Managed Security Services Provider - Best Practices
The final installment of EisnerAmper/CloudAccess’ Managed Security Services Podcast addresses the best practices in security management. Jerry will cover setting and monitoring preventative and detective controls, as well as governance, risk assessment, data loss, vendor management, cultural awareness and incident response. Kevin will address the various tools companies use to manage security and the importance of integrating all of those applications for management and audit.
Kelly Critelli: Hello and welcome to the EisnerAmper and Cloud Access podcast series where we're discussing the use of managed security services providers (MSSPs). I'm your host, Kelly Critelli, and with us today is Jerry Ravi, EisnerAmper's Partner in Charge of Process, Risk and Technology Solutions, and Kevin Nikkhoo, CEO of Cloud Access. In case you missed it last time, we talked about some MSSP before-and-after client stories. Today, we're going to talk about best practices in the managed security space. Jerry and Kevin, welcome and thanks for being here.
Jerry Ravi: Thank you, Kelly.
Kevin Nikkhoo: Thank you.
KC: Can you share some security management best practices?
JR: A lot of this stems from what the regulators are looking for, and we call this the health check or key areas of focus. A number of things need to be done for good security posture and best practice. The first is governance and risk assessment, knowing what you have and where the gaps are, evaluating those risks and where the communication is coming from. And that's really where the MSSP areas start, in terms of looking at logs. Another key area is access rights and controls around prevention, and that's where the MSSP lives. Ultimately, it’s about putting preventative controls in place, but also detective controls in place.
KN: In order to accomplish that, there’s a number of tools that have to be put in place, such as encryption, to protect the data at rest and the data in transmission logs. Logs are the heart of the collection of what's happening in the environment. A preventative would be vulnerability and malware scanning on a regular basis and monitoring the network traffic and, of course, patch management as needed on a regular basis.
JR: One key area just in monitoring the network traffic is data loss and in the security world it would be known as data loss prevention. At that point, we need to understand what the companies are doing to monitor outbound communication and how data is being transferred. That's another key aspect of monitoring.
KN: You actually did mention access management and I think this is a key component because for the users, we need to know who the users are, if they're authorized to access the applications, what applications are they accessing, what time of the day are they allowed to access. If they're in a directory, for example, but they're not on the application, but you see them on the application without authorizations, can they be detected? All of the access management in the user context is an important part of security posture.
JR: It gets into the policies that are in place as well. Obviously, good security posture means that you've put policies and procedures in place. That again goes into access management. Companies, unfortunately, often fall down in this space where they put a policy in place that they're unable to monitor. They say things in policies and procedures that unfortunately they don't have the team or the skillsets to do or even the tools to be able to monitor the controls. That may even be in that policy and some of the things in examples may even be BYOD management or continuous monitoring across IT systems, things of that nature. Or what about if there's a change in the environment, what do we do, how do we access that? This all gets back to what the MSSP would potentially bring to the table when we talk about centralized management. Bringing all that information in, bringing in the access logs in, aggregating those logs, but having a central console where you can identify particular events if you're not monitoring your IT systems. What are we doing and do we even know what systems are critical? Those are all key. We talked about governance and risk assessment, knowing what we have, where the gaps are, access rights and controls, data loss, or just knowing what your vendors are doing in your environment. Again, it gets back to monitoring and training. Kevin, I know you've mentioned this plenty of times, this is not IT training, this is a training across the organization, security awareness training as to what people can and cannot do. You literally want a company to create a culture that they're aware and they can bring different things to the table to you for monitoring purposes—whether they see a suspicious activity or suspicious email. There are a lot of different aspects that need to come in. And the last is really an incident response and knowing how to actually respond to a particular event.
That's important because I think good companies will go through good security posture and they may be doing some of the right things around the controls and monitoring. But unfortunately they're not prepared when an event happens and they don't know what to do. That's another area where an MSSP is allowing them to be prepared because they can help them respond and recover.
KN: I think part of the challenge for most companies is the fact that they have to have multiple tools and install and manage them on a regular basis. This is somewhat difficult and that's where an MSSP could add a lot of value. You mentioned centralized management, one dashboard to administer all of this and have visibility. You mentioned policies. What if we could do a policy across the enterprise and it's managed from one dashboard? That makes things a lot easier for roles in the company, any rules, and then that maps to applications and it's all managed from one centralized management console. It makes it significantly easier not to just manage it on a day-to-day basis, but also to address an audit. When you run the reports that show who has had access to what applications and who authorized them that helps with the audit process. All these tools that we talked about, that are best practices, play into an audit as well. And they also address compliance.
JR: I completely agree. At the end of the day, it's what are we doing? And we spoke about this in a prior podcast. What are we doing to actually have real time compliance and security monitoring? That's really the best practice; that's what we need to get to. I cringe sometimes when I hear some of the stats coming out of a lot of these organizations. You'll see numbers that are certainly less than 50% of the companies that are actually doing a real time security monitoring activity. And that's good security posture.
KN: A good example of it is password management. Regular compliance requires an enterprise-level password management, and most companies don't have it. Are you regularly changing the passwords every three months? Do you have a number of characters, alpha numeric? What is your format for the password? What is your policy for lockouts and releases, and do you have security questions established that can be managed by an administrator? Or are they actually created by the end user and how do you manage them from one centralized dashboard? All of this plays into best practices to protect the company, but make it a lot easier to manage. That's the responsibility on this MSSP, to help customers achieve that goal.
KC: Jerry and Kevin, thanks for your expertise and this great insight. And thank you for listening to the EisnerAmper Cloud Access podcast series. In the future, we'll be releasing podcasts that go into more detail on the best practices and use cases, such as the one that we talked about here today. We hope you'll join us for those and many more podcasts from EisnerAmper and Cloud Access. You can always feel free to visit eisneramper.com for more information on this and a host of other topics.