Managing enterprise networks to meet increasing business requirements in the face of consistent cost reduction pressures can be demanding. Most organizations require reliable, secure networks to enhance their digital capabilities and achieve their objectives. Network managed service providers (NMSPs) have the potential to deliver all-inclusive and truly exceptional high-quality services because they employ a wide range of highly trained and experienced engineers who are specialists in network security, enterprise architecture, switching and routing and other technical areas, leading to greater reliability, availability and resiliency. An NMSP may serve a group of customers that operate within the same industry or economic sector or within the same geographical location, including clients that manage critical national infrastructure (CNI) or essential services.
Because NMSPs manage several clients and have extensive access to multiple client networks and a lot of data, they are attractive targets for threat actors.1 However, traditionally, NMSP contracts are focused on service levels, and organizations typically do not consider security a priority when outsourcing the management of their enterprise network to an NMSP. This needs to change as it is imperative for clients of NMSPs to understand security obligations for network and network security management, define their security requirements and ensure the effective implementation of security controls to enhance their digital trust. No organization wants to make headlines for a major network security breach, and mutually agreed-on cybersecurity obligations and shared responsibility are central to the outsourcing of network operations.
Business Drivers for Outsourcing Network Management
The global shortage of qualified network engineers, increasing business requirements, difficulty retaining experienced staff, additional resource needs and other challenges are the main business drivers for outsourcing network management. Figure 1 shows the high-level business drivers for outsourcing network management to NMSPs.
Figure 1—Business Drivers for Outsourcing Management of Networks and Network Security Services
Cost Savings
Organizations derive significant cost savings from outsourcing network management to NMSPs. Many direct costs (such as wages for maintaining in-house network engineers, initial huge capital outlays for procuring network hardware infrastructures and hardware repair and maintenance costs) and indirect costs (such as research and development, expenses associated with employee recruitment and training costs) can be eliminated. Outsourcing gives organizations the ability to plan and budget effectively, as they will be able to break down the costs into fixed monthly charges, reducing their impact. In addition, network management outsourcing can provide competitive advantages to organizations, as it eliminates the need to build an internal network operations center (NOC).
Network Service Continuity
Because in-house network engineers often take a reactive approach to cyberresilience due to inadequate resources and lack of expertise, many organizations are not prepared to respond and recover from unforeseen cyberthreats. NMSPs provide guidance and subject matter expertise to organizations and can implement an effective cybersecurity resilience program, ensuring a prompt response and fast recovery in the event of an unforeseen cyberattack.
In-House Capabilities
The hiring and retention of highly qualified network engineers can be challenging, especially for small or newly formed organizations. Although some large enterprises may employ experienced in-house network management engineers, it is challenging to retain these resources given the current high demand for cybersecurity professionals. Further, in-house teams may find it challenging to keep up with innovative network management techniques due to the demands of the day-to-day management of network operations. Outsourcing to NMSPs provides enterprises with a range of expertise, including access to network engineers who are trained, experienced and certified to provide higher-level support services that would otherwise not be easily available to small to medium-sized enterprises.
Network Reliability and Availability
NMSPs typically run network operations centers with 24/7 availability of a network fault resolution team, ensuring quick response times to network events, thereby decreasing client network service unavailability.
Enhanced Digital Trust
Through outsourcing, organizations can enhance their digital trust, reduce service incidents and improve customer retention, as NMSPs typically ensure security compliance is maintained and security risk is contained by following best practice standards and frameworks. In addition, NMSPs ensure prompt detection and resolution of potential vulnerabilities before they become critical security threats.
Technology Innovations
NMSPs typically acquire the latest technologies—such as network management software, virtualization capabilities, network hardware, cloud storage, remote monitoring and management, backup and disaster recovery and other innovative tools. These capabilities are made available to their clients as required. They also make use of artificial intelligence (AI) and machine learning technologies to create models, monitor multiple events and incidents and prioritize them for resolution.
Proactive Maintenance
NMSPs deploy remote monitoring solutions to quickly identify, diagnose and resolve potential service and security issues before they become more critical threats to the client’s business.
Network Automation
NMSPs automate network service management through the generation of automated incident tickets, automated back-up of configurations and deployment of a centralized configuration management tool. They also employ the use of automated toolsets for real-time monitoring of device health and availability for security devices and prompt deployment of security patches and updates to network and network security devices to enhance digital trust on clients’ systems and ensure security compliance.
Network Security
Cybersecurity has become the number one business risk.2 The swift transition to remote working, due to the COVID-19 pandemic, made traditional perimeter security obsolete for many organizations. Some NMSPs provide the full spectrum of proactive threat management. NMSPs can protect client information systems outside the perimeter and prevent incidents, especially when they have online real-time access to data from servers and firewalls in addition to threat intelligence feeds operating in the cloud.
