Date posted: 23-Jan-2018 | Category: Technology | Uploaded by: andrew-o-leeth
The Cloud Trust Conundrum: You’re Asking All the Wrong Questions
Andrew Leeth and Jill Czerwinski
September 28, 2015 | Session Number: 2230
About Us

» Representing the Customer... Jill Czerwinski
» 13 years in Information Security Consulting for Crowe Horwath
» Focus on Third Party Risk Management
» Manages several outsourced Vendor Info Sec Assessment functions
» CISSP, CISA, PMP, MCSA, Sec+
» https://www.linkedin.com/in/jillczerwinski

» Representing the Vendor... Andrew Leeth
» Product Security Engineer at Salesforce
» Specializes in Application Security of Salesforce products and those of its vendors
» GWAPT, GMOB, CSSLP, CISSP, CEH, CCSK, Sec+
» @SecurityLeeth
Overview
1. The (Cloud) Vendor Information Security Paradigm
2. Current Process for 3rd Party Reviews
3. Pitfalls in Current Processes
4. Fixing the problem from both sides - Our Tips
The Cloud Vendor Information Security Paradigm: The Plight of the Customer

» Outsourcing (in a big way) is here to stay, and the volume is overwhelming
» Uphill battle to maintain consistent Info Sec standards across the Extended Enterprise
» Could we have prevented the Target breach, which began with a third-party vendor’s stolen credentials?
The Vendor Information Security Paradigm: The Plight of the Vendor

» Able to provide the same high level of security for *all* customers; even small customers benefit from security usually reserved for larger companies
» Teams of experts working around the clock to provide the highest level of availability and security
» Reduced cost compared to traditional on-premise technology, by sharing resources with other customers
» Can often provide better security than a customer could provide for themselves
The Vendor Information Security Paradigm: The Plight of the Vendor

» Complete every certification/standard questionnaire/audit available
» Trying to minimize the work required of the customer
» Many customers come from various industries with different regulations and requirements
» The sheer number of customers who want to perform an assessment is overwhelming
» Account executives aren’t able to assist; the work is left to in-demand security resources
So Customers... How are we solving this?

❖ We’re trying to ‘Tier’ relationships
  ➢ Is that a true risk assessment?
❖ We’re reconsidering our ‘Questionnaire’
  ➢ Sometimes custom, sometimes leveraging a tool like the Shared Assessments Group SIG
❖ We may outsource some or all reviews
❖ We’re unsure if we’re the Chicken or the Pig...
  ➢ Mar 2013 Ponemon Institute study: 79% believed that end users are primarily responsible for cloud security
❖ Volume keeps getting in the way
  ➢ As we get comfortable, volume and complexity go up
We Vendors Know…

You’re asking all the wrong questions!!
» Endless stream of assessments (cloud providers have many customers)
» Customers are vague in their questions
» Questions are custom and do not follow a standard
» Often hundreds, if not thousands, of questions
» Questions come in various forms: email-attached documents, GRC/web app forms, plain email, etc.
» Often the customer’s assessment/audit team is not in the loop with the customer’s business on what solution is being offered
» Customers don’t use the resources already provided, either online or after NDA (such as SOC, STAR, and other reports)
» Customers need to understand what is the customer’s responsibility vs. the cloud provider’s responsibility! The split differs between IaaS, PaaS and SaaS
Babysitter Pro

» Cost Effective
» Keeps kids happy
» Innovative Technology
» Allows you to get out of the house
Alright Customers, let’s go back to basics… What do we ultimately want out of this process?

