Evaluate the IAM Risks Associated with outsourcing your SOC to an MSSP
Dan Jackson
Teacher/Educator - Management - Certified in Cyber Security / Health and Fitness Professional
This paper will provide an initial assessment of the new initiative by the government agency to outsource its Security Operations Center to a Managed Security Services Provider (MSSP). The objective is to evaluate the potential risks and considerations associated with identity and access management (IAM), asset and data classification, and authorization mechanisms that arise from this engagement. The paper examines key IAM issues that may arise, including the risks of unauthorized access, insider threats, and loss of control over sensitive information. It also addresses the critical role of asset and data classification in determining the level of access granted to the MSSP, and how to ensure the MSSP's compliance with best practices for identity and access provisioning (CrowdStrike).

Further, the paper outlines how to determine appropriate authorization mechanisms (such as RBAC and MAC) for MSSP personnel accessing the agency's data and identifies strategies to prevent access control attacks. The assessment provides actionable recommendations to help the agency's senior management and Board make informed decisions, ensuring that the MSSP engagement aligns with security requirements and operational objectives while minimizing risk exposure (Swimlane).
The first step to creating a secure partnership with the MSSP is to establish the responsibilities and expectations of the MSSP. By completing a Scope of Services, we have outlined the services the MSSP is expected to deliver. The MSSP will be responsible for managing the Security Operations Center (SOC), which will include monitoring, detecting and responding to security incidents, and performing identity and access management (IAM), including provisioning and de-provisioning of employee access. The MSSP will also be required to manage compliance with industry standards, conduct forensic investigations when needed, and provide regular reports on security performance and incidents. With these responsibilities clarified, we can ensure the security needs of the government agency will be met (Palo Alto Networks).
When partnering with an MSSP, managing who has access to what becomes the central challenge. The MSSP will be ultimately responsible for overseeing security operations, which means that Identity and Access Management (IAM) must be a primary focus. With the correct implementation of IAM we can prevent unauthorized access and maintain control over sensitive data. Focusing on IAM allows us to address issues such as provisioning and de-provisioning access, insider threats, and ensuring proper authorization protocols are in place within the MSSP partnership (CrowdStrike).
When outsourcing the SOC to an MSSP, Identity and Access Management comes with its own risks and setbacks. Let us address a few of these known risks.

Over-Provisioning of Access Rights: Granting broad access to MSSP employees may lead to over-provisioning, allowing access to data or systems that are not part of their role. This exposes sensitive data, invites misuse, and creates unnecessary risk. Implementing well-defined controls will help mitigate this potential risk (Swimlane).
Insider Threats: Excessive privileges for MSSP employees can increase the risk of insider threats, whether accidental or intentional. Allowing privileged access could result in data breaches or leaks. A mitigation strategy is to enforce IAM policies such as least privilege and need-to-know, ensuring users have only the access required to perform their tasks. In conjunction with these strategies, continuous monitoring adds an additional layer of security, allowing the detection, investigation, and response to suspicious activities or behavior (CrowdStrike).
Lack of Visibility: When IAM functions are outsourced, the agency might lose the ability to see who has access to sensitive systems and data. Without regular reviews and visibility into access logs, privilege creep can occur. This happens when users retain access permissions that are no longer necessary. Over time, this can create vulnerabilities such as unauthorized access to sensitive areas. A mitigation strategy that greatly reduces the risk of privilege creep is to implement regular access reviews and Role-Based Access Control (RBAC) (Frontegg).

To elaborate on mitigation strategies for the above-mentioned risks associated with outsourcing the SOC to an MSSP, we will look more closely at how we can further reduce the possibility of these vulnerabilities becoming exploitable weaknesses (CrowdStrike).
Least Privilege:
Just-in-Time (JIT) Access:
Need-to-Know Policy:
Continuous Monitoring:
Role-Based Access Control (RBAC):
Regular Access Reviews:
Service Level Agreements (SLAs):
Let us take a look at asset and data classification and why it is so important to ensuring a secure partnership. When outsourcing to an MSSP, asset and data classification plays a central role in determining what information the MSSP will need to access. Applying proper classification labels (public, internal, confidential) to the data ensures that only authorized staff have access to specific data. In order to correctly determine the value and sensitivity of the assets and data, we must follow these steps:

Define a clear purpose and scope for the data collection
Create an inventory
Create data governance policies
Classify the data/asset
Address regulatory and compliance requirements
Assign ownership
Document the asset
Apply access controls
Track the asset's lifecycle
Conduct regular audits and updates
This process will help ensure that all assets and data are well-organized, protected, easy to locate, and managed according to their classification and organizational importance. This is essential for effective risk management and compliance with legal and regulatory frameworks.

Now that we have established the roles and responsibilities of the MSSP and created an Asset and Data Classification Catalog, we can address in detail the need for correct implementation of Identity and Access Management (IAM) practices across the MSSP's identity and access provisioning lifecycle.

In order to make sure the MSSP complies with best practices over the course of the partnership, we need to address a few critical steps and ensure proper implementation. The main goal is to reduce security risks while ensuring the MSSP can effectively complete its tasks and maintain the integrity of the access control process. Let's take a look at how we can do this:

Provisioning with Least Privilege and Need-to-Know:
Just-in-Time (JIT) Access:
Regular Access Reviews:
De-provisioning Process:
Multi-Factor Authentication (MFA):
Privileged Access Management (PAM):
Privileged Identity Management (PIM):
Monitoring and Reporting:
Compliance with Regulatory and Security Standards:

By enforcing these as best practices across the identity and access management lifecycle, we can ensure that the MSSP will be aligned with the security policies and the necessary controls are in place to protect sensitive data and systems.
Now that we've covered the identity and access provisioning lifecycle, it's time to look at how we'll determine the best authorization methods for MSSP users who need access to our assets and data. Choosing the right method or combination of methods is key to ensuring security and proper access control. Whether we use Role-Based Access Control (RBAC), Rule-Based Access Control (RuBAC), Mandatory Access Control (MAC), or Discretionary Access Control (DAC), the decision will depend on the sensitivity of the data and the operational needs of the agency.
First let us take a look at the authorization methods that are available to us:

Role-Based Access Control (RBAC):
Rule-Based Access Control (RuBAC):
Mandatory Access Control (MAC):
Discretionary Access Control (DAC):
Attribute-Based Access Control (ABAC):
Policy-Based Access Control (PBAC):
Taking into consideration that the SOC is being outsourced by a government agency, we must set up strict controls for sensitive and highly sensitive data while also maintaining availability when needed. To achieve this, we will implement multiple access control mechanisms that meet the MSSP's requirements. This approach will help maintain both compliance and security, ensuring the MSSP has appropriate access to perform its job duties (CrowdStrike).

When looking at which access control mechanism to implement, we need to include the sensitivity of the data. For highly sensitive data (e.g., secret government information), strict controls like Mandatory Access Control (MAC) are ideal because they enforce predefined, non-negotiable security policies. For moderate sensitivity or internal data, a more flexible option like RBAC in conjunction with ABAC could be applied, allowing access based on roles or attributes. These systems help balance security with the need for operational flexibility and data availability (CISSP CBK Volume 6).
Using multiple access controls can be highly effective, as it allows us to use specific security controls for different types of data sensitivity and user roles, ensuring both flexibility and security. For example, you can use RBAC for standard tasks while applying MAC or ABAC to more sensitive data (Frontegg).
However, this approach can increase complexity in management. We will need to ensure the access control rules are consistently applied and regularly audited. We will set up automated tools and/or access management systems to help reduce the burden of managing multiple access controls (CrowdStrike).

Adding PAM (Privileged Access Management) and PIM (Privileged Identity Management) within the MSSP infrastructure is extremely important to ensure highly sensitive data stays protected. PAM ensures that privileged access is strictly controlled, session activity is monitored, and access is only granted on a just-in-time basis. PIM helps manage privileged accounts by enforcing time limits on approval-based access, which reduces the risk of abuse. With both PAM and PIM working together, sensitive data is restricted to authorized personnel and closely monitored, with alerts for suspicious activity enabling quick remediation and access revocation (Microsoft).
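To make the layered approach above concrete, here is an added Python example (it is not from this paper or from any of the cited vendors) of a single authorization decision that applies MAC no-read-up for the most sensitive classification, RBAC for role permissions, and a time-bounded just-in-time grant attribute of the kind PAM/PIM issue. The role names, permission names, the "secret" label above the paper's public/internal/confidential ladder, and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Classification ladder: public/internal/confidential are the paper's labels, "secret" is assumed.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
# RBAC map (role -> permissions); role and permission names are constructed examples.
ROLE_PERMISSIONS = {"soc_analyst": {"read_logs"}, "soc_admin": {"read_logs", "manage_iam"}}
PRIVILEGED = {"manage_iam"}  # privileged permissions also need an unexpired JIT grant (PAM/PIM)

@dataclass
class Subject:
    user: str
    roles: set
    clearance: str                                  # MAC label held by the MSSP user
    jit_grants: dict = field(default_factory=dict)  # permission -> UTC expiry of the grant

@dataclass
class Resource:
    name: str
    classification: str                             # MAC label on the asset
    permission: str                                 # permission needed to use it

def authorize(subject, resource, now):
    """Layered decision: MAC no-read-up first, then RBAC by role, then the
    ABAC-style time-window attribute for privileged permissions."""
    if LEVELS[subject.clearance] < LEVELS[resource.classification]:
        return False, "MAC: clearance below classification"
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject.roles))
    if resource.permission not in granted:
        return False, "RBAC: no role grants permission"
    if resource.permission in PRIVILEGED:
        expiry = subject.jit_grants.get(resource.permission)
        if expiry is None or expiry <= now:
            return False, "JIT: no active time-bound grant"
    return True, "allowed"

def evaluate_samples():
    """Constructed MSSP access requests; returns {request: (allowed, reason)}."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    analyst = Subject("mssp-analyst", {"soc_analyst"}, "confidential")
    admin = Subject("mssp-admin", {"soc_admin"}, "secret", {"manage_iam": now + timedelta(hours=2)})
    stale = Subject("mssp-admin-stale", {"soc_admin"}, "secret", {"manage_iam": now - timedelta(minutes=1)})
    logs = Resource("siem-logs", "internal", "read_logs")
    case_file = Resource("secret-case-file", "secret", "read_logs")
    iam = Resource("iam-console", "confidential", "manage_iam")
    return {
        "analyst reads logs": authorize(analyst, logs, now),
        "analyst reads secret file": authorize(analyst, case_file, now),
        "analyst manages IAM": authorize(analyst, iam, now),
        "admin manages IAM (active JIT)": authorize(admin, iam, now),
        "admin manages IAM (expired JIT)": authorize(stale, iam, now),
    }
```

The order of the checks matters: the MAC label is evaluated before any role, so no role assignment can grant a read above the user's clearance, and the JIT expiry is what makes a privileged grant self-revoking rather than relying on a later access review to catch it.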
To wrap up the topic of Access Management, we've covered how using multiple access control mechanisms, such as RBAC, MAC, ABAC, and DAC, provides both flexibility and security based on data sensitivity. We've also addressed the importance of PAM and PIM for managing privileged access to highly sensitive data. Together, these systems help protect sensitive data while ensuring that only the right people have the required access at the right time, helping us maintain security and compliance across MSSP operations (CISSP CBK Volume 6).
As we move into the final section of our discussion, let's address how we can prevent or mitigate access control attacks. These attacks target weaknesses in identification, authentication, authorization, or data access safeguards. To protect against these threats, we must explore important strategies such as strong authentication, least privilege, continuous monitoring, and data encryption.
Strong Authentication:
Least Privilege:
Continuous Monitoring:
Access Reviews:
Encryption:

We have addressed MFA, least privilege, continuous monitoring, and access reviews throughout this paper, so I would now like to focus on encryption and its importance in protecting the confidentiality and integrity of data. Here is how we can prevent or mitigate the risk to data at rest, in transit, or in use.

Data at Rest:
Data in Transit:
Data in Use:
In conclusion, outsourcing the SOC to an MSSP requires detailed consideration of access management and security controls. By using multi-factor authentication, least privilege, continuous monitoring, and encryption for data at rest, in use, and in transit, we can ensure the data is protected. The use of PAM and PIM further secures privileged access and highly sensitive information. Combining multiple access control mechanisms tailored to data sensitivity ensures that both compliance and security needs are met, helping the MSSP securely perform its duties while minimizing the risk of unauthorized access (CISSP CBK Volume 6).
Works Cited
"What a MSSP Does/Responsibilities." CrowdStrike, https://www.crowdstrike.com/cybersecurity-101/secops/msp-vs-mssp/.
"SOC Metrics." Swimlane, https://swimlane.com/blog/soc-team-roles-responsibilities/.
"SOC Tiers." Palo Alto Networks, https://www.paloaltonetworks.com/cyberpedia/soc-roles-and-responsibilities.
"MSSP Challenges and Benefits." NordLayer, https://nordlayer.com/learn/iam/challenges-and-benefits/.
"Privileged Access Management." Microsoft, https://www.microsoft.com/en-us/security/business/security-101/what-is-privileged-access-management-pam.
"Access Control Mechanisms." Frontegg, https://frontegg.com/guides/access-control-in-security.
CISSP CBK, Volume 6. (ISC)2.
"Data at Rest, Data in Transit, Data in Use." Jatheon, https://jatheon.com/blog/data-at-rest-data-in-motion-data-in-use/.