Managed security service providers (MSSPs) are IT service businesses that specialize in providing security-as-a-services offerings for their customers. While MSPs (managed services providers) have been around for 20+ years, MSSP practices have only recently begun to crop up and gain momentum.
To get a better picture of what MSSPs are and how they can help businesses address security challenges—such as identity access management (IAM) and privileged access management (PAM)—I spoke with Shawn Keve, Executive VP of Sales & Marketing at Simeio Solutions. Simeio is a BeyondTrust partner, and protector of over 100 million identities across its impressive customer base.
What is an MSP?
First, let’s review what an MSP is, in order to better distinguish it from an MSSP. In simple terms, a managed services provider is a third-party organization contracted out by a customer to perform various (usually ongoing) IT services. As opposed to a typical value-added reseller (VAR), which traditionally operates on a transactional and short-term basis (such as around a hardware purchase and deployment), MSPs typically partner with their customers over annual, or multi-year periods, receive recurring income for continuous services.
An MSP can help a customer at any stage of their IT lifecycle, including:
- creating policies and programs
- scoping potential solutions
- implementing solutions
- monitoring performance
MSPs can also manage ongoing IT services, such as by updating systems and making configuration changes to adapt to business needs. These service line items can include help desk support, network and application management and monitoring, hardware repair, and more. These services are generally outlined and agreed upon in an SLA (service level agreement).
How does an MSSP differ from an MSP?
The extra “S” in MSSP indicates that it is more focused on security than a typical MSP. While MSPs are increasingly offering security services (some may even have an MSSP practice rolled into the larger MSP business), MSSPs are purely focused on security. However, even then, according to Keve, MSSPs can encompass a fairly broad umbrella of security services.
For example, MSSP technology offerings may include deploying, configuring, and/or managing the following technologies:
- Intrusion prevention systems (IPS)
- Web content filtering
- Anti-virus (AV),
- Firewalls (UTMs, NGFWs, etc.)
- Vulnerability scanning
- Patch management
- Data loss prevention (DLP)
- Threat intelligence
- Identity access management (IAM)
- Privileged access management (PAM)
Furthermore, MSSP services may include:
- Risk assessments and gap analysis
- Policy development and risk management
- Solution scoping
- Solution/tool research and requisition
- Solution implementation
- Management of security systems
- Configuration management
- Security updates
- Reporting, auditing, and compliance
- Training and education
An MSSP may offer a broad, generalized suite of security capabilities and services, or it may specialize in one or a few core focus areas. “Traditionally, MSSPs have been overwhelmingly focused on the perimeter,” assesses Keve. “And, while MSSP offerings are evolving, even today, few MSSP’s tackle IAM, which is a focus of Simeio.”
Another differentiation between MSPs versus MSSPs is NOCs versus SOCs. MSPs frequently establish their own network operation center (NOC) from which they monitor and administrate over customer operations, MSSPs on the other hand typically establish a security operations center (SOC), which is responsible for protecting the infrastructure (networks, applications, databases, servers, etc.). However, as Keve notes, “if an MSP takes security seriously as part of its business, it may also operate a NOC.”
Organizations will commonly rely on both an MSP and an MSSP. “At Simeio, we work primarily with our clients, but we will often interoperate with functions out-sourced to a third-party, such as an MSP,” says Keve.
Why do organizations rely on MSSPs?
For many organizations, it simply boils down to the oft-bemoaned IT security skills shortage. Many IT staffs find themselves overtaxed in trying to ensure systems are operational, and with new initiatives, such as migrating to cloud or hybrid models, they simply lack the expertise or the time required for researching, installing, configuring, and managing security products and systems. Compliance initiatives that continue to ratchet up requirements, as well as an increasingly sophisticated threat landscape, also compound the problem.
An MSSP can step in at various client bottlenecks and help to:
- Scale up security
- Layer on needed expertise where there is an internal IT skills gap
- Understand the best solutions in the market
- Apply their know-how of having tackled similar challenges for diverse client environments
- Increase visibility into threats while expediting a security response (by having visibility into threats across multiple customers, an attack on one customer can allow MSSP adapt security to better protect its other customers)
“An MSSP can take over security and be proactive. They can fill the gaps, or they can provide back-up, such as doing monitoring and alerting during employees’ off-hours,” says Keve.
Why work with an MSSP?
According to Simeio, the following are the real-world drivers that galvanize prospective clients to solicit their help:
1) Risk analysis findings and / or a recent security breach event: According to Keve, a risk review exposing deficiencies, or having incurred a recent breach, are the top drivers prompting a prospective customer to reach out to Simeio. “The customer finds that they need a security capability, and they want to be mature in it fast,” explains Keve. “This often includes wanting a SOC 2 or ISO 270001 certification, which are outside reviews to certify your level of maturity. Many companies aren’t ‘security mature’ enough to receive those certifications. By leveraging an MSSP, they can immediately benefit from that level of maturity. Otherwise, it would require a significant investment in training, time, and money and people on their part.”
2) Lack of bandwidth: Not only do customers crave the skill sets that are difficult to source and maintain, they also desire the scale, bandwidth, and flexibility to optimally delegate those skills. “Companies typically want their people focused more on strategic things, such as compliance, rather than maintaining the tools,” appraises Keve. IT environments are rarely static constructs. Applications and environments continuously change. Businesses move workloads to the cloud, deploy new services, add branches, or merge their infrastructure through an acquisition. When it comes to controlling privileged access, “you need to be dynamically changing to continue to manage these privileges,” says Keve. This can mean gradually rolling out various pieces of a privilege management program across various applications, such as password management, or implementing server privilege management, or enforcing least privilege on end users. “So, it’s not just supporting the tool and keeping it running, it’s also continuing to expand adoption across the infrastructure,” adds Keve.
3) Rapidly evolving technology and threat landscape: The blistering pace of technological evolution and the constant morphing of threats makes it demanding to keep internal staff up to speed. “For instance, if you’re on a security team, IAM is one of perhaps 15-20 domains in security,” explains Keve. “And then you look at privilege management, which is one of 6 to 8 domains within identity management. You’re talking about a ton of tools and technologies. It just makes it incredibly challenging for the staff of non-security companies to learn and scale. And, when it comes to security, expertise is not something you want to have to gain on the job.”
4) A stalled project: According to Keve, many customers underestimate what it takes to maintain a sustainable privileged account management program. Sometimes, an organization’s IT team powers through phase 1 of a product install on their own, but then the initiative loses momentum, and they need an MSSP to help them fully operationalize the project. Often this occurs when companies take a tool-based or project-based approach as opposed to a solution-based approached. “They know they have a need or a problem,” says Keve. “They evaluate tools. They buy a tool. They treat it like a one-off project. They assume they can install it and connect it to some things, and think they’re done. But, the reality is, it still needs to be operationalized.” In some cases, prospective customers had purchased a tool, but it remained shelfware for many months, or even over a year. “Then they were breached and panicked to get it implemented,” says Keve.
Why are IAM & PAM critical MSSP offerings?
Identity and access management solutions and programs have traditionally been purchased and managed by teams that are separate from the teams focused on perimeter security. “But, today, we’re seeing reports and analysis published by Verizon and other vendors that most breaches have something to do with compromised credentials. It’s a break down in identity management,” explains Keve. “And privileged accounts are at the core of identity management in terms of risk exposure. For us, they’re high risk and dangerous accounts, mainly because they’re powerful and they tend to be shared or anonymous. They have access to sensitive information and applications and there’s a lack of visibility. That combination makes for a potentially bad situation. If security and risk are concerns for your organization, then PAM (privileged access management) is absolutely essential.”
How can an MSSP help you address your PAM challenges? Simieo likes to distill this into terms of visibility and control.
1) Visibility: “Customers need to know what the accounts are (privileged user, application, etc.), who has them, and what they are doing – so they know their risk,” says Keve.
2) Control: “Here, we want to address how those accounts get created, accessed, used, and how they’re maintained,” asserts Keve. “A simple best practice, such as rotating passwords on a periodic basis can be impossible to adequately enforce if you don’t even know where those accounts are. By implementing a solution, such as BeyondTrust PowerBroker Password Safe, we can automatically find and apply those policy requirements, such as password rotation. And, an MSSP helps enforce best practices, making sure silly mistakes such as default passwords don’t happen.”
How do you select an MSSP partner?
Before reaching out to an MSSP, an IT organization needs to be comfortable, and permitted by policy, with outsourcing security to third-parties. Some organizations may be prohibited from sub-contracting security services out, so it’s worthwhile to know what the policy is up front.
Market validation: Keve encourages considering market validation, such as accolades, reviews, or rankings of the MSSPs offerings as provided by vendors (such as BeyondTrust) and independent analysts. Often in performing and publishing research, analysts perform field checks with the MSSP’s customers.
Security maturity: Third-party certifications, such as SOC 2 and ISO 270001, are another key indicator of an MSSP’s security maturity. You can also assess a MSSP’s maturity as an entity by how long they’ve been in business. Simeio, for instance, has been focused on identity and access management for 10+ years and has three SOCs. “Having a physical SOC should be table stakes for MSSPs,” says Keve.
Generalization versus specialization: As a customer, do you need to plug many security gaps, or are there one or two areas of focus where you unquestionably need to improve? Some MSSPs may provide a broad range of services, while others might be experts in a few specialized areas. Depending on a customer’s needs, generalization or specialization might be more valuable in an MSSP.
Service level agreements: As you narrow down the vendor list, focus on the language in the SLAs, which can vary dramatically between MSSPs. What pieces of security will be managed by the MSSP, and which will be maintained by the in-house team? In emergency situations, such as an imminent security threat or breach, will the MSSP perform special services or contribute more hours? When there is ambiguity about how services will be rendered, how will it be resolved?
Domain expertise: Are you in a highly regulated industry, such as healthcare or financial services? Companies with a high compliance load should look to MSSPs that have strong experience within their industry.
When is the best time to enlist an MSSP?
There are MSSPs, such as Simeio, that can assist the customer at any point in the lifecycle. If the customer is starting a PAM or other security program from scratch, the MSSP can provide vendor recommendations and help design the program and best practice policies. If the organization has already chosen a tool, and have reached their breaking point, the MSSP can help get the implementation on the right track, and continue to maintain it. “We try to work with customers with the products they’ve already invested in and get them the best security ROI,” says Keve.
Final word: How Simeio sees the threat landscape evolving – insiders, IoT, & social accounts
Simeio foresees no slowdown of insider threats, while attackers arm themselves with ever more sophisticated tools. “The Dark Web allows attackers with even modest skills to buy powerful tools and launch industrial-grade attacks,” says Keve.
The proliferation of IoT is also creating new privileged accounts that need to be managed, presenting another exploitable ingress into organizations. “With IoT, you’re not talking about hundreds of thousands of identities to be managed anymore – you’re talking about billions,” emphasizes Keve.
Another area of increasing concern is social media accounts. “A couple years ago, no one was talking about privileged accounts in the context of social media. But, hackers or rogue insiders can inflict tremendous damage by hijacking a Twitter handle for a company,” warns Keve. With the right partner, and the right tools, such as BeyondTrust’s comprehensive PowerBroker PAM platform, organizations can stay protected amidst an escalating cyber arms race.