IT Service Management – Is Everything Milk And Honey?
Anirban Banerjee
We will discuss what IT Service Management is and some of the hidden challenges that companies often run into when adopting this paradigm. We will also discuss some common-sense and effective ways to steer clear of the issues that often come back to bite enterprises when adopting it.
What is IT Service Management (ITSM)
ITSM is a glorified term for an external organization taking over (some or all) responsibility for your IT needs. Think of it as outsourcing your IT needs to a third party. Some companies don’t hand over complete responsibility to external resources like these but maintain a core group of personnel internally as employees.
Why does it benefit companies to adopt ITSM
The benefit of adopting IT Service Management is cost reduction and the ability to scale the IT organization easily. Often it is also hard for an internal IT organization to roll out and manage new products that require a set of skills it currently lacks. IT Service Management can help fill these gaps. There are many multi-billion-dollar organizations that have garnered great success in this area. One of the prominent companies is ServiceNow.
There are many other companies that straddle the entire spectrum of ITSM, from simply outsourced IT bodies all the way to software products tightly integrated into a company’s workflows. Keep in mind, though, that the largest ITSM companies also provide ITOM (Ops Management), ITBM (Business Management) and more in addition to ITSM.
What should you be concerned about?
When using an external company to manage and maintain your own IT workflows, such as management of service desk accounts, patching workstations and more, you need to be aware of certain pitfalls and plan to tackle them effectively. In this section we will discuss the various issues that you should be keeping an eye out for when you work with IT Service Management vendors.
1. Attribution for changes to your system of record – If you are using bodies external to your core organization to manage entries in your core directory structure, you need to be extra careful. As an example, most companies will employ LDAP, Microsoft Active Directory/Azure AD, Workday or some variant to maintain a consistent source of truth about employees, group associations, policies (GPOs etc.) and other important information.
Having someone external to the organization manage and interact with something so critical can be fraught with issues relating to data loss, privacy violations and more. One of the most important things to consider is getting a good handle on who did what, when, from where, which users were affected, and so on. Often, use of generic service accounts makes this extremely hard, as there is little to no way to nail down responsibility and audit actions.
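To make the attribution problem concrete, the following added example (not code from the original article or from any ITSM vendor) reviews a constructed batch of directory-change audit records. It assumes a naming convention for shared service accounts (the `svc-`/`shared-` prefixes) and a short list of high-impact directory objects; both are assumptions for illustration, not a standard. Any change made under a generic account is reported as unattributable, because the log cannot tell you which person at the vendor actually made it.

```python
from collections import Counter

# Constructed sample of directory-change audit records (not real data).
# Each record: who acted, from where, what changed, who was affected, and when.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:00", "actor": "jdoe@corp.example", "src_ip": "10.0.4.12",
     "action": "group_add", "target": "CN=Finance-Admins", "affected": "asmith"},
    {"ts": "2024-03-01T09:40:00", "actor": "svc-itsm-vendor", "src_ip": "203.0.113.7",
     "action": "password_reset", "target": "CN=Users", "affected": "bjones"},
    {"ts": "2024-03-01T10:05:00", "actor": "svc-itsm-vendor", "src_ip": "203.0.113.9",
     "action": "gpo_modify", "target": "Default Domain Policy", "affected": "*"},
    {"ts": "2024-03-01T11:30:00", "actor": "vendor.kli@itsm.example", "src_ip": "203.0.113.7",
     "action": "group_add", "target": "CN=Domain Admins", "affected": "vendor.kli"},
]

# Assumed naming convention for shared/generic accounts (assumption, adapt to your directory).
GENERIC_PREFIXES = ("svc-", "svc_", "shared-")
# Assumed set of directory objects whose modification is always high impact.
SENSITIVE_TARGETS = {"CN=Domain Admins", "Default Domain Policy"}


def is_generic_account(actor: str) -> bool:
    """True when the actor is a shared account that cannot be tied to one person."""
    return actor.lower().startswith(GENERIC_PREFIXES)


def review_directory_audit(events):
    """Classify each change as attributable or not, and flag what needs follow-up.

    Returns a dict with counts, a per-actor tally, and a list of flagged
    (timestamp, actor, action, target, reason) tuples.
    """
    summary = {"attributable": 0, "unattributable": 0, "flags": [], "per_actor": {}}
    per_actor = Counter()
    for e in events:
        per_actor[e["actor"]] += 1
        sensitive = e["target"] in SENSITIVE_TARGETS
        if is_generic_account(e["actor"]):
            # A generic account answers "what" and "when" but not "who".
            summary["unattributable"] += 1
            reason = "generic service account; cannot attribute to a person"
            if sensitive:
                reason += "; sensitive target"
            summary["flags"].append((e["ts"], e["actor"], e["action"], e["target"], reason))
        else:
            summary["attributable"] += 1
            if sensitive:
                # Attributable, but still worth a reviewer's eyes.
                summary["flags"].append((e["ts"], e["actor"], e["action"], e["target"],
                                         "sensitive target changed"))
    summary["per_actor"] = dict(per_actor)
    return summary


def unattributable_source_ips(events):
    """Source addresses seen behind generic accounts: the only lead left for attribution."""
    return sorted({e["src_ip"] for e in events if is_generic_account(e["actor"])})


if __name__ == "__main__":
    report = review_directory_audit(SAMPLE_EVENTS)
    print(f"attributable={report['attributable']} unattributable={report['unattributable']}")
    for flag in report["flags"]:
        print("FLAG", *flag)
    print("generic-account source IPs:", unattributable_source_ips(SAMPLE_EVENTS))
```

The source IP list is deliberately the last thing printed: once a change was made under a shared account, the network origin is usually the only remaining thread to pull, which is exactly why the article recommends avoiding such accounts for vendor access in the first place.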
2. Compliance violations related to GDPR, NERC CIP, PCI and more – If you are complying with GDPR, NERC CIP, PCI, FFIEC or any such compliance regulatory standards, you need to do two things (at a minimum). Scope out and document copiously which teams have access to the most sensitive applications and servers. Then, restrict access based on need, location, seniority, risk and other factors.
In many companies that have to deal with various compliance regimes, using external entities in your internal workflows can be a pain, because you now need to bring additional teams into the mix to make sure the external bodies are working within the compliance regulations that you and your colleagues must follow. Basically, your ITSM vendor had better be up to date with all the necessary certifications, and be able to demonstrate at the drop of a hat (so that you do not lose time) that they have checks and balances in place to protect your data.
3. Configuration management pitfalls – In some scenarios companies have to migrate internal IT knowledge to external teams or tools. This migration of knowledge is never perfect. We deal with human egos, people being on vacation and fractured information landscapes, so only in theory does it ever work perfectly. To compound this issue, if you are also handing off responsibilities for operations in addition to IT, your DevOps and SecOps teams now also need to be tightly in the loop with the third-party vendor.
Often this does not happen, and configuration management tasks, which range from simply upgrading base Docker images all the way to running complex scripts that change BGP routes when DDoS attacks hit, break down. The real reason is that the knowledge the internal team has built up over years is never fully transferred to the external entity or tool.
4. Insider Threats – Let’s face it, bad things happen. You can trust people with access, and most of the time everything works out just fine. However, there is the odd blip that rears its head once in a while, wherein a person with the right amount of access decides to misuse their privileges.
When using external entities, you can have all the documents checked off to say that they run employment verification, drug tests etc. on their employees, but does that really tell you whether the new people being added to the mix are “insider threat proof”? No. In fact, when adding more than your own organization into the picture for access to sensitive data, headaches are going to increase for CISOs, CIOs and security leads.
Effective strategies to combat issues
The good news is that there are some effective strategies that enterprises have used to combat these challenges. We will discuss them in this section.
1. Session recording and dynamic session cut-off – When external entities are accessing critical infrastructure and applications on your behalf, one of the things that can help immensely with compliance, security and visibility, all in one shot, is session recording. As an example, session recording of activities can be switched on for SaaS applications. With session recording you also gain the capability to dynamically terminate and block access if a person attempts to misuse their privileges.
2. Time-based access grants – When providing access to critical systems, it’s important to do so on a time-limited basis. Maybe an external IT resource is going to manage a server; that’s fine, but for how long? There needs to be a way to re-authorize access and rights grants on a periodic basis.
3. Verifying identities in a near-invisible manner – Layering Multi-Factor Authentication in a near-invisible manner is extremely important to achieve two objectives: strong identity verification and reduced friction for employees and third parties. Instead of using the standard token-based approach, consider easier yet effective approaches like geofencing, geoproximity, fingerprint sensing, airshake and more, so that users do not have to be burdened with SMS messages and OTPs.
4. Profile and audit as much as possible – When external entities are accessing your critical systems, you need a workflow that alerts you immediately when any anomalous behavior is noticed and lets you see at the drop of a hat who has access to what. This is important from a risk-scoring perspective: if an account from the third party is compromised, you need to know which systems and apps will be most affected.
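Strategies 2 and 4 above (time-limited grants that must be periodically re-authorized, and knowing at a glance what a vendor account can reach) can be modelled with a small grant register. The example below is added here and is not code from the article or from any PAM product; the `AccessGrant` fields, the `reauth_every` interval and the allowed-country check are assumptions chosen to illustrate the policy, and the grants and session attempts are constructed sample data. It also shows the simple "blast radius" query the audit section asks for: which systems are reachable from a given vendor identity right now.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AccessGrant:
    """A time-boxed entitlement for an external identity on one system (assumed model)."""
    grantee: str            # vendor identity, never a shared account
    system: str             # what the grant covers
    approved_by: str        # internal owner who authorized it
    start: datetime
    duration: timedelta     # hard expiry; a new grant is required afterwards
    reauth_every: timedelta # how often the owner must re-confirm the need
    last_reauthorized: datetime = None

    def __post_init__(self):
        if self.last_reauthorized is None:
            self.last_reauthorized = self.start

    @property
    def expires(self) -> datetime:
        return self.start + self.duration


def grant_status(grant: AccessGrant, now: datetime) -> str:
    """'active', 'reauth_required' (owner must re-confirm) or 'expired' (issue a new grant)."""
    if now >= grant.expires:
        return "expired"
    if now - grant.last_reauthorized >= grant.reauth_every:
        return "reauth_required"
    return "active"


def reauthorize(grant: AccessGrant, approver: str, now: datetime) -> AccessGrant:
    """Periodic re-confirmation by an internal owner; cannot resurrect an expired grant."""
    if now >= grant.expires:
        raise ValueError("grant has expired; issue a new grant instead of re-authorizing")
    grant.last_reauthorized = now
    grant.approved_by = approver
    return grant


def evaluate_session(grant: AccessGrant, now: datetime, src_country: str,
                     allowed_countries: set) -> tuple:
    """Allow/deny decision for a session attempt, with the reason for audit logging."""
    status = grant_status(grant, now)
    if status != "active":
        return False, status
    if src_country not in allowed_countries:
        # Assumed geofence check: the grant exists but the origin is out of policy.
        return False, "location_not_allowed"
    return True, "active"


def blast_radius(grants, grantee: str, now: datetime) -> list:
    """Systems a vendor identity can reach right now, i.e. what a compromise would expose."""
    return sorted(g.system for g in grants
                  if g.grantee == grantee and grant_status(g, now) == "active")


# Constructed sample register (not real data).
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_GRANTS = [
    AccessGrant("vendor.kli@itsm.example", "patch-server-01", "it.owner@corp.example",
                T0, timedelta(days=14), timedelta(days=7)),
    AccessGrant("vendor.kli@itsm.example", "servicedesk-saas", "it.owner@corp.example",
                T0, timedelta(days=30), timedelta(days=7)),
    AccessGrant("vendor.mray@itsm.example", "patch-server-02", "it.owner@corp.example",
                T0 - timedelta(days=20), timedelta(days=14), timedelta(days=7)),  # already expired
]
ALLOWED_COUNTRIES = {"US", "CA"}  # assumed geofence for this vendor


if __name__ == "__main__":
    now = T0 + timedelta(days=3)
    for g in SAMPLE_GRANTS:
        print(g.grantee, g.system, grant_status(g, now))
    print("reachable by vendor.kli:", blast_radius(SAMPLE_GRANTS, "vendor.kli@itsm.example", now))
    print(evaluate_session(SAMPLE_GRANTS[0], T0 + timedelta(days=8), "US", ALLOWED_COUNTRIES))
```

The two timers are deliberately separate: `reauth_every` forces a human to keep saying "yes, this vendor still needs this", while `duration` is the hard stop that no re-authorization can extend, which keeps a forgotten approval from silently becoming permanent access.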
Privileged Account Management can help with Your IT Service Management concerns
IT Service Management is a powerful paradigm. It can help you and your company scale, be more cost effective and gain more visibility. In this article we have highlighted some areas of concern. With the right Privileged Access Management (PAM) solution in place, you can rest assured that all your mission-critical infrastructure and applications are protected. What’s more, it will empower you with effective controls that allow you to enforce access controls even on non-native “super user” accounts, improve your security and ensure that audit and compliance requirements are met. Bottom line: the ability to sleep easy and prevent insider threats.