This article can also be found in the Premium Editorial Download "Information Security magazine: Outsourcing security services."
Enterprises across a wide variety of industries are turning to cloud computing to reduce the burden on their IT support staff, decrease costs and provide services that would otherwise be out of reach. As organizations evaluate the best options for cloudsourcing, attention is naturally turning to information security services because of the high cost of maintaining the hardware, software and staff required to provide these services on-site.
However, the options for outsourcing security services are numerous, and not without risk. Fortunately, not every organization’s solution to security outsourcing has to be found in the public cloud. In this article, we look at the managed security service provider (MSSP) landscape and discuss the use of MSSPs for vulnerability management, security incident and event management (SIEM), intrusion detection, virtual private networking (VPN) and more. We also offer advice on how to manage an MSSP relationship to reduce risk.
The Benefits and Risks of Outsourcing Security Services
The adoption of managed security services is often driven by the cost effectiveness of gaining access to specialized security tools and expertise on a shared basis. While your organization may not be able to stomach the budget requirements of hiring a full-time advanced intrusion analyst who might investigate only a few incidents per week, an MSSP can amortize the cost of this advanced experience over multiple enterprise customers. Essentially, organizations find themselves gaining time-shared access to the tools, techniques and knowledge of a wide array of specialized security professionals for the cost they would otherwise incur hiring a smaller team of full-time security generalists.
Compliance requirements also drive organizations to security outsourcing to help meet their regulatory obligations. The most common scenario is the need for merchants that operate credit card processing systems to comply with the Payment Card Industry Data Security Standards (PCI DSS). PCI DSS contains requirements that can be difficult and burdensome to meet with internal staff. For example, the requirement that you “review logs for all system components at least daily” requires staffing your security monitoring function seven days a week. This can be quite expensive for organizations that operate on a typical eight-hours-per-day, five-days-per-week work schedule. In this case, a PCI DSS certified service provider for log monitoring may be able to provide this service, along with advanced monitoring and analysis capabilities, on a much more cost effective basis.
At the same time, you need to keep an eye on the risks associated with outsourcing security services. While any outsourcing project involves a degree of risk, these risks are exacerbated due to the critical nature of security services. Here are a few questions to consider:
- Does the security service involve sensitive information that you do not want in the hands of an outsourced provider?
- Does the provider make specific commitments regarding confidentiality, integrity and availability and do those commitments extend to any subcontractors?
- Will outsourcing introduce a single point of failure to your environment and, if so, what impact would a failure have?
- If you are storing critical data at the provider, will you keep local backups? If not, what provisions are in place to protect you if the provider goes out of business?
Answering these questions can help you identify whether the risk of outsourcing security services is justified in your business environment.
When comparing the pros and cons of outsourcing security services, the numerous benefits may have you nodding your head yes. But before making the decision to outsource, you should consider several factors that will influence which providers you evaluate. Ask yourself the following questions:
- Should we use cloud-based providers, providers who manage on-site equipment or those employing a hybrid model? Depending upon the type of services provided, MSSPs may either operate entirely in the cloud, manage equipment that either they or you physically place on your network, or implement a hybrid approach, using cloud-based management services to manage on-premises equipment. Each approach raises different issues to consider. For example, do you want to allow an MSSP access to your internal network? Are you comfortable running services entirely through the cloud? What about having security equipment interact with, and possibly ship data to, a
- Do we want to employ a single, broad-spectrum MSSP or a combination of specialized MSSPs? Some MSSPs provide a broad range of services and would like to act as your sole provider of outsourced security capabilities. Depending upon their size, they may or may not be able to bring the same level of specialized expertise to the table as niche providers who focus on a single security capability. Consider whether you prefer the consolidation offered by a single provider or the potential of increased effectiveness from specialized providers.
- What services do we want to maintain internally? Are there certain security services that you currently operate that you would hesitate to outsource? This may be due to concerns over the sensitivity of data processed, regulatory requirements or the ability of a provider to meet your reporting needs. On the other hand, it could be because you currently have staff with advanced skill sets in particular areas and you hesitate to lay them off as a result of outsourcing.
The decision to move to an MSSP is a significant one and should be considered carefully before making any moves. If you do determine that the use of MSSPs fits within your organization’s risk tolerance and may provide cost and/or effectiveness benefits, your next step is to examine the MSSP landscape and identify the services that are best suited to your organization.
