Three Managed Service Provider Attributes to Look for When You Need a Secure Managed Services Offering
Managed services offerings are becoming more of a staple these days as complexity and diversity in technology are on the rise and IT staffing is on the decline. These conditions are forcing more and more companies to partner with one or several managed service providers to handle their support needs.
At the same time, security is also attracting increased interest. With recent events demonstrating how clever and resourceful hackers have become, the need to maintain security is more paramount than ever before.
This blog post outlines what makes a managed service provider strong from a security perspective to help you identify a provider that can deliver secure managed services offerings. Read on to learn what to look for in a managed service provider when you cannot compromise on security.
Managed Service Provider Security Attribute #1: In-House vs. Third-Party Platforms
One important factor to consider is how much of the code being used to manage and monitor your environment is written by the managed service provider using it to support your environment. There is no limit to the number of IT applications that can be used to monitor and manage voice and data networks, but trusting a firm who is putting their trust in various other third parties is creating exposure for you and your firm. If you can find a managed service provider partner who writes their own code, you greatly improve the security model for your firm by not extending your exposure beyond their immediate company.
This benefit also ensures that any issues with the managed service provider software experienced by engineers are instantly brought to the attention of the developers of the tools. Further, common issues like one vendor pushing out a patch that conflicts with another vendor’s tool or in some way does not improve the managed services offering are eliminated.
Managed Service Provider Security Attribute #2: On-Premises vs. Cloud Platforms
When the tools being used to monitor or manage your environment are external to that environment in terms of their physical location, the need to create a variety of access points external to your LAN arises. If a managed service provider leverages on-premises appliances that can remain in a DMZ – thus eliminating the need for any of your systems to share external telemetry – your security team will thank you.
You can ask a managed service provider the following questions to further validate the security of their platform deployment model:
- Can your tools be customized around best practices in terms of concepts such as IP addressing scheme and disaster recovery? Confirm with the managed service provider that your disaster recovery goals and existing designs can be complemented by the managed service and monitoring you are considering.
- How much of our customer sensitive data is sent offsite? The answer to this question should be “none,” with very rare exceptions – even then, try to confirm what security certificates the managed service provider possesses.
- Is any of our sensitive data stored on your appliances? Again, the answer should be “little to none,” with very rare exceptions for specific use cases.
Managed Service Provider Security Attribute #3: Access Design
While you want it to be easy for your managed service provider to access your environment so that they can quickly address problems, you do not want it to be easy for any other external parties to do so. To gauge just how easy it may be for an unwelcome external party to access your environment, ask a managed service provider the following questions:
- How many ports need to be open for external access? If the managed service provider answers with a range of ports instead of providing very specific port numbers, or if they cannot clearly define what each port they require access to will be used for, you should be concerned.
- How many levels and types of access are required? If the only types of access the managed service provider says they require are read-only and admin (and nothing in between), you may want to press them for more information. Most MACD changes, for example, call for mid-level access.
- Do you rely exclusively on traditional VPN/SSL or more modern designs that enhance the levels of security around our environment? One example of a more modern design would be in-house security software designed to add additional layers of protection and restrict types of possible access.
- How are the logs pertaining to access reviewed and audited and can we, the customer, review and access this information? A managed service provider should be able to tell you if the logs are reviewed on a schedule or only when a problem is detected, and also exactly who has made any changes and what specific system(s) they have changed. They should also grant you, the customer, access to this information.
- Is the access predominantly southbound with as little northbound traffic as possible? As the question implies, look for a managed service provider that predominantly operates via southbound access and limits northbound traffic.
- Can you accommodate our security standards and security best practices into the architecture that you are presenting? Ideally, any managed service provider you select should be able to comply with your standards, as well as industry best practices, whether those standards be that you only allow access through a shared web conference or only after background checks on their engineers have been completed.
This blog post was authored by Steven Faust, a director of solutions architecture at Optanix. It is part of a series of posts by Optanix employees focusing on the importance of security in the IT management space.