One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 752998
Publication date: 2018-07-25 13:00:00 (viewed: 2018-07-25 16:00:44)
Title: You are Doing Cloud Vendor Assessments Wrong
Text: I’m a firm believer in “trust but verify” and I’m just going to come out and say it: most security professionals are conducting 3rd party assessments wrong. I’m in a unique spot where I’m on both sides of the fence: we conduct vendor assessments and we fill out questionnaires required by potential customers. Some folks put very little effort into this process, so it feels like it’s just a “checkbox.” If it’s just a checkbox, then why waste everyone’s time? In his book “The Speed of Trust,” Stephen M. R. Covey talks about the 7 Low-Trust Organizational Taxes, and one of those is bureaucracy. So, when I see little effort put into questionnaires, it makes me think the individual works for a low-trust organization or they simply don’t understand how to verify our trust. Therefore, it’s time to change your process.

There is a market for companies that conduct 3rd party risk assessments, and there is a market for risk rating reports on vendors (I find most are misleading). But you don’t need to hire a 3rd party company to conduct the cloud vendor risk assessment, and you definitely don’t need some generalized risk rating of an overall cloud company.

So how do you trust a cloud vendor? The very first step is to understand the business requirements: what is the business wanting to do with the cloud vendor? What data is involved in this business process? Has the business looked at other vendors? If so, which ones? Once you figure out the business requirements and their path to selecting the vendor, go to the vendor’s website and read their privacy policy. The first question that needs answering is: who owns the data? Next, go to their compliance page and get a copy of their SOC 2 report. The Service Organization Control (SOC) 2 examination demonstrates that an independent accounting and auditing firm has reviewed and examined an organization’s control objectives and activities and tested those controls to ensure that they are operating effectively.

There are five trust principles, and the SOC 2 report will reflect which trust principles were tested. There are two types of SOC 2 reports: Type I and Type II. The Type I report is issued to organizations that have audited controls in place but have not yet had the effectiveness of those controls audited over a period of time. The Type II report is issued to organizations that have audited controls in place and the effectiveness of the controls has been audited over a specified period of time. If they have a SOC 2 Type II and other certifications, do you really need them to fill out your lengthy security questionnaire? I say no. We receive so many questionnaires where we answer “refer to SOC2,” “refer to AOC,” etc. If you really want to know how to verify our trust, read the findings of our certifications. Then, if you are still uneasy about our trust, send a question that really matters to you. If you send us the question “Do you conduct vulnerability scans?” then you obviously don’t understand the PCI requirements. Send us the questions that will help you verify that trust.

Buyer beware: if the vendor states they have a certification and sends you AWS’ certification, that is a BIG RED FLAG. In fact, run! The certifications you are looking for are what your vendor achieved, not their vendor. As with all cloud vendors, there is a shared responsibility for security and compliance. AWS has a great write-up on this located here.
Sent: Yes
Tags: Vulnerability, Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.