Managed Security Services
MSSPs now provide some level of management over almost any security service that you can imagine. The growth of extremely high-speed broadband networking has made it possible to take services that were once constrained to physical networks and move them, either partially or fully, into the cloud. Some of the services commonly offered by MSSPs include the following:
- Firewalls and VPNs: These network security services are among the most popular to outsource to MSSPs. Depending upon the complexity of your environment, they rapidly approach commodity status. Unless you have a rapidly changing rule set (and even if you do!), outsourcing the management of your firewall and VPN services may be a quick way to reduce the burden of security management on your staff.
- Content filtering: Organizations that use content filtering most often subscribe to an externally provided blacklist of sites that are known to contain malicious and/or offensive content. MSSPs now provide this entire service in the cloud, either by operating shared proxy servers, or managing a “safe” DNS service. This service redirects users requesting blocked content to a page that informs them that the requested site appears to violate the organization’s security policy, providing instructions on obtaining an exception, if necessary and warranted.
- DDoS protection: Distributed denial-of-service (DDoS) attacks pose a significant risk to targeted organizations, as they have the capacity to quickly consume all of an organization’s available bandwidth and prevent legitimate use. DDoS protection services, offered by both ISPs and independent providers, filter traffic before it reaches your border, blocking requests that match attack patterns.
- Security monitoring: Maintaining and reviewing security logs is one of the most time-consuming and boredom-inducing tasks facing security analysts. MSSPs now offer services ranging from simple log aggregation to more advanced analysis services, including full security incident and event management (SIEM) capabilities.
- Vulnerability scanning: One of the most widely deployed MSSP capabilities, outsourced vulnerability scanning provides you with a way to harness a mature shared service. Scanning MSSPs offer you external scans from a third-party perspective and/or control of internal scanning appliances placed on your network. Results are typically aggregated in a management console for centralized review, prioritization and remediation.
There are literally dozens of MSSPs in the marketplace, each offering a subset of these capabilities. Once you’ve identified the particular services of interest to your organization, you can begin to narrow down the vendor landscape to those that offer capabilities meeting your requirements.
Managing Your MSSP
Once you select a vendor, negotiate your contract terms and plan the implementation process in a manner that facilitates the effective management and utilization of the MSSP by your internal staff. There are a few guiding principles to keep in mind as you begin your MSSP deployment process.
First, make sure that you establish realistic boundaries between the responsibilities of your staff and those of the MSSP. You will never completely absolve yourself of security responsibility; there’s simply too much institutional knowledge in the minds of your staff that is essential to configuring and troubleshooting services and responding to potential security incidents. No matter what degree of outsourcing you choose, you will need to retain some internal capability and ensure that both sides have the same understanding of the division of responsibility. For example, while a provider can certainly manage your firewall, you must have system administrators on staff who are familiar enough with the functionality of the services protected by that firewall to specify and design new firewall rules. The provider won’t be able to tell you what ports need to be opened up for a new service that you’re putting into production—they can only act upon your staff’s instructions to implement a new firewall rule.
When you agree on the division of responsibility, put it in writing. Clearly defined roles should be part of a service-level agreement (SLA) that you negotiate with the vendor, along with concrete expectations regarding uptime, response time and escalation procedures. It’s far too easy to fall into the trap of “let’s agree in principle and sort the details out later,” which often results in disappointment for one or both sides.
Finally, be sure to measure your success as you evaluate the effectiveness of your MSSP relationship. One way to do this is by monitoring compliance with the SLA and taking action when operations fall outside of the agreed-upon parameters. However, this shouldn’t be your only guidepost. You should perform a “before and after” comparison between the service you provided internally and that offered by the MSSP, both in terms of cost and effectiveness. This will help you determine whether the move to an MSSP is delivering on its promise in the long term.
The growing use of MSSPs offers enterprises a new approach to building security capabilities. Outsourcing security services requires careful planning and management. However, managed properly, MSSPs can provide you with a way to reduce your internal staffing costs and/or add new capabilities to your security architecture.
About the author
Mike Chapple, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Send comments on this column to email@example.com.
This was first published in February 2013