Security is at a junction right now. At no point has the remit of security been so vast and wide-reaching. The advent of digital devices, the internet, and ‘as a service’ type offerings has added a level of complication that businesses can’t handle on their own.
It’s the reason why certain managed services are growing in popularity as a whole - if you can’t handle something yourself, the next best thing is a strategic partnership - and for Angela Madden of Rits Group, complexity is but one element of many behind this shift.
“One is the resourcing issue for people, because they don’t have or want to recruit the specialist expertise or knowledge, they prefer to go with an outsourcing model,” she said. “We’re seeing more legal and regulatory requirements around the security of data and associated fines if you get caught with a breach. If you have insufficient security, that’s also now increasing [the number of] people looking to outsource their managed services.”
The other major threat is the significant increase in hacking and phishing attacks. Keeping on top of that requires a mixture of training, processes and maybe some technological solutions like email content filtering to prevent these attacks from succeeding.
The biggest one is the growing trend of “as a service” models that are popping up. Thanks to the ubiquity of the cloud, more and more companies are relying on these services instead of managing their own system internally.
There are great benefits from this model but, as Madden mentions, you really need to have all your processes and procedures in place so you can effectively manage the security.
“More often than not, you see people signing up to managed services, and sometimes the security might not be what they think they’re buying or what they need,” she said.
“You have to be very careful to know what it is you’re buying, in terms of managed services. Once you enter into that contract, it’s really important that they have some metrics that are provided by the managed service to give assurances that it’s being managed the way you expect it to be and in line [with your requirements].
“When it’s easy to outsource, you can never outsource responsibility for your data, you have to bear that in mind. You’re not able to outsource risk management, your risk is still your risk, it’s just someone else is doing the day-to-day stuff for you.”
The sheer scale of requirements for security means that most or all of Security Information and Event Management (SIEM) is being outsourced to managed services.
“For a company to invest in the infrastructure, software, manpower and resources, to capture the logs and do the alerting and then do the monitoring and then do the alerting, it’s a whole team of people and some will decide I don’t need that headache, I’m going to outsource it. The outsourcing of SIEM is definitely increasing,” said Madden.
Rits Group offers an audit process and review of third parties, which makes sure that all configuration settings are doing what they’re supposed to do and gives companies a level of assurance.
The idea is that while a managed service will offer its own audits, having an independent party look at its efforts and measures can give a better overall view of a company’s security posture. It adds an extra layer of accountability and transparency to proceedings so that you’re stronger in the long term.
“We’re being asked to perform audits and reviews of the third parties as a service to make sure that all the configuration settings are what they’re supposed to be in terms of protection of people’s infrastructure and data,” Madden said.
“Also, it’s to give a level of assurance as well to the company to say everything is okay, because if you have the managed service provider doing their own audits, what level of independence are you getting from that? We do a lot of work around the assurance services and managed services.”
For managed security services as a whole, the overall benefit is that, although you might have to pay for initial changes, security becomes cheaper and easier in the long run.
Regular, consistent management will mean you can spot problems faster and make the necessary adjustments instead of waiting for a crisis to happen. It’s one of the parts that is in sharp focus thanks to GDPR, which is now over a year old.
“That is one thing, too, in terms of the whole managed services is that people are more aware of their GDPR requirements,” said Madden. “Under GDPR, you’re still the data controller and the third party and the managed services is the data processor.
“Under the law, you’re responsible for making sure you have the proper contracts in place and your third parties comply, so you can’t sign a contract and say: ‘That’s fine, I’m set’, you’re still responsible under the law.”