Proposal Guidelines Archives Information Security Glossary Catalog InfoSecurityNetBASE Auerbach Publications Information Systems Security
Auerbach Publications

Four Cornerstones to a Successful MSSP Partnership

Trent Pham

Securing information assets has become a highly complex function demanding significant investment in process definition, security expertise, systems, and infrastructure. Compounding these challenges, it requires internal alignment between the various business units, IT organization and security teams to ensure the tensions between availability and security are well balanced. Security is also a 24x7 function, as threats can emerge at anytime.

Generally, there are two approaches to consider for an organization wanting to secure its network. It can do it internally or partner with a managed security services provider (MSSP). Both have their challenges and advantages, which each organization should consider based on its circumstance.

An internal approach requires a staff with security expertise, in addition to systems, toolsets, and processes to maintain an organization's security posture around the clock. Organizations that have time and money to implement an internal solution benefit from their ability to customize the solution fully, to integrate internal systems, including their ticketing environment or patch management systems, and to retain internal security knowledge.

If an organization is willing to share its network visibility with a trusted MSSP partner, it can benefit from shorter implementation time, skilled personnel, predictable cost, and a constant security posture through the partner's ability to identify security events in a proactive manner, and provide an organization with refined information to take action on.

An MSSP can help remove the burden of managing and monitoring security devices and offer the earliest possible warning of new threats emerging on the Internet and corporate networks. Additionally, an MSSP can provide real-time analysis and recommendations from security experts to prevent vulnerabilities from becoming security crises.

Purchasing managed security services is an investment of time, capital and trust. Organizations that select an MSSP as a security partner should be prepared to integrate the MSSP's people, processes, and technology with their own to effectively improve their security posture. This awareness of integration will prepare an organization for the commitment it will have with an MSSP. Ensuring the long-term success of a security partnership is based on four key areas of focus: trust, operational extension, service reviews, and parallel roadmaps.

Trust
It is critical for organizations to have clear visibility into the MSSP's service environment in order to better understand the services delivered. Managed security service providers that have earned certification under a widely recognized standard such as BS7799 have demonstrated their expertise in establishing, implementing, and documenting effective information management systems. Recertification must occur every three years through a complex process involving detailed audits of the MSSP's global security operations centers and data centers. This certification helps assure organizations that the MSSP uses proven policies, standards, procedures, and records to implement and maintain a world-class information security management environment that effectively protects assets and manages risk for its clients.

Another certification, the Statement of Auditing Standard No. 70 (SAS 70) Type II, also provides client organizations assurances regarding specific control objectives that the MSSP has designed to meet customers' unique needs. Many companies, particularly financial services and other highly regulated organizations, require credible proof that an MSSP has processes and controls in place to provide a consistent, stable, and secure environment to safely monitor and manage customer data throughout the organization. SAS 70 Type II certification addresses this need.

Organizations must also have a way to access information on how the MSSP is functioning. This can often be addressed through direct calls to the MSSP's security operations centers or more effectively, by empowering organizations with the ability to securely view service related information through a web portal. The portal should make available pertinent security information such as tickets, security incidents, events, logs, firewall reports, user information, and more.

By fostering an environment of both trust and transparency, the relationship between the organization and the MSSP can provide a solid foundation for ensuring a high quality of operation for building a secure infrastructure.

Operational Extension
Organizations must enable the MSSP to become an extension of their own security organization-a trusted advisor in the next cubicle as opposed to an outsider. To that end, organizations must be treated as partners rather than as customers. After all, outsourcing should not mean "out of your control."

One of the most effective ways to ensure operational extension is to enable seamless two-way communication with an organization through process and technology, while maintaining current data of an organization's network. There should also be alignment of the MSSP's support organization dedicated to supporting specific organizations as well as establishment of a single point of contact for the organization to interact with should they need to escalate a security issue. Moreover, because operations include not only people but also processes and technologies, organizations and MSSPs must establish a communications system for quickly notifying organizations of any emerging threats that are relevant to their environment and offering the information they need to proactively respond and strengthen their security posture.

Service Reviews

Organizations should conduct regular service review sessions to fully understand the state of the service. Service reviews help keep the relationship between the organization and MSSP honest and successful. These sessions are opportunities to determine what is and isn't working, and if necessary, to recalibrate the service. Often, if service reviews are not done, the organization and MSSP are unable to have a complete picture of how the service is performing and ultimately how secure the organization's assets are.

Review sessions help ensure accountability, and the dialogue helps to sustain strong relations between the organization and their MSSP. It is recommended that service reviews be conducted as frequent as monthly at the beginning of the MSSP relationship. This schedule can be changed to quarterly as the partnership matures.

Parallel Roadmaps
An organization's future security needs should parallel their MSSP's roadmap. This requires an MSSP to have the depth and breadth of expertise to meet an organization's current security needs. Equally important is an understanding of the MSSP's planned developments so this can be mapped to an organization's long-term security needs. The organization must be able to articulate what it is looking to accomplish by partnering with an MSSP, and the MSSP must be prepared to articulate what it can offer to that end.

Together their roadmaps for 6, 12, and potentially 18 months out should be in sync to ensure an organization's security needs are met today and tomorrow.

An organization that performs due diligence up front will be able to partner with the right MSSP for an important and critical service to its business. A MSSP that provides the right combination of people, processes, and technology can maximize the value of an organization's investments in technology and internal resources while helping to control security spending. Most importantly, by effectively solving security problems, these services enable organizations to focus on their core business issues to deliver both short- and long-term benefits that enhance profitability and create new business opportunities.


About the Author
Trent Pham is a senior product manager with Symantec Managed Security Services.

© Copyright 2007 Auerbach Publications