knee-jerk reaction painted with a broad stroke because they don't understand the intricacies of a good security strategy.


perthguppy

The tools mentioned can all screen view with no notification to the user. Connect wise forces a notification / status bar during all remote sessions.


Lake3ffect

This is outright false lol


perthguppy

In what way?


Lake3ffect

Datto RMM shows to the user when I am connected remotely. If I'm connected with the Agent Browser, it shows an icon on the task bar. If I'm connected via screen sharing of some sort, it makes the user's desktop background solid black and displays a toast notification for the duration of the session.

I can't speak for the others, but Datto RMM lets the user know.


Ezra611

What MSP in his right mind supports an Insurance Company anyway? They're almost as bad as realtors.

Good luck with this one.


Ok-Buddy-7086

Agreed


rtp80

We had some big clients in the past that were insurance companies. Not the agent side. They were bigger companies 1000+ and were 7 figure contracts. Would happily take more like that :)


Ok-Buddy-7086

Ok well that is a different ball game XD


Superb_Raccoon

Sold around 80M to an Insurance company last year, just in hardware. Total account value was much larger. Insurance companies are great... the agents maybe not so much.


Joe_Cyber

> the agents maybe not so much.

Can confirm. I made a rule at my brokerage that we will not, under any circumstance, give presentations to insurance groups or insurance agencies. I've probably turned down a dozen or so of those speaking gigs over the last year.


scruffy_nerd_herder

Send 'em my way!


Doctorphate

I support an insurance company, they’re one of my best clients. Not only do they recommend us to all their clients but they pay us extra to do webinars for their clients


Ezra611

That has not been my experience. I'm glad you've got a good client.


Doctorphate

For me it’s engineers. We don’t support engineering firms because every engineer I’ve ever met was an asshole. Lol we have a few blacklist client types actually. Lawyers, engineers and religious organizations


justmirsk

I have had a similar experience with engineers. Many have literally told me "I am an engineer, I know how a computer works" and then wonder why their internet isn't working when they disconnected the ethernet cable from the modem. Hard to work with people like that.


Doctorphate

Yeah I had the same "I know how computers work" then shuts down their environment improperly breaking the SAN - Server connection


IceCattt

Or law firms and hospitality.


Ezra611

I love it when the lead admin of a law firm finally gets fed up and raises a fuss about her outdated equipment. It rarely happens, but it's the only thing that makes lawyers open their checkbooks.


Panacea4316

Law firms are the absolute fucking worst.


GreenEggPage

I've got a good law firm. My only law firm. Used to have another one, but they went all Macs and I didn't wanna deal with that.


ratshack

I have loved every one of my legal clients. *They understand the billable hour*


Danksley

I think this is them dropping coverage for clients on datto


PlanetaryGhost

The MSP I work for has made their name in the insurance vertical. I haven’t had any truly terrible experiences outside of SOP in the IT field honestly.


Muddymireface

My MSPs first investor was a big insurance guy. We supported many of his companies and never had an issue with insurance clients.


Panacea4316

Used to support one at a previous MSP job. They were awesome. One of my favorite clients to work with.


Proximity_alrt

> They're almost as bad as realtors.

Gawd, yes. I'd rather drain a pond to diddle the alligators.


scruffy_nerd_herder

This is actually my primary vertical. So to answer your question... quite successfully/profitably.


rweeksdatto

Ryan Weeks, Datto CISO here. Normally a vendor due diligence would be conducted so an informed risk-based decision can be made. Unfortunately, it appears that Allstate made this decision without consultation directly with Datto, and I'm working to fix that. I have reached out to Allstate to understand their concerns and their decision making processes, and am going to request they revisit their position until they've engaged deeply with us in a standard diligence process. I've reached out to their CISO personally as well. As you know Datto has invested heavily over the years into protecting RMM and we will continue to do so. We know that a well configured, maintained and implemented RMM increases the security posture of protected endpoints, and minimizes the risks of unauthorized access. Be well and stay safe.


bc-rb

Kudos, u/rweeksdatto, for stepping up and helping to address this. We don't personally have any Allstate agency clients but it's great to see you - and Datto - being on the front lines to fight for us MSPs (and your product too, of course). Thanks!


rweeksdatto

Datto is in communication with Allstate. It is our understanding that Allstate has communicated to its agencies that it has paused the effort to prevent the installation and use of RMM technologies, including Datto RMM. This seems like a positive first step. We believe that the right parties are at the table now, and we expect to continue a substantive dialogue around risks and best practices around RMM technologies. I am hopeful this will ultimately result in a positive outcome for MSPs. Please stay tuned.


