In security circles there is a famous saying: “trust but verify”. These are wise words; yet we still find most security professionals conducting incomplete third-party assessments, leaving out the “verify” aspect. Having sat on both sides of the fence, conducting cloud vendor assessments and filling out the questionnaires required by potential customers, it has become apparent to me that some put very little effort into this process, so it feels like a mere “tick-box” exercise. It begs the question: if it’s just a checkbox, then why waste everyone’s time?
More aptly, when little effort is put into questionnaires, it can seem like the individual works for a low-trust organisation or s/he simply doesn’t understand how to verify trust. Therefore, it’s time for organisations to consider changing the process from something that has become all but meaningless to a constructive way to assess cloud providers and the value they will bring to the company.
Admittedly, there is a market for companies that outsource third-party risk assessments and a market for risk rating reports on vendors; however, in full disclosure, most are misleading. Companies in truth don’t need to hire a third-party company to conduct the cloud vendor risk assessment, and they certainly don’t need a generalised risk rating of an overall cloud company.
So how do organisations know they can trust a cloud vendor?
The very first step is to understand the business requirements: what is the business wanting to do with the cloud vendor? What data is involved in this business process? Has the business looked at other vendors? If so, which ones?
Do your homework
Next, go to the vendor’s compliance page and get a copy of its SOC 2 report. The Service Organization Control (SOC) 2 examination demonstrates that an independent accounting and auditing firm has reviewed and examined an organisation’s control objectives and activities and tested those controls to ensure that they are operating effectively.
There are five trust principles, and the SOC 2 report will state which of them were tested. There are two types of SOC 2 report: Type I and Type II. A Type I report is issued to organisations whose controls have been audited as being in place, but whose effectiveness has not yet been audited over a period of time. A Type II report is issued to organisations whose controls have been audited as being in place and whose effectiveness has also been audited over a specified period of time.
If the cloud vendor has a SOC 2 Type II report and/or other certifications, companies should ask themselves whether they really need the vendor to fill out a lengthy security questionnaire. The answer is no. In fact, receiving the answer “refer to SOC 2” or “refer to the AOC”, etc. is perfectly acceptable in these instances. Then, if questions about the verification of trust still remain even after reading the findings of those certifications, send the vendor any other queries that matter to the business. Note: if a potential customer is interested in the vendor’s PCI certification, then sending the question “Do you conduct vulnerability scans?” is a clear indicator that the business obviously doesn’t understand the PCI requirements, so be sure to send only the questions that will help verify that trust.
Buyer beware: if the vendor states it has a certification and sends an AWS certification, that is a BIG RED FLAG. In fact, run! The certifications to look for are those that the vendor has itself achieved, not those of its own infrastructure provider. As with all cloud vendors, security and compliance are a shared responsibility.
In this example, when evaluating the cloud vendor, the company seeking to verify trust will be looking at the cloud vendor’s own controls and responsibilities, not at AWS’ certifications.
What to do if there are no certifications
What if the vendor doesn’t have any certifications? No problem; that’s where the lengthy questionnaire is relevant. The Vendor Security Alliance (VSA) has a great questionnaire that is free to download. If business requirements include data privacy, then it will be necessary to add some questions to VSA’s questionnaire.
In addition, when trying to verify the trust of a vendor without any certifications, first ask which security/compliance framework it follows. If, for example, the answer is PCI, then give the vendor a test: how often does it scan for vulnerabilities? If it states annually, then this vendor obviously does not follow the PCI framework!
Remember, the job of the security organisation is to assess the risk and relay it back to the business. If the business still wants to move forward with a high-risk vendor, then the business owner didn’t understand the risk, and the discussion can then move on to compensating controls. However, once that path is travelled, the business owner usually instructs the team to look for other cloud vendors.
If the business still insists on using the vendor, then ensure a termination clause is put into the contract terms. For example: “Termination due to Change in Security. If Vendor determines that it will not move forward with SOC 2 Type II certification, and/or no longer performs quarterly security scans, then Vendor must notify Customer. At the time of notification, Customer will be granted the opportunity to exit this agreement. In addition, Vendor must notify Customer in the event its security controls do not meet SOC 2 Type II trust principles. Vendor will not materially decrease the overall security of the Service during a subscription term.”
With a little guidance and common sense, the vendor assessment journey needn’t be a laborious task, and it can save the time and trouble in the long run associated with chopping and changing vendors that turn out to be riskier than deemed acceptable.