Re: Managed services provider question

[Tom Miller <thomas.miller () CNU EDU>]

Andrew,

To be sure I understand, are you stating that the MSP expects you to use
the MSP's director (AD, whatever) for authentication, even with your
third-party connectors (Banner, Google, Office 365, AWS, etc.)?  I might
not be properly understanding.

If your answer is yes, that's a big change to move from the current model
(yours and controlled by you) to an MSP's platform.  I had a previous role
in an MSP similar to yours, and we never used that model:  our
authentication model was for our systems only, and we had accounts on
customer's platforms.  I can see how your MSP wants to move to that model:
easier for the MSP to manage their staff accounts, easier to manage client
account.  But, this is a clever way for an MSP to make you heavily
dependent on the MSP and exaction from the MSP could be quite a challenge.
You might want to review your contracts with your connected partners to see
if there would be any issues.

If you go this route, I would ask to speak with other MSP customers who
went with this model and ensure you have good protections in a contract.

On Wed, Jun 12, 2019 at 1:40 PM Pete, Andrew <
000000d06e28c017-dmarc-request () listserv educause edu> wrote:

> Hi All,
>
>
>
> I wanted to get some opinions on a discussion we are currently having with
> our managed service provider.  We are a smaller department and rely on an
> MSP for monitoring/alerting.  In addition to monitoring, we recently
> decided to have them co-manage our critical infrastructure so that we can
> lean on them to back us up in the event we need more man power or need
> assistance with major issues.  Our MSP was bought in the last year or so
> and with our renewal, they are moving us to a new managed service platform
> and structure.  As part of this process, the MSP has insisted that we have
> to move from our TACACS infrastructure to theirs.  We do not see this as a
> good move for our organization and this discussion is holding up the
> process of them onboarding all of our necessary infrastructure so they can
> provide us with services.  The MSP has continued to push the issue only
> citing that it is how they do things as to why we have to switch.  We
> finally got a little more of an explanation from them as to why we need to
> move to their TACACS.  Below is what they gave us with any org names
> removed.
>
>
>
> Advantages
>
> •             Centralized, standardized, and auditable repository of
> access controls
>
> •             Included in the service (we do the work)
>
> •             Security wrapper
>
>
>
> Risks
>
> •             Security.  *MSP* will have no control over access, but
> instead be subject to *customer’s* policy/procedures
>
> •             Maintenance -  *MSP* cannot manage a device it does not
> have access to.
>
> •             Human Error -  *customer* will be the only customer of
> roughly 300 who procured *MSP* management, but owns TACACs
>
>
>
> Protections for MSP
>
> •             SOW modifications to protect *MSP* against any security
> breach damage
>
> •             SOW modifications to protect *MSP* against SLA violations
> on those devices
>
> •             Additional hours to modify procedures for change management;
> continuous updates
>
>
>
> We discussed their response internally and many of the things they list
> would be exactly the same or similar regardless of switching to their
> TACACS or continuing to use ours.  We even are going back to them that we
> want them to co-manage our TACACS server as part of the MSP agreement to
> ensure they have the ability to support our TACACS infrastructure.
>
>
>
> I’m curious if anyone out there has ever seen this type of request out of
> a MSP.  Even if not, I’d love some input on the matter.
>
>
>
> I have worked for about 7 years for two different MSPs doing both managed
> services and professional services for many customers.  In my role, I also
> did some sub work for a few other MSP/PS companies.  In all those cases, I
> have not run across a MSP that requires the use of their own authentication
> infrastructure for a co-managed network.
>
>
>
> Thanks,
>
>
>
> *Andrew Pete*
>
> *Information Security Architect*
>
>
>
> *New England Institute of Technology*
>
> One New England Tech Boulevard
>
> East Greenwich, RI 02818-1205
>
> 401-780-4460 (Direct)
>
> apete () neit edu
>
>
>
> *[image: NEIT_Full_Stack_H_White_BG_PNG1]*


-- 
Tom Miller, MBA
Internal IT Auditor
Christopher Newport University
1 Avenue of the Arts
Newport News, VA  23606-3072
Phone:  757-594-8610
E-mail:  thomas.miller () cnu edu