MSSPs Part 2: Reasons to be wary

Seven shortfalls of outsourcing security

In my previous article, I talked about 10 reasons why outsourcing to managed security service providers (MSSPs) may be a cheaper and better way for companies to implement part of their security infrastructure. However, as with everything, where there are pros, there are always cons.

Here are some reasons why you should think twice before outsourcing.

1. Infrastructure control

Once you outsource your security infrastructure, such as firewalls and intrusion-detection systems, you may lose some or all control over it. Many MSSPs want to retain full control in order to reduce the finger-pointing when a catastrophe happens.

Also, MSSPs usually have the tools to manage security on the network, and they'll do it differently than your in-house administrators would, so shared control can create problems when both sides can't agree on certain issues. However, you still have control over system policies. If you can't swallow the fact that you will lose control, look for an MSSP that will share access with you.

2. Security policy

Any good security policy requires knowledge of the company's corporate culture and business. The MSSP won't know everything about your company. For example, it won't know that your company's extranet can only be accessed by specific strategic partners. Nor will it know that only specific administrators can access security data and that these people must have access at any time. It's your responsibility to work with the MSSP to make sure that it understands and builds your security policy. Some MSSPs can provide professional services to help you, but you will have to pay more.

3. Security environment

Unless the MSSP handles all of your infrastructure, it won't know all of the applications and servers you have. That means it's difficult for the vendor to accurately determine whether a security event is critical or just a false alarm, because it has insufficient information. Most MSSPs can work with you to set up an escalation policy that includes partial knowledge of your environment, including information on the applications and servers in your infrastructure. However, it's up to you to keep that information current and to update the MSSP as necessary.

4. Administrative access

One of the biggest surprises for companies considering outsourcing their information security is that most MSSPs have a team of engineers and they all have administrative access to the client company's systems. The team size can sometimes be as many as 30 engineers.

In contrast, most companies probably have only two or three administrators who are allowed to manage systems. To mitigate the risk of having too many people who can make modifications, work with the MSSP to make sure it knows who from your company may request changes. Restrict the people who can request changes to a number you are comfortable with.

5. Response time

Most MSSPs have a very fast response time when it comes to catastrophes. For example, if the system goes down due to a hardware or software failure, the response time to get on the case is usually about 15 minutes. However, if you need a policy change quickly, the response time can range from six to 24 business hours, depending on the terms of the service-level agreement. This generally requires the company to plan ahead when working on projects. It also means you shouldn't send in a change request to open a port on the firewall two hours before you need it.

6. Customization

MSSPs are all about economies of scale. All their operations are based on that concept in order to make a profit. Their preference is to perform any task on a mass scale so nothing needs customization. The downside, of course, is that your system will be managed just like any other. If you have specific requirements that need customization by the MSSP, it will be difficult to persuade it to do so because that breaks its model. For example, it will be difficult to persuade the MSSP to enable SNMP on your firewall if the MSSP's policy doesn't allow that.

7. Financial viability

This is perhaps one thing that most companies will ignore or won't spend enough time on when it comes to due diligence. To identify the MSSP that meets your requirements, not only do you need to spend time on the SLA and technical requirements, but it's also critical to understand the MSSP's business and financial viability.

Given that many of the MSSPs out there are new and fairly small, any risky business move on the part of the MSSP could put it out of business. As we have seen over the years, that's exactly what happened to many of them. Remember Pilot Networks and how much time it gave its customers when it went out of business?

Now that we've gone through the pros and cons of outsourcing to MSSPs, it's up to you to understand your requirements and decide whether to outsource. Make sure you ask all the questions and spend time on due diligence, and don't let the MSSP talk you into something that you are not sure about. Make sure you talk to multiple MSSPs and understand how they can meet your requirements. In other words, do your research first.

Jian Zhen is a senior product manager at LogLogic, a log management vendor in Sunnyvale, Calif. He has been in the information security industry for nine years, including five years at telecommunications company Cable & Wireless. He can be reached at zhenjl@gmail.com or www.trustpath.com/logmatters.

Copyright © 2004 IDG Communications, Inc.

  
Shop Tech Products at Amazon