We want to know that our vendor:
- Is appropriately knowledgeable (People)
- Does the right things (Process)
- Has inherently secure solutions (Technology)

Ultimately, we want to know that you can be trusted!
So where do we go from here? Leading Practices in Cloud Vendor Security Assessments

Customer
1. Assess the Solution, not just the Vendor
2. Evaluate your vendor’s response
3. Think continuous improvement

Vendor
1. Trust/Security is not going away
2. Security can be a differentiator
3. Dedicated team to address customer assessments
4. Channel to direct customer feedback/issues to development
Roadmap for the Customer:
#1: Assess the Solution, Not the Vendor

Integrate vendor assessments into the solution development and monitoring process. Understand:
- What drove us to procure this solution?
- What are our internal roles and responsibilities? (Potentially a significant carve-out, e.g. with PaaS, where the customer still owns the application built on the platform)

For periodic vendor reviews, why would we assess security independently of an assessment of the overall relationship?
- Is the solution even meeting our needs?
- Security reviewed in isolation becomes a scapegoat and a potential waste of effort
“We’ve got a vendor for you…”
Roadmap for the Customer:
#2: Evaluate your vendor’s response

We want to gain enough information to establish trust and identify gaps. We sometimes settle for…
- A really long questionnaire (that we made, found, or bought)
- An attestation report (SOC, PCI, SIG, etc.) that we struggle to interpret
- Going onsite and ‘walking around’
So how do we establish this trust?

We want to know that our vendor:
● Is appropriately knowledgeable (People)
● Does the right things (Process)
● Has inherently secure solutions (Technology)
Example #1: The Cutting Edge SaaS provider

- Confidentiality: Highly confidential, high volume
- Availability: Not business critical
- Integrity: Reporting system, no reliance on data integrity
- People: 10-person startup
- Process: No formal programs, no physical locations
- Technology: Penetration test (with no programs to audit, this is where the meaningful evidence lies)
Example #2: The Mega-Provider

- Confidentiality: Highly confidential, high volume, data masked prior to transmission
- Availability: Mission critical
- Integrity: SOX application
- People: Formal Info Sec Officer and team
- Process: Formal programs, SOC reports, etc.
- Technology: Legacy mainframe-based system that does not employ modern security principles

The contrast is the point: strong People and Process evidence does not make up for weak Technology, and vice versa. Weigh each against the solution’s actual confidentiality, integrity and availability needs rather than against the vendor’s size.
Roadmap for the Customer:
#3: Think Continuous Improvement

Security vendor management is not a ‘one time’ exercise. Think about:
» How do I set the relationship up for success during due diligence? (Example: a penetration test)
» Are there vendor communities that our team can become a part of, to keep a pulse on the vendor and its Information Security strategy?
» Is your team trained and incentivized to monitor vendor security?
» Are you gathering feedback from your business units and vendors on your process?
» Automation: continue to refine and explore
Roadmap for the Vendor:
#1: Trust/Security is not going away

» Security is here to stay
» Customers are not going to drop their data into a black hole; there will always be a need for customer assessments
» Accept this as the future and build people and processes around it
Roadmap for the Vendor:
#2: Security can be a differentiator

» Transparency into security operations can go a long way
» A company investing in security is looked upon favorably
» Implementing cutting-edge security practices, rather than merely keeping up, sets you apart
Roadmap for the Vendor:
#3: Dedicated team to address customer assessments

» Consistency in responses is key
» Team is trained on common security/compliance/regulatory requirements
» React quickly to reports of new zero days (ex: Heartbleed)
» Build tools and processes to quickly respond to assessments
Roadmap for the Vendor:
#4: Channel to direct customer feedback/issues to development

» Customers will ultimately discover ways to better the product’s security; you need a way to get this into the right hands
» Vulnerabilities, zero days, and new attacks happen every day to the most secure systems. Critical findings need to be escalated and handled on an expedited timeframe.
» Responding and adapting to threats is half the battle
How do we improve? From the other side of the fence...

Customer (to vendors)
1. Inquiries from customers into security should be expected, not resisted. We consider that part of the solution.
2. We expect you to be as passionate about security as we are.
3. Our testing is not your testing.

Vendor (to customers)
1. Customers should set realistic timeframes on assessments
2. Ask only the essential questions, the ones you truly care about, to gain trust
3. Do your homework: talk to the business procuring the solution and research public security information about the solution