
The Managed Services Checklist

20 January 2010 00:00 am , Rahul Neel Mani

When I contacted IT professionals from different parts of the world for their opinion on MSPs, I got a mixed bag of responses. What are the potential security concerns in a managed IT services environment that could worry you the most? Is your agreement with the MSP letting you sleep well at night? What do you need to look for? What must you not ignore at any cost? Experts made some assertive comments on these questions.

While dealing with your Managed Service Provider (MSP), be vigilant and careful about the following points, or else be ready to get friendly with sharks.

Watch for co-mingled user information: The potential security concerns arising from managed IT services are essentially the same as those of in-house services, with one major addition: the possibility of co-mingled client information. This can create not only chaos but also serious breaches of data security. There needs to be a very clear understanding of what infrastructure is shared, what technical resources are shared, and what processes (and technology) are in place to ensure that data does not get co-mingled across clients on the MSP’s side of the information infrastructure. “There needs to be stricter monitoring, logging and reporting in an MSP configuration than when you are managing your own infrastructure. And it's a good idea to ensure that this is true for both the primary hosting location and the backup/DR site, which might not be configured or staffed as thoroughly as the primary location,” suggests Andrew Barker, VP-IT Operations at AGRI, US.
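One concrete form the “monitoring, logging and reporting” above can take is a check run over the MSP's access audit trail that flags any event in which a user from one client tenant touches a resource owned by another. The script below is an added example written for this article, not code from the article or from any MSP named in it. It assumes a hypothetical audit-log line format (`<timestamp> tenant=<id> user=<name> action=<read|write> resource=<owner-tenant>/<path>`), a `shared/` owner prefix for infrastructure the MSP legitimately shares, and an `msp-ops` pseudo-tenant for the provider's own operators; the log lines are constructed for the example.

```python
"""Cross-tenant access check over MSP audit log lines (added example).

Assumed (hypothetical) log format, one event per line:
    <ISO timestamp> tenant=<id> user=<name> action=<read|write> resource=<owner>/<path>
The first path component of `resource` is the tenant that owns it. An owner of
`shared` marks infrastructure the MSP legitimately shares between clients, and
a `tenant` of `msp-ops` marks the provider's own operator accounts, whose
cross-tenant access is expected but should still be reported for review.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) tenant=(?P<tenant>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) resource=(?P<owner>[^/\s]+)/(?P<path>\S+)$"
)


def parse_line(line):
    """Return the event fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_cross_tenant_access(lines, shared_owner="shared", operator_tenant="msp-ops"):
    """Classify audit events.

    Returns (violations, operator_access, unparsed):
      violations      - a client tenant's user touched another tenant's resource
      operator_access - the MSP's own operators touched a client resource
      unparsed        - lines that did not match the expected format (must not be
                        silently dropped: a broken log pipeline hides violations)
    """
    violations, operator_access, unparsed = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        if rec["owner"] == shared_owner:
            continue  # shared infrastructure is not a co-mingling event
        if rec["tenant"] == operator_tenant:
            operator_access.append(rec)
        elif rec["owner"] != rec["tenant"]:
            violations.append(rec)
    return violations, operator_access, unparsed


def summarize(violations):
    """Count violations per (tenant, user) for the report to the client."""
    counts = defaultdict(int)
    for v in violations:
        counts[(v["tenant"], v["user"])] += 1
    return dict(counts)


# Constructed sample log: two tenants (acme, globex), one operator account.
SAMPLE_LOG = [
    "2010-01-20T09:12:03Z tenant=acme user=jdoe action=read resource=acme/db/customers.csv",
    "2010-01-20T09:12:40Z tenant=acme user=jdoe action=read resource=globex/db/orders.csv",
    "2010-01-20T09:13:11Z tenant=globex user=msmith action=write resource=shared/ntp/config",
    "2010-01-20T09:14:02Z tenant=msp-ops user=oncall action=read resource=acme/logs/app.log",
    "2010-01-20T09:15:00Z tenant=acme user=jdoe action=write resource=globex/db/orders.csv",
    "garbage line",
]

if __name__ == "__main__":
    violations, operator_access, unparsed = find_cross_tenant_access(SAMPLE_LOG)
    for v in violations:
        print(f"VIOLATION {v['ts']} {v['tenant']}/{v['user']} {v['action']} "
              f"{v['owner']}/{v['path']}")
    for o in operator_access:
        print(f"OPERATOR  {o['ts']} {o['user']} {o['action']} {o['owner']}/{o['path']}")
    print("per-user violation counts:", summarize(violations))
    print("unparsed lines:", len(unparsed))
```

Run against the sample, the check reports two violations (acme's `jdoe` reading and then writing globex's order data), one operator access for review, and one unparsed line. The unparsed count is deliberately surfaced: a provider that reports “no cross-tenant events” while half the log lines fail to parse has told you nothing, and the same check should be run against the DR site's logs, as Barker notes above.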

Does your MSP know you well: Teams handling data offsite or offshore should have a good understanding of how critical the data and systems are to the user's business. They should also be aware of the security and privacy policies of the organisation they are supporting. Most of the time, misses are not deliberate; they come from ignorance, lack of understanding or lack of sensitivity. Whether the work is in-house or offshore, the required security controls need to be ensured: segregation of duties, strong access control, access to data only for the process that needs it, perimeter/network/systems security and so on. “If your data is very sensitive, you need to look at Digital Rights Management (RMS) and encryption at various levels. Related metrics need to be defined and monitored for all these controls with your MSPs,” suggests Sunil Varkey, Information Security & Privacy Professional, and former Project Manager - Global Incident Response Centre at General Electric.

Are you communicating your expectations assertively: Communication of expectations is a crucial step. As a user of a fully managed hosting provider, you must convey all security requirements to the potential hosting provider before committing to their service. Most high-end managed IT service providers will consult with potential clients. Will they be able to meet a "caged server" requirement? Do they offer PCI compliance scanning and remediation? Are they SAS 70 Type II audited? What experience do their system administrators have with cryptography? Do they have brute-force detection services? These questions need to be asked before committing to a solution or signing on the dotted line.

“If you want to sleep well at night, you need to do your own research on your potential MSPs. Have your questions and requirements ready to go in the RFP. There are many different MSPs, and it is up to you to find the one that fits your requirements and your budget. If you are running a tight budget, then be prepared to sacrifice some requirements. In other words, prioritize your security requirements,” says Zane Williamson, Sales Manager at Liquid Web - a US based managed web hosting company.

As a CIO you would ideally assign all the resources needed before establishing any relationship. An investment of this magnitude is not temporary; you would hope it lasts at least the duration of the contract, and perhaps longer. “Craft a well-designed RFP, which by the way can take several months. You should also develop a comprehensive list of business requirements and expectations. Additionally, the vendor selection process must be planned and very selective. The business must buy into this process and must support and guide any decision. Your legal department also plays a critical role during the contract negotiation; not only will they spot-check your contract, but they will also make sure your company's investment is secured,” says Williamson.

Keep the relationship going: After all this is done, another key point is to sustain an ongoing relationship with the managed service provider. Just as disgruntled employees pose serious internal risks, an MSP that holds your IT environment in its hands can cause as much harm, or worse. “The partnership needs to be well managed, both ways. They can have as many SAS 70, PCI certifications, HIPAA, etc. behind them but what matters the most is the results you will get on a daily basis,” suggests Elliott Bujan, Senior IT Auditor, Fortune Brands.

Is your MSP explicit: Enterprises, big or small, often use MSPs to manage their networks, perform periodic checks, apply the latest updates, keep off-site backups and troubleshoot remotely: the whole nine yards. The vendor needs to make clear to the client everything that needs to be done. Then, if the client declines some area of work because it intends to contract it to someone else, the record is clear to whoever inherits the contracts later: the first vendor said this needed doing, and the client asked them not to do it. Otherwise things fall through the cracks.

“The client needs to make sure the outside vendor is informed on any compliance requirements regarding the data, and get something in writing to verify the vendor is fully cognizant of the implications. There is a growing standard of computer vendors being like auto repair shops. Before they start the work, they tell you what it will cost, and discuss alternatives with you. If you decide to postpone the investment, they will tell you what the consequences will be,” says Al Macintyre, CIO, Kauffman Engineering, a Lebanon-based engineering company.

Some MSPs even offer a satisfaction guarantee: ‘We fix the problem, or you don't pay’. You will want clarity in the billing about what you are paying for.

Grill yourself before you grill your MSP: In this time of economic crisis, the trusted advice is to find answers to the following questions:

-  What would happen if my service provider goes bankrupt? Can I still access my data?

-  What is the economic condition of my managed service providers? Do they have to reorganise any time soon? What will be the impact of that on the integrity of the employees (a grudge due to layoffs)?

-  Will my service provider be engaged in a merger or separation soon? What are the consequences of that with regard to the integration and separation of IT systems (downtime, mistakes, etc.)?

“A sound disaster/backup plan in case of any possible future availability problems can prevent a lot of headache. However, issues with integrity and confidentiality require more intrusive measures like monitoring and auditing your service provider. Don't be blinded by their ISO 27002 certifications or other compliance statements. If they foul up, your head is in the noose,” concludes Michiel Broekhuijser, Security Consultant, Advisor of Express in Bits.


rahul.mani@9dot9.in
