Educause Security Discussion mailing list archives

Re: Managed services provider question


From: "Sonder, Henk E." <hsonder () RIC EDU>
Date: Thu, 13 Jun 2019 13:36:49 +0000

Andy,

This very much feels like your MSP was strong-arming you.  Glad to hear they conceded (for now?). Having said that, if 
they want total control and zero liability, you really have to ask yourself if this is the right MSP. None of their 
arguments were ever convincing to surrender your access to your equipment. What controls would they have provided you 
to audit their operations?

Beyond pushing back, have you performed a risk assessment of handing over the control? Any time we partner with any 
third party, I have a hard time convincing our senior administration to first determine an exit strategy before signing 
any contract. I know what it feels like when you are negotiating with your back against the wall. Personally I feel 
that when a vendor is not looking out for the interest of me as a customer, it is time to walk away from that vendor.

Even with Tom’s suggestion of transferring ownership of the equipment, my concern would be controlling the data 
traversing your network. I want to retain ownership of the communication and therefore need to know and authorize any 
configuration and access to the equipment. Even with Cloud-based IaaS, I know ahead of time what my risks are. But when 
you ‘surrender’ control of all your infrastructure up to the endpoint, you have to consider other security controls 
(encryption), monitoring ingress/egress, and have a ‘dead man switch’ control built in. Even with limited budget, 
forgoing defense-in-depth is a risky proposition. You should always have a separation of duties. Do you follow the 
HECVAT conversation (https://library.educause.edu/resources/2016/10/higher-education-cloud-vendor-assessment-tool)?  
This may be helpful in approaching your MSP, because I am sure they have not given up on trying to convince you to see 
it their way at the next opportunity.

Henk E. Sonder
Director Information Security
Rhode Island College
600 Mount Pleasant Ave
Providence, RI 02908
Office: 401-456-9577
Email: hsonder () ric edu



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pete, Andrew
Sent: Thursday, June 13, 2019 9:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Managed services provider question

Thanks Tom.  I 100 percent agree that this type of request is unusual.  Luckily our MSP finally conceded to us and will 
not make us move to their TACACS service.

The infrastructure as a service is out there with at least a few other MSPs today so it has started to take off.  
Definitely a nice model for smaller orgs like you pointed out.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Tom Miller
Sent: Thursday, June 13, 2019 8:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Managed services provider question


I understand.  It still seems to me unusual and we never did that at the MSP I worked for.  One challenge you would have 
is that you would not know their controls.  Does your contract have a right to audit clause?  Might be something to 
consider if you go that route, and maybe inquire with other MSPs what they do.

I like the idea of outsourcing things like network management/assistance when you can't afford or don't need a full 
time network engineer, but moving to another authentication is something different.  It would seem that you'd also need 
some sort of firewall rules to allow traffic for authentication.  Perhaps you could have some sort of sub domain in 
your org where management is shared but you own and your vendor could have control over that?

I don't think I'd go that route either, at least until I interviewed other customers and the vendor provided plans for 
incident response, disaster recovery, and possible de-coupling if you terminate the contract.  Your team should retain 
full control of the devices since you own them.

There is another model that we were developing when I was with my MSP:  the MSP owns the equipment, manages it 100%, 
and the client pays a lease fee.  The MSP would be responsible for replacement.  I left before any proposals of that 
went to clients.  I thought it was an interesting concept for small to mid size organizations looking to have a lighter 
hardware ownership footprint.  It could be gradually implemented as a client's aging hardware was replaced.  Maybe 
counter-propose that to your MSP and see what they say?

Tom

On Wed, Jun 12, 2019 at 4:24 PM Pete, Andrew <000000d06e28c017-dmarc-request () listserv educause edu> wrote:
Hey Tom,

To clarify, they only want us to move our TACACS authentication (used for network management like routers, switches, 
wireless controllers, etc) to their platform.  Other systems like the ones you mentioned below would not be changing.

We ultimately think this is a bad idea as it would mean that authentication would be off premise and we would have very 
limited control over it.

Andy

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Tom Miller
Sent: Wednesday, June 12, 2019 4:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Managed services provider question


Andrew,

To be sure I understand, are you stating that the MSP expects you to use the MSP's directory (AD, whatever) for 
authentication, even with your third-party connectors (Banner, Google, Office 365, AWS, etc.)?  I might not be properly 
understanding.

If your answer is yes, that's a big change to move from the current model (yours and controlled by you) to an MSP's 
platform.  I had a previous role in an MSP similar to yours, and we never used that model:  our authentication model 
was for our systems only, and we had accounts on customer's platforms.  I can see how your MSP wants to move to that 
model:  easier for the MSP to manage their staff accounts, easier to manage client accounts.  But, this is a clever way 
for an MSP to make you heavily dependent on the MSP, and extraction from the MSP could be quite a challenge.  You might 
want to review your contracts with your connected partners to see if there would be any issues.

If you go this route, I would ask to speak with other MSP customers who went with this model and ensure you have good 
protections in a contract.

On Wed, Jun 12, 2019 at 1:40 PM Pete, Andrew <000000d06e28c017-dmarc-request () listserv educause edu> wrote:
Hi All,

I wanted to get some opinions on a discussion we are currently having with our managed service provider.  We are a 
smaller department and rely on an MSP for monitoring/alerting.  In addition to monitoring, we recently decided to have 
them co-manage our critical infrastructure so that we can lean on them to back us up in the event we need more man 
power or need assistance with major issues.  Our MSP was bought in the last year or so and with our renewal, they are 
moving us to a new managed service platform and structure.  As part of this process, the MSP has insisted that we have 
to move from our TACACS infrastructure to theirs.  We do not see this as a good move for our organization and this 
discussion is holding up the process of them onboarding all of our necessary infrastructure so they can provide us with 
services.  The MSP has continued to push the issue only citing that it is how they do things as to why we have to 
switch.  We finally got a little more of an explanation from them as to why we need to move to their TACACS.  Below is 
what they gave us with any org names removed.

Advantages
• Centralized, standardized, and auditable repository of access controls
• Included in the service (we do the work)
• Security wrapper

Risks
• Security.  MSP will have no control over access, but instead be subject to customer's policy/procedures
• Maintenance.  MSP cannot manage a device it does not have access to.
• Human Error.  Customer will be the only customer of roughly 300 who procured MSP management but owns TACACS

Protections for MSP
• SOW modifications to protect MSP against any security breach damage
• SOW modifications to protect MSP against SLA violations on those devices
• Additional hours to modify procedures for change management; continuous updates

We discussed their response internally and many of the things they list would be exactly the same or similar regardless 
of switching to their TACACS or continuing to use ours.  We even are going back to them that we want them to co-manage 
our TACACS server as part of the MSP agreement to ensure they have the ability to support our TACACS infrastructure.

I’m curious if anyone out there has ever seen this type of request out of a MSP.  Even if not, I’d love some input on 
the matter.

I have worked for about 7 years for two different MSPs doing both managed services and professional services for many 
customers.  In my role, I also did some sub work for a few other MSP/PS companies.  In all those cases, I have not run 
across an MSP that requires the use of their own authentication infrastructure for a co-managed network.

Thanks,

Andrew Pete
Information Security Architect

New England Institute of Technology
One New England Tech Boulevard
East Greenwich, RI 02818-1205
401-780-4460 (Direct)
apete () neit edu





--
Tom Miller, MBA
Internal IT Auditor
Christopher Newport University
1 Avenue of the Arts
Newport News, VA  23606-3072
Phone:  757-594-8610
E-mail:  thomas.miller () cnu edu


--
Tom Miller, MBA
Internal IT Auditor
Christopher Newport University
1 Avenue of the Arts
Newport News, VA  23606-3072
Phone:  757-594-8610
E-mail:  thomas.miller () cnu edu<mailto:thomas.miller () cnu edu>


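Added example, not part of the list thread above: a short Python audit of a Cisco IOS-style AAA configuration that checks the two concrete points the thread raises, which TACACS+ servers a device actually trusts and whether login falls back to local credentials (the "dead man switch" Henk mentions) when those servers are unreachable. The two sample configs, the server names, the account names and the TEST-NET addresses (192.0.2.0/24 standing in for campus, 203.0.113.0/24 for the MSP) are constructed for illustration; the list of "owned networks" is an assumed input, and only the standard "aaa authentication login ... group tacacs+ local" syntax is parsed.

```python
"""Audit an IOS-style config for management-plane authentication controls:
trusted TACACS+ servers, local fallback, and presence of a local account.
Added illustration; the configs below are constructed, not from any device."""
import ipaddress
import re

# Constructed sample configs (hypothetical names, TEST-NET addresses, secrets redacted).
WEAK_CONFIG = """\
username svc-msp privilege 15 secret 5 REDACTED
!
aaa new-model
aaa authentication login default group tacacs+
!
tacacs server MSP-TAC-1
 address ipv4 203.0.113.10
 key 7 REDACTED
!
line vty 0 4
 login authentication default
"""

HARDENED_CONFIG = """\
username breakglass privilege 15 secret 9 REDACTED
!
aaa new-model
aaa authentication login default group tacacs+ local
!
tacacs server CAMPUS-TAC-1
 address ipv4 192.0.2.10
 key 7 REDACTED
tacacs server MSP-TAC-1
 address ipv4 203.0.113.10
 key 7 REDACTED
!
line vty 0 4
 login authentication default
 access-class MGMT-ACL in
"""

AUTH_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
SERVER_RE = re.compile(r"^tacacs server (\S+)$")
ADDR_RE = re.compile(r"^\s+address ipv4 (\S+)$")
USER_RE = re.compile(r"^username (\S+)")


def login_methods(config, list_name="default"):
    """Ordered methods of one AAA login list, e.g. ['group tacacs+', 'local'].
    'group' consumes the following server-group name; other keywords stand alone."""
    for raw in config.splitlines():
        m = AUTH_RE.match(raw.rstrip())
        if not m or m.group(1) != list_name:
            continue
        tokens, methods, i = m.group(2).split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        return methods
    return []


def tacacs_servers(config):
    """Map 'tacacs server NAME' blocks to their 'address ipv4' values."""
    servers, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():            # any top-level command closes an open block
            m = SERVER_RE.match(line)
            current = m.group(1) if m else None
            continue
        m = ADDR_RE.match(line)
        if m and current:
            servers[current] = m.group(1)
    return servers


def audit(config, owned_networks):
    """Report trusted servers, fallback state and findings. owned_networks are the
    CIDR blocks the organisation controls; a server outside them is someone else's."""
    owned = [ipaddress.ip_network(n) for n in owned_networks]
    servers = tacacs_servers(config)
    foreign = sorted(name for name, ip in servers.items()
                     if not any(ipaddress.ip_address(ip) in net for net in owned))
    methods = login_methods(config)
    local_fallback = "local" in methods
    local_accounts = [m.group(1) for m in map(USER_RE.match, config.splitlines()) if m]
    findings = []
    if any(m.startswith("group ") for m in methods) and not local_fallback:
        findings.append("no 'local' fallback: losing the TACACS+ servers locks out management")
    if local_fallback and not local_accounts:
        findings.append("'local' fallback configured but no local username exists")
    if foreign:
        findings.append("TACACS+ servers outside owned address space: " + ", ".join(foreign))
    if servers and len(foreign) == len(servers):
        findings.append("every trusted TACACS+ server is outside owned address space")
    return {"servers": servers, "methods": methods, "foreign_servers": foreign,
            "local_fallback": local_fallback, "local_accounts": local_accounts,
            "findings": findings}
```

Against the weak config the audit reports three findings (no local fallback, a foreign server, and nothing but foreign servers); against the hardened one it reports only that one of the two listed servers sits outside campus address space. That second state is the arrangement Andy was pushing for: the MSP's server can be listed alongside yours, and local login still works if every TACACS+ server is unreachable. Note that IOS falls through a method list only when a method returns an error (server unreachable), not when it rejects the credentials, so the local fallback does not weaken TACACS+ enforcement while the servers are up.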