Difference between revisions of "User:Shawndouglas/sandbox/sublevel1"

From LIMSWiki
Before we move on to choosing an MSSP, we need to briefly mention the shared responsibility model and how it relates to both the MSSP's (and CSP's) services and assuring quality within the laboratory. Back in Chapter 2, we discussed the shared responsibility model, occasionally referred to as the "shared security model." We said the shared responsibility model is useful because it clarifies the division of responsibility for information security between the laboratory and the CSP with regard to the provided cloud services. A trusted CSP should be able to make both levels of responsibility clear at every step of the way, from early contract discussions to late-stage changes to customer services. The CSP remains responsible for certain levels of the IT infrastructure and software, while the laboratory remains responsible for the security of the guest OS, account security, firewall settings, and more. This delineation of responsibility varies from provider to provider, but optimally each provider communicates it clearly to the lab.

In the cloud context, an MSSP can further reduce the laboratory's burden of responsibility, not only for its cloud services but also for any networked on-premises systems. An MSSP can take on responsibility for the guest OS, network configuration, firewall settings, and server-side encryption, as well as a select portion of client-side data encryption, data integrity authentication, application hardening, and network traffic monitoring and protection.<ref name="WangShared20">{{cite web |url=https://blog.cloudticity.com/shared-responsibility-cloud-managed-service-provider-security |title=Shared Responsibility in the Cloud: Reduce Your Security Burden With a Managed Security Service Provider (MSSP) |author=Wang, K. |work=Cloudticity Blog |publisher=Cloudticity |date=14 October 2020 |accessdate=21 August 2021}}</ref><ref name="SavirHowAMan">{{cite web |url=https://allcloud.io/blog/how-a-managed-service-provider-can-harden-security-across-your-business-and-save-on-costs/ |title=How a Managed Service Provider Can Harden Security Across Your Business and Save on Costs |author=Savir, L. |work=AllCloud Blog |date=n.d. |accessdate=21 August 2021}}</ref> This frees the laboratory from even more security detail, providing monetary, quality, and time-investment benefits. As noted earlier, however, the laboratory is not completely free from worrying about security. A company culture of cybersecurity and quality must continue to be driven by strong management buy-in, well-documented business and quality policies, well-considered and well-enforced operational policies, and regular quality training.

That said, how does the shared responsibility model affect the work of the QAO and the laboratory's overall efforts to ensure security in the cloud, particularly with an MSSP? Primarily, shared responsibility says that the laboratory can't take a "set it and forget it" approach to security, even with a CSP and MSSP taking a significant portion of the responsibility off the laboratory's hands. Going back to the Wyoming Department of Health and its accidental upload of patient data to a public server, neither a cloud provider nor an MSSP could have done much in this situation. We don't know the circumstances and technology surrounding their incident, but let's imagine that the public health lab was using a CSP and an MSSP. Certainly, the CSP would have no real say in how the lab uploaded content to a server outside its domain. The MSSP largely would bear no blame either, as it likely wouldn't even be aware of the public server to which data was being uploaded. No, that would be an internal policy issue, and a solid example of how the laboratory would still have a shared stake in the responsibility for security at the lab.

From that example, we'd have to turn to the work of laboratory staff and management, including the QAO. Again, imagining a scenario where the lab was using both a CSP and an MSSP, a number of questions would arise, primary among them being "were they fully aware of and committed to the security responsibility they shared with their service providers?" That level of responsibility would include engaging in cybersecurity discussions among management and key IT personnel, having frank discussions about risk, and bringing in outside help where expertise was lacking. It would also include having a thorough understanding of how lab workers do their job, including learning about any public servers they were using. And it would also, ideally, involve discussion of that laboratory workflow with the MSSP. With all these elements in place, the likelihood of foreseeing the risk associated with uploading data to public servers from laboratory computers would, optimistically, be high. Finally, if we add the element of either a laboratory QAO or "cybersecurity quality and compliance officer," one could imagine the scenario turning out differently for the Department of Health. In the end, however, it would have still required knowledgeable personnel, a strong laboratory-wide focus on cybersecurity, and a committed QAO familiar with the importance of the shared responsibility model—and at least the basics of information security—to help ensure the quality of laboratory operations and the information security required of them.

