How to manage third-party service, support and security

U.S. retailer Target saw one of the largest thefts of credit card data in recent history

Productivity expert David Allen once stated that his approach, “Getting Things Done,” was based on the simple premise that you can’t do everything. In IT, we face this problem every day. Whether it is due to a lack of domain-specific expertise or simply not enough resources to handle all of our IT services, there are many reasons why we might look to third parties to help support our requirements.

Third party access can come in various guises – from full IT support and service operations, to specialist knowledge that is required on an irregular basis. The majority of this support is delivered remotely over the internet, making third-party outsourcers an even more cost-effective solution.

A research report by Ovum last year highlighted how many third parties have access to company IT networks. While 12% of organisations ran everything themselves, the majority of companies (56.3%) surveyed across Western Europe had granted access to between one and four suppliers, while 28.3% had between five and 29 suppliers. One company admitted that it had more than one hundred organisations with permission to access their networks.

Why does this matter? 

One word: Security.

Third party access is only going to grow, as more devices become internet-enabled and more specialist knowledge is required to keep them running. However, third party access is also one of the areas where control and management are often overlooked. There are plenty of options out there for remote access to networks, but the security and management of those tools is not as mature. Too often, access is binary and broad. The third party either has access to the entire network, or it doesn’t.

This is a significant security risk, as witnessed by the attack on U.S. retailer Target last year, one of the largest thefts of credit card data in recent history. Poor third party access management opened the door for hackers to access the entire Target network via the vendor responsible for managing the firm’s air conditioning services. Once in, the attackers were able to use a variety of tricks to navigate from that section of the network to the credit card database servers.

The current press attention around remote access security should drive better industry practices, but there are further proactive steps that service desks can take now to protect themselves.

Steps to take

For companies running their own service desks, security around third party access should be part of the overall request management process. When internal customers ask for new services or need help that a third party will provide, consider the management of the session as part of the request process.

This includes being able to control access. Why should a third party have access to everything on the network, when they are being asked to fix a specific problem? Locking down access – either to a specific section of the network, or to only certain devices or applications – is one option that service desks can look at in more detail. Service desks should also capture a full audit trail of every action a third-party technician takes while on their network, and set up alerts for any suspicious activity, such as a vendor logging in in the middle of the night.
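To make the scoping, audit and alerting advice above concrete, here is an added example (not from the original article) that checks a remote-access audit log against the access approved on each service-desk request. The log format, grant schema, vendor name, ticket IDs and host names are all constructed for illustration.

```python
from datetime import datetime

# Constructed access grants, one per service-desk request (hypothetical schema).
GRANTS = {
    "REQ-1001": {
        "vendor": "hvac-vendor",
        "hosts": {"hvac-ctl-01"},
        "start": datetime(2024, 3, 4, 9, 0),
        "end": datetime(2024, 3, 4, 17, 0),
    },
}

# Constructed remote-access audit log: time, vendor, ticket, target host.
AUDIT_LOG = """\
2024-03-04T10:15:00 hvac-vendor REQ-1001 hvac-ctl-01
2024-03-04T10:42:00 hvac-vendor REQ-1001 pos-db-02
2024-03-05T02:30:00 hvac-vendor REQ-1001 hvac-ctl-01
2024-03-05T11:00:00 hvac-vendor REQ-9999 hvac-ctl-01
"""

def parse_log(text):
    """Turn each audit line into a dict; skip blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vendor, ticket, host = line.split()
        yield {"time": datetime.fromisoformat(ts), "vendor": vendor,
               "ticket": ticket, "host": host}

def review_session(session, grants):
    """Return the list of reasons this session should raise an alert."""
    grant = grants.get(session["ticket"])
    if grant is None or grant["vendor"] != session["vendor"]:
        return ["no approved request for this vendor and ticket"]
    reasons = []
    if session["host"] not in grant["hosts"]:
        reasons.append("host outside request scope")
    if not grant["start"] <= session["time"] <= grant["end"]:
        reasons.append("outside approved time window")
    return reasons

def alerts(log_text, grants):
    """Pair every flagged session with its reasons."""
    flagged = []
    for session in parse_log(log_text):
        reasons = review_session(session, grants)
        if reasons:
            flagged.append((session["host"], session["time"].isoformat(), reasons))
    return flagged
```

Calling `alerts(AUDIT_LOG, GRANTS)` flags three of the four constructed sessions: one to a host outside the request, one at 02:30 outside the approved window, and one citing a ticket with no grant.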

For third-party service providers, keeping their customers’ networks secure should be top of mind. Just as the doctor’s Hippocratic oath states, “Do No Harm”, so too should third-party providers reduce security risks to their customers around remote access. Implementing secure remote access tools and best practices will help service providers set themselves apart from competitors and improve customer loyalty.

Ultimately, third party access has to be secure, auditable and controlled. At the same time, the requirement for more flexibility in how services are delivered will make remote access by third parties even more common than it is today. Within the overall service delivery strategy, keeping this third party access under control is a key management task to consider.


Winners and Losers in the ITSM Premier League

Six leading ITSM vendors went head to head this week at the itSMF UK Tools forum. The free event was held at the Etihad stadium in Manchester, home of the 2012 premier league winners Manchester City.

This was openly promoted as a tool focused event. A perfect opportunity for some of the leading lights of the industry to showcase their technology and highlight their competitive differentiators.

An opportunity to shine?

It’s a tough, competitive market out there. Differentiate or die.

I was eager to find out which vendors could articulate their unique qualities, who could position themselves in the market? Could they inspire confidence in buyers? Would buyers be safe in their hands?

The result? In my opinion – Delegates experienced the full spectrum from cutting edge to dull as dishwater:


Roy Illsley, Ovum (6/10)

Roy gave us an interesting, thought-provoking presentation. The content seemed to be a bit out of place for the theme of the day but otherwise it was a great talk and I look forward to delving into the slide deck when it becomes available (Applying Lean principles to IT Strategy).

Patrick Bolger, Hornbill (9/10)

You can tell why Patrick has ‘Evangelist’ in his job title. Patrick gave us an inspirational pitch for not only his company but also the industry as a whole. If all Hornbill customers have the same software installed and the same ITIL training – how is it that they experience vastly different results? Patrick argued that it is because of the people. Hornbill believes in putting their successful customers on a pedestal when positioning their solution. Nice job Patrick.

Tony Bambury, FrontRange (1/10)

Tony provided us a live demo of their SaaS solution and ran through a user ordering an iPhone. I struggled to see how FrontRange differed from the rest of the pack. An opportunity missed.

Kevin Parker, Tom Burnell and James Warriner from Serena (8/10)

Serena have some closet amateur dramatics buffs in their midst. Serena declared an end to dull PowerPoint pitches and provided a refreshingly different demonstration of their technology. We were entertained by means of a reenactment of one of their ‘Doug Serena’ episodes.  For me, it would have been the presentation of the day – but unfortunately it was difficult to hear their presentation and the ‘actors’ were not always visible, so we lost the thread at times. Otherwise – an excellent slot by Serena and they should be congratulated for their effort, preparation and originality (the product looked good too!).

Dave D’Agostino from ServiceNow (5/10)

Dave gave a safe and steady presentation on ‘SaaS driving forces’ and positioned ServiceNow as a cloud platform rather than pure ITSM focused tool. I’m personally not convinced that the market needs telling the advantages of cloud anymore and I would welcome some more pragmatic advice about shifting services to the cloud. E.g. if you are in this particular industry facing abc market forces and xyz legislation this is what similar customers achieved. Perhaps it’s time to move the conversation on from ‘You don’t need to buy servers!’.

I also thought Dave’s ROI model of on premise versus cloud looked a bit shaky, given the likely implementation / customization costs of ServiceNow over a 3 year period – I would welcome some independent industry statistics on this.

Don Page, Marval (4/10)

I tuned out for Don’s session. It was entertaining but a bit of a rant. If I were a prospect for a new ITSM tool provider I would be left with the impression that Don is a great guy and unique personality, but I would be a bit lost if you asked me to remember the redeeming features of his solution, apart from ‘Buy British’.

Tony Probert, Cherwell (7/10)

Tony set out the stall for Cherwell in his no-nonsense forthright style. Tony urged us to think about business services over support and that if we were doing break-fix for a living we were ripe for outsourcing.

He openly stated that most of Cherwell’s features were ‘just like everyone else’ but then managed to clearly articulate their competitive differentiators:

  1. Code-less configuration
  2. Autonomy from Cherwell (not dependent on consultancy and feature lock down)
  3. and seamless upgrades despite customization.

Three bullets to separate Cherwell from the competition and an attractive proposition for those migrating from on-premise tools. That one slide was a refreshing change to the others of the day who struggled to articulate their competitive differentiators.


Same again next year?

Like the SDI tools day, this is a great format by the itSMF and I hope they repeat it again soon. As with regionals – perhaps some real life user feedback could be shoehorned into the day. Further upcoming itSMF events can be found here.

Great seminar location: The view from the 'Legends' lounge at the Etihad Stadium in Manchester.