The Shared Security Risk of Network Outsourcing
Although outsourcing network operations management to NMSPs provides a huge competitive advantage for organizations, it also poses significant business and security risk. Figure 2 provides a high-level view of the security risk elements shared between NMSPs and their clients.
Figure 2—Shared Security Risk Elements
Remote Network Access
Clients risk losing the control of their enterprise networks to NMSPs, and staff of the outsourcing service provider may have perpetual unrestricted and unauditable remote access to client networks.
Network Access Controls
Ineffectively designed network access controls on core networks, local area networks and Wi-Fi networks will readily admit unforeseen threat actors to client networks.
Security Information and Event Management
On-device logging may be enabled on network devices locally, and the logging information may not be available when required due to device hardware failure, accidental damage or a natural disaster. Also, unforeseen threat actors may clear the logs stored on devices if they are not well protected, thereby obstructing forensic investigation. It is common industry knowledge that many organizations do not integrate the logs from their network devices with a centralized security information and event management (SIEM) solution, and unforeseen threat actors may be able to escalate privileges within the network undetected.
Computer Security and Incident Response Planning
An NMSP will usually have a computer security and incident response plan (CSIRP) in place for the protection of its own organization. However, it may not be clear what CSIRP is available to clients for activation in the event of an unforeseen network security breach.
Network Architecture
It is commonplace for organizations to prepare network architecture documentation in conjunction with their NMSPs, especially during technology refresh programs or when they are in the project phase. Yet this documentation does not usually get updated through a change management process when significant alterations are made to the architecture of the network, and it may thus become obsolete over time. Network vulnerabilities may result due to failure to consider the security implications of the network changes being implemented. Also, more often than not, network architecture diagrams are not continually improved using zero trust architecture, secure by design and other appropriate technologies.
Network Segmentation
An NMSP may not have adequate knowledge about a client’s business objectives, and this may prevent the NMSP from delivering services in line with the client’s business imperatives. The service provider may need to be aware of major business capabilities and the systems that support their operations for effective network segmentation and security protection. Ineffective network segmentation may enable a threat actor to move laterally across business and mission-critical systems, infect them with malware, access confidential business information or even hold data for ransom.
Security Update Management
Network devices need to be scanned for security vulnerabilities at defined intervals and security updates must be applied to ensure they are adequately protected. The absence of security updates may allow vulnerabilities on the devices to become gateways for unforeseen threat actors to breach client information systems and data.
External Network Connection Monitoring
Unmonitored external network connections may allow unfettered access to threat actors. Virtual private network (VPN) connections established with clients, partners, contractors, employees and suppliers may constitute entry points for unforeseen threat actors, especially if contracts between the parties have been terminated but the connections are left unattended. Abandoned firewall rules could likewise open clients to unforeseen cyberattacks when threat actors exploit the resulting vulnerabilities.
Shared Security Responsibility Model for Outsourcing to NMSPs
NMSPs and their clients should acknowledge the potential security risk associated with their business relationships and include adequate contingencies and controls as part of their network service delivery planning, service level agreements and contracts to set clear security expectations and responsibilities.
Although NMSPs have a responsibility to protect their clients’ data, the clients are the data owners and are legally responsible for the security of their data and networks. In addition, although NMSPs have a responsibility to ensure the effectiveness of the design and operation of their security controls, clients and NMSPs both have roles and shared responsibilities when it comes to protecting the clients’ networks, systems and data. However, many contracts between clients and NMSPs are devoid of security imperatives.
The global cybersecurity threat landscape requires network managed service providers and their clients to make cybersecurity and digital trust top priorities when establishing initial onboarding contracts, during contract negotiations and throughout their business relationship lifecycles.
The NMSP is responsible for operations support, while the client is responsible for security governance. However, the extent of client obligations depends on the nature of the client organization.
The security obligations between NMSPs and their clients are defined by the shared security responsibility model. Figure 3 shows a shared responsibility model that an organization may consider when outsourcing network management to an NMSP.
Figure 3—Network Security Shared Responsibility Between Clients and Managed Service Providers
Network Security Management Policies
Clients need to define network security management policies to provide governance over the services provided by NMSPs and ensure that such policies are included in the contracts to be executed with the NMSPs. Often, organizations may contract for network management services without considering this crucial element. Although NMSPs are subject matter experts, the absence of a network security policy implies that the services may not be delivered in line with a client’s business objectives and security policies.
Network Architecture Design and Maintenance
Clients and NMSPs may have shared responsibility for designing and maintaining network architectures and providing updates. It is noteworthy that network architecture is a must-have. This ensures the effective design of network security, improving network security posture through zero trust modeling and threat modeling, mitigating the risk of delayed network traffic transmission, loss of data, loopholes in the network, operational service incidents and other problems.
