The document discusses improving cloud vendor security assessments between customers and vendors. It outlines the challenges both parties face, including the overwhelming volume of assessments vendors receive and customers asking the wrong questions. The document provides recommendations for both customers and vendors, such as customers assessing the security of the solution and not just the vendor, and vendors establishing dedicated security teams to efficiently respond to assessments. The goal is for both parties to work together to continuously improve the security assessment process.

2. The Cloud Trust Conundrum:
You’re Asking All the Wrong Questions
Andrew Leeth
Jill Czerwinski
2
September 28, 2015
Session Number: 2230

3. About Us
» Representing the Customer...Jill Czerwinski
» 13 years in Information Security Consulting for Crowe Horwath
» Focus on Third Party Risk Management
» Manage several outsourced Vendor Info Sec Assessment functions
» CISSP, CISA, PMP, MCSA, Sec+
» https://www.linkedin.com/in/jillczerwinski
» Representing the Vendor...Andrew Leeth
» Product Security Engineer at Salesforce
» Specialize in Application Security of our products and that of vendors
» GWAPT, GMOB, CSSLP, CISSP, CEH, CCSK, Sec+
» @SecurityLeeth
3

4. Overview
1. The (Cloud) Vendor Information Security Paradigm
2. Current Process for 3rd Party Reviews
3. Pitfalls in Current Processes
4. Fixing the problem from both sides - Our Tips
4

5. The Cloud Vendor Information Security Paradigm:
The Plight of the Customer
» Outsourcing (in a big way) is here to stay & volume is overwhelming
» Uphill battle to maintain consistent Info Sec Standards across the Extended Enterprise
» Could we have prevented Target?

6. The Vendor Information Security Paradigm:
The Plight of the Vendor
» Able to provide the same high level of security for
*all* customers; even small customers can benefit
from the security usually left for larger companies
» Teams of experts working around the clock to
provide the highest level of availability and security
» Reduced cost compared to traditional on-premise
technology by sharing resources with other
customers
» Often times, can provide better security than a
customer could provide themselves

7. The Vendor Information Security Paradigm:
The Plight of the Vendor
» Complete every certification/standard
questionnaire/audit available
» Trying to minimize work by customer
» Many customers come from various industries with
different regulations and requirements
» Sheer number of customer who what to perform an
assessment is overwhelming
» Account executives aren’t able to assist, left to in
demand security resources

8. So Customers... How are we solving this?
❖ We’re trying to ‘Tier’ relationships
➢ True Risk Assessment?
❖ We’re considering our ‘Questionnaire’
➢ Sometimes custom, sometimes leveraging a tool
like the Shared Assessments Group (SIG)
❖ We may outsource some or all reviews
❖ We’re unsure if we’re the Chicken or the Pig...
➢ Mar 2013 Ponemon Institute Study: 79%
believed that End-Users are primary responsible
for cloud security
❖ Volume keeps getting in the way
➢ As we get comfortable, volume and complexity
goes up

9. We Vendors Know…
You’re asking all the wrong questions!!
» Endless stream of assessments (cloud providers
have many customers)
» Customers are vague in questions
» Questions are custom and do not follow a standard
» Oftentimes hundreds, if not thousands, of questions
» Questions come in various forms: email attached
documents, GRC/Web App form, plain email, etc.
» Often times, customer assessment/audit team is not
in the loop with customer business on what the
solution is being offered
» Don’t use the resources provided either online or
after NDA (such as SOC, STAR, and other reports)
» Understand what is the customer’s responsibility vs.
cloud provider’s responsibility!

10. Babysitter Pro
Cost Effective
Keeps kids happy
Innovative Technology
Allows you to get out of the house
Alright Customers, Lets go back to basics…
What do we ultimately want out of this process
We want to know that our vendor:
- Is appropriately knowledgeable
(People)
- Does the right things (Process)
- Has inherently secure solutions
(Technology)
Ultimately, we want to know that you can be trusted!

