A Question of Control

Posted on September 11th, 2009 by Drazen Drazic

By Declan Ingram

There has been a lot of discussion on here about third-party/cloud computing security (or lack thereof). For many, this didn’t seem hugely relevant at the time, as there was always a choice (or people just didn’t think it was going to be something that affected them). Recently, however, the choice seems to be getting smaller.

The third-party management model is becoming…or should I say, has become…so popular that it is hard to keep control. (Control? Yes, of your information!)

Think about it. How much of your security is technically enforced by a third-party appliance? (And how secure are they?) How much of your data is housed, managed, monitored, etc. by a third party? Professionally and personally, we are giving ourselves away. More importantly, was this looked at during your last Threat Risk Assessment? (Has your organisation even done one?)

From my experience, so many organisations that we audit have core data and systems housed and managed by third parties, and nearly all of them have dangerously one-sided contracts…dangerously favouring the third party.

For example, you want some hosting and you want availability, so you go to market and get a few VMs attached to a SAN. Great. Fast, agile, available, cost effective – brilliant. Every player wins a prize!

Now think about your data: where it is, where it is going, and who has access to it.

Your staff? Maybe. Your host’s administrators? Yes. Their contractors? Yes. The vendors? Yes. Their contractors? Yes. Data centre staff? Yes.

You can never be sure of the full extent of who has access to your data. You have no control!

To be fair, whenever I bring this up people say: “Oh, but this place is secure!”…Okay, fine, say it is. Say that only your staff and the sysadmins of the data centre can access your data, and that they are all background checked and adhere to a baseline of security – now get that in writing! Make them agree to it in your contract!

Nine times out of ten, this will not happen. Even if it does, at best it is “all care and no responsibility”, but usually just “no responsibility”.

This example only covers where your data is kept at rest. What about your web traffic logs, your email, your DNS requests, your SMS messages, your VoIP conversations? Most would consider this a privacy issue, but what about your company’s IP? An attacker with access to these systems (or to the data collected by these systems) would know an awful lot about your company.

Often this information is collected on third-party systems, systems over which you have no control. Are they secure? Who knows.

In the end, there is no way for us to pull back now. Sure, there are point solutions for most of the issues raised, but you get the idea.

Organisations are often losing track of their data and are rarely formally documenting the associated risks. The benefits of this model are obvious – the risks need to be documented and managed!

Sounds simple, and you’re probably asking why I am writing about this…surely everyone knows…and there’s your answer!

12 Responses to “A Question of Control”

  1. Backyard Lawyer Says:

    “nearly all of them have dangerously one sided contracts”

    Tightened/strengthened contracts = strengthened risk management.

  2. Security in the cloud or even around the cloud is the elephant in the room that needs to be addressed sooner than later. There is a very good article on securing your virtualized assets that is worth a read. Given that multi-tenant clouds will be more the rule than the exception, it becomes especially important to build digital walls around your information resident on third party servers. Auditing accesses to this information and enforcing the authorization policies to key datasets will spawn a new industry by itself.

  3. So is the answer merely a robust enterprise risk management framework?

    Does that then mean that we do not need a plethora of security tools and widgets to protect us?

    Have you just marked the end of an entire industry, or do we need more than just risk identification and accountability / governance?

    If so, do tell…

  4. Drazen Drazic Says:

    There used to be an accompanying document to 4360 that addressed outsourcing. From memory, it wasn’t a bad read from a theoretical perspective and covered much of this discussion. I could go on and on….but refer to Risk Management category in the blogs for some of those thoughts. :)

  5. It makes security worse if the company does not have a full picture of what data and information is being outsourced to be protected (at risk). If the company hasn’t taken on that responsibility for their own information, why would the outsourcer care. Now I would say this scenario is more often the case than not. Put your hand up if your company has an accurate asset register for both hardware and software with nominated owners of those assets.

  6. I don’t think anyone would disagree with Declan’s point about security in the cloud but telling management types to “don’t put your data in the cloud” is like telling a child not to touch the hot stove. Kids never listen to their parents until they are burned.

