Educause Security Discussion mailing list archives

Managed services provider question


From: "Pete, Andrew" <000000d06e28c017-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Wed, 12 Jun 2019 17:40:49 +0000

Hi All,

I wanted to get some opinions on a discussion we are currently having with our managed service provider.  We are a 
smaller department and rely on an MSP for monitoring/alerting.  In addition to monitoring, we recently decided to have 
them co-manage our critical infrastructure so that we can lean on them to back us up in the event we need more 
manpower or need assistance with major issues.  Our MSP was bought in the last year or so and with our renewal, they are 
moving us to a new managed service platform and structure.  As part of this process, the MSP has insisted that we have 
to move from our TACACS infrastructure to theirs.  We do not see this as a good move for our organization and this 
discussion is holding up the process of them onboarding all of our necessary infrastructure so they can provide us with 
services.  The MSP has continued to push the issue only citing that it is how they do things as to why we have to 
switch.  We finally got a little more of an explanation from them as to why we need to move to their TACACS.  Below is 
what they gave us with any org names removed.

Advantages
* Centralized, standardized, and auditable repository of access controls
* Included in the service (we do the work)
* Security wrapper

Risks
* Security.  MSP will have no control over access, but instead be subject to customer's policy/procedures
* Maintenance - MSP cannot manage a device it does not have access to.
* Human Error - customer will be the only customer of roughly 300 who procured MSP management, but owns TACACS

Protections for MSP
* SOW modifications to protect MSP against any security breach damage
* SOW modifications to protect MSP against SLA violations on those devices
* Additional hours to modify procedures for change management; continuous updates

We discussed their response internally and many of the things they list would be exactly the same or similar regardless 
of switching to their TACACS or continuing to use ours.  We are even going back to them to say that we want them to co-manage 
our TACACS server as part of the MSP agreement to ensure they have the ability to support our TACACS infrastructure.

I'm curious if anyone out there has ever seen this type of request out of an MSP.  Even if not, I'd love some input on 
the matter.

I have worked for about 7 years for two different MSPs doing both managed services and professional services for many 
customers.  In my role, I also did some sub work for a few other MSP/PS companies.  In all those cases, I have not run 
across an MSP that requires the use of their own authentication infrastructure for a co-managed network.

Thanks,

Andrew Pete
Information Security Architect

New England Institute of Technology
One New England Tech Boulevard
East Greenwich, RI 02818-1205
401-780-4460 (Direct)
apete () neit edu
