MSSPs Part 2: Reasons to be wary
Seven shortfalls of outsourcing security
Computerworld - In my previous article, I talked about 10 reasons why outsourcing to managed security service providers (MSSP) may be a cheaper and better way for companies to implement part of their security infrastructures. However, as with everything, where there are pros, there are always cons.
Here are some reasons why you should think twice before outsourcing.
1. Infrastructure control
Once you outsource your security infrastructure, such as firewalls and intrusion-detection systems, you may lose some or all control over it. Many MSSPs want to retain full control in order to reduce the finger-pointing when a catastrophe happens.
Also, MSSPs usually have the tools to manage security on the network, and they'll do it differently than your in-house administrators would, so shared control can create problems when both sides can't agree on certain issues. However, you still have control over system policies. If you can't swallow the fact that you will lose control, look for an MSSP that will share access with you.
2. Security policy
Any good security policy requires knowledge on the company's corporate culture and business. The MSSP won't know everything about your company. For example, it won't know that your company's extranet can only be accessed by specific strategic partners. Nor will it know that only specific administrators can access security data and that these people must have access at any time. It's your responsibility to work with the MSSP to make sure that it understands and builds your security policy. Some MSSPs can provide professional services to help you, but you will have to pay more.
3. Security environment
Unless the MSSP handles all of your infrastructure, it won't know all of the applications and servers you have. That means it's difficult for the vendor to accurately determine whether a security event is critical or just a false alarm, because it has insufficient information. Most MSSPs can work with you to set up an escalation policy that includes partial knowledge of your environment, including information on the applications and servers in your infrastructure. However, it's up to you to keep that information current and to update the MSSP as necessary.
4. Administrative access
One of the biggest surprises for companies considering outsourcing their information security is that most MSSPs have a team of engineers and they all have administrative access to the client company's systems. The team size can sometimes be as many as 30 engineers.
In contrast, most companies probably have only two or three administrators who are allowed to manage systems. To mitigate the risk of having too many people who can make modifications, work
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts