Difference between revisions of "User:Shawndouglas/sandbox/sublevel24"
Shawndouglas (talk | contribs) (Blanked the page) Tag: Blanking |
Shawndouglas (talk | contribs) |
||
Line 1: | Line 1: | ||
==5. Managed security services and quality assurance== | |||
So far in this guide, the assumption has been made that your organization—whether a laboratory or some other business type—will either have the knowledgeable and experienced onsite personnel to assist with a cloud implementation or will acquire such people as new hires or contracted consultants. But as the age of [[cloud computing]] has progressed ever onward and more businesses have moved to the cloud, a third option has emerged: have someone else, like an MSSP, manage most of the implementation and security details for you. | |||
===5.1 The provision of managed security services=== | |||
Gartner defines a managed security service provider (MSSP) as an entity that "provides outsourced monitoring and management of security devices and systems," including "managed firewall, intrusion detection, virtual private network, vulnerability scanning, and anti-viral services."<ref name="GartnerManaged">{{cite web |url=https://www.gartner.com/en/information-technology/glossary/mssp-managed-security-service-provider |title=Managed Security Service Provider (MSSP) |work=Gartner Glossary |publisher=Gartner, Inc |accessdate=28 July 2023}}</ref> Gartner continues, noting that MSSPs run their security operations through their own or third-party data centers in order to provide an "always available" service, with the ultimate intent of reducing "the number of operational security personnel an enterprise needs to hire, train, and retain to maintain an acceptable security posture."<ref name="GartnerManaged" /> In addition to reducing personnel requirements, turning to an MSSP may also improve the overall security competency of and reduce the technological complexity burdens within an organization.<ref name="IBMMSS">{{cite web |url=https://www.ibm.com/services/managed-security |title=Managed security services (MSS) |publisher=IBM |accessdate=28 July 2023}}</ref><ref name="SOTheReal20">{{cite web |url=https://secureops.com/2020/08/26/the-real-benefits-of-an-mssp/ |archiveurl=https://web.archive.org/web/20210514165923/https://secureops.com/2020/08/26/the-real-benefits-of-an-mssp/ |title=The REAL Benefits of a Managed Security Service Provider (MSSP) |publisher=SecureOPS |date=26 August 2020 |archivedate=14 May 2021 |accessdate=28 July 2023}}</ref> | |||
One perceived downside to this approach may be the added risk of placing access to sensitive data in the hands of a third party, and indeed, there may be a few unique situations where it makes the most sense to keep security operations in-house.<ref name="TrianzHowMana21">{{cite web |url=https://www.trianz.com/insights/managed-cloud-security-services-how-and-why-it-works |title=How Managed Cloud Security Works, and Why You Might Want It |publisher=Trianz |date=29 March 2021 |accessdate=28 July 2023}}</ref> However, this perceived downside largely comes down to a question of the trust you place in the MSSP. As was discussed in previous chapters, many cloud service providers (CSPs) recognize the importance of supporting the element of trust associated with its services, as witnessed by their trust centers and associated documentation and certifications, particularly those related to the management of sensitive data. This element of trust is also baked into the service level agreement (SLA) provided by the CSP.<ref name="TrianzHowMana21" /> In the end, just like a CSP, the level of trust you place with an MSSP will largely be based upon your business' approach to both vetting them and determining the level of accepted risk should the MSSP not be able to meet your every requirement. (These aspects are discussed in further detail in the following chapter.) | |||
====5.1.1 Managed security services in the cloud==== | |||
[[File:Cloud-Security.png|right|400px]]Just as turning to a CSP's [[infrastructure as a service]] (IaaS) offloads much of the responsibility for supporting IT infrastructure to someone else, you can also offload a significant portion of the responsibility for supporting cloud security to someone else. As such, the vendor of managed security services (MSS)—whether it's the CSP itself or a third-party cloud-friendly MSSP—manages cloud-based security aspects such as vulnerability testing, intrusion detection, firewall management, virtual private network (VPN) management, security reporting, and technical support for your cloud implementation. As such, most of your internal IT staff can be freed to focus on other aspects of the business' IT infrastructure and operational developments. | |||
But turning to MSS for your cloud implementation should be about more than just staffing relief. Outsourcing security services may also have other perceived benefits to an organization, such as gaining operational and financial efficiency, increasing service availability, and avoiding technological obsolescence.<ref name="FFIEC_Out04">{{cite web |url=https://ithandbook.ffiec.gov/media/274841/ffiec_itbooklet_outsourcingtechnologyservices.pdf |archiveurl=https://web.archive.org/web/20220201011601/https://ithandbook.ffiec.gov/media/274841/ffiec_itbooklet_outsourcingtechnologyservices.pdf |format=PDF |title=Outsourcing Technology Services |author=Federal Financial Institutions Examination Council |publisher=FFIEC |date=June 2004 |archivedate=01 February 2022 |accessdate=28 July 2023}}</ref> To be sure, managing [[cybersecurity]] in the cloud is both vital to and difficult for the average organization, particularly small organizations like independent laboratories with constrained budgets. Managing the physical and cybersecurity complexities associated with the likes of the [[Health Insurance Portability and Accountability Act]] (HIPAA), the [[General Data Protection Regulation]] (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS) can be daunting, particularly given a lack of sufficient in-house expertise. Throw hybrid and multicloud deployments into the mix, and you suddenly require even more in-house expertise for development in public cloud environments like AWS and Microsoft Azure. When also considering that traditional on-premises IT security experience is not enough to manage cloud implementations, it's not difficult to imagine a scenario where an inexperienced IT staff could misconfigure a network security setting and compromise sensitive data within a cloud implementation.<ref name="TrianzHowMana21" /> | |||
An optimally run set of managed security services by a knowledgeable and experienced organization able to offer and stick to clear, legally defensible service level agreements and information governance mechanisms<ref name="SmallwoodInform14">{{cite book |title=Information Governance: Concepts, Strategies, and Best Practices |chapter=Chapter 1: The Onslaught of Big Data and the Information Governance Imperative |author=Smallwood, R.F. |publisher=Wiley |pages=3–13 |year=2014 |isbn=9781118218303}}</ref><ref name="O'NeillInform15">{{cite web |url=https://www.daymarksi.com/information-technology-navigator-blog/information-governance-a-principled-framework |title=Information Governance: A Principled Framework |author=O'Neill, S. |work=Daymark Blog |date=22 October 2015 |accessdate=28 July 2023}}</ref> makes sense for organizations without the necessary technical expertise and with significant liability should something go wrong. The complexities of running secure operations in the cloud only increase the importance of such an MSSP. Such a provider is able to<ref name="DotsonPract19">{{cite book |title=Practical Cloud Security: A Guide for Secure Design and Deployment |chapter=Chapter 7: Detecting, Responding to, and Recovering from Security Incidents |author=Dotson, C. |publisher=O'Reilly Media |pages=139–71 |year=2019 |isbn=9781492037514}}</ref>: | |||
* monitor for, identify, assess, and react to vulnerabilities, intrusions, and other threats; | |||
* audit, adjust, and patch native security settings; | |||
* improve encryption, firewall, and anti-malware mechanisms; | |||
* manage and secure connected devices; | |||
* manage and improve identity access management; and | |||
* provide detailed reports about the state of organizational infrastructure. |
Revision as of 20:07, 26 July 2023
5. Managed security services and quality assurance
So far in this guide, the assumption has been made that your organization—whether a laboratory or some other business type—will either have the knowledgeable and experienced onsite personnel to assist with a cloud implementation or will acquire such people as new hires or contracted consultants. But as the age of cloud computing has progressed ever onward and more businesses have moved to the cloud, a third option has emerged: have someone else, like an MSSP, manage most of the implementation and security details for you.
5.1 The provision of managed security services
Gartner defines a managed security service provider (MSSP) as an entity that "provides outsourced monitoring and management of security devices and systems," including "managed firewall, intrusion detection, virtual private network, vulnerability scanning, and anti-viral services."[1] Gartner continues, noting that MSSPs run their security operations through their own or third-party data centers in order to provide an "always available" service, with the ultimate intent of reducing "the number of operational security personnel an enterprise needs to hire, train, and retain to maintain an acceptable security posture."[1] In addition to reducing personnel requirements, turning to an MSSP may also improve the overall security competency of and reduce the technological complexity burdens within an organization.[2][3]
One perceived downside to this approach may be the added risk of placing access to sensitive data in the hands of a third party, and indeed, there may be a few unique situations where it makes the most sense to keep security operations in-house.[4] However, this perceived downside largely comes down to a question of the trust you place in the MSSP. As was discussed in previous chapters, many cloud service providers (CSPs) recognize the importance of supporting the element of trust associated with its services, as witnessed by their trust centers and associated documentation and certifications, particularly those related to the management of sensitive data. This element of trust is also baked into the service level agreement (SLA) provided by the CSP.[4] In the end, just like a CSP, the level of trust you place with an MSSP will largely be based upon your business' approach to both vetting them and determining the level of accepted risk should the MSSP not be able to meet your every requirement. (These aspects are discussed in further detail in the following chapter.)