[[File:NSOC-2012.jpg|right|400px]]Many MSSP options exist for labs seeking MSS. (Appendix 2 of this guide provides a list of profiles for top MSSPs to consider.) In some cases, if the lab is already using a public or hybrid cloud provider, that provider may already offer MSS to its customers, providing a certain level of convenience and familiarity to the lab. (For example, both IBM and Cisco, which offer public and hybrid cloud services, are ranked among the top 30 MSSPs in several publications.<ref name="MSSPCyber20">{{cite web |url=https://www.msspalert.com/top250/list-2020/25/ |title=Top 250 MSSPs for 2020: Companies 10 to 01 |work=Top 250 MSSPs: Cybersecurity Company List and Research for 2020 |publisher=MSSP Alert |date=September 2020 |accessdate=21 August 2021}}</ref><ref name="MSSPCyber-30to21_20">{{cite web |url=https://www.msspalert.com/top250/list-2020/23/ |title=Top 250 MSSPs for 2020: Companies 30 to 21 |work=Top 250 MSSPs: Cybersecurity Company List and Research for 2020 |publisher=MSSP Alert |date=September 2020 |accessdate=21 August 2021}}</ref><ref name="STHTop15_21">{{cite web |url=https://www.softwaretestinghelp.com/managed-security-service-providers/ |title=Top 15 Best Managed Security Service Providers (MSSPs) In 2021 |publisher=Software Testing Help |date=30 April 2021 |accessdate=21 August 2021}}</ref><ref name="CDMMSSPs21">{{cite web |url=https://www.cyberdefensemagazine.com/top-100-managed-security-service-providers-mssps/ |title=Top 100 Managed Security Service Providers (MSSPs) |work=Cyber Defense Magazine |publisher=Cyber Defense Media Group |date=18 February 2021 |accessdate=21 August 2021}}</ref>) However, in some cases it may make sense for the lab to look beyond its cloud provider, particularly if that cloud provider doesn't supply MSS to its clients.

As discussed previously, a knowledgeable and well-run MSSP can provide many benefits to the cloud-based lab, but what should stand out about the MSSP you select? When choosing a provider of comprehensive cloud-based MSS, you'll be looking for not only years of experience managing cloud installations, but also that the provider is able to<ref name="TrianzHowMana21">{{cite web |url=https://www.trianz.com/insights/managed-cloud-security-services-how-and-why-it-works |title=How Managed Cloud Security Works, and Why You Might Want It |publisher=Trianz |date=29 March 2021 |accessdate=21 August 2021}}</ref><ref name="RSIHowMuch20">{{cite web |url=https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/ |title=How Much Does Managed Security Services Cost? |publisher=RSI Security |date=20 August 2020 |accessdate=21 August 2021}}</ref><ref name="Russell10Tips21">{{cite web |url=https://www.harmony-tech.com/10-tips-for-selecting-a-managed-security-services-provider-mssp/ |title=10 Tips for selecting a Managed Security Services Provider (MSSP) |author=Russell, J. |work=HarmonyTech Blog |date=10 January 2021 |accessdate=21 August 2021}}</ref><ref name="NTTHowToChoose16">{{cite web |url=https://www.nttsecurity.com/docs/librariesprovider3/resources/us_data_sheet_how_to_choose_an_mssp_uea_v1 |format=PDF |title=How to Choose an MSSP |publisher=NTT Security |date=November 2016 |accessdate=21 August 2021}}</ref>:

* demonstrate deep knowledge of cloud-agnostic, industry-relevant best practices and approaches to security frameworks and their implementation;
* demonstrate deep knowledge of regulatory mechanisms affecting your data and how to approach cloud security based upon those regulatory requirements;
* describe what certifications, training, and continuing education requirements are met by staff;
* leverage existing and emerging cloud security tools (e.g., security information and event management [SIEM] software) for automating security processes in a scalable, future-proof fashion;
* validate how their cloud security tools accomplish what they're intended to do, as well as how gathered information is analyzed both automatically and by the provider's analysts;
* demonstrate how their approaches to security management can fit into or further mold your current IT and risk management strategies;
* provide transparent pricing (e.g., tiered or bundled, based on number of users, or something else) and make clear what the service covers;
* provide examples of existing and past customers willing to give feedback about their experience with the provider;
* provide a single point of contact to act as a security advocate for you during the entirety of your contract;
* support not only open-source security management tools, but also be flexible enough to integrate your own proprietary solutions and their associated licenses into the managed service.

