Why Outsourcing Remote Access Management Isn't The Answer For SMBs

Wednesday, May 27, 2015

Patrick Oliver Graf


“How do you keep your data secure when you’re a data anchovy in a sea of hacker sharks?”

When the Wall Street Journal’s John Bussey posed this question in 2011, the corporate network security landscape was drastically different. Employees weren’t using company-managed smartphones at a rate of 64 percent. Nine out of every 10 employees weren’t keeping sensitive business information on devices they use for both work and personal matters.

Yet, even then, SMB network administrators were concerned about their security, and feeling like vulnerable little fish with bigger, more aggressive fish circling.

So concerned, in fact, that according to Bussey, many were reluctant to outsource network security services to a managed service provider (MSP), even though these companies would have both the expertise and resources required to keep their networks safe.

At the time, many SMBs thought that the “hard disk under the receptionist’s desk” strategy was more effective than handing over control to a third party, even though these MSPs could provide data encryption, threat mitigation and other critical security services.

SMBs thought to themselves: “Yes, but what if the host isn’t entirely well-protected? Or what if a peer company within the shared environment was attacked? Or what if hackers prioritized these target-rich environments?”

These were real concerns then, and they still are now. So, should network administrators consider tapping into MSPs for network security in our current environment? The core issue is a common one in network security – convenience vs. security.


The convenience vs. security debate comes to how SMBs go about securing communications. On one hand, SMBs could opt for convenience and bypass any potential IT headaches by outsourcing network security to an experienced managed service provider. The downside of this approach is that outsourcing always requires the customer to cede some control – a step many risk averse SMBs are, justifiably, and as we touched on earlier, reluctant to take.

That doesn’t mean some organizations aren’t giving it a try though.

The U.S. Senate has explored outsourcing certain security services to MSPs. A preliminary plan calls for the Senate to migrate certain core support functions off-site – monitoring, incident reporting, threat analysis and more – while keeping technology assessment, management of security policies and standards, and quality assurance management in-house.

While that setup may work well for the Senate, it’s not advisable for SMBs, particularly when it comes to how they manage remote access specifically. That in-house, centralized control over encryption keys, certificates and storage spaces is simply too important. And with a one-click solution that removes all complexity for end users, the expertise of an MSP isn’t that much of a value-add for an SMB.

Once a network administrator opts for in-house control and is searching for a particular remote access VPN, the SMBs that are best positioned to defend their networks in-house are those that deploy solutions that enable both networking and security, in one environment.

Once these solutions are in-hand, the network administrator should begin to feel less like an anchovy and more like a fisherman, capable of avoiding all the hacker sharks.

This was cross-posted from the VPN Haus blog.

Firewalls IDS/IDP Network Access Control Network->General SCADA Budgets Enterprise Security Policy Security Awareness Security Training
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.