Why it’s Not Easy to Become an MSSP
By Howard M. Cohen
Many pundits are recommending that MSPs become MSSPs and "simply add security" to their offerings. It's not that simple.
You hear it all the time. It’s no longer enough to be merely a managed service provider (MSP). It’s time to graduate to managed security service provider (MSSP). New publications have emerged to promote it. They make it all sound easy. After all, how hard is it to install a firewall, right?
See Just How Difficult Security Really Is
Nobody is trying to dissuade or discourage you. The purpose of this review is to make sure you enter into this with your eyes wide open so you don’t end up with your wallet wide empty.
Let’s start by seeing just how far you are from getting there.
What part of the business are you in? Are you a developer? That’s pretty far. Are you a systems integrator? Well, good, you work with servers and storage and both are definitely targets. Are you a network integrator? That’s pretty close since attackers have to come in across your network.
In each of these examples we’re talking about an MSP who has specialized somewhat. Most do, because there’s something they’re just better at. Here’s where security becomes a problem. Let’s see where each of these MSPs’ wheelhouses lies.
Where Does Security Fit In?
In 1983, the International Standards Organization (ISO) introduced a useful seven-layered model for networked computing called the Open Systems Interconnection (OSI) model. You’ve most likely heard this referred to as the “seven-layer” model in many presentations about how networking works.
Moving outward from the user, data is entered into the network through software running on the Application layer. This application is running on a device-based operating system at the Presentation layer, which is signed in through the Session layer. Data is moved from that user to another destination by the Transport layer, which uses the Network layer to connect to that destination. This connects to the actual network via a network interface card at the Data-Link layer, which, finally, connects to the actual cabling and wireless infrastructure at the Physical layer.
Arriving at the other end, the data travels back up the seven layers to arrive at its intended destination. Each layer has its own protocols and other communication standards that govern its efficient operation.
So, you may be asking, where is the Security layer? Where does security fit in?
The answer is “Yes.”
Security at Every Level
Many providers of data and network security products emphasize the importance of “multi-layer” security, but here is the reality: if security is not efficiently and effectively embedded into every layer of the ISO-OSI model, at every step along the path data takes from origin to destination, the data is vulnerable and the security is ineffective.
Imagine a building with seven doors providing entry. If all seven doors are locked, the building can be considered secure. If one is left unlocked, the entire building is insecure. It really is just that simple. Unless every layer of the network is secured, penetration can occur. Data can be compromised. And compromised data creates an existential danger. According to Inc. Magazine, 60% of businesses whose data is significantly compromised go out of business and don’t return.
The point is, for you to become an MSSP you really need to be prepared to deliver services at each layer of the ISO-OSI model. That may be a lot of learning for your team to do.
A Chain is Only as Strong as its Weakest Link
Nobody loves old-fashioned axioms, but this one really applies here. If any link along the security chain is weaker than the others, you can bet attackers will find that and focus their arsenal on that one weak link. Everything you did right for your customer suddenly doesn’t matter. They’ve experienced a data compromise.
The fact is that true data and network specialists are well versed in every layer of the model. They understand the entire TCP/IP stack and can provide solutions involving any protocol. They are well versed in the various operating systems they’re going to encounter at the session and presentation layers. They know a great deal because they’ve worked hard to learn a great deal. If you’ve been in this industry for any reasonable amount of time you can do the same thing. The point is that you must do the learning before you can do the earning.
Howard M. Cohen is a 35+ year executive veteran of the Information Technology industry who today writes for and about the IT channel. He’s a frequent speaker at IT industry events that include Microsoft Inspire, Citrix Synergy/Summit, ConnectWise IT Nation, ChannelPro Forums, Cloud Partners Summit, MicroCorp One-On-One, and CompTIA ChannelCon, and frequently hosts and presents webinars for many vendors & publications.