It seems like an increasing number of organizations are relinquishing network control to third-party providers. Is outsourcing network services to third parties the future of network security and management? Can you talk about the risks versus the rewards and recommend best practices for outsourcing network management while ensuring network security?
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
Companies choose to hand over their networks to a managed service provider (MSP) for many reasons, but the tight economy seems to be the most popular one right now.
With IT budgets shrinking, managers in many companies have turned to MSPs to take over part or all of their network services. This helps smaller companies that might not have the resources or skills to manage networks up to standards, and it gives them a greater ability to secure their environment. These services normally come with monitoring and the capacity to have an engineer work on issues at any time -- for a cost. Freedom and lower cost of ownership, however, also introduce risks that might not have been obvious at first.
Oftentimes, outsourcing network security to a managed services provider means hosting equipment in a provider's facility or replacing equipment with a shared service. This brings up the issue of reliance on a provider's systems, which might not be configured up to the same standards. There's also the worry that other customers' issues, like a DDoS attack, will bring down your environment along with theirs. To avoid this risk, be sure to discuss the topic of isolation from all other customers with potential providers.
Another area of risk with network management outsourcing is that some control over network architecture is lost when a company either hosts systems at a provider's data centers or has consultants come in to work on them in house. When someone else is performing the implementation or daily operations, the architecture can be configured less than ideally, or even just differently, especially if it's hosted somewhere else, which can present design limitations.
Before signing a contract to either host network equipment in a provider's facility or have a third party come in to help manage on-premises networks, be sure to have a good idea of the following factors:
- What is the service-level agreement (SLA) on the systems and services that you purchased? Read the fine print so there are no surprises. Almost all SLA contracts absolve the provider of all responsibility.
- If your company is regulated and it has network gear hosted in a managed services data center, ask for the provider's SAS 70 audit and Attestation of Compliance (AOC). Your company still needs to be compliant, even if someone else is assisting with the systems or they're outside of your data center.
- Find out the location and safety of your company's data. Is it in another country? Is it being backed up?
- Who's responsible for a breach? Is your company responsible for a breach if an MSP is hosting or configuring your systems? This is a big deal, because if systems that were hosted somewhere else or managed by others happen to be compromised, you don't want to take all of the blame.
While there is a potential for increased risk with managed network services, careful planning and prudent controls can limit that risk to acceptable levels.
This was first published in January 2013