It’s a tired line: vet your vendors. For security professionals who find themselves playing this song on repeat, it’s a wonder that we are still having this conversation. Yet this issue isn’t going away. In fact, the United States Computer Emergency Readiness Team (US-CERT) has issued a warning to US organizations about the decided and observable increase in attacks coming through organizations’ Cloud Service Providers (CSPs) and Managed Services Providers (MSPs). The warning encourages companies to look more closely into the security practices of their vendors, as well as the internal measures they are taking to prevent, monitor, detect, and remediate incidents that arrive via the supply chain in particular. What defines thorough vendor vetting, though? What are the best practices that should guide our vetting of 3rd party vendors? How do I know if my vendor is telling the truth? What standards should I be using to evaluate CSPs and MSPs? Most importantly, what should I do if I discover that my current provider does not meet security best practices?
3rd Parties are Here to Stay
Third party vendors and service providers serve an invaluable purpose in the IT ecosystem. Outsourcing has redefined how we procure and execute solutions across our environments, supporting highly expert, less expensive, scalable, and available solutions for everything from infrastructure, to communications, to business applications, allowing organizations to accomplish far more, and far more efficiently, than most could accomplish on-premises. Further, outsourcing functions (such as engaging Managed Service Providers) also allows us to save on the cost of in-house staffing, outsourcing to, hopefully, experts and freeing up budgets for other necessities. The model makes sense. However, have we really audited the security of those providers before making a decision?
1. Ask, and Look for Transparency
Jerald Dawkins, PhD, educates teams around the country on best practices for vetting 3rd party vendors, and even vets on behalf of some of his clients, working to provide the assurance they need to prevent breaches and intrusions in the supply chain. First, he notes, one should ask for a copy of the security policy and all security audit documentation, and put together a decent questionnaire for the vendor to complete. “If they tell you they will get back to you, then avoid your phone calls, you have your answer. Sometimes, you may hear, ‘Oh, that’s classified information. If we give that over, we would compromise our own security.’ Again, there is your answer,” says Dawkins. A good vendor will have all of that documentation on hand, a willingness to disclose audit results, and clear policies and documented best practices. They also won’t mind giving assurances or signing SLAs.
2. Vendors Have to Update and Patch, Too
Second, what is the vendor’s own update and patch management process? This is especially key for any CSP or infrastructure-as-a-service provider. Any slack whatsoever in their patch management and regular updating is going to leave you, their customer, vulnerable to attacks, and nothing disrupts operations (aka profits) more than a well-executed attack. If your daily business is disrupted by malware, ransomware, or a zero-day exploit that reaches you via a preventable vulnerability, and you don’t have any documentation to prove you performed due diligence in the vetting process, that is going to be difficult to explain to stakeholders, or even worse, in court. Third, go several generations out, looking at the whole ecosystem to find out about your vendor’s vendors. If your 3rd party provider tells you they have great security practices, but someone else is hosting their data, and that provider has a poor security posture, what good do their practices do? Due to the damage done through supply chains in hacks like Home Depot and Target, regulatory bodies are increasingly holding organizations responsible for activity throughout the entire supply chain. Expect that to keep increasing.
3. Coordinate Your Efforts
Once you have settled on a vendor for either CSP or MSP services, ask them for best practices and tips for setting the controls in your environment to their most secure options. Don’t assume that the presets you are getting “out of the box” are as they should be. Legally, you are the one who is responsible if they are breached, because you are hiring this provider to be an extension of your team. You will also want to clearly delineate responsibility for each of your security controls, to prevent situations in which you and your CSP or MSP both assume that the other was responsible for a critical function. This is where you are going to do better with providers who are security-first in their mentality: with them you can have high assurance that you and your provider are both doing your respective part to secure your environment and your data.
4. Marry Infrastructure to Security
Ideally, your CSP also maintains expertise in security, meaning you could have your environment set up securely from day one. Service providers who expertly manage cloud IT and also have auditing and security remediation consulting expertise will be far more likely not only to keep your environment secure, but to manage their own environmental access and controls securely. After all, they are operating as an extension of your team. What you may find is that, typically, CSPs and MSPs will not be both IT and security experts; those tend to be separate entities entirely, which forces companies to choose between favoring functionality or security when they provision help. For small to mid-sized businesses with limited budgets, that means security will likely become an afterthought to operations, and that’s a problem.
Essentially, the CSP and MSP vulnerability boils down to a vendor management issue. If you find that one of your current providers falls short of your hopes and expectations, you should seek professional advice on ways to improve either your IT or your security posture holistically.
A Vendor You Can Trust
What sets TRUE apart in the world of MSPs is that we are more than a typical MSP or CSP: we merged two companies (True Digital Security and SL Powers) with well-established expertise as a security provider on one side of the house and IT services on the other. In marrying these together in the new TRUE, we are able to provide a holistic approach to your environment known as Security by Design and by Default. We support your ability to have trained experts set up, manage, and test your environment in such a way that you achieve the assurance you need that your environment is running optimally and securely. Contact us today for help with your environment or for more information.