The ideal security stack - part one

Some of your most important decisions as an MSP will concern securing your sites. No matter what you get right, if you get the security wrong, you lose. But getting that stack right is complex and growing more so all the time. However, like any other complex task, the first thing to do is to build a process you can follow in order to analyze the challenge, design a response, and execute upon it. 

We will start by conceptualizing several different types of clients. Next, we will consider whether to tier our services or build a single, comprehensive solution. Then we will discuss the actual components of the stack. Finally, we will discuss the limitations of these choices. But now, let’s start out by visualizing the challenge(s) we are responding to.

Start Conceptually

The first step is to analyze how they do business. Are they on-premise, cloud-centric, or somewhere in the middle? Is local data protection their paramount concern or is most of that data elsewhere? Is protecting endpoints you rarely, if ever, see the most critical issue? Are these assets real (that is hardware) or are they virtualized (hosted)? 

Next, you will need to identify and enumerate just what you are protecting. This is quite a bit more challenging than you may realize, especially with today’s work from anywhere reality. The very act of identifying the resources and data locations is one of the hardest things to get right as challenges continue to evolve and as the resources change over time.

Finally, you’ll want to consider data pathways protecting not only endpoints and cloud, but the way they do business (in IT terms) and how to best armor those data paths. Options like going with SSL VPN vs. proxied RDS connectivity, setting up SAAS monitoring and alerts, engaging a SOC or SIEM, and looking out how and to where they move their data are a good start.

Premise?

For those still working largely on-premise, you will have servers, endpoints, and infrastructure to secure. But even the most premise-centric organizations also have M365 endpoints to secure with backup, filtering, and log reading and response. You will also have a standard perimeter to protect with solutions such as a UTM firewall and log reading and response services. And you can’t forget to secure WiFi, IOT devices, and remote access. Finally, no premise-based security solution is complete without truly comprehensive BCDR (Business Continuity and Disaster Recovery).

Cloud? 

There are some of us protecting clients that truly are all-in cloud shops. Azure, M365, WVD, maybe even Windows 365. Some of these clients never really had a premise shop and truly were born in the cloud, while others have made that migration over the past few years. For operations like these, especially those using virtualized endpoints, the concerns are different. There is no traditional perimeter, endpoints are virtual not physical (mostly), and BCDR is more of a SAAS protection play. Endpoint focused SASE solutions may be the best answer here. 

Hybrid?

Of course, most of us are supporting businesses with both premise equipment and a substantial cloud footprint, not to mention both local and remote users. We may have some clients with virtually no premise footprint and some that barely use the cloud. These hybrid sites are often the most demanding, as we must bring both premise and cloud “mind” to bear. You will require conventional premise defenses such as MDR and firewall log reading and response, as well as more cloud centric services such as SAAS alerting. 

Related reading: Cybersecurity tips for MSPs

Where’s the data?

Once you have a handle on these basic issues, and you’ve identified the nature of their business, you need to look for the data that needs protecting. Premise-based operations, at least notionally, have their data in one place, on their server(s). Cloud-centric companies store much or most of their data hosted somewhere. And hybrid operations obviously have data in several locations. Ultimately, you will find most companies are hybrid operations with data in widely disparate locations, some of which they are not even aware of.

And the data pathways

This is a new concept for many, but part of protecting any business, no matter how centralized or distributed its operations are, is identifying and protecting its data pathways. While on-premise networks make identifying these pathways easier, they present many challenges. There will be local data access, likely both wired and wireless, remote access into a premise location, by means of either SSL VPN or proxied RDS. And you will have access to hosted data, whether in public or private cloud(s), and, of course, M365. Cloud-centric practices, especially those built on virtualized desktops present entirely different paths to protect. Again, you’ll probably find that most of your sites are hybrid in nature.

The Final Analysis

Using this framework of analysis, enumeration, and data pathways, you can now move on to designing the appropriate solution stack to protect your client sites. Of course, none of us is likely to serve only one type of client. And that leads us to the next part— do you build one stack to rule them all, or tailor your solutions to each site? Stay tuned.