Network Segmentation
Clients need to define the major business capabilities and digital systems that support their operations and ensure they are communicated to NMSPs in their contracts so they can be placed in more secured network segments.
Network Security Logging and Monitoring
Clients that have an existing SIEM solution should ensure centralized security monitoring and logging of network and network security devices and integrate the logs into SIEM tools to identify threats and trends. Alternatively, this service can be provided by NMSPs. Although the absence of centralized security logging and monitoring of all activities on network devices may not facilitate a cyberattack on its own, such absence implies that accountability for activities performed on the network may not be established. This may obstruct incident and forensic investigation, and it may constitute a huge risk for client organizations.
Although NMSPs may be responsible for ensuring on-device network backups of logs to protect the logs stored on network devices, both NMSPs and clients may be responsible for ensuring that the logs are protected from accidental damage, hardware failures or natural disasters.
CSIRP
It is noteworthy that NMSPs and their clients have joint obligations to ensure effective recovery from unforeseen security incidents. This is business critical and should not be left to NMSPs alone because clients may not be aware of their obligations. In the event of an unforeseen cyberattack when there is no shared responsibility model in place, recovery may be more reactive than proactive, as proper procedures that have been adequately tested for different threat scenarios may not be followed to contain breaches and recover from them when detected. Consequently, recovery progress may be impeded, and clients may fail to recover. Therefore, both NMSPs and clients have shared obligations for incident response planning. NMSPs and their clients need to ensure that they put in place a CSIRP that includes management playbooks for different threat scenarios and conduct periodic simulation exercises to ensure preparedness for unforeseen cyberincidents.
The CSIRP should be integrated with the service continuity plans of both the NMSPs and clients and should be aligned with enterprise business continuity plans.3 NMSPs need to reinvent their business models in such a way that they can support their clients effectively in the event of unforeseen cyberattacks. Client CSIRPs should be jointly owned by the client and the NMSP, and the obligations of both parties should be explicit. This will go a long way toward improving the cybersecurity posture of NMSP clients and ensure they continue to carry on business in the face of growing global threats.
NMSPs must keep their clients informed of cybersecurity incidents that have the potential to compromise their networks and maintain openness with their clients by reporting unforeseen security breaches when they occur.4
Periodic Network Security Risk Assessment
Clients of NMSPs need to conduct periodic security risk assessments and audits of their networks. Clients should ensure that an independent audit of their network is performed by an external accredited organization to proactively identify security concerns, weaknesses in their network security posture and potential vulnerabilities in addition to carrying out their own internal assessments periodically.
Conclusion
The proposed approach shows that neither clients nor NMSPs have absolute responsibility for network security. NMSPs and their clients need to agree to accept mutually beneficial security obligations as part of their contract negotiations and ongoing relationships.5 Roles and responsibilities for managing network security should be clearly defined. NMSPs that follow a shared responsibility model have a unique selling proposition and competitive advantage: Because their clients’ security postures are continually improved, helping them to stay in business, NMSPs can ensure a lasting relationship with their clients’ business.
Endnotes
1 Canadian Centre for Cyber Security, Cyber Security Considerations for Consumers of Managed Services, Canada, 2020, http://www.cyber.gc.ca/sites/default/files/cyber/publications/itsm50030-e.pdf
2 Duignan, J.; “The #1 Business Risk Is Cybersecurity—How Do You Manage Cyber Projects?,” PwC, April 2023, http://www.pwc.com/us/en/services/consulting/managed-services/library/enterprise-cybersecurity-and-risks.html
3 ACG Research, “Managed Services: The TCO Payoff,” 2014, http://www.acgcc.com/media/reports/files/Business-Case-for-Managed-Network-Services.pdf
4 Australian Signals Directorate, “Managed Service Providers—How to Manage Risk to Customer Networks,” Australia, October 2021, http://www.cyber.gov.au/sites/default/files/2023-04/PROTECT%20-%20Managed%20Service%20Providers%20%E2%80%93%20How%20to%20Manage%20Risk%20to%20Customer%20Networks%20%28October%202021%29.pdf
5 US Cybersecurity and Infrastructure Security Agency (CISA), “Risk Considerations for Managed Service Provider Customers,” CISA Insights, 2 September 2021, http://www.cisa.gov/sites/default/files/publications/cisa-insights_risk-considerations-for-msp-customers_508.pdf
OLUWAFEMI ADEYEMO ADELEKE | CISA, CISM, CRISC, CDPSE, CGEIT, CCISO
Is director and principal consultant at 3DMA Consulting Limited and a freelance cybersecurity consultant. His practice focuses on third-party cybersecurity risk management, cybersecurity transformation, cybersecurity governance, risk and compliance and operational and cybersecurity resilience. He can be reached at Oluwafemi.adeleke@3dmaconsult.com.