Why Co-Management Makes Sense for Information Security
Co-Management involves sharing the responsibility for the configuration, management and operation of a particular device or offering.
I first started using the term in 2002 to talk about firewall management. Co-Management represents a hybrid between a managed service (where the service provider provides all of the functions defined above) and an internal solution (where no service provider is involved).
The term has been used over the past 10 years in a number of contexts, but most recently to describe Co-Managed Privileged Password Service. Privileged Password Management relates to the lifecycle of privileged account passwords, like Administrator on Windows or root on Unix.
Co-Management has a number of advantages if properly implemented, but it is typically more difficult to execute than either a managed service or an internal solution. The reason is the largest risk of Co-Management: loss of accountability. When two organizations can both change the same system, every change must be attributable to one of them.
True Co-Management means that either organization, the service provider or the customer, has the ability to implement change. This requires a system with rock-solid auditing to ensure accountability. Also, many service providers do not want the level of transparency Co-Management dictates. These are two reasons why more service providers do not offer this approach.
However, the advantages of Co-Management are the following:
• Cost: A co-managed solution will typically be less expensive than an internal solution, because the people and tooling needed to provide the service are shared among multiple customers. Each customer does not need to hire every person required to run the service; the service provider allocates that cost across its customer base, so each customer pays less.
• Expertise and Experience: People use specialists (whether a doctor, plumber or handyman) either because they need a skill they do not have (like medical training) or experience they lack (like installing a sink), or time they do not have (like the handyman that hangs the picture you have been trying to hang for months). The same applies for Co-Management. In the firewall example, you may need a skill (how to effectively write firewall policy) or experience (when does a port scan mean an attack versus a misconfigured server). For Privileged Password Service, it may be expertise (how do I make it work) or experience (is it working correctly) that drive the need. In either case, the customer gets the advantage of a specialist to work directly with them.
• Knowledge: The main advantage of Co-Management over a typical managed solution has to do with the knowledge the customer has over their environment. The customer typically designed, built, and lives in their environment. They can say immediately whether they have employees in another country that should be accessing their resources at 2 a.m. They also own and understand their risks better than any service provider.
• Control: This is the other factor that gives Co-Management an edge over a managed solution. In a true co-managed offering, the customer has the ability to effect change independently. This gives the customer control to make changes for a variety of reasons: safety (they need a password in the next two minutes to reboot a critical system), operations (this firewall rule is not allowing the e-commerce site to function), or privacy (thank you, but the HR system will only be accessed by us). Control also gives the customer transparency into the actions of the service provider.
With these advantages, why hasn't Co-Management become the standard approach for security services? As I mentioned before, it is easy to describe but difficult to execute. In the firewall example, if a firewall rule change knocked out the e-commerce site, who made the change? If there is any doubt, Co-Management will fail. It also requires the service provider to give the customer transparent access to its activities: the customer must be able to see that the change they requested has been completed, when it was completed, and most importantly, how it was completed. Some service providers see this as giving away the expertise that is their value.
Co-Management for Privileged Password Management makes a lot of sense. First, look at the evolution of Privileged Password Management. In the 80s and 90s, it was handled only internally, through in-house developed technology. During the 2000s, commercial products began to displace in-house technology in these internal solutions. Now, managed solutions are beginning to appear in the marketplace.
Co-Managed Privileged Password Service represents all of the advantages of Co-Management:
• Cost: The commercial solutions described above are designed primarily for Fortune 1000 customers, which leads to Fortune 1000 capabilities and Fortune 1000 prices. This has been a deterrent to smaller companies trying to satisfy this requirement.
• Expertise and Experience: Privileged Password Management is still relatively new technology compared with firewalls or authentication. Experts are not common. Experience tends to reside in the large companies that were early adopters, and definitely not in the SMB space.
• Knowledge: The customer knows which accounts and systems are the most important to manage based on risk or operational uptime. More importantly, they know which individuals should have access to these passwords, and under what conditions.
• Control: Control and management of these passwords are critical, because these passwords are the 'keys to the kingdom' and must remain under the customer's control. This is why a fully outsourced, centralized service has not been successful. Cloud CRM holds critical information, but most companies (no matter their size) do not feel comfortable with the local administrator password for their CEO's laptop sitting in a datacenter they do not control.
Privileged Password Management is a key control for individual accountability, and compliance and audit organizations are increasingly aware of how it underpins other controls. A strong two-factor authentication mechanism does not work well if administrators can bypass it by logging in with a shared local administrator account. System logging cannot describe who did what if several individuals share the root account that appears in the log; the log records the account, not the person.
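The accountability point above, and the "who made the change?" question raised earlier for firewall rules, come down to one join: the system log tells you which shared account acted, and the password vault's checkout ledger tells you which individual held that account's password at that moment. The following is an added example, not code from the original article or from any vault product. It parses constructed sshd log lines, joins them against a constructed checkout ledger (the ledger field names, the hostname web01, the user names and ticket numbers are all assumptions for illustration), and flags any root session that no individual can be held accountable for. Syslog lines carry no year, so the year is supplied by the caller.

```python
import re
from datetime import datetime

# Constructed sample sshd auth log (syslog style); not from a real host.
# The second root login falls outside any checkout window: someone still
# had a working root password after alice's checkout ended.
AUTH_LOG = """\
Mar 14 02:03:11 web01 sshd[4412]: Accepted password for root from 10.0.5.21 port 51022 ssh2
Mar 14 02:40:52 web01 sshd[4588]: Accepted password for root from 10.0.5.21 port 51190 ssh2
Mar 14 09:15:07 web01 sshd[5102]: Accepted password for root from 10.0.9.8 port 40211 ssh2
Mar 14 09:16:30 web01 sshd[5120]: Failed password for root from 203.0.113.7 port 2222 ssh2
"""

# Constructed vault checkout ledger. Field names are an assumption; a real
# product's export will differ. Each record says which individual held the
# password for which account on which host, during which window, and why.
CHECKOUTS = [
    {"user": "alice", "host": "web01", "account": "root",
     "start": "2024-03-14 02:00:00", "end": "2024-03-14 02:30:00", "ticket": "CHG-1042"},
    {"user": "provider-oncall", "host": "web01", "account": "root",
     "start": "2024-03-14 09:10:00", "end": "2024-03-14 09:40:00", "ticket": "INC-220"},
]

LOGIN_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted \w+ for (?P<account>\S+) from (?P<src>\S+)"
)
TS = "%Y-%m-%d %H:%M:%S"


def parse_logins(auth_log, year):
    """Yield one dict per successful sshd login; failed logins and
    unrelated lines are skipped. The year is an assumption supplied by
    the caller because syslog timestamps omit it."""
    for line in auth_log.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield {"when": when, "host": m["host"], "account": m["account"], "src": m["src"]}


def attribute(logins, checkouts):
    """Join each shared-account login to the individual who had that
    password checked out at that moment. A login with no matching checkout
    means the password was used outside the control: a leftover copy, a
    password not rotated on check-in, or an out-of-band share."""
    windows = [
        (c, datetime.strptime(c["start"], TS), datetime.strptime(c["end"], TS))
        for c in checkouts
    ]
    records = []
    for login in logins:
        holder = None
        for c, start, end in windows:
            if (c["host"] == login["host"] and c["account"] == login["account"]
                    and start <= login["when"] <= end):
                holder = c
                break
        records.append({
            **login,
            "user": holder["user"] if holder else None,
            "ticket": holder["ticket"] if holder else None,
        })
    return records


def unattributed(records):
    """Sessions that no individual can be held accountable for."""
    return [r for r in records if r["user"] is None]


if __name__ == "__main__":
    for r in attribute(parse_logins(AUTH_LOG, 2024), CHECKOUTS):
        who = r["user"] or "UNATTRIBUTED"
        print(f"{r['when']} {r['host']} {r['account']} from {r['src']} -> {who} ({r['ticket']})")
```

The join only works if the vault rotates the password on check-in; otherwise every holder keeps a valid credential after their window closes, which is exactly the 02:40 session above. In a co-managed deployment both the customer's and the provider's checkouts land in the same ledger, so the same query answers "who did this?" regardless of which side acted.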
The world is becoming more connected every day, which means that more and more small companies are using the internet for basic business functions. As threats continue to evolve and adversaries can reach any company over the internet, small companies are becoming targets at an increasing pace. Co-Management is an answer for companies that need expertise to help them solve their problems without creating new ones by giving up control over their environment.