As the economy continues to tumble and organizations of all kinds seek ways to reduce costs, the promise of security savings by outsourcing certain infosec tasks to managed security service providers (MSSPs) can be quite alluring. Using an MSSP can lower your payroll expenses and provide you with the talents of highly specialized engineers.
Managed security service providers now exist for a wide range of security functions, including:
- Firewall management
- Antivirus management
- Intrusion detection and prevention (IDS/IPS)
- Virtual private networks (VPNs)
- Workstation, server and network device configuration and management
In this tip, we'll take a look at when enterprises should outsource these critical elements of their security infrastructure. The decision to move to one or more managed providers is a complex one, and the answer will vary depending upon given business requirements.
Why make the switch to MSSPs?
There are two basic reasons to consider a managed security service provider: cost savings and service enhancements (or some combination of the two). It's important to clearly understand the objectives before evaluating service providers, as the balance struck between them will definitely influence your MSSP selection.
Economic factors often force the consideration of MSSPs as a cost-saving measure. Indeed, economies of scale often permit MSSPs to provide security services in a much more cost-effective fashion than what can be performed in-house. Consider the costs, for example, involved in maintaining a highly available border firewall in an enterprise. In addition to equipment costs (which may or may not be covered in an MSSP agreement), staff must be recruited, hired and trained to operate the equipment. The costs of fringe benefits, payroll taxes and other employer obligations will also need to be covered. And when an employee decides to leave your organization, you'll need to begin the recruiting, hiring and training process all over again. The MSSP approach shifts this burden to the provider.
MSSPs also offer the opportunity to obtain superior functionality than what can be supported in-house. While an IT shop likely has security as one of many areas of concentration, such as server/desktop management, network infrastructure and database administration, MSSPs have one function: security. This focus allows them to gather expertise that is extremely difficult to obtain in the environment of a busy IT enterprise.
Why to not switch to MSSPs
Is it always appropriate to move to an MSSP-based security infrastructure? Definitely not. Here's some food for thought before making the plunge to managed security service providers:
- Cost savings: Will moving to an MSSP really achieve cost savings in the long run? When building a case for outsourcing security, dissect the business justification for an MSSP. Unrealistic expectations often find a way of creeping into these documents. For example, if you forecast savings in human resources costs, is it likely that you will make the downsizing moves necessary to achieve those savings?
- Control: Are you willing to give up the keys to the kingdom? Moving the management of parts of the security infrastructure to a third party requires a leap of faith. Do you (and your management) feel comfortable with this arrangement? Things can definitely go south quickly if you find out only after you sign a contract that the audit committee of your board of directors vehemently opposes giving someone else control of your security infrastructure.
- Liability: Are you contractually permitted to outsource security? Many organizations, especially those that do business with the government, have contractual relationships with customers that restrict their ability to engage subcontractors. Check with your legal team to determine if an MSSP agreement would run afoul of any such relationships.
If you decide to take the plunge, you'll need to consider the terms of your contract with the provider before signing on the dotted line. Here are some items to address in the service-level agreement (SLA):
- Response time in the event of a security incident. You'll need to spell out exactly how quickly you'd like to be notified and provide details on the various scenarios that trigger an alert. For example, you may wish to be notified immediately if the vendor detects a successful intrusion, even if it's 2:00 a.m. On the other hand, you may wish to receive a summary report of unsuccessful attempts once a week.
- Timeliness of signature updates, software upgrades, security patches and related maintenance. The easiest course of action here is to take your own internal standards and apply them to the MSSP as well. If you require your own system administrators to apply security patches within 30 days, that's probably a reasonable standard to apply to the MSSP as well.
- Access rights on security and other devices provided to both the MSSP and your organization's staff. You probably want to guarantee the MSSP will always allow you administrative access to the systems they manage. This provides a sense of security in the event the MSSP goes belly-up.
- Personnel security controls implemented by the MSSP. Again, consider applying the standards that you use in your own organization here as well. If you conduct criminal history checks and credit checks for your own employees, insist that the MSSP follow a similar policy for the people that will be working on your account.
- Frequency and nature of service reviews. At a minimum, plan to get together with the MSSP on an annual basis to review what's working well and what can be an opportunity for improvement. You might wish to tie this to your annual contract renewal cycle.
By taking the time to lay an appropriate foundation of understanding and written agreements, your relationship with a managed security service provider can be a long and fruitful strategic collaboration. Taking the time to plan appropriately will greatly increase the likelihood of success. The judicious use of MSSPs can help enterprises achieve cost savings and gain access to security specialists, but they're not a panacea. It's critical to perform due diligence to ensure that each potential relationship is built upon a solid foundation.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.