Educause Security Discussion mailing list archives

Re: Managed services provider question


From: Tom Miller <thomas.miller () CNU EDU>
Date: Thu, 13 Jun 2019 08:49:43 -0400

I understand.  It still seems to me unusual, and we never did that at the MSP
I worked for.  One challenge you would have is that you would not know
their controls.  Does your contract have a right-to-audit clause?  Might be
something to consider if you go that route, and maybe inquire with other
MSPs what they do.

I like the idea of outsourcing things like network management/assistance
when you can't afford or don't need a full-time network engineer, but
moving to another authentication is something different.  It would seem
that you'd also need some sort of firewall rules to allow traffic for
authentication.  Perhaps you could have some sort of subdomain in your org
where management is shared but you own it and your vendor could have control
over that?

I don't think I'd go that route either, at least until I interviewed other
customers and the vendor provided plans for incident response, disaster
recovery, and possible de-coupling if you terminate the contract.  Your
team should retain full control of the devices since you own them.

There is another model that we were developing when I was with my MSP:  the
MSP owns the equipment, manages it 100%, and the client pays a lease fee.
The MSP would be responsible for replacement.  I left before any proposals
of that went to clients.  I thought it was an interesting concept for small
to mid-size organizations looking to have a lighter hardware ownership
footprint.  It could be gradually implemented as a client's aging hardware
was replaced.  Maybe counter-propose that to your MSP and see what they say?

Tom

On Wed, Jun 12, 2019 at 4:24 PM Pete, Andrew <
000000d06e28c017-dmarc-request () listserv educause edu> wrote:

Hey Tom,

To clarify, they only want us to move our TACACS authentication (used for
network management like routers, switches, wireless controllers, etc.) to
their platform.  Other systems like the ones you mentioned below would not
be changing.

We ultimately think this is a bad idea as it would mean that
authentication would be off premise and we would have very limited control
over it.

Andy

*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Tom Miller
*Sent:* Wednesday, June 12, 2019 4:18 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Managed services provider question

Andrew,



To be sure I understand, are you stating that the MSP expects you to use
the MSP's directory (AD, whatever) for authentication, even with your
third-party connectors (Banner, Google, Office 365, AWS, etc.)?  I might
not be properly understanding.

If your answer is yes, that's a big change to move from the current model
(yours and controlled by you) to an MSP's platform.  I had a previous role
in an MSP similar to yours, and we never used that model:  our
authentication model was for our systems only, and we had accounts on
customers' platforms.  I can see how your MSP wants to move to that model:
easier for the MSP to manage their staff accounts, easier to manage client
accounts.  But, this is a clever way for an MSP to make you heavily
dependent on the MSP, and extraction from the MSP could be quite a challenge.
You might want to review your contracts with your connected partners to see
if there would be any issues.

If you go this route, I would ask to speak with other MSP customers who
went with this model and ensure you have good protections in a contract.

On Wed, Jun 12, 2019 at 1:40 PM Pete, Andrew <
000000d06e28c017-dmarc-request () listserv educause edu> wrote:

Hi All,

I wanted to get some opinions on a discussion we are currently having with
our managed service provider.  We are a smaller department and rely on an
MSP for monitoring/alerting.  In addition to monitoring, we recently
decided to have them co-manage our critical infrastructure so that we can
lean on them to back us up in the event we need more manpower or need
assistance with major issues.  Our MSP was bought in the last year or so,
and with our renewal, they are moving us to a new managed service platform
and structure.  As part of this process, the MSP has insisted that we have
to move from our TACACS infrastructure to theirs.  We do not see this as a
good move for our organization, and this discussion is holding up the
process of them onboarding all of our necessary infrastructure so they can
provide us with services.  The MSP has continued to push the issue, only
citing that it is how they do things as to why we have to switch.  We
finally got a little more of an explanation from them as to why we need to
move to their TACACS.  Below is what they gave us with any org names
removed.

Advantages

• Centralized, standardized, and auditable repository of access controls
• Included in the service (we do the work)
• Security wrapper

Risks

• Security.  *MSP* will have no control over access, but instead be subject
to *customer's* policy/procedures
• Maintenance.  *MSP* cannot manage a device it does not have access to.
• Human Error.  *customer* will be the only customer of roughly 300 who
procured *MSP* management but owns TACACS

Protections for MSP

• SOW modifications to protect *MSP* against any security breach damage
• SOW modifications to protect *MSP* against SLA violations on those devices
• Additional hours to modify procedures for change management; continuous
updates

We discussed their response internally, and many of the things they list
would be exactly the same or similar regardless of switching to their
TACACS or continuing to use ours.  We are even going back to them that we
want them to co-manage our TACACS server as part of the MSP agreement to
ensure they have the ability to support our TACACS infrastructure.

I'm curious if anyone out there has ever seen this type of request out of
an MSP.  Even if not, I'd love some input on the matter.

I have worked for about 7 years for two different MSPs doing both managed
services and professional services for many customers.  In my role, I also
did some sub work for a few other MSP/PS companies.  In all those cases, I
have not run across an MSP that requires the use of their own authentication
infrastructure for a co-managed network.

Thanks,

*Andrew Pete*
*Information Security Architect*

*New England Institute of Technology*
One New England Tech Boulevard
East Greenwich, RI 02818-1205
401-780-4460 (Direct)
apete () neit edu

--
Tom Miller, MBA
Internal IT Auditor
Christopher Newport University
1 Avenue of the Arts
Newport News, VA  23606-3072
Phone:  757-594-8610
E-mail:  thomas.miller () cnu edu

-- 
Tom Miller, MBA
Internal IT Auditor
Christopher Newport University
1 Avenue of the Arts
Newport News, VA  23606-3072
Phone:  757-594-8610
E-mail:  thomas.miller () cnu edu

