IT Security Best Practices are processes and configurations outlined by industry-leading standards organizations such as SANS, NIST, and OWASP, amongst others. Some examples of best practices include: keeping software and systems updated, uninstalling all but required applications and services, segmenting critical network resources, and configuring host and network firewalls first to block all traffic, then allowing the only required traffic by IP and protocol. But are best practices always feasible for an organization? To some, this may seem like a ridiculous question. However, most CISO's would likely instead consider the question the other way around: "Is not having best practices feasible?" since their jobs depend on the performance of security controls. So why did John Mandia of Mandiant Security LLC respond with "it depends" when responding to a question before a US congressional special hearing in response to the SolarWinds malware? Senator Wyden's question specifically referenced NIST firewall best practices and their ability to increase network security and reduce the impact of cyber-attacks. But there is something more complex lurking behind the seemingly obvious answer.
Crowdstrike CEO George Kurtz's answer to the same question explained more. Operational complexity is a natural and tangible barrier to push-button implementation of network best practices. Large Corporate Networks are increasingly a frenzy of complexity due to digital transformation. From a Baseline perspective, the more complex a network configuration is, the exponentially more expensive it is to maintain. For example, a "deny all, and only allow required" approach to firewalls is operationally complex to configure, and that complexity increases the burden of onboarding new network admin team members. It's not only large enterprises experiencing the increased burden of digital complexity. SMEs are also being overwhelmed by fast-changing IT requirements.
Digital complexity affects administrative duties such as documentation, training new team members, upgrading skills and certifications, implementing change management, vulnerability management, and threat response. For fortune 500 companies securing billions of dollars worth of assets and data, managing the talent pipeline is complex and has spurred the growth of managed IT services 3. However, corporate executives of small and mid-sized companies (SMEs) may feel they exist in a grey area where the cost savings of managed services are not obvious, and the uncertainty of 3rd party reliability is a looming concern. In the case of municipal governments, a progressive model may be considered costly to the taxpayer, while a traditional model of keeping IT talent "in-house" may seem like a more sensible decision. But by the time SMEs and State and Municipal governments uncover that they are having trouble filling the technical skills gap, it may be too late, and they will find they have already taken on more risk than they should.
Even a SMEs single mail-server or website requires a depth of specialized IT knowledge, and that knowledge evolves quickly. For example, access controls, SPF, DKIM, and TKIP security configurations must be adequately enabled to prevent an attack that could allow hackers to hijack a domain and send spam or breach access, allowing them to steal or compromise sensitive information. In addition, applications have constant update cycles and output detailed security logs that require attention. The internet ecosystem is also constantly evolving with new security features and laws to mitigate cyber threats and protect privacy. As a result, compliance with technical and legal requirements is a moving target. Also, the persistent trend of Ransomware attacks on companies of all sizes shows the bad guys are ready to take advantage of any oversight or misstep they can, which could result in significant operational setbacks and costs.
Trends in increased digital complexity and decreased access to talent are key factors driving MSSP adoption. The adoption of MSP can enable tangible returns for Risk Management and offer benefits in the following aspects of business potential:
Becoming cloud-aware is critical to managing the transition to the MSP. The most common types of cloud services are listed below, with brief descriptions and essential benefits. However, the number and scope of cloud services are increasing quickly, and this is not a comprehensive list of available services.
Infrastructure as a Service (IaaS): Rather than purchasing network hardware infrastructure and managing it on-premise, the IaaS model allows customers to rent VPS network infrastructure in a large data center. This provides flexibility, scalability, and cost advantages. For example, a company can avoid predicting exactly how much server power they will need and shop around for the best price on hardware. Instead, companies can reap the advantage of network effects, get premium hardware at discount prices and have the alternative to scale when required. Finally, IaaS providers may have additional features such as push-button full and incremental backups, full-drive encryption, and metrics dashboards showing VPS performance. In an IaaS relationship, most of the responsibility is placed on the customer rather than the IaaS provider. The customer is entirely responsible for VPS configuration and maintaining any software applications or services. The vendor provides accessible and scalable hardware in the cloud.
Platform as a Service (PaaS): Similar to how IaaS simplifies the process of procuring and deploying network hardware, PaaS starts at the operating system level and deploys a technological environment. Building and maintaining a specialized system can require complex installation and configuration. Typical PaaS includes database management, secure software development tools, web application clusters, and business management application environments. Responsibility in a PaaS relationship is well balanced. The vendor takes responsibility for keeping the software systems running. However, the hardware may be owned by the customer and on the customer's premises.
Software as a Service (SaaS): SaaS is the most simple and powerful way to migrate to MSP. SaaS provides specialized cloud applications such as email, cloud storage, online meeting software, office tools, and customer relations management software. Some examples include Microsoft Office 365 and Google Workspace. Most of the responsibility in a SaaS relationship lies with the vendor. The customer will pay a monthly or annual fee, log in via a web portal and use the application suite. In addition, using a SaaS MSP allows greater data security since MSPs apply enterprise-level vulnerability management, virus scanning, and backup solutions, keeping data safe. When best practices become infeasible, it's a good time to move to a contracted MSP to secure access to the best professional talent and ensure security does not go by the wayside. The industry trends indicate this is already taking place at scale. Now is an excellent time to evaluate your organization's security posture and ensure the sustainability of your assets. The benefits go past security and offer the opportunity to streamline your operations and gain more insight.