(isc)2 security congress 2015 - the cloud trust conundrum- you’re asking all the wrong questions

Upload: andrew-o-leeth

Post on 23-Jan-2018

Category: Technology



TRANSCRIPT

Page 1: (ISC)2 Security Congress 2015 - The Cloud Trust Conundrum: You’re Asking All the Wrong Questions

Page 2:

The Cloud Trust Conundrum: You’re Asking All the Wrong Questions

Andrew Leeth, Jill Czerwinski

September 28, 2015, Session Number: 2230

Page 3:

About Us

» Representing the Customer... Jill Czerwinski
» 13 years in Information Security Consulting for Crowe Horwath
» Focus on Third Party Risk Management
» Manage several outsourced Vendor Info Sec Assessment functions
» CISSP, CISA, PMP, MCSA, Sec+
» https://www.linkedin.com/in/jillczerwinski

» Representing the Vendor... Andrew Leeth
» Product Security Engineer at Salesforce
» Specialize in Application Security of our products and that of vendors
» GWAPT, GMOB, CSSLP, CISSP, CEH, CCSK, Sec+
» @SecurityLeeth

Page 4:

Overview
1. The (Cloud) Vendor Information Security Paradigm
2. Current Process for 3rd Party Reviews
3. Pitfalls in Current Processes
4. Fixing the Problem from Both Sides - Our Tips

Page 5:

The Cloud Vendor Information Security Paradigm: The Plight of the Customer

» Outsourcing (in a big way) is here to stay & volume is overwhelming
» Uphill battle to maintain consistent Info Sec Standards across the Extended Enterprise
» Could we have prevented Target?

Page 6:

The Vendor Information Security Paradigm: The Plight of the Vendor

» Able to provide the same high level of security for *all* customers; even small customers can benefit from the security usually reserved for larger companies
» Teams of experts working around the clock to provide the highest level of availability and security
» Reduced cost compared to traditional on-premises technology by sharing resources with other customers
» Oftentimes can provide better security than a customer could provide themselves

Page 7:

The Vendor Information Security Paradigm: The Plight of the Vendor

» Complete every certification/standard questionnaire/audit available
» Trying to minimize work by the customer
» Many customers come from various industries with different regulations and requirements
» Sheer number of customers who want to perform an assessment is overwhelming
» Account executives aren’t able to assist, so requests are left to in-demand security resources

Page 8:

So Customers... How are we solving this?

❖ We’re trying to ‘Tier’ relationships
  ➢ True Risk Assessment?
❖ We’re considering our ‘Questionnaire’
  ➢ Sometimes custom, sometimes leveraging a tool like the Shared Assessments Group (SIG)
❖ We may outsource some or all reviews
❖ We’re unsure if we’re the Chicken or the Pig...
  ➢ Mar 2013 Ponemon Institute Study: 79% believed that End-Users are primarily responsible for cloud security
❖ Volume keeps getting in the way
  ➢ As we get comfortable, volume and complexity go up

Page 9:

We Vendors Know…

You’re asking all the wrong questions!!
» Endless stream of assessments (cloud providers have many customers)
» Customers are vague in their questions
» Questions are custom and do not follow a standard
» Oftentimes hundreds, if not thousands, of questions
» Questions come in various forms: email-attached documents, GRC/Web App form, plain email, etc.
» Oftentimes the customer assessment/audit team is not in the loop with the customer business on what solution is being offered
» Don’t use the resources provided either online or after NDA (such as SOC, STAR, and other reports)
» Understand what is the customer’s responsibility vs. the cloud provider’s responsibility!

Page 10:

Babysitter Pro

Cost Effective
Keeps kids happy
Innovative Technology
Allows you to get out of the house

Alright Customers, let’s go back to basics… What do we ultimately want out of this process?

We want to know that our vendor:
- Is appropriately knowledgeable (People)
- Does the right things (Process)
- Has inherently secure solutions (Technology)

Ultimately, we want to know that you can be trusted!

Page 11:

So where do we go from here? Leading Practices in Cloud Vendor Security Assessments

Customer
1. Assess the Solution, not just the Vendor
2. Evaluate your vendor’s response
3. Think continuous improvement

Vendor
1. Trust/Security is not going away
2. Security can be a differentiator
3. Dedicated team to address customer assessments
4. Channel to direct customer feedback/issues to development

Page 12:

Roadmap for the Customer:

#1: Assess the Solution, Not the Vendor

Integrate Vendor Assessments into the Solution development and monitoring process.
Understand:
- What drove us to procure this solution?
- What are our internal roles and responsibilities? (potential significant carve-out, i.e. PaaS)

For periodic vendor reviews, why would we be assessing Security independent of an assessment of the overall relationship?
- Is the solution even meeting our needs?
- Security as a scapegoat, potential waste of effort

“We’ve got a vendor for you…”

Page 13:

Roadmap for the Customer:

#2: Evaluate your vendor’s response

We want to gain enough information to establish trust and identify gaps. We sometimes settle for…
- A really long questionnaire (that we made, found, bought)
- An attestation report (SOC, PCI, SIG, etc.) we struggle to interpret
- Going onsite and ‘walking around’

Page 14:

Roadmap for the Customer:

#2: Evaluate your vendor’s response

So how do we establish this trust?

We want to know that our vendor:
● Is appropriately knowledgeable (People)
● Does the right things (Process)
● Has inherently secure solutions (Technology)

Page 15:

Roadmap for the Customer:

#2: Evaluate your vendor’s response

Example #1: The Cutting Edge SaaS provider

Confidentiality: Highly Confidential, High Volume

Availability: Not business critical

Integrity: Reporting system, no reliance on data integrity

People: 10 person startup

Process: No formal programs, no physical locations

Technology: Penetration Test

Page 16:

Roadmap for the Customer:

#2: Evaluate your vendor’s response

Example #2: The Mega-Provider

Confidentiality: Highly Confidential, High Volume, Data Masked prior to transmission

Availability: Mission Critical

Integrity: SOX application

People: Formal Info Sec Officer and Team

Process: Formal Programs, SOC reports, etc etc.

Technology: Legacy Mainframe-based system that does not employ modern security principles
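The two examples above rate a solution on Confidentiality, Availability and Integrity and then ask whether the vendor's People, Process and Technology evidence is strong enough for that solution. The following Python script is an added example, not the presenters' own method or tool: it encodes the two slide profiles, derives the assurance each dimension needs from the C/I/A ratings (the mapping, the three-step scale, the tiering rule and the follow-up text are all assumptions made for illustration), and reports where the evidence falls short. Evidence that does not cover the specific solution is deliberately ignored, which is the "assess the solution, not the vendor" point made earlier in the deck.

```python
from dataclasses import dataclass

# Ordinal scale shared by requirements and evidence (assumed for this example).
LEVEL = {"low": 1, "medium": 2, "high": 3}
NAME = {v: k for k, v in LEVEL.items()}

# Follow-up a gap in each dimension calls for (assumed wording, not from the deck).
FOLLOW_UP = {
    "people": "Identify a named security owner and the team behind the solution",
    "process": "Request policies or an attestation report that covers this solution (e.g. SOC 2, SIG)",
    "technology": "Request a penetration test or architecture review of the solution itself",
}


@dataclass(frozen=True)
class Solution:
    """What the customer is buying, rated on the deck's C/I/A axes."""
    name: str
    confidentiality: str   # "low" | "medium" | "high"
    availability: str
    integrity: str


@dataclass(frozen=True)
class Evidence:
    """One piece of vendor evidence for a People/Process/Technology dimension."""
    dimension: str          # "people" | "process" | "technology"
    description: str
    strength: str           # assurance it provides: "low" | "medium" | "high"
    covers_solution: bool   # False if it describes the vendor in general, not this solution


def required_levels(s: Solution) -> dict:
    """Derive the assurance each dimension must reach from the C/I/A ratings (assumed mapping)."""
    c, a, i = LEVEL[s.confidentiality], LEVEL[s.availability], LEVEL[s.integrity]
    return {
        "people": max(c, a, i),      # someone accountable, scaled to the highest need
        "process": max(c, i),        # formal programs mainly protect confidentiality and integrity
        "technology": max(c, a, i),  # the platform itself has to hold up on every axis
    }


def assess(s: Solution, evidence: list) -> dict:
    """Compare required levels with the strongest solution-specific evidence per dimension.

    Returns the review tier (1 = most scrutiny), the dimensions with a gap as
    (required, observed) pairs, and the follow-up each gap calls for.
    """
    need = required_levels(s)
    have = {d: 0 for d in need}
    for e in evidence:
        if e.covers_solution:        # vendor-wide evidence says nothing about this solution
            have[e.dimension] = max(have[e.dimension], LEVEL[e.strength])
    gaps = {d: (NAME[need[d]], NAME.get(have[d], "none")) for d in need if have[d] < need[d]}
    tier = 4 - max(need.values())    # highest need 3 -> tier 1, highest need 1 -> tier 3
    return {"solution": s.name, "tier": tier, "gaps": gaps,
            "next_steps": [FOLLOW_UP[d] for d in gaps]}


# Example #1 from the deck: highly confidential data, not business critical, no integrity reliance.
CUTTING_EDGE_SAAS = Solution("Cutting Edge SaaS provider", "high", "low", "low")
SAAS_EVIDENCE = [
    Evidence("people", "10 person startup, no dedicated security staff", "low", True),
    Evidence("process", "No formal programs, no physical locations", "low", True),
    Evidence("technology", "Penetration test of the solution", "high", True),
]

# Example #2 from the deck: mission critical, SOX application, formal programs, legacy platform.
# The last item is a constructed entry showing evidence that does not cover the solution.
MEGA_PROVIDER = Solution("Mega-Provider", "high", "high", "high")
MEGA_EVIDENCE = [
    Evidence("people", "Formal Info Sec Officer and team", "high", True),
    Evidence("process", "Formal programs, SOC reports", "high", True),
    Evidence("technology", "Legacy mainframe not employing modern security principles", "low", True),
    Evidence("technology", "SOC report covering the vendor's other products", "high", False),
]

if __name__ == "__main__":
    for sol, ev in ((CUTTING_EDGE_SAAS, SAAS_EVIDENCE), (MEGA_PROVIDER, MEGA_EVIDENCE)):
        result = assess(sol, ev)
        print(f"{result['solution']}: tier {result['tier']}")
        for dim, (req, got) in result["gaps"].items():
            print(f"  gap in {dim}: need {req}, have {got}")
        for step in result["next_steps"]:
            print(f"  -> {step}")
```

Run as written, the startup comes out with gaps in people and process but not technology (its pentest covers the solution), while the mega-provider's only gap is technology: its strong SOC evidence for other products is discarded because it does not cover this solution, leaving the legacy platform as the weak point. Both land in tier 1 because both handle highly confidential data, which is the kind of result the deck argues a questionnaire alone would not surface.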

Page 17:

Roadmap for the Customer:

#3: Think Continuous Improvement

Security vendor management is not a ‘one time’ exercise. Think about:

» How do I set the relationship up for success during due diligence? (Example: Penetration Test)
» Are there vendor communities that our team can become a part of, to keep a pulse on the vendor and its Information Security strategy?
» Is your team trained and incentivized to monitor vendor security?
» Are you gathering feedback from your business units and vendors on your process?
» Automation - continue to refine and explore

Page 18:

Roadmap for the Vendor:

#1: Trust/Security is not going away

» Security is here to stay
» Customers are not going to drop their data into a black hole; there will always be a need for customer assessments
» Accept this as the future and build people and processes around this

Page 19:

Roadmap for the Vendor:

#2: Security can be a differentiator

» Transparency into security operations can go a long way
» A company investing in security is looked upon favorably
» Implementing cutting-edge security practices vs. merely keeping up with security

Page 20:

Roadmap for the Vendor:

#3: Dedicated team to address customer assessments

» Consistency in responses is key
» Team is trained on common security/compliance/regulatory requirements
» React quickly on reports of new zero days (ex: Heartbleed)
» Build tools and processes to quickly respond to assessments

Page 21:

Roadmap for the Vendor:

#4: Channel to direct customer feedback/issues to development

» Customers will ultimately discover ways to better the product’s security; there needs to be a way to get this into the right hands
» Vulnerabilities, zero days, and new attacks happen every day to the most secure systems. Critical findings need to be escalated and handled on an expedited timeframe.
» Responding and adapting to threats is half the battle

Page 22:

How do we improve? From the other side of the fence...

Customer
1. Inquiries from customers into Security should be expected, not resisted. We consider that part of the solution.
2. We expect you to be as passionate about Security as we are.
3. Our testing is not your testing.

Vendor
1. Customers should set realistic timeframes on assessments
2. Ask only the essential questions you truly care about to gain trust
3. Do your homework: talk to the business procuring the solution and research public security information about the solution

Page 23:

Andrew Leeth
@SecurityLeeth
[email protected]

Jill Czerwinski
www.linkedin.com/in/jillczerwinski
[email protected]