Of course, cost will also be of concern. However, a blanket "how much does it cost" question isn't going to produce a simple answer; there will be many variables (e.g., business needs, current solutions, current IT staffing, regulatory requirements) within your organization that make it difficult for an MSSP to provide a canned response. They will need to respond to your lab's needs, which may be different from another lab's.<ref name="DosalIsMan19">{{cite web |url=https://www.compuquip.com/blog/is-managed-security-worth-the-cost |title=Is Managed Security Worth the Cost? |author=Dosal, E. |work=Compuquip Blog |date=02 May 2019 |accessdate=21 August 2021}}</ref> Additionally, costs associated with MSS can vary, not only from provider to provider but also based upon each provider's pricing model. Will they charge your lab based upon number of users, number of devices, or some other mechanism? Does the MSSP provide a flat rate for protecting your cloud resources, or do they offer different tiers or bundles of services? And will the MSSP providing cloud-based MSS also manage your non-cloud resources? A "per user" or "per device" approach to pricing may make sense for small labs, but larger organizations may balk at such inflated costs, preferring a flat rate or tiered package of services. Those tiered services may be based on either a user number range or a set of offered services.<ref name="RSIHowMuch20" />

Ultimately, before approaching an MSSP, your lab will have needed to go through multiple steps internally: stating IT goals, identifying technology and education gaps, and determining a budget to support those goals and gaps. If your lab doesn't have a clear picture of what it has, where it wants to be, and what it will need to get there, the selection process will be even more difficult. As such, your lab may want to consider the request for information (RFI) process as part of your selection process.



Revision as of 23:44, 3 February 2022


References

  1. "Top 250 MSSPs for 2020: Companies 10 to 01". Top 250 MSSPs: Cybersecurity Company List and Research for 2020. MSSP Alert. September 2020. https://www.msspalert.com/top250/list-2020/25/. Retrieved 21 August 2021.
  2. "Top 250 MSSPs for 2020: Companies 30 to 21". Top 250 MSSPs: Cybersecurity Company List and Research for 2020. MSSP Alert. September 2020. https://www.msspalert.com/top250/list-2020/23/. Retrieved 21 August 2021.
  3. "Top 15 Best Managed Security Service Providers (MSSPs) In 2021". Software Testing Help. 30 April 2021. https://www.softwaretestinghelp.com/managed-security-service-providers/. Retrieved 21 August 2021.
  4. "Top 100 Managed Security Service Providers (MSSPs)". Cyber Defense Magazine. Cyber Defense Media Group. 18 February 2021. https://www.cyberdefensemagazine.com/top-100-managed-security-service-providers-mssps/. Retrieved 21 August 2021.
  5. "How Managed Cloud Security Works, and Why You Might Want It". Trianz. 29 March 2021. https://www.trianz.com/insights/managed-cloud-security-services-how-and-why-it-works. Retrieved 21 August 2021.
  6. "How Much Does Managed Security Services Cost?". RSI Security. 20 August 2020. https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/. Retrieved 21 August 2021.
  7. Russell, J. "10 Tips for selecting a Managed Security Services Provider (MSSP)". HarmonyTech Blog. 10 January 2021. https://www.harmony-tech.com/10-tips-for-selecting-a-managed-security-services-provider-mssp/. Retrieved 21 August 2021.
  8. "How to Choose an MSSP" (PDF). NTT Security. November 2016. https://www.nttsecurity.com/docs/librariesprovider3/resources/us_data_sheet_how_to_choose_an_mssp_uea_v1. Retrieved 21 August 2021.
  9. Dosal, E. "Is Managed Security Worth the Cost?". Compuquip Blog. 2 May 2019. https://www.compuquip.com/blog/is-managed-security-worth-the-cost. Retrieved 21 August 2021.