One of the biggest mistakes companies make when it comes to their security strategy is thinking they have to apply the same level of security across their entire environment. This doesn’t make sense. It doesn’t make sense from a purely economic perspective, as it makes security extremely expensive, and it also doesn’t make sense from a risk perspective, as risk varies across an organization.
Even ultra large companies have to give up some ground. They need to look at the range of elements they have been tasked with protecting and decide which they are going to protect more, which they are going to protect less, and which they are going to monitor the most—requiring the most restrictions and controls.
Even when I worked at large enterprises, we had to give up land. We had to decide what the most important thing to protect was—was it our ecommerce site, our intellectual property, our update process, or our internal systems? We needed to make choices and implement significant controls to make sure the most critical environments would not go down or be compromised. To do this appropriately we spent more and had tighter controls on one set of systems and fewer controls on others. This was totally appropriate in these circumstances.
When a managed service provider (MSP) looks at an organization, they need to ask themselves, “How should I secure that environment?” We’ve talked about protecting crown jewels in a previous blog. When you look at a customer’s environment, what are the things that people are going to be after? What are the things that need to be protected the most? And what are the things that are less important that don’t need as much protection?
We’ve referenced patient care and healthcare in previous blogs, because they are easy examples showcasing the importance of security. In this scenario, if you’re managing patient care, you can never allow the patient to be compromised. As an MSP, this means looking at everything around the patient: how those systems are run, how they are connected, and how they are accessed. You then need to ensure there is strong protection around them, as you don’t want someone haphazardly accessing those systems.
The other thing to consider is containment. What happens if someone’s machine does get compromised? You need to model that out. For example, if my laptop was compromised, you could get at my email and some of our business systems, but you could not shut down SolarWinds MSP or gain access to our remote monitoring and management (RMM) platforms. The idea is to compartmentalize the network, so you can see exactly what happens when X is compromised and contain any potential damage at different levels.
The problem with thinking you need ultra security everywhere is that you actually end up with low security everywhere, as you ultimately become too thinly stretched and end up failing on all fronts. To continue the patient care example from above, you can end up not protecting the patient because you were focused on the billing system. Even though this is important, it’s not as important as patient care.
Ultimately, all these points are interlinked. MSPs have to understand the crown jewels and what a company’s priorities are, and then put a plan together that covers everything, from isolation to appropriate security, for those things that are at the highest level of risk or of the highest importance in an environment.
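The containment modelling described above (what an intruder on one laptop can reach) and the crown-jewel tiering this paragraph calls for can be written down and checked rather than reasoned about informally. The following is an added example, not code from the original post or from SolarWinds MSP; the asset inventory, segment names, tiers and flow policies are constructed to mirror the laptop-versus-RMM scenario in the text.

```python
from collections import deque

# Constructed inventory: asset -> (network segment, criticality tier).
# Tier 1 = crown jewels (patient records, the RMM platform); tier 3 = low value.
ASSETS = {
    "tim-laptop": ("corp-users", 3),
    "mail": ("corp-services", 2),
    "billing": ("corp-services", 2),
    "rmm-platform": ("prod-mgmt", 1),
    "patient-records": ("clinical", 1),
}
# Constructed flow policies: which segments may initiate connections to which.
# SEGMENTED keeps user and service segments away from management and clinical.
SEGMENTED = {
    "corp-users": {"corp-services"},
    "corp-services": set(),
    "prod-mgmt": {"clinical"},
    "clinical": set(),
}
# FLAT adds a single convenience rule (services may reach management) and nothing else.
FLAT = {**SEGMENTED, "corp-services": {"prod-mgmt"}}

def reachable_segments(start, flows):
    """Breadth-first walk over permitted flows: every segment an intruder
    starting in `start` can pivot into (a segment always reaches itself)."""
    seen, queue = {start}, deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in flows.get(seg, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def blast_radius(compromised, assets=ASSETS, flows=SEGMENTED):
    """Assets exposed if `compromised` falls, under the given flow policy."""
    segs = reachable_segments(assets[compromised][0], flows)
    return {name for name, (seg, _) in assets.items() if seg in segs}

def exposed_crown_jewels(compromised, assets=ASSETS, flows=SEGMENTED):
    """Tier-1 assets inside the blast radius of `compromised`."""
    return sorted(n for n in blast_radius(compromised, assets, flows)
                  if assets[n][1] == 1)

def weak_points(assets=ASSETS, flows=SEGMENTED):
    """Non-tier-1 assets whose compromise reaches a crown jewel: the list a containment plan must empty."""
    return sorted(n for n, (_, tier) in assets.items()
                  if tier != 1 and exposed_crown_jewels(n, assets, flows))
```

Under the segmented policy the laptop exposes only mail and billing; adding the one extra flow in `FLAT` lets the same laptop reach both crown jewels, which is exactly the kind of result the modelling exercise is meant to surface before an incident does.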
You may think this is just for big companies, but this principle needs to be applied even for the smallest of the small. Look at a tiny retail outlet employing a couple of people, with a cash register and a few back-end systems. What event would cause them to close? They may have good backups in place and a third party to handle card payments, but if you look outside the organization, who are their partners? Can they be used as an entry point to someone else, or could their identity be stolen and their credit lines used up? Either of these could potentially be extinction-level events for them.
Whatever organization you are working with, they will have different areas of weakness and different things that could irreparably damage them. The job of the MSP or MSSP (managed security service provider) is to understand and look at all these areas and provide a structured plan to help them achieve the security levels they need—not just a global blanket security strategy that ultimately serves no one.
In my next blog post, I’ll look at how to use security as a differentiator for you and your customers.
For more on Tim's top security tips, visit our Security Resources Centre and download The Brown Report. You can also listen to Tim's latest podcast, which looks at how to create proactive security.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.
© 2018 SolarWinds MSP UK Ltd. All rights reserved.
The SolarWinds and SolarWinds MSP trademarks, service marks, and logos are the exclusive property of SolarWinds MSP UK Ltd. or its affiliates. All other trademarks are the property of their respective owners.