Every profitable business relies on a healthy supply chain to deliver its product or service, and so to deliver value to customers. Profitability on the black digital market is no different: technically proficient individuals rely on building a healthy supply chain of data in order to turn a profit. However, for any supply chain to remain profitable, it must remain unbroken. Where data is stolen, the theft must remain undetected, or the chain is broken. It is therefore troubling to see that the data theft market is a market in boom. In the 2019 Verizon Data Breach Investigations Report (VDBIR), 71 per cent of data breaches were found to be financially motivated, while a further 56 per cent of breaches took months or more to discover. These are healthy data supply chains that were profitable for the months leading up to their discovery, and were remediated only by severing the chain.
Digital transformation has become a catalyst for change for organisations to improve their IT environments, expanding into the cloud and dissolving the traditional security perimeter. With this expanded attack surface, IT teams often struggle to keep up with the complexity, compliance requirements or security risk assessments, which may be completely new territories to them.
With increased business change, the demand for Managed Security Service Providers (MSSPs) has been increasing for some time. There are, however, a number of other reasons, and other business considerations, that should influence an organisation’s choice to either perform identity and access management (IAM) functions in-house, or to outsource them to an external provider.
Here’s what needs to be considered:
- What are the security objectives that brought you to consider outsourcing IAM to an MSSP?
When deciding to outsource certain security functions, it is necessary to have a clear picture of the objectives the organisation wants to achieve. Whether these are the scalability of the authentication process to account for people working remotely, or monitoring privileged sessions to protect the most critical databases, these goals need to be laid out before any other consideration is made. After all, not all MSSPs are created equal, and it is important to choose a model that suits the security objectives specific to the business.
- Has your organisation undergone significant digital transformations, and has your IT security function been able to keep up?
With the advent of cloud environments and the progressive digitalisation of operations, security needs are changing faster than ever. When choosing an MSSP, it’s important to both understand what has transformed within the organisation and where IT security teams may have fallen behind with putting the appropriate security measures in place.
Furthermore, assessing which changes the organisation is planning to implement in the future can also help to make decisions that take security into account from the design phase. This means that, rather than having to draft new security policies and procedures further down the line, security can be part of the process from the beginning and be seamlessly integrated with business operations.
- What is the surface that you need to protect?
Knowing what needs to be protected is another fundamental piece of building a successful IAM strategy. Organisations looking to MSSPs should have a thorough inventory of all their digital assets and should prioritise them based on their individual risk factors. Much like vulnerabilities, which are rated based on the likelihood of their being exploited and the potential consequences of such an exploit, different databases and systems have different risk factors. Obviously, more critical systems will need a stronger form of authentication, but understanding how identity is structured across other systems is also necessary to make sure that there aren’t other ways in which an attacker could manage to escalate privileges and reach the crown jewels.
- Does your organisation have a BYOD policy?
As the office transforms to allow more employee flexibility, and as connected portable devices travel in our pockets and on our wrists, the potential entry points that an attacker could exploit to gain access to an organisation’s network have grown exponentially.
And with people working remotely, or using their own laptops at work, it has now become a necessity to ensure that sessions from these devices are as secure as they would be if the employee had accessed the network from within the organisation’s walls.
- Are you aware of the shadow IT on your network?
Visibility is a core principle of IT security. It is paramount for organisations to know what is connected to their network, as it is impossible to protect an entry point that you didn’t know was there.
What is considered shadow IT depends on organisations’ individual policies, but it generally includes all the systems that are used without the knowledge of the IT department. As these systems can be a liability, you should have policies in place to control what is installed on the network and what employees are doing on their machines. This can take the form of firewall restrictions, but each case needs to be assessed individually to minimise the risks.
- Do you have external workers accessing your environment?
Visibility over who has access to the environment is one of the keys to a successful IAM policy. This includes third-party suppliers and contractors who may have access to your internal network and systems. These users are no less at risk than internal ones and should therefore be managed according to the same principles that guide internal IAM policies, ensuring that users are assigned the least privilege they need to do their job.
- Human resources: how is your IT team keeping up with your cybersecurity needs?
One of the main reasons to turn to an MSSP is to reduce the workload of IT security functions and to manage security in a more cost-effective way. Before purchasing an expensive automation solution, you would need to ensure that your internal team has the skills and the bandwidth to operate it effectively.
Similarly, when choosing an MSSP model, you should consider how much can be done in-house, where it would be worth saving manpower, and where instead it makes more sense for your own security people to manage processes and procedures. There shouldn’t be any gaps between the security tools you use, and there shouldn’t be any between the functions you outsource and those you keep in-house.
- What compliance standards do you need to adhere to?
While previously it was only regulated industries such as financial services and insurance that needed to comply with specific standards, the advent of GDPR and other privacy regulations has put all organisations on the radar of regulatory bodies. It is now each business’s individual responsibility to protect the data it stores, and the consequences of not doing so can be disastrous in both economic and reputational terms.
Be realistic about the resources of your IT security function: can they meet the compliance requirements?
Addressing these issues ahead of making the leap to an MSSP will help both the organisation and the MSSP to work together in the way that best suits individual requirements. As with most relationships, it is a two-way street, so organisations that lay the groundwork up front will be setting themselves up for success – with the help and guidance of their chosen MSSP.
Alan Radford, Technical Director, One Identity