5.1.1 Managed security services in the cloud
Just as turning to a CSP's infrastructure as a service (IaaS) offloads much of the responsibility for supporting IT infrastructure to someone else, you can also offload a significant portion of the responsibility for supporting cloud security to someone else. As such, the vendor of managed security services (MSS)—whether it's the CSP itself or a third-party cloud-friendly MSSP—manages cloud-based security aspects such as vulnerability testing, intrusion detection, firewall management, virtual private network (VPN) management, security reporting, and technical support for your cloud implementation. As such, most of your internal IT staff can be freed to focus on other aspects of the business' IT infrastructure and operational developments.
But turning to MSS for your cloud implementation should be about more than just staffing relief. Outsourcing security services may also have other perceived benefits to an organization, such as gaining operational and financial efficiency, increasing service availability, and avoiding technological obsolescence.[5] To be sure, managing cybersecurity in the cloud is both vital to and difficult for the average organization, particularly small organizations like independent laboratories with constrained budgets. Managing the physical and cybersecurity complexities associated with the likes of the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS) can be daunting, particularly given a lack of sufficient in-house expertise. Throw hybrid and multicloud deployments into the mix, and you suddenly require even more in-house expertise for development in public cloud environments like AWS and Microsoft Azure. When also considering that traditional on-premises IT security experience is not enough to manage cloud implementations, it's not difficult to imagine a scenario where an inexperienced IT staff could misconfigure a network security setting and compromise sensitive data within a cloud implementation.[4]
An optimally run set of managed security services by a knowledgeable and experienced organization able to offer and stick to clear, legally defensible service level agreements and information governance mechanisms[6][7] makes sense for organizations without the necessary technical expertise and with significant liability should something go wrong. The complexities of running secure operations in the cloud only increase the importance of such an MSSP. Such a provider is able to[8]:
- monitor for, identify, assess, and react to vulnerabilities, intrusions, and other threats;
- audit, adjust, and patch native security settings;
- improve encryption, firewall, and anti-malware mechanisms;
- manage and secure connected devices;
- manage and improve identity access management; and
- provide detailed reports about the state of organizational infrastructure.
- ↑ 1.0 1.1 "Managed Security Service Provider (MSSP)". Gartner Glossary. Gartner, Inc. https://www.gartner.com/en/information-technology/glossary/mssp-managed-security-service-provider. Retrieved 28 July 2023.
- ↑ "Managed security services (MSS)". IBM. https://www.ibm.com/services/managed-security. Retrieved 28 July 2023.
- ↑ "The REAL Benefits of a Managed Security Service Provider (MSSP)". SecureOPS. 26 August 2020. Archived from the original on 14 May 2021. https://web.archive.org/web/20210514165923/https://secureops.com/2020/08/26/the-real-benefits-of-an-mssp/. Retrieved 28 July 2023.
- ↑ 4.0 4.1 4.2 "How Managed Cloud Security Works, and Why You Might Want It". Trianz. 29 March 2021. https://www.trianz.com/insights/managed-cloud-security-services-how-and-why-it-works. Retrieved 28 July 2023.
- ↑ Federal Financial Institutions Examination Council (June 2004). "Outsourcing Technology Services" (PDF). FFIEC. Archived from the original on 01 February 2022. https://web.archive.org/web/20220201011601/https://ithandbook.ffiec.gov/media/274841/ffiec_itbooklet_outsourcingtechnologyservices.pdf. Retrieved 28 July 2023.
- ↑ Smallwood, R.F. (2014). "Chapter 1: The Onslaught of Big Data and the Information Governance Imperative". Information Governance: Concepts, Strategies, and Best Practices. Wiley. pp. 3–13. ISBN 9781118218303.
- ↑ O'Neill, S. (22 October 2015). "Information Governance: A Principled Framework". Daymark Blog. https://www.daymarksi.com/information-technology-navigator-blog/information-governance-a-principled-framework. Retrieved 28 July 2023.
- ↑ Dotson, C. (2019). "Chapter 7: Detecting, Responding to, and Recovering from Security Incidents". Practical Cloud Security: A Guide for Secure Design and Deployment. O'Reilly Media. pp. 139–71. ISBN 9781492037514.