Could An MSSP Be The Future For Your IAM Needs
08 September, 2021, by Paul Kennedy
How would you feel if you heard the following upon arriving into work one day:
- "We have had a data breach"
- "We have had a ransomware attack"
- "We have had a customer impacting service outage"
- "We have had a P1 incident and users can't access our services"
These are words to give any CTO, CISO, CIO, IT Manager or just the business owner nightmares. Nobody wants the inconvenience of responding, identifying, recovering, protecting, reviewing, etc. Nor does anyone want the possible repercussions of bad publicity, loss of stakeholder confidence, share price impact, penalties/fines or redundancies.
But the question that might be asked is: “Why are businesses in this position to begin with?"
Surely they have identified their cybersecurity requirements and implemented the people, technology and processes to address them? It's a simple question but alas, the answer isn't.
Deploying an Identity & Access Management solution is the easy part. Managing, maintaining, upgrading, enhancing, protecting and monitoring your IAM footprint is quite a different challenge. The bad actor need not be a hacker, a bot, phishing email, disgruntled employee or compromised service account. It may be a runaway process consuming too much resources for an out of date application version!
So what are the main challenges for operating an IAM solution? And what are the advantages of engaging a Managed Security Service Provider? Crucially, why might an MSSP model be unsuitable for some businesses?
One does not need to search for too long to find articles and blogs detailing the challenges that IT departments face in trying to manage their own IAM solution.
Lack of Resources and Skills
In the world of today everything is mobile. Nothing is truly static; From where, when and how we consume digital services, to how they are provided. This is the same for the workplace and by extension the workforce. With mobility comes choice and opportunity and today’s modern adaptive employees no longer need to spend their entire careers in the same department, at one company or even their chosen profession. But with fluidity of personnel comes the transient nature of skill-sets and experience. Therefore specialised IAM expertise that may have taken years to build up and is most sought after can simply walk out the door in an instant. This is very relevant to companies that have Identity and Access Management Department or where it forms a core part of enterprise’s operations and processes.
Additionally, who said at their graduation or at the start of their career that they wanted to be an IAM specialist? It's not perceived as cool or as a move to enhance your working career. Most IT savvy graduates or exponents aim for programming positions, application development, content creation or something that looks and feels exciting rather than managing identities, policies and monitoring for compliance! We know that there is a lot more to IAM and IGA than meets the eye but unfortunately there is a skills shortage in this area!
Lack of Investment
Finance! Nobody likes talking about it but ultimately running an IAM department costs money!
Maintaining, updating and managing your Cybersecurity footprint is continuous and so too are the skillsets needed. There is an argument that this should be seen as an investment, as being able to identify and act on threats whether internal or external, could save an enterprise more than just a financial loss. But ultimately it is factored as an operational cost and can be quite a significant one.
Too Much/Too Little Data
So you have your JML process running smoothly, your employees are being provisioned with the access they request and all is great with the world. But why is Janet from Accounts logging in at 3 a.m. or Mike from Procurement creating and approving Purchase Orders?
This information may be logged, backed up and archived but without having the correct resources, technology and processes to capture, sift, and highlight unusual or risky business activities, then these fall through the gaps. With the proliferation of logs generated by enterprise applications and servers it is impossible to manually mine for the red flags. But having too much data to sift through isn't quite as bad as having too little data! Do these ring a bell? Inadequate logging. Not enough information to join the dots. An inability to explain certain events or issues.
Business Needs Vs IT Processes
IT should be an enabler to the Business. Therefore, and by extension, the IAM solution should not be a blocker to business processes and people doing their day-to-day jobs. Unfortunately some IAM implementations are too ambitious in scope and lack proper planning or road-mapping to begin with. This results in long delivery cycles, possible scope-creep, additional manual processes, original requirements not being met, perceived lack of value, poor adoption, stakeholder fatigue and an over developed, under-utilised solution. Sometimes simplicity is the best route!
Let’s talk about the Positives of MSSP
All businesses that have any reliance on cybersecurity (whether a small retail outlet chain or a large multi-national corporation) would envisage that they should be able to:
- Identify their assets;
- Protect their resources;
- Detect threats;
- Respond to incidents; and
- Recover as soon as possible.
In addition to providing the resources and skills that enterprises might lack; delivering cost savings on security, and allowing organisations to concentrate on business, MSSPs also have the following advantages:
- 24x7 coverage
- Patching and upgrading
- Log monitoring, retention and data analysis
- Incident management
- Quick on-boarding and scalability
- Automated and adaptive processing
- Compliance management and audit reporting
Having the required resources, skill sets and technology sometimes is not enough. By the time that manual intervention has detected, identified and stopped the threat/attack the damage may already have been done. MSSPs can utilise technology to automate detection, identification and prevention at the perimeter as well as monitoring for internal threats.
For small to medium enterprises the question that might be asked is "Can we afford to outsource all our cybersecurity requirements to an MSSP?". The answer is you don't have to. MSSPs don't need to cater for all your needs. They can be engaged to augment areas where you lack the skills in house whether that is SIEM, SOAR, DLP or IAM. They can help fill the gaps in your cybersecurity processes enabling your IT department to continue with their day jobs.
And Why Not?
Handing over some or all of your cybersecurity and IT Security management operations may seem time and cost effective from a resources and operational capital perspective but some enterprises in certain vertical markets may not want to engage with an MSSP due to:
- Control: Certain enterprises may find it too much of a risk to allow a third party involvement in any aspect of their data management.
- Enterprise specific business and IT processes: There are advantages to having an internal IT department cater for the security needs of a business. They will have built up considerable knowledge of the internal processes, activities and culture of the organisation and can respond accordingly.
But even for businesses that want to engage an MSSP, how can they be sure that what they have agreed upon will be covered and delivered by their prospective supplier when they lack the expertise in that field?
Ultimately it comes down to control and trust. Knowing that your IT assets, including customer sensitive data, are safe from those that want to harm it and accessible to those that require it.
A cloud-based MSSP approach is advantageous to enterprises who have some of the following challenges:
- Technical experience and training
- Budgetary concerns
- Time critical/sensitive operations that require constant monitoring and uptime
- Application access and availability 24x7
Contact Us to learn more about how an MSSP model can help get value from your IAM infrastructure.