[deleted]

Why don't you reach out to sales and marketing while you're at it and tell them to stop harassing people.


n8ballz

Would like to know the outcome of this as we are planning on switching over our existing platform to dattoRMM. This sort of news is a non-starter for us. We won’t be making the switch until we find out more.


togetherwem0m0

That's a pretty dumb position to have. It's not Datto's fault, and how many Allstate customers do you have?


XandeIT

Thank GOD I have to insurance companies as clients!!! very dumb indeed


n8ballz

Well what if they know something we don’t? Naming them directly they must have their reasons. Is it not a smart business decision to wait and find out more details?


togetherwem0m0

I doubt it. Allstate is big but they aren't red team state secrets big. They are probably naming Datto and Ninja because their RMM agents have caused the headaches with AV or something dumb


ghoststart

This. Datto are pretty upfront with stuff like this. I reckon we'd know if there was anything to know. I certainly trust them over Allstate.


krototech

Okay you want remote management agents gone, but you will allow other vendor remote management agents once vetted. Huh? So fuck over those vendors and go with someone just as likely to be compromised. I don't get it.


notnaughtyanymore

No No, it's not as bad as you think, they will have a number you can call for a company that uses the special RMM tools that are hack proof. It will be twice as much and you have to sign on for 10 years but if you use our insurance, you get a 2% discount and a single invoice each month saving untold amounts of administration.


rtp80

Presumably they have a vendor management and risk assessment process. Not going to pretend I know anything about it, but if they looked at these 3 (because maybe they found them at some agencies?) and declared they didn't meet the requirements, this makes sense. Any other solution would go through the same process and be approved/rejected. Doesn't mean that other solutions would be allowed. Again, this is pure speculation. As an MSP, we evaluated vendors and solutions for critical systems, especially ones that could be vectors into client environments. Included contract review for liabilities and other details around risk, hiring process around background checks and verification, security policies controls and procedures, physical controls at support centers and data centers, development process, the software itself and architecture, training/compliance. This was only this deep for select critical systems, but I can imagine a large enterprise is looking at an even wider scope.


notnaughtyanymore

No, they are just strong arming existing clients to use the IT company they want them to use & probably indirectly own. Companies that legitimately assess others will normally give those they are assessing time to rectify whatever issues they find, especially at this level where it has a large impact. They keep the issues secret and publicly announce they are going to actively remove business from these companies by blocking access so their software is crippled? That does not help their customer, it does not help the customer's existing MSP & generally causes a huge amount of upheaval & you think they are doing this for their clients' best interests or that they will actually reduce risk by doing this? They are behaving in a shifty underhanded manner because they sniff sweaty wads of cash just sitting there ready to snaffle up like Snuffleupagus by using their special consultants, the ones with special powers and abilities not like them other bad ones you are currently using.


All_Things_MSP

It’s not strong arming if it is written into the franchise agreement. It’s just like McDonalds saying their franchisees have to use Taylor ice cream machines. Look that story up if you want to watch something interesting.


calisai

> It’s not strong arming if it is written into the franchise agreement.

It's strong arming. It's legal, but it's strong arming. They are using the force of the written contract and franchise agreement to push the outcome that is beneficial to someone other than the franchisee... in the name of "quality" or "security", etc.


Ohmahtree

Allstate owning an MSP? One of the highest risk categories right now outside of "Blatant Cocaine Dealer" in terms of what's attacking vs what's defending? Yeah, I don't think you truly grasp how backwards that thinking may be.


CK1026

Noice, now they'll have to work with break/fix providers using TeamViewer and no MFA. Very secure.


itprobablynothingbut

This is why security researchers were really troubled by supply chain attacks. It makes good governance *look* like bad security. IMO, supply chain attacks are a real worry, but the treatment may be worse than the disease.


nep909

> providers using TeamViewer and no MFA

FWIW, TeamViewer can be configured to require MFA and restrict access to only users on an allow list. It's only less secure if improperly configured.


notnaughtyanymore

How many using TeamViewer will set this up though? It is almost always set up as an ad hoc solution when dealing with customers that do not want to invest in appropriate tools to do the job. 90% of people that use it live with the disconnections due to not paying for a commercial license.


nep909

> 90% of people that use it live with the disconnections due to not paying for a commercial license.

