When Best Practices Are Infeasible

Cloud Security

IT security best practices are the processes and configurations set out by industry standards bodies such as SANS, NIST, and OWASP, amongst others. Examples include keeping software and systems patched, removing every application and service that is not required, segmenting critical network resources, and configuring host and network firewalls to deny all traffic by default and then allow only the required traffic by source address, port, and protocol.

But are best practices always feasible for an organization? To some this may seem a ridiculous question. Most CISOs would rather turn it around and ask "Is not following best practices feasible?", since their jobs depend on the performance of their security controls.

So why, then, did Kevin Mandia, CEO of FireEye (Mandiant's parent company at the time), answer "it depends" when that question was put to him at the Senate Intelligence Committee hearing on the SolarWinds compromise [1]? Senator Wyden's question referred specifically to NIST's firewall best practices and their ability to improve network security and reduce the impact of cyber-attacks. Behind the seemingly obvious answer lies something more complex.

CrowdStrike CEO George Kurtz's answer to the same question offered a more detailed explanation. Operational complexity is a real and tangible barrier to the push-button implementation of network best practices. Large corporate networks are increasingly complex because of digital transformation, and from a bottom-line perspective the more complex a network configuration is, the more expensive it is to maintain. A "deny all, allow only what is required" firewall policy is operationally complex to configure: every new service, integration, or partner connection needs a rule change, and that complexity raises the cost of onboarding new network administrators. It is not only large enterprises feeling the burden of digital complexity. SMEs are also being overwhelmed by fast-changing IT requirements.

Digital complexity affects administrative duties such as documentation, training new team members, upgrading skills and certifications, change management, vulnerability management, and threat response. For Fortune 500 companies securing billions of dollars' worth of assets and data, managing the talent pipeline is complex and has spurred the growth of managed IT services [3]. Executives of small and mid-sized enterprises (SMEs), however, may feel they sit in a grey area where the cost savings of managed services are not obvious and the reliability of a third party is a looming concern. For municipal governments, a managed-services model may be seen as costly to the taxpayer, while keeping IT talent "in house" may seem the more sensible choice. But by the time SMEs and state and municipal governments discover that they cannot fill the technical skills gap it may be too late, and they will find they have already taken on more risk than they should.

So what should organizations do to adapt to the increasing complexity of digital transformation and manage their risk?

Don’t Try To Roll Your Own

Even an SME's single mail server or website requires a depth of specialized IT knowledge, and that knowledge evolves quickly. Access controls and the SPF, DKIM, and DMARC records for the mail domain all need to be correctly configured; otherwise an attacker can send spam or phishing in the domain's name, or gain access that lets them steal or compromise sensitive information. Applications have constant update cycles and produce detailed security logs that need attention.
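As an added example (not code from the original post), the following Python script lints the three DNS records just mentioned for the weak settings that let mail be forged in a domain's name: an SPF record ending in `+all`, a DMARC policy of `p=none`, and an undersized DKIM key. The domain `example-sme.test`, both zones, and the DKIM key bytes are constructed for the demonstration; `lookup_txt()` stands in for a real DNS TXT query, and the DKIM key-size check is a heuristic on the decoded DER length rather than a full key parse.

```python
"""Lint the SPF, DKIM and DMARC TXT records that decide whether mail can be
forged in a domain's name.  Added example with constructed records; the
domain and key bytes are hypothetical.  For a real zone, replace lookup_txt()
with a DNS TXT query (e.g. dnspython) and keep the checks."""
import base64
import binascii
import re

# Constructed zone as an SME might have left it: SPF ends in +all, DMARC only
# monitors, and the DKIM key is 1024-bit sized (216 base64 chars -> 162 DER bytes).
WEAK_ZONE = {
    "example-sme.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test +all"],
    "_dmarc.example-sme.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-sme.test"],
    "mail._domainkey.example-sme.test": ["v=DKIM1; k=rsa; p=" + "A" * 216],
}
# The same domain hardened: -all, p=reject, 2048-bit sized key (392 chars -> 294 bytes).
HARDENED_ZONE = {
    "example-sme.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test -all"],
    "_dmarc.example-sme.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-sme.test; pct=100"],
    "mail._domainkey.example-sme.test": ["v=DKIM1; k=rsa; p=" + "A" * 392],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|exists:|redirect=)")

def lookup_txt(zone, name):
    """Stand-in for a DNS TXT lookup: returns the TXT strings at `name`."""
    return zone.get(name.lower(), [])

def parse_tags(record):
    """Parse 'tag=value; tag=value' (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record, so any host may send as this domain"]
    findings = []
    terms = spf[0].split()[1:]
    last = terms[-1] if terms else ""
    if last in ("+all", "all", "?all"):
        findings.append(f"SPF: '{last}' does not reject unlisted hosts; end with '-all' ('~all' while testing)")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("SPF: no terminating 'all' mechanism; unlisted senders are treated as neutral")
    lookups = sum(1 for t in terms if SPF_LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(records):
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["DMARC: no record, so SPF/DKIM failures are never enforced"]
    tags, findings = parse_tags(dmarc[0]), []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine and then p=reject")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy {policy!r}")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never collected")
    return findings

def check_dkim(records, selector):
    if not records:
        return [f"DKIM '{selector}': no key published at this selector"]
    tags, findings = parse_tags(records[0]), []
    key = tags.get("p", "")
    if not key:
        return [f"DKIM '{selector}': empty p= tag means the key is revoked"]
    try:
        der = base64.b64decode(key, validate=True)
    except binascii.Error:
        return [f"DKIM '{selector}': p= is not valid base64"]
    # Heuristic, not a DER parse: a 2048-bit RSA SubjectPublicKeyInfo is 294
    # bytes, so anything noticeably shorter is a 1024-bit (or smaller) key.
    if tags.get("k", "rsa") == "rsa" and len(der) < 290:
        findings.append(f"DKIM '{selector}': RSA key is {len(der)} DER bytes, below 2048-bit; rotate it")
    return findings

def audit_domain(domain, zone, selectors=("mail",)):
    """Return all findings for `domain`; an empty list means the records look sound."""
    findings = check_spf(lookup_txt(zone, domain))
    findings += check_dmarc(lookup_txt(zone, f"_dmarc.{domain}"))
    for selector in selectors:
        findings += check_dkim(lookup_txt(zone, f"{selector}._domainkey.{domain}"), selector)
    return findings

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(label, audit_domain("example-sme.test", zone) or ["clean"])
```

Run against the weak zone it reports three findings (the `+all`, the `p=none`, and the 162-byte key); against the hardened zone it reports none. Each check returns its findings rather than printing them so the same functions can feed a scheduled job or a ticket, and the DKIM selector list is a parameter because every mail provider publishes keys under its own selector names.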

The internet ecosystem is also constantly evolving, with new security features and laws intended to mitigate cyber-threats and protect users' privacy, so compliance with technical and legal requirements is a moving target. The persistent run of ransomware attacks on companies of all sizes shows that attackers are ready to exploit any oversight or misstep, with large operational setbacks and costs as the result.

Reap The Adjacent Benefits of Managed Service Providers (MSPs)

Increasing digital complexity and decreasing access to talent are the key factors driving adoption of MSPs [2]. Adopting an MSP can deliver tangible returns for risk management and offers benefits in the following areas:

  • Market-leading skills and products
  • Improved productivity, time and resource efficiency
  • Deeper insights through analytics
  • Increased ability to segregate and visualize costs
  • Relief in managing an IT talent pipeline


Become Cloud Aware

Becoming cloud aware is critical to managing the transition to an MSP. The most common types of cloud service are listed below with brief descriptions, key benefits, and where responsibility for security sits in each. The number and scope of cloud services is growing quickly, so this is not a comprehensive list.

  • Infrastructure as a Service (IaaS) – Rather than purchasing network and server hardware and managing it on premises, the IaaS model lets customers rent virtual machines, storage, and network infrastructure in the provider's data centers. This gives flexibility, scalability, and cost advantages: a company no longer has to predict exactly how much server capacity it will need or shop around for hardware, but can benefit from the provider's economies of scale and scale up or down when required. IaaS providers may also offer features such as push-button full and incremental backups, disk encryption, and dashboards showing instance performance. In an IaaS relationship most of the security responsibility stays with the customer. The provider secures the physical facilities, hardware, and virtualization layer; the customer is responsible for the guest operating system, network and firewall configuration, identities and access keys, and every application or service running on the instances, including patching.
  • Platform as a Service (PaaS) – Just as IaaS simplifies procuring and deploying hardware, PaaS starts at the operating system level and supplies a ready-made, specialized environment. Building and maintaining such a system in house can require complex installation and configuration. Common PaaS offerings include managed databases, secure software development tooling, web-application clusters, and business application environments. Responsibility in a PaaS relationship is more balanced: the vendor keeps the operating system and platform software patched and running, while the customer remains responsible for the application code, the data, and who is granted access. In some arrangements the underlying hardware may still be owned by the customer and sit on the customer's premises.
  • Software as a Service (SaaS) – SaaS is the simplest and a very powerful way to begin the migration to an MSP. SaaS provides specialized cloud applications such as email, cloud storage, online meeting software, office tools, and customer relationship management software; Microsoft 365 and Google Workspace are examples. Most of the responsibility in a SaaS relationship lies with the vendor. The customer pays a monthly or annual fee, logs in via a web portal, and uses the application suite. Using SaaS through an MSP can improve data security, since the provider applies enterprise-level vulnerability management, malware scanning, and backups. The customer still owns the parts the provider cannot manage for them: user accounts and multi-factor authentication, sharing and retention settings, and which data is placed in the service.


When best practices become infeasible it is a good time to move to a contracted MSP, to secure access to professional talent and ensure that security does not fall by the wayside. Industry trends indicate this is already happening at scale. Now is a good time to evaluate your organization's security posture and the sustainability of its assets. The benefits go beyond security and offer opportunities to streamline operations and gain more insight.


[1] CSPAN – Senate Intelligence Hearing on SolarWinds Hacking (1:06:30)

[2] 2020 Trends in Managed Services & Hosting

[3] You and I were meant to fly: The rise of managed services

[4] Are SMBs Ready to Embrace Managed Services
