MSSPs should take a layered approach and target solutions where they'll be the most useful.

March 1, 2019

5 Min Read
Football playbook
Shutterstock

By Don MacVittie

MacVittie-Don_Ingrained-Technology-author-150x150.jpg

Don MacVittie

Our current state of never-ending disruption has created great opportunities for the MSSP market to bring new technology and better solutions to clients than those same clients could implement internally. Be it cloud, containers, DevOps, or overall digital transformation, MSSPs offer the ability for enterprises to get ahead by utilizing external resources.

There is always a cloud for that silver lining, though, and even the most advanced MSSP has to face the reality that security is behind on all of these fronts. It was already a bottleneck in most organizations’ forward motion, but the rate of change simply buried already over-burdened security teams.

This isn’t anyone’s fault, really. Security was becoming more important at the same time that agile and DevOps increased the rate of change, bringing all sorts of new technologies under the auspices of security, and the number of people who were both interested and capable in security was already barely meeting needs in most organizations. Security touches everything, so in turn is affected by every technology advancement — and here we are.

A Resolvable Problem

This ugly scenario is made worse for MSSPs because there are two different types of security to be implemented in a service organization — for the company, and for the clients. This is a resolvable problem, it just needs to be approached as a real problem that can be met with real solutions.

  • Automate: Because of the current state of the market, and the large gap between perfected security and existing security, the very first thing to mention is automation. Though security lags behind the rest of the industry, some great automation tools are coming along to help cover the increasingly complex environments that MSSPs are working in. As one example, check out VMware Secure State, which can help lock down both security and compliance for the cloudy parts of your service infrastructure. (Disclosure: Before VMware acquired this product, the author did some work for them)

    • Train: Equally important, but more long term in delivery, is to train internal security staff. There are people in your organization who enjoy doing the security bits of the job, and could be trained to do just the security bits. They’re existing employees, so the complex infrastructure and critical issues are already known to them. That makes training in the correct security toolsets easier than bringing in outsiders. And it is arguably more efficient to replace a younger developer or operations person than to hire a highly experienced security person and teach them all the ins and outs of the environment. Simply put, there are two pieces to experience – environment and market. This suggestion is just saying consider training those with environment experience in security as well as hiring those with security experience and training them in the environment.

    • Hire: And don’t stop hiring. New blood brings new experiences and ideas to the table. The market is in constant motion, so bringing in someone with a ton of security experience in something like containers might make sense if your organization is short in that area. Of course, every new idea isn’t a good idea, but knowing what’s out there and looking at ways to use it to increase the effectiveness of your security is …

    • … a huge bonus to you and to your clients.

  • Share: Cross-train. Different than the internal training noted above, this is spreading the security workload where it makes sense. One large insurer I worked at had security and architecture under the same VP, who would regularly make the two groups work together, or even ask people to move between teams. This meant that our architecture decisions were far more informed by security than the average enterprise architecture team, because we knew the issues or had worked closely with those who would. The architecture team (at least this member of it) weren’t security experts, but we were more aware and kept our eyes open for ways to ease security’s burden.

  • Build: Architectures matter. When faced with security, more always appears to be better. Always. The problem is that resources are limited, and response times can be negatively impacted. So target solutions where they will be the most useful. Layered is good if you can afford it, but I’ve never seen the shop where it was a reasonable idea at every juncture. So when detecting Bob from marketing logging in on his iPad from Uzbekistan while he’s simultaneously logged in from his office down the hall, put it on the edge. But when looking for SQL injection, put it with the code. There are a ton of options for where to implement either of these solutions, but the more you put into place, the more you have to maintain, and the greater the burden on security. That means picking the logical location and locking it down as tight as you can. Many shops will put these types of protection in multiple locations, yet one correct implementation is enough.

  • Profit: The tools and architectures that MSSPs can bring to bear for the benefit of customers are more diverse and powerful now than they have been in my entire time in IT. The ability to host what/where/when the customer wants, using the tools the customer needs, and providing value that the customer cannot easily walk away from, is great. We just have to make sure our Achilles’ heel is covered, and security does not cause that one breach that drives all of our customers to seek a different MSSP.

These steps won’t guarantee anything, but they will give your organization the tools and personnel to ensure customer (and corporate) data is secure. The rest is up to you.

Don MacVittie is the founder of Ingrained Technology, and has worked in every facet of IT from entry-level programmer to CIO, from network operations to storage and database analyst. He currently works in DevOps while running a successful technical evangelism consultancy. Don has contributed to projects his company worked on for organizations in DevOps, DevOps leadership, data protection, network security, global file systems and non-IP communications spaces, along with several international publications and PR firms. His MSSP background is in both communications and utilities. Follow him on LinkedIn or Twitter @dmacvittie.

Read more about:

MSPs
Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like