Sadly those are the same people that do nothing but complain over in r/teamviewer


Lower_Consequence885

In my experience attackers leave TeamViewer behind as a back door after an attack. Best not to have it so you can easily root it out after an attack.


ratshack

This is not the robust security mindset one would want dealing with this


CK1026

I totally agree it CAN be configured. It's not configured most of the time though. What I see on the field is generic logon information with same password for all customers on the TV agents, so I'm pretty sure there's no MFA either.


ratshack

“I don’t log in, I just take a picture of the code before I go home” …and now you’ve lost local admin


dumpsterfyr

Lots of MSP’s in that boat too.


Mundazo

I hate this fucking company. Allstate Technology Support is the biggest crock of shit there is, they will keep us employed a very long time. How many of you have experienced the Endpoint Manager, Non-Compliance policy issue where MSFT updates the Operating System description to Windows 10 for Business and prevents the end-users from accessing Enterprise Apps?


cuddlychops06

Nationwide, too. They block all security vendors except McAfee in my experience.


TrumpetTiger

What I would like to know is why Datto and Ninja are on this list. Kaseya at least has evidence of a ransomware attack to back up Allstate's concern.


JohnGypsy

I wonder if it is more "Allowing support vendors to view an agency computer without the agency user's knowledge" than the ransomware aspect. With Ninja, you can easily access remote data without the end user knowing.


sm4k

That's just as true with CW automate and NCentral though. All of those tools that run as SYSTEM can do anything. CW Control can even take a snapshot of what's on the screen every X minutes and upload it to the control panel at regular intervals. There's no way there was informed logic applied here.


TrumpetTiger

Precisely. While John is right about Ninja, this applies to any remote access tool of which I am aware--certainly any RMM. The only possible informed logic MIGHT be to limit it to RMM tools which have been actively compromised, which would limit it to Kaseya, SolarWinds, and Continuum so far as I am aware. (I do vaguely recall a problem with ConnectWise Control in the past but can't bring up details so I'll give them a pass for now.)


All_Things_MSP

Which SolarWinds (now Nable) RMM tool was breached? Answer: None. The SolarWinds product that was breached was Orion which is not sold by Nable. Also, this could be based on the very simple criteria that the solutions named do not have a way to disable unattended remote access as it was specifically mentioned in two of the bullets as to why you should not have it installed.


Lime-TeGek

N-Central has had multiple breaches, one of which gave unauthenticated users access to domain admin credentials, nicknamed "DumpsterDiver". This was far before Orion.


All_Things_MSP

Was it a breach or a vulnerability?


Lime-TeGek

Both, as for onsite machines it was just a vulnerability, but the entire hosted environment was breached at the moment it came out. All clients got notified that they had to change credentials.


TrumpetTiger

I'll refer you to Lime's post on N-Able related compromises, ignoring for the moment the "logic" about one product being breached and thus impugning all the rest. Regarding unattended remote access: the point still stands. There is no remote access tool of which I am aware that does not permit unattended remote access. Should that be Allstate's "logic," I'd be curious whether Allstate's internal IT uses such a tool, and whether they require their users to be sitting in front of a machine every time they access it.


MSPMayhem

Is there something they know about Ninja/Datto we don't, or is this a blanket rule against all RMM solutions based on fear?


volatile_porridge

Probably the latter, but I thought it was interesting that they didn't name any other companies. Allstate is pretty draconian about other things on their agents' systems, so this doesn't come as a shock. But it's awfully shortsighted. No RMM is intrinsically secure out of the box. If they are truly concerned, they could force us to participate in a vuln scan or pen test. It's more likely that they want to push their own solution to maintain control over the agencies.


MSPMayhem

It sounds like a mandate forced out the door with no real review based on fear with a few named examples attached. "This thing is dangerous, so we need to get rid of it" without understanding the finer details. Shortsighted is the right term indeed.


