Template:Choosing and Implementing a Cloud-based Service for Your Laboratory/Managed security services and quality assurance/Choosing a provider for managed security services

From LIMSWiki

5.3 Choosing a provider for managed security services


Many MSSP options exist for labs seeking MSS. (Appendix 2 of this guide provides a list of profiles for top MSSPs to consider.) In some cases, if the lab is already using a public or hybrid cloud provider, that provider may already offer MSS to its customers, providing a certain level of convenience and familiarity to the lab. (For example, both IBM and Cisco, which offer public and hybrid cloud services, are ranked among the top 70 MSSPs in several publications.[1][2][3]) However, in some cases it may make sense for the lab to look beyond their cloud provider, particularly if their cloud provider doesn't supply MSS to its clients.

As discussed previously, a knowledgeable and well-run MSSP can provide many benefits to the cloud-based lab, but what should stand out about the MSSP you select? When choosing a provider of comprehensive cloud-based MSS, you'll want not only years of experience managing cloud installations, but also a provider that is able to[4][5][6][7]:

  • demonstrate deep knowledge of cloud-agnostic, industry-relevant best practices and approaches to security frameworks and their implementation;
  • demonstrate deep knowledge of regulatory mechanisms affecting your data and how to approach cloud security based upon those regulatory requirements;
  • describe what certifications, training, and continuing education requirements are met by staff;
  • leverage existing and emerging cloud security tools (e.g., security information and event management [SIEM] software) for automating security processes in a scalable future-proof fashion;
  • validate how their cloud security tools accomplish what they're intended to do, as well as how gathered information is analyzed both automatically and by the provider's analysts;
  • demonstrate how their approaches to security management can fit into or further mold your current IT and risk management strategies;
  • provide transparent pricing (e.g., is it tiered or bundled, based on number of users, something else) and make clear what the service covers;
  • provide examples of existing and past customers willing to give feedback about their experience with the provider;
  • provide a single point of contact to act as a security advocate to you during the entirety of your contract; and
  • support not only open-source security management tools, but also be flexible enough to integrate your own proprietary solutions and their associated licenses into the managed service.

Of course, cost will also be of concern. However, a blanket "how much does it cost" question isn't going to produce a simple answer; there will be many variables (e.g., business needs, current solutions, current IT staffing, regulatory requirements, etc.) within your organization that make it difficult for an MSSP to provide a canned response. They will need to respond to your lab's needs, which may be different from another lab's.[8] Additionally, costs associated with MSS can vary, not only from provider to provider but also based upon each provider's pricing model. Will they charge your lab based upon number of users, number of devices, or some other mechanism? Does the MSSP provide a flat rate for protecting your cloud resources, or do they offer different tiers or bundles of services? And will the MSSP providing cloud-based MSS also manage your non-cloud resources? A "per user" or "per device" approach to pricing may make sense for small labs, but larger organizations may balk at such inflated costs, preferring a flat rate or tiered package of services. Those tiered services may be based on either a user number range or a set of offered services.[5]

Ultimately, before approaching an MSSP, your lab will need to have gone through multiple steps internally: stating IT goals, identifying technology and education gaps, and determining a budget to support those goals and gaps. If your lab doesn't have a clear picture of what it has, where it wants to be, and what it will need to get there, the selection process will be even more difficult. As such, your lab may want to consider the request for information (RFI) process as part of your selection process.

5.3.1 Using a request for information (RFI) process

In some cases—particularly if your organization is of significant size—it may make sense to issue a formal RFI or request for proposal (RFP) and have major cloud MSSPs approach your lab with how they can meet its needs. The RFI and RFP are traditional means of soliciting bidding interest in an organization's project, typically containing the organization's specific requirements and vital questions that the bidder should be able to answer effectively. However, even if your organization chooses to do most of the investigative work of researching and approaching cloud MSSPs itself, turning to a key set of questions typically found in an RFI is extremely valuable for "fact finding."

An RFI is an ideal means for learning more about a potential solution and how it can solve your problems, or for when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious for prospective vendors to complete; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right number of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.[9] Remember, however, that an RFI is not meant to answer all of your questions. The RFI is meant to help narrow down your search to a few quality candidates while both parties learn more about each other.[9] Once the pool of potential MSSPs is narrowed down, more pointed questions can be asked to ensure those providers meet your needs.

Be cognizant, however, that just like CSPs, there may be no MSSP that can meet each and every need of your lab. Your lab will have to make important decisions about which requirements are non-negotiable and which are more flexible. The MSSPs you engage with may be able to provide realistic advice in this regard, based upon your lab's requirements and their past experience with labs. As such, those MSSPs with real-world experience protecting the information systems of laboratories may have a strong leg up on other MSSPs, as they can make informed comments about your lab’s requirements based on their past experiences.

For your convenience, Appendix 3 of this guide includes a comprehensive list of RFI questions to ask of MSSPs, as well as of cloud providers. If you have no experience developing an RFI, you may want to first seek out various example RFIs on the internet, as well as some basic advice articles on the topic. Some websites may provide templates to examine for further details. However, the templates in Appendix 3 also attempt to provide basic background about the RFI process. This includes addressing important questions related to your business so providers responding to your RFI better understand your lab's goals and requirements.

Now that we've addressed MSSPs, it's time to move on and take a look at the considerations required when choosing and implementing a cloud solution. The next chapter will look at the various characteristics of an average cloud provider, what you should look for in a cloud provider, the questions your organization should ask of itself, and the questions your organization should be asking cloud providers.

  1. "Top 250 MSSPs for 2022: Companies 70 to 61". Top 250 MSSPs: Cybersecurity Company List and Research for 2020. MSSP Alert. September 2022. https://www.msspalert.com/top250/list-2022/19/. Retrieved 01 August 2023. 
  2. "Top 100 Managed Security Service Providers (MSSPs)". Cyber Defense Magazine. Cyber Defense Media Group. 18 February 2021. https://www.cyberdefensemagazine.com/top-100-managed-security-service-providers-mssps/. Retrieved 01 August 2023. 
  3. "Top 15 Best Managed Security Service Providers (MSSPs) In 2023". Software Testing Help. 14 July 2023. https://www.softwaretestinghelp.com/managed-security-service-providers/. Retrieved 28 July 2023. 
  4. "How Managed Cloud Security Works, and Why You Might Want It". Trianz. 29 March 2021. https://www.trianz.com/insights/managed-cloud-security-services-how-and-why-it-works. Retrieved 28 July 2023. 
  5. "How Much Does Managed Security Services Cost?". RSI Security. 20 August 2020. https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/. Retrieved 28 July 2023.
  6. Russell, J. (10 January 2022). "10 Tips for selecting a Managed Security Services Provider (MSSP)". HarmonyTech Blog. https://www.harmony-tech.com/10-tips-for-selecting-a-managed-security-services-provider-mssp/. Retrieved 28 July 2023. 
  7. "How to Choose an MSSP" (PDF). NTT Security. November 2016. Archived from the original on 08 May 2021. https://web.archive.org/web/20210508224537/https://www.nttsecurity.com/docs/librariesprovider3/resources/us_data_sheet_how_to_choose_an_mssp_uea_v1. Retrieved 28 July 2023. 
  8. Dosal, E. (2 May 2019). "Is Managed Security Worth the Cost?". Compuquip Blog. https://www.compuquip.com/blog/is-managed-security-worth-the-cost. Retrieved 28 July 2023. 
  9. Holmes, T. "It's a Match: How to Run a Good RFI, RFP, or RFQ and Find the Right Partner". AllCloud Blog. https://allcloud.io/blog/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner/. Retrieved 28 July 2023.