    With that in mind, security professionals need to be looking for practical solutions to these problems. Saying “no” simply doesn’t work. If you happen to be a consultant or in a business where you are not using cloud computing yet, consider yourself lucky – as you’re in a position you can at least prepare to answer these questions.

  7. I keep thinking we are moving further and further away from attacking the problems at their root. We have over-complicated this and wasted billions of dollars, leaving us in a quagmire of technologies that add little value when critiqued against actual overall improvement in security. For me, the cloud is the next level of this. Great for vendors who have all rebranded their products as ‘cloud’. Why are we thinking that their crappy products and services are any better now that they are called ‘cloud’?

  8. Trying to look for a web based enterprise management system at the moment.

    Without going into it too much, I can’t go cloud for security reasons. The stupid arse answers I am getting from vendors trying to tell me I just don’t “get” the new model are too funny. Really – you have all my data – sure, I trust you. Don’t know you from a bar of soap, but you have a really pretty website so you must be legit. 300,000 users. Shamantasic. Hacker perspective – I say thank you for making my job easier.

  9. @anon, and therein lies one of the biggest problems. How do you trust an organization if they themselves cannot explain their models above sales level descriptions. It is a cloud and that is all you need to know. Inside the cloud is magic and that cannot be explained. Why would you need to or want to know about that?

  10. Thunderbird SG4 Says:

    How often do organisations actually test to see if the service provider is delivering what they promised? @Backyard Lawyer, even fairer contracts don’t necessarily equate to actual ‘expected’ delivery. A classic example is secured servers. How often do organisations test that their outsourcers are patching servers and building secure systems? Rarely, from my experience. Very few organisations run the likes of a QualysGuard, but when they or their consulting company (like Securus Global) do, the results are generally scary, with a very much back-pedalling outsourcer and all the excuses under the sun. So you are adding further complexity, because if you are not testing that you are getting what you expect, you are probably not. Happy to bet that this is the case in 9/10 situations. What are you doing at your company?

    From this blog, a couple of my favorite recent posts that relate to this that should be read:

    http://beastorbuddha.com/2009/08/28/outsourced-unauthorised-vulnerability-assessment-testing-for-porkies/

    http://beastorbuddha.com/2009/03/22/workarounds-accepted-mediocrity-and-questionable-future-benefitsimprovements/#more-1147

    @Balaji, thanks for the link. Too much trying to be done, but do those involved who will be providing the service to organisations have sufficient knowledge to fully comprehend and understand what they are actually doing? You see it all the time. Big company outsources a large piece of work to a large managed service company. Managed service company hires monkeys to fill the resourcing gaps, and so how does that organisation end up with an improved service? See this link again:

    http://beastorbuddha.com/2009/03/22/workarounds-accepted-mediocrity-and-questionable-future-benefitsimprovements/#more-1147

    @sfbout, so true and so neglected in almost all cases we have seen.

    @Jarrod Of course and ensuring substance to the message is most critical.

    @geexr Of course the framework is vital. If a company has deployed something like the Securus Global Strategic Security Management Framework and is committed to it, the less likely it is that mistakes will be made and control lost. No death to the vendor and tool industry – just smarter decisions. How much money is wasted on useless technologies that have added little to no value? (As also mentioned by Anon1.)

    Don’t blame the vendor alone. The final decision is made by your company. If the vendor is full of it and cannot instil confidence about themselves and their products, just don’t deal with them!

  11. An article to add to the discussion here.

    http://www.voiceanddata.com.au/articles/35294?utm_medium=email&utm_source=Email%20marketing%20software&utm_content=424304989&utm_campaign=vd_0909b+_+khiidu&utm_term=readmore

    The last paragraph is “interesting”:

    “One way of ensuring that data management gets the attention it deserves (without distracting IT staff from their current undertakings) is to outsource day-to-day data management processes to a third-party data service provider. Such organisations serve the dual purpose of taking on the hard work while focusing an organisation’s attention on the need to mitigate against data loss. They help companies to understand that data loss is not an IT issue. It’s a compliance risk.”

  12. [...] Drazic of the Beast or Buddha blog, points out that control can become an issue even if your staff and sysadmin are the only ones [...]