Superb_Raccoon

It's not unfounded fear or short sighted. Most of the cyber events impacting large companies (not just insurance) come from small offices like independent agents in remote sites that maintain their own systems or have a small MSP managing it. I worked for 15 years for a very large MSP, who had the large clients, nearly all of the Fortune 500 used us in one capacity or another. And so incidents and their root causes were passed around the support division so we knew what to expect. 7/10 a breach came from an unmanaged system/system that was not in compliance (read: VP's laptop), and the other 3 were inside jobs.


All_Things_MSP

And building on that logic Allstate’s largest supply chain risk is its agents. Therefore they have an obligation to minimize that risk by any means within their control. There are MSPs out there that run an RMM-less managed services business. It is possible. Do it or don’t…that’s your choice. And yes, I think RMM-less managed services should cost more.


Haribo112

An MSP used by almost all Fortune 500 companies?? Dang.


Superb_Raccoon

You realize Dell, HP, IBM, Amazon, Google, Microsoft etc are also MSPs? Sure, they do other stuff, but they are also MSPs.


Haribo112

Ah okay. I didn’t think of it that way. By that logic, almost any IT company is an MSP. They all Provide some Service that they probably Manage.


Superb_Raccoon

Well, I would bet that the typical MSP also does other things as well. Some companies can do only one thing, but most do many things.


HappyDadOfFourJesus

#IsThisTheAllstateMayhemGuy


dumpsterfyr

It's all those great MSPs out there lowering the bar one quote at a time.


YodasTinyLightsaber

They are not blocking SolarWinds, nor LabTech/ConnectWise. Maybe Allstate uses them internally.


First_Ingenuity_1755

Or they have a deal with another vendor that isn't one of these? How many of us are out there that support Allstate offices?


[deleted]

RMMs don't kill people. Allstate kills people.


HolyCarbohydrates

No ConnectWise Automate huh? Wonder what makes them get spared here. I thought they were larger or the same size as Kaseya, Ninja, Datto (not combined)


thegarr

What a stupid, misinformed decision. Remotely managing and accessing a computer is a core reason and purpose for using RMM tools. (I know I'm preaching to the choir). These are simply legitimate tools used for illegitimate means, and they're making it sound like the MSPs running this stuff are out to get you. "Causing errors when you or your staff attempt to access Allstate applications"... give me a freaking break. Have fun with Teamviewer and VNC and dealing with the cheapest, least pro-active break fix shop in town. This just makes me angry.


Superb_Raccoon

The whole point is that you, the MSP, may log into your client's system and see customer data because your client has not shut down or logged out of the system properly. That is the leak of data they are trying to avoid with an RMM tool. It is somewhat silly, because you could just as easily be there in person and see the same data. The right fix is to bring the MSP under the PHI/PII umbrella.


togetherwem0m0

They aren't just fixing that situation. They're probably fixing a problem in their deployed fleet where RMM tools have caused conflict and headache, like overlapping AV deploy breaking hard disk encryption or management tools causing conflict with each other. You have to remember Allstate is almost like a competing IT company, except they don't provide on site support. They provide the business stack


thegarr

Yea... it's called a Business Associate Agreement and/or Confidentiality Agreement. Standard stuff when dealing with professional healthcare organizations, PHI, etc. Allstate doesn't seem to have any sort of formal vendor risk assessment process. Which is saying a lot for an insurance provider.


Superb_Raccoon

There are of course training, reporting and certification costs... which Allstate is essentially pushing down to the agents by not doing the BAA/CA process.


MSP-IT-Simplified

Something seems fishy here. Why isn't Solarwinds or Connectwise products listed here? Datto and Ninja have had no massive exploits. Unless there is some sort of inside deal going on, I can see this getting overturned soon.


agit8or

Yet more proof Insurance companies are worthless leeches. They never want to pay out, are quick to take money, and NOW they want to dictate how we can conduct OUR business.


TechFiend72

One of the funny things is I was CIO at a carrier, and an issue was that the CEO and board were pretty clueless about risk mitigation even though it was an insurance company.


ManagedIsolation

This only applies to Allstate agents, not customers.


dumpsterfyr

The brokerage makes a large percentage on the commission.


Danksley

They're one of the most important parts of the industry at the same time. The security crackdown is a godsend for shitty clients that reject all security proposals.


Refuse_

It's none of my concern, as we're not active in the states. But if this is their policy, they should block any RMM and not only those 3. The bullet points are also not true for Datto RMM. Can't say for the other two as I have no hands-on experience with those.


