Enterprises across a wide variety of industries are turning to cloud computing to reduce the burden on their IT support staff, decrease costs and provide services that would otherwise be out of reach. As organizations evaluate the best options for cloudsourcing, attention is naturally turning to information security services because of the high cost of maintaining the hardware, software and staff required to provide these services on-site.
However, the options for outsourcing security services are numerous, and not without risk. Fortunately, not every organization’s solution to security outsourcing has to be found in the public cloud. In this article, we look at the managed security service provider (MSSP) landscape and discuss the use of MSSPs for vulnerability management, security information and event management (SIEM), intrusion detection, virtual private networking (VPN) and more. We also offer advice on how to manage an MSSP relationship to reduce risk.
The adoption of managed security services is often driven by the cost effectiveness of gaining access to specialized security tools and expertise on a shared basis. While your organization may not be able to stomach the budget requirements of hiring a full-time advanced intrusion analyst who might only investigate a few incidents per week, an MSSP can amortize the cost of this advanced expertise over multiple enterprise customers. Essentially, organizations gain time-shared access to the tools, techniques and knowledge of a wide array of specialized security professionals for the cost they would otherwise incur hiring a smaller team of full-time security generalists.
Compliance requirements also drive organizations to security outsourcing to help meet their regulatory obligations. The most common scenario is the need for merchants that operate credit card processing systems to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS contains requirements that can be difficult and burdensome to meet with internal staff. For example, the requirement that you “review logs for all system components at least daily” means staffing your security monitoring function seven days a week. This can be quite expensive for organizations that operate on a typical eight-hours-per-day, five-days-per-week work schedule. In this case, a PCI DSS certified service provider for log monitoring may be able to provide this service, along with advanced monitoring and analysis capabilities, on a much more cost effective basis.
At the same time, you need to keep an eye on the risks associated with outsourcing security services. While any outsourcing project involves a degree of risk, these risks are heightened by the critical nature of security services. Here are a few questions to consider:
Answering these questions can help you identify whether the risk of outsourcing security services is justified in your business environment.
When comparing the pros and cons of outsourcing security services, the numerous benefits may have you nodding your head yes. But before making the decision to outsource, you should consider several factors that will influence which providers you evaluate. Ask yourself the following questions:
The decision to move to an MSSP is a significant one and should be considered carefully before making any moves. If you do determine that the use of MSSPs fits within your organization’s risk tolerance and may provide cost and/or effectiveness benefits, your next step is to examine the MSSP landscape and identify the services that are best suited to your organization.
MSSPs now provide some level of management over almost any security service that you can imagine. The growth of extremely high-speed broadband networking has made it possible to take services that were once constrained to physical networks and move them, either partially or fully, into the cloud. Some of the services commonly offered by MSSPs include the following:
There are literally dozens of MSSPs in the marketplace each offering a subset of these capabilities. Once you’ve identified the particular services of interest to your organization, you can begin to narrow down the vendor landscape to those that offer capabilities meeting your requirements.
Once you select a vendor, negotiate your contract terms and plan the implementation process in a manner that facilitates the effective management and utilization of the MSSP by your internal staff. There are a few guiding principles to keep in mind as you begin your MSSP deployment process.
First, make sure that you establish realistic boundaries between the responsibilities of your staff and that of the MSSP. You will never completely absolve yourself of security responsibility; there’s simply too much institutional knowledge in the minds of your staff that is essential to configuring and troubleshooting services and responding to potential security incidents. No matter what degree of outsourcing you choose, you will need to retain some internal capability and ensure that both sides have the same understanding of the division of responsibility. For example, while a provider can certainly manage your firewall, you must have system administrators on staff who are familiar enough with the functionality of the services protected by that firewall to specify and design new firewall rules. The provider won’t be able to tell you what ports need to be opened up for a new service that you’re putting into production—they can only act upon your staff’s instructions to implement a new firewall rule.
Second, when you agree on the division of responsibility, put it in writing. Clearly defined roles should be part of a service-level agreement (SLA) that you negotiate with the vendor, along with concrete expectations regarding uptime, response time and escalation procedures. It’s far too easy to fall into the trap of “let’s agree in principle and sort the details out later,” which often results in disappointment for one or both sides.
Finally, be sure to measure your success as you evaluate the effectiveness of your MSSP relationship. One way to do this is by monitoring compliance with the SLA and taking action when operations fall outside of the agreed-upon parameters. However, this shouldn’t be your only guidepost. You should perform a “before and after” comparison between the service you provided internally and that offered by the MSSP, both in terms of cost and effectiveness. This will help you determine whether the move to an MSSP is delivering on its promise in the long term.
The growing use of MSSPs offers enterprises a new approach to building security capabilities. Outsourcing security services requires careful planning and management. However, managed properly, MSSPs can provide you with a way to reduce your internal staffing costs and/or add new capabilities to your security architecture.
About the author
Mike Chapple, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Send comments on this column to [email protected].
25 Feb 2013