11. So where do we go from here?
Leading Practices in Cloud Vendor Security Assessments
Customer
1. Assess the Solution, not just the
Vendor
2. Evaluate your vendor’s response
3. Think continuous improvement
Vendor
1. Trust/Security is not going away
2. Security can be differentiator
3. Dedicated team to address
customer assessments
4. Channel to direct customer
feedback/issues to development

12. Roadmap for the Customer:
#1: Assess the Solution, Not the Vendor
Integrate Vendor Assessments into the Solution
development and monitoring process
Understand:
- What drove us to procure this solution?
- What are our internal roles and responsibilities
(potential significant carve out) (i.e PaaS)
For periodic vendor reviews, why would be assessing
Security independent of an assessment of the overall
relationship?
- Is the solution even meeting our needs?
- Security as a scapegoat, potential waste of effort
“We’ve got a vendor for you…”

13. Roadmap for the Customer:
#2: Evaluate your vendor’s response
We want to gain enough information to establish trust and identify gaps
We sometimes settle for…
- A really long questionnaire (that we made, found, bought)
- An attestation report (SOC, PCI, SIG, etc) we struggle to interpret
- Going onsite and ‘walking around’

14. Roadmap for the Customer:
#2: Evaluate your vendor’s response
So how do we establish this trust?
We want to know that our vendor:
● Is appropriately knowledgeable (People)
● Does the right things (Process)
● Has inherently secure solutions (Technology)

15. Roadmap for the Customer:
#2: Evaluate your vendor’s response
Example #1: The Cutting Edge SaaS provider
Confidentiality: Highly Confidential, High Volume
Availability: Not business critical
Integrity: Reporting system, no reliance on data integrity
People: 10 person startup
Process: No formal programs, no physical locations
Technology: Penetration Test

16. Roadmap for the Customer:
#2: Evaluate your vendor’s response
Example #2: The Mega-Provider
Confidentiality: Highly Confidential, High Volume, Data Masked prior to transmission
Availability: Mission Critical
Integrity: SOX application
People: Formal Info Sec Officer and Team
Process: Formal Programs, SOC reports, etc etc.
Technology: Legacy Mainframe-based system that does not
employ modern security principles

17. Roadmap for the Customer:
#3: Think Continuous Improvement
Security vendor management is not a ‘one time’
exercise. Think about:
» How do I set the relationship up for success
during due diligence? (Example: Penetration
Test)
» Are their vendor communities that our team can
become a part of, to keep a pulse on the vendor
and its Information Security strategy?
» Is your team trained and incentivized to monitor
vendor security?
» Are you gathering feedback from your business
units and vendors on your process?
» Automation - continue to refine and explore

18. Roadmap for the Vendor:
#1: Trust/Security is not going away
» Security is here to stay
» Customers are not going to drop their data into a black
hole; there will always be a need for customer
assessments
» Accept this as the future and build people and
processes around this

19. Roadmap for the Vendor:
#2: Security can be differentiator
» Transparency into security operations can go a long
way
» A company investing in security is looked upon
favorably
» Implementing cutting edge security practices vs.
keeping up with security

20. Roadmap for the Vendor:
#3: Dedicated team to address customer assessments
» Consistency in responses is key
» Team is trained on common
security/compliance/regulatory requirements
» React quickly on reports of new zero days (ex:
Heartbleed)
» Build tools and processes to quickly respond to
assessments

21. Roadmap for the Vendor:
#4: Channel to direct customer feedback/issues
to development
» Customers will ultimately discover ways to better the
product’s security, need a way to get this in the right
hands
» Vulnerabilities, zero days, and new attacks happen
everyday to the most secure systems. Critical findings
need to be escalated and handled on an expedited
timeframe.
» Responding and adapting to threats is half the battle

22. How do we improve?
From the other side of the fence...
Customer
1. Inquiries from customers into
Security should be expected, not
resisted. We consider that part of
the solution.
2. We expect you to be as
passionate about Security as we
are.
3. Our testing is not your testing.
Vendor
1. Customers should set realistic
timeframes on assessments
2. Ask only the essential questions,
you truly care about to gain trust
3. Do your homework, talk to the
business procuring the solution
and research public security
information about the solution

23. Andrew Leeth
@SecurityLeeth
andrew@leeth.us
Jill Czerwinski
www.linkedin.com/in/jillczerwinski
jill.czerwinski@crowehorwath.com