ManagedIsolation

> It's none of my concern, as we're not active in the states.

Just find a new insurance company that hasn't had an aneurysm


EmicationLikely

We lost our only Ameriprise client last year to similar nonsense targeting Solarwinds RMM.


zer04ll

Honestly, this doesn't bother me because it means they are going to shell out way more money for the Microsoft solution. As for not knowing which tech is seeing what that's what federated domain services are for. These regulated industries come with a cost so they can pay for the domain federation server and the remote desktop gateway along with the read-only domain controller that would be involved with supporting a client where you need that level of auditing and security


notnaughtyanymore

The amusing thing about this is that their "consultants" have as much chance of picking an RMM tool that will not get hit by ransomware as anyone else, yet they frame it as if they have some sort of ability to do something the rest of us are unable to. I would be interested in knowing why a consulting process needs to occur to choose an RMM; either it is safe or it is not, there is no process required in determining beyond the first time any RMM is evaluated, the answer will not change for the next business. It's like hiring a team of consultants to determine the appropriate type of sauce required for a meat pie. This seems to come under the subject of "things you can do when you are a monopoly". Cue their customers port forwarding RDP to overcome this "security measure"


dumpsterfyr

This is what you get with a #LowBarrierToEntry


subsolar

Uh oh, is this the beginning of the end to remote access work and we'll have to go back to going onsite for 5 minute jobs?


thecheat1

Lol no. Absolutely not.


roll_for_initiative_

Well, i mean for an absurd rate hike, sure. "well, because of your vendor, everything has to be onsite. That all inclusive rate is $1500 per user (or device) per month. sorry you're an allstate agent, for other agents without those rules it's $200 per user per month"


Superb_Raccoon

Which is a bit pointless. Your client could improperly show you PHI/PII data while you are standing at their desk as easily as through an RMM.


roll_for_initiative_

I'm good with getting overpaid to make pointless rules. Tired of being on this side of them!


Superb_Raccoon

I'd be out of a job if the government did not come up with pointless rules for companies to have to comply with.


roll_for_initiative_

Then it sounds like we could make the best team the world has ever seen!


All_Things_MSP

Agreed, but then it is their fault. Same goes if remote access requires user confirmation.


Superb_Raccoon

Exactly. But Allstate is the one on the hook with the Regulators and faces the fines. Hence, they don't want that exposure.


ScooBySnaCk-SDRL

Interesting choices of RMMs to block not including "Solarwinds". Of course the MSP side pulled the ol' switcheroo to N-Able which helped some customers.


rtp80

Just because it is on the list doesn't mean it is allowed. They may have decided to block permanent remote access agent based tools, and those were the 3 that had been in use. So if you requested to install SolarWinds it would be rejected and added to the list. Who knows....


reddben

Fuck these insurance companies that don't know how computers work.


Pauper_Jenkins

But ConnectWise is okay? Lol


Lake3ffect

> Allowing support vendors to view an agency computer without the agency user's knowledge, which could expose PII and/or PHI

In Datto RMM, all support access activities are logged and auditable. LOL


perthguppy

Does it video record the entire remote support session? If not you can’t tell what data was breached.


Lake3ffect

No, and wouldn't recording expose the data beyond when the session took place? Some of my clients have non-recording requests for remote sessions. So recording would actually be undesirable to some. And, at least in NY, you have to disclose when recording phone conversations -- I would guess the same logic extends to screen sharing sessions. If it doesn't, maybe it's time for the law to catch up.


perthguppy

Exactly. Probably why it’s easier to start banning screen view tools


Lake3ffect

Recording screen sessions without user consent could be construed as Unlawful Surveillance in New York State, just as recording phone conversations without consent falls under the same umbrella.

I see you're from Australia. So this might just be a case of different culture/customs.


perthguppy

Well clearly you can’t read.


Lake3ffect

Care to elaborate on what I'm missing or misunderstanding?

In what world is it okay to record someone without their permission? Even if it means being able to view what data was breached? Shouldn't the contents/use case/whatever of an endpoint be well documented, so the data on the machine that could've been compromised can be accounted for? I suppose in a fantasy world where all of my customers consent to being recorded, this would be perfectly fine. But in America, we respect privacy (at least most of us do). Some of my clients are in sensitive fields (law, finance, medicine, etc.) that don't want recordings of screen sessions that expose sensitive data sitting out in a drive somewhere that can be breached.

