Security Is About Compliance, Not Trust - Page 3

Phil Lieberman (Profile)
Sunday, November 28th 2010

When working with any service provider or partner, an organization has every right to know what security processes are followed by the third parties and to be aggressive in getting the answers they need. Know that to understand an organization’s security posture you’ve got to look beyond its firewalls, intrusion detection devices and endpoint security software.

For example, absent a culture of accountability over privileged access, service provider staff that leave their jobs can and do take sensitive information with them. For the safety of the service provider and its customers the moment an employee changes roles – whether amicably or not – all passwords that grant privileged access to systems, appliances and applications must be changed. And in the event that questions arise about a departing employee’s actions it can be critically important to have an audit trail of privileged access in the days and weeks before the change in job role.

Best-in-class privileged identity management solutions continuously update passwords, audit and report access, and authenticate in real-time with directory services to allow or deny access the instant employee job roles change. Yet in an effort to drive down the cost of their offerings few of the major cloud service providers have these automated processes in place.

When examining a service provider or partner’s security posture you should also consider issues of transparency, organizational checks and balances, and their overall culture of accountability.

Demand Transparency

Start by asking your client’s business partners to meet every point of compliance that the client organization is required to meet, and ask partners every question that you’d ask of your client. If your client thinks that moving sensitive data to a partner or cloud service provider will save them from regulatory headaches, they ought to think again.

Auditors share a responsibility to verify that the client can still track usage and control of sensitive data once it moves to outside organizations. In keeping with major regulatory mandates, auditors are obligated to confirm segregation of duties and the enforcement of “need to know” and “need to access” policies. And, potential cloud customers should ask what provisions have been made to provide the required trail of access to their auditors on demand – and what provisions are in place to allow the sharing of privileged control between cloud vendor and client for appropriate reporting and verification.

Because so many of today’s cloud vendors offer literally no transparency and almost no information about internal processes, don’t be surprised if you don’t like the answers you get. Most cloud vendors would say that for security purposes, it’s on a “need to know” basis and you don’t need to know. And as we’ve already said, others may try to end the conversation prematurely by affirming SAS 70 compliance.

Each measure of security adds to cloud vendor costs, so it is appropriate for consumers of cloud services to demand to know precisely what measures are in place – and what auditing processes are supported – as they evaluate competing service provider offerings.


Evaluate Checks and Balances