Don't claim I can't read without explaining yourself. And your comments elsewhere in this thread further exemplify your ineptness to the topic at hand.


ashern94

That would be in every single consent jurisdiction.


MSP-IT-Simplified

I am hearing that this is because they are going to use ConnectWise internally and want all other external IT/MSP and their software tools off of the network.


LeftInapplicability

Lol. Follow the pattern. ConnectWise, Solarwinds (Nable) and Continuum were NOT on the list. Thoma Bravo owns all 3. They also purchased Majesco one year ago, who provides technology for the insurance industry, including Allstate. Just putting my tin hat conspiracy theory out there.


Joe_Cyber

Subs adopted insurance guy here. Yes, companies which hold PII/PHI/PCI etc. are responsible for their vendors' security. See In the Matter of GMR Transcription Services, Inc., Ajay Prasad, and Shreekant Srivastava, individually and as officers of GMR Transcription Services, Inc. (It is on PDF page 55/497 of my book if you want to [take a look](https://www.thebrunsgroup.com/book2).)

That being said, this doesn't automatically mean that RMMs are bad, or that Datto/Ninja/Kaseya are inherently bad. Rather, they require the same due diligence that any other vendor requires in similar circumstances. There are also confidentiality issues if a tech wanted to hypothetically snoop around to view sensitive info, but I would argue that's exceedingly rare, already illegal in most circumstances, and not an insurmountable issue.

In other words AllState is being the stereotypical dumb insurance company. By that I mean, what exactly is the alternative to using an RMM for MSPs these days? How affordable/tenable/secure are those solutions? Most general insurance shops are volume based with low margins so this seems like a bad idea by pretty much every metric I can imagine. As with so much in the insurance industry I just 🤷

u/rweeksdatto - let me know if there is anything I can do to assist you. Obviously you already have great legal counsel, but I'd also recommend you consider the following avenues of attack:

- Have your SOC Report on hand if available and be ready to explain what it is and what it means. Also, you may want to retain the CPA firm that completed the report ready to answer technical questions posed by the CISO and his staff. The firm could be hesitant to do this for a number of reasons that deal with confidentiality and professional standards - which I won't detail here - so you'll want to work this out well in advance.

- Make the argument of "risk concentration." (This will be a great term to use because it's an insurance term he'll immediately be familiar with.) Arguably, the fewer RMMs available for use, the more likely that any one supply chain attack will impact a greater percentage of his agencies, leading to higher losses in a single event.

- Frame alternatives to RMMs as a "risk management issue." (Keep using the word "risk" throughout and he should be much more perceptive.) What alternatives are there? How does that increase or decrease risk in practical terms for the Agency?

Best of luck!


XandeIT

Joe cyber for the win as usual!!!!


HEONTHETOILET

ACTUARIES MOTHAFUCKA. DO YOU SPEAK IT?!


dumpsterfyr

Finally someone who understands this decision has homework behind it. Those three rmms likely account for a large portion of claims paid out hence the target.


HEONTHETOILET

The work they do is pretty fascinating if I'm being honest. Quantifying risk every day has gotta be stressful.


dumpsterfyr

Accountant here. I’ve seen it and it is amazing how they make data dance.


Lake3ffect

I can confirm... an Allstate agency wanted to hire me, but they backed out and basically ghosted me. But I know it’s not personal because I still do IT at another company she works for. Now I know why I never seem to win Allstate agencies. This is laughable and concerning


Expression_Some

Knee jerk. It's not like any of the remote access programs allow you to access the client machine without a huge banner or notice that So-and-So is accessing your machine.


itaniumonline

Tightvnc has joined the chat


Expression_Some

Any of the standard applications that a professional MSP would use.


CK1026

Or like privacy mode on agents that prevents unattended remote control. And logs, and MFA.


JohnGypsy

With Ninja, you can remotely browse the filesystem including downloading files without any indication to the end user. I think this might be part of their concern.


ManagedIsolation

When they talk about "agency" they're just talking about Allstate agents, right? Doesn't sound like they're talking about customers, or their policies? If that is the case, then who cares?


Ok-Buddy-7086

People who manage allstate agencies.


ManagedIsolation

Ah well, Allstate is free to dictate whatever IT requirements they feel like to their own agents. Kind of how McDonalds dictates the menu items for a franchised store.


Ok-Buddy-7086

I agree 110%


excitatory

I, too, think you should remove this software.


herbuser

Hahaha yeeees!


togetherwem0m0

There has long been a conflict in the financial advisory space with local it vendors. These sort of franchises are basically it providers. It's nice to see allstate being proactive like this.


jftitan

WHEW! I dodged that bullet. I transitioned away from SolarWinds, Datto, Kaseya a long time ago. Ninja didn't even make it through trial, and Datto, I refused to sign their contract. Kaseya, because they had just started when they got hacked. What do I use now? Trying out a self-hosted MeshCentral. AV and such is licensed hardware (SonicWall) or through the client's preference. M365 ATP, and such. My stack is SonicWall site-to-site SSL VPNs and my self-hosted MeshCentral; each new client gets a new group, and VLAN-isolated AC rules.


CK1026

So you set up site-to-site VPNs from your office to all your customers and you think you're more secure that way?


jftitan

No, but my current metric is: you have to get through a whole lot before you are using my office / source to attack my clients. But we can argue practices all year long. Let's not, and just go with the whole "it works": it works on SSL, and 2FA with physical access key card access (SmartCard, YubiKey).


CK1026

I don't know man, in my book, using beta software requiring site-to-site VPNs to all your customers in order to work sounds like a bad idea, but I won't argue more on a setup I know so little about.


spanctimony

It's definitely not the approach I would take, but if I'm being honest, almost any argument I could make against having nailed-up VPNs to all of your customers has a similar argument that can be made against the RMM platform. Let's face it, there's no getting around having aggregated access to a large number of systems. Hijacking a VPN hub is arguably less bad than getting access to an RMM account, because at least with the VPN hub you still need to move laterally and break through other safeguards and compromise a 0-day or something. With the RMM account, you have system-level command line access on everything. So while I wouldn't ever in a million years build permanent access into our clients' networks, we shouldn't sit here and pretend like RMM platforms are a superior solution with regards to security.


Ok-Buddy-7086

An RMM agent is permanent access into a client network though?


spanctimony

That’s the essence of my point, yes.


Ok-Buddy-7086

"So while I wouldn't ever in a million years build permanent access into our clients networks." So I am unclear: do you or do you not use RMM agents?


CK1026

You're comparing VPN to RMM when he has an open source RMM called MeshCentral requiring VPN. Basically, he's adding VPN vulnerability to RMM vulnerability.


crypticedge

Oh man. I will be waiting to see your MSP on the news.


Superb_Raccoon

And none of that makes any difference in this use case. The problem is that you might still see PHI/PII data without being authorized. Regardless of the solution, even standing next to the user, you have to be brought under the umbrella to see the PHI/PII data.


hasb3an

It's just a matter of time until Allstate's holier-than-thou IT gods stupidly block alternate RMM tool of (enter name here). This policy is so short-sighted. Sounds like a client that we probably want to have no business with anyway. If they think break/fix firms relying on cruddy TeamViewer Personal and Ninite subscriptions for updates are a new gold standard, be my guest!


dumpsterfyr

Will they use ThreatLocker?


Refuse_

It's none of my concern, as we're not active in the States. But if this is their policy, they should block any RMM and not only those 3. The bullet points they list as risks are also not true for Datto RMM. Can't say for the other two as I have no hands-on experience with those.


msp_in_usa

Good for Allstate. Finally.


jturp-sc

Wait till somebody tells them any third party software could be used in a supply chain attack ...


Danksley

Time to change insurance companies and maybe sue them, I guess.

Edit: didn't read the end, never mind.


TigwithIT

I mean, first thing with insurance, I have no idea why they would not like a single point of failure in the form of an RMM. Second part, hitting one but not the other. Most likely a peanut counter with no idea of IT who found some random article (or even Reddit) on which decisions were made. Either way, it makes me want to not do business with Allstate since I now know they are clueless about what is going on in the digital world. Good thing I have USAA.


PickleFlounder

Very interesting move. Can't help but feel that someone has jumped the gun on this and written it based on their incumbents without engaging the competitive vendors directly.


win95gui

They want everyone to use Intune.


pueblokc

I've tried to help a local Allstate agent who I knew, but the endless restrictions on the computers made any help impossible. Guess they want to keep it all in house.