InsightaaS perspective: 451 Research is one of the world's leading sources of insight into cutting-edge technologies, including areas that are important to InsightaaS and our principals, such as cloud, communications, security, analytics and sustainable IT. As regular visitors to this site are aware, InsightaaS.com works with 451 Research to bring periodic thought leadership pieces to our readers. Today's feature report illustrates why we (and our readers) find so much value in 451's perspective: its analysis of the issues surrounding third-party management of corporate data responds to a requirement that grows more pressing each day, as IT departments use the cloud for storage, as business people use SaaS applications to manage processes like customer interactions, and as individuals use Dropbox as a collaboration tool.
As the title implies, this is Part 2 in a three-part series. Part 1 provided context for the issue, and Part 3 delves into the tools available to address specific needs. In this installment, we get an expanded view of the issue itself, why it matters to organizations of all sizes, and how businesses are responding (for example, through vendor risk management products, tools that find insecure open source components, and encryption). Readers interested in acquiring the entire series are encouraged to contact 451 Research directly, or to contact InsightaaS.
Report by Adrian Sanabria, Senior Security Analyst, 451 Research; special to InsightaaS.com
In the first part of our series on securing the data supply chain, we discussed some of the issues at a high level. Yes, the cloud and SaaS are at the center of this outsourcing trend and the issues related to it. No, it is unlikely the trend will stop; we are going to have to address these issues 'in flight.' The reality is that enterprises are allowing data, whether explicitly or implicitly, to go beyond the reach of IT, security departments and even the users themselves. Some regulation actually outpaced the trend this time, although we fear the threat of fines and penalties won't be enough to close the gap. The size of the issue may be growing faster than companies' ability to address it, at least without the assistance of tools that make the job easier, which the security market is always happy to supply. The big questions are: what are the options, and will they really help address the supply chain issue?
How did we get from four third-party vendors to 400?
Outsourcing for speed and efficiency, and for the cost savings that come with them, goes back to the industrial age and earlier. The rise of the factory and the assembly line now has its equivalent in computing services and software. Most assume that the reason many products are made in China is all about cost. That is part of it, but it is also about how quickly production can be changed. Factories in China are more agile because of less red tape, short distances between resources and production, and short distances between different kinds of factories, thanks to large areas dedicated entirely to manufacturing. Doesn't that sound a lot like the efficiencies made possible by DevOps, virtualization and the cloud?
We touched on the major downside of this trend in the first report in this series: constantly increasing dependencies. The more it makes financial sense to outsource a task, hand off the data or let someone else write the code, the less it costs to deliver products and services. The trade-off is that neither the provider nor the customer has full transparency into how that product or service is delivered. Market forces make this trend difficult to resist while staying competitive, so the number of third-party vendors the average company relies on has skyrocketed over the past decade. In some cases, it has become commonplace to outsource entire departments. Payroll, accounting, human resources and IT are all examples that are easily and commonly outsourced these days.
Typically, when we think about third-party and supply chain issues, sensitive data handling is the first thing that comes to mind (especially with credit card information, healthcare records and social security numbers lost and stolen on a regular basis). The constantly debated and morphing breach reporting requirements worldwide ensure that the media will let us know when any significant data loss has occurred. At the same time, without widespread publicity on these incidents, we wouldn't have anywhere near the proper level of attention and support for addressing the underlying issues. As we have mentioned previously, the fact that a trusted third party (an HVAC contractor whose credentials were stolen) was the initial vector used by attackers to get into Target has been excellent leverage to bring supply chain issues to the forefront.
Although data loss is by and large most companies' greatest concern, it isn't the only one. Data residency, that is, legal restrictions on where data is geographically stored, is a big issue for many non-US companies. It isn't a big issue in the US, mostly because cheap US-based storage is readily available and, for technical and latency reasons, it doesn't make sense to store the data anywhere else. Thanks in large part to the Patriot Act, however, non-US and even some US companies aren't terribly comfortable storing data in America. Several countries, most notably Germany and Switzerland, have set legal mandates for keeping data concerning their own citizens within their borders. As we will explore later on, however, some vendors think they have the key to getting around some data residency issues.
With cloud at the center of supply chain discussions, it would be difficult to ignore availability issues. One theme that has persisted for years is a common misunderstanding of how important proper system and security architecture is to application resiliency in the cloud. Recently, we saw SaaS provider Code Spaces literally disappear overnight after a ransom situation went bad: a compromise of the company's AWS console was all it took for an innovative young startup to be wiped out, because its backups lived in the same account and could be deleted with the same credentials as production. In the past, we've seen regional AWS outages take down some of the most active sites on the Internet because of a widespread lack of understanding of how to translate high-availability design into the cloud.
Terms and conditions are commonly overlooked when companies choose to 'trust' a third party. Engaging third parties isn't so much about trust as about planning for incidents involving these vendors and understanding how they would play out. For this reason, many regulations, such as the latest iteration of the PCI data security standard, specifically require companies to determine where responsibilities lie. When a company entrusts a third party with its data and resources, it is choosing to give up some portion of control over them. If an attacker tries to gain access to a company's resources or data through this third party, is the third party required to notify that company? Is it even required to monitor for these attacks? Based on past incidents, the answer to both questions is more troubling than reassuring:
- Adallom discovered a Zeus variant that would exfiltrate all data from a company's salesforce.com account. Salesforce was not actively detecting this activity or notifying customers of it.
- Amazon offers measures that can detect brute-force attacks against the AWS console, but as we saw in the Code Spaces example, it is up to the customer to turn them on and act on what they report.
- In the recent iCloud celebrity photo kerfuffle, attention was drawn to the fact that Apple's two-factor authentication implementation would not have protected against these attacks, and that Apple was either unwilling or unable to detect attacks against individual accounts and report them to users. Although this was an attack on consumer accounts, the lesson applies to any SaaS account protected only by a username and password.
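The Salesforce and AWS items above come down to the same gap: the provider records the events, but the customer has to look at them. As an added example that is not part of the 451 report or of any AWS tooling, the following Go program shows the minimum a customer could run over its own CloudTrail logs to catch what the provider will not alert on by itself: repeated failed ConsoleLogin attempts from one address, a successful login from an address that had just been failing, and any console login completed without MFA. The CloudTrail field names used (eventName, sourceIPAddress, responseElements.ConsoleLogin, additionalEventData.MFAUsed) are the real ones; the log records themselves are constructed for the example, and the failure threshold is an arbitrary assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Event holds the CloudTrail fields this detector reads. responseElements and
// additionalEventData are kept raw because their shape differs per API call;
// they are only decoded for ConsoleLogin events.
type Event struct {
	EventTime    string `json:"eventTime"`
	EventName    string `json:"eventName"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		Type     string `json:"type"`
		UserName string `json:"userName"`
	} `json:"userIdentity"`
	ResponseElements    json.RawMessage `json:"responseElements"`
	AdditionalEventData json.RawMessage `json:"additionalEventData"`
}

// Alert is one finding. Kind is one of:
//   brute_force            - failThreshold failed logins seen from one source IP
//   success_after_failures - a successful login from an IP that had already failed
//   no_mfa                 - a successful console login without MFA
type Alert struct {
	Kind     string
	SourceIP string
	User     string
	Count    int
}

// strField pulls one string value out of a raw JSON object; "" if absent or not an object.
func strField(raw json.RawMessage, key string) string {
	var m map[string]interface{}
	if err := json.Unmarshal(raw, &m); err != nil {
		return ""
	}
	s, _ := m[key].(string)
	return s
}

// Analyze parses a CloudTrail log file ({"Records":[...]}), orders the records by
// time and returns the alerts in the order they would fire.
func Analyze(trail []byte, failThreshold int) ([]Alert, error) {
	var file struct {
		Records []Event `json:"Records"`
	}
	if err := json.Unmarshal(trail, &file); err != nil {
		return nil, err
	}
	// eventTime is RFC 3339 in UTC, so string order is time order.
	sort.SliceStable(file.Records, func(i, j int) bool {
		return file.Records[i].EventTime < file.Records[j].EventTime
	})
	failures := map[string]int{} // source IP -> failed attempts seen so far
	var alerts []Alert
	for _, ev := range file.Records {
		if ev.EventName != "ConsoleLogin" {
			continue
		}
		user := ev.UserIdentity.UserName
		if user == "" {
			user = ev.UserIdentity.Type // fall back to the identity type (e.g. Root)
		}
		switch strField(ev.ResponseElements, "ConsoleLogin") {
		case "Failure":
			failures[ev.SourceIP]++
			if failures[ev.SourceIP] == failThreshold {
				alerts = append(alerts, Alert{"brute_force", ev.SourceIP, user, failThreshold})
			}
		case "Success":
			if n := failures[ev.SourceIP]; n > 0 {
				alerts = append(alerts, Alert{"success_after_failures", ev.SourceIP, user, n})
			}
			if strField(ev.AdditionalEventData, "MFAUsed") != "Yes" {
				alerts = append(alerts, Alert{"no_mfa", ev.SourceIP, user, 1})
			}
		}
	}
	return alerts, nil
}

// SampleTrail is a constructed CloudTrail fragment, not real AWS data. Records are
// deliberately out of order because CloudTrail files are not guaranteed sorted.
var SampleTrail = []byte(`{"Records":[
{"eventTime":"2014-06-17T10:00:09Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"Root"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication"},
{"eventTime":"2014-06-17T10:00:01Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"Root"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication"},
{"eventTime":"2014-06-17T10:00:05Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"Root"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication"},
{"eventTime":"2014-06-17T10:00:40Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"Root"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}},
{"eventTime":"2014-06-17T09:30:00Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.4","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}},
{"eventTime":"2014-06-17T09:31:00Z","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.4","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":null}
]}`)

func main() {
	alerts, err := Analyze(SampleTrail, 3)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-22s ip=%s user=%s count=%d\n", a.Kind, a.SourceIP, a.User, a.Count)
	}
}
```

On the sample the program fires three alerts for the root account: the brute-force threshold, a success from the same address immediately afterwards, and a login without MFA. The third is the one worth paging on even in isolation; in the Code Spaces case it was the only signal that had to exist.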
A better understanding of where the line between provider and customer responsibility is drawn would likely prevent a number of security incidents every year. Understanding third-party vendor responsibilities should be a key part of two underappreciated corporate processes: vendor selection due diligence and incident-response planning.
Transparency and the ability to perform due diligence on a service provider represent another serious issue. To what extent should the customer trust that the service provider takes security seriously? How much information will the service provider be willing to share in the interest of getting a contract signed? Finally, how feasible is it for the customer to perform in-depth due diligence on every service provider? A system that identifies high-priority or high-risk providers could be used to decide which vendors get the 50-point inspection and which get a pass.
Who is the supply chain? Where is our data going?
Although we traditionally think of the supply chain as just vendors, with the rise in BYOD popularity and tolerance it may be necessary to think of employees as third-party relationships as well. Following this train of thought, employees handling data often use their own third parties (fourth parties to the company), and may not worry about corporate standards or due diligence when choosing a cloud-based file-sync service or a remote access and management service on their personal devices.
The concept of fourth parties and beyond isn't unique to employees and their personal devices. It is commonplace for SaaS vendors to use SaaS themselves, to reduce the cost and complexity of providing services. Although it is common knowledge that, for example, Dropbox uses Amazon's S3 service to store data, this level of transparency may not exist with other providers. The sharing could go even deeper. Suppose our file-sync-and-share (FSS) product uses a third party for storage, and that storage vendor uses a traditional tape backup vendor. The data now resides with a fifth-party vendor. Hopefully it is encrypted, but do we know that for sure? Do we even know the fourth and fifth parties exist in the first place? Where is our data going?
The market response
Although some market segments are only now starting to address supply chain trust specifically, others have been around for a while. In addition, some products are, by design, capable of helping with some third-party issues even though they were not built for that purpose. We start with the segments that address the issue directly.
Creating trust in the supply chain
The EPA oversees the Safe Drinking Water Act so that the public has some baseline of confidence in the water they use for drinking and washing. Currently, there's no comprehensive private or public equivalent for technology services. This isn't terribly surprising, given that people die from drinking dirty water, but not from using buggy software. As the financial strain from data breaches has increased, however, the concept has certainly been discussed and put to the test in some limited ways.
Adapting approaches used in the physical world is the natural first choice, but the initial attempts to do so have had high-profile failures and provide no data on efficacy. Regulatory attempts thus far have failed to provide confidence in data security. Many share our opinion and are turning to the open market to place bets and see whether it can do any better.
While it is early yet in the market for improving awareness and trust in SaaS, there are several vendors and approaches we've already come across. Cavirin provides compliance and policy-based monitoring, with on-demand reporting available for customers that want assurance that their vendors have actually achieved some measurable security or compliance baseline. BitSight Technologies has a similar 'active' approach that produces a real-time score intended to reflect the security of a vendor's network and resources at any given time. MyPermissions and Appthority assess the risk of mobile applications. Most of the vendors in the cloud application control (CAC) market (e.g., Skyfence, Adallom, Netskope, FireLayers) offer some sort of risk rating system for SaaS. Additionally, Skyhigh Networks provides a 'seal of trust' to SaaS vendors that it deems enterprise-ready. The Cloud Security Alliance (CSA) has the STAR 'attestation' program, which has three levels of attestation (from self-assessment to continuous monitoring). Most of these ranking systems are based on a large variety of factors, but at this point there is no industry-wide agreement on which factors matter most, nor any standard for how to rank vendors.
A few organizations have emerged to take it upon themselves to increase awareness and set standards. Grassroots organizations BuildItSecure.ly and The Cavalry have taken to social media, given talks and worked directly with supply chain manufacturers to improve security in products. Most recently, The Cavalry announced a 'Five Star Automotive Cyber Safety Program', modeled on the crash safety rating program, which it hopes automotive manufacturers will adopt. The Open Crypto Audit Project brought attention to the fact that the widely trusted and used TrueCrypt encryption software had never been properly assessed and validated. The organization succeeded in raising money for a code audit, and completed the first phase in April. Finally, version 3.0 of the PCI Data Security Standard, which took effect at the beginning of 2014, added further requirements and guidance for monitoring and assessing third-party security.
Streamlining vulnerability discovery and remediation
Companies like Sonatype and Veracode, and incidents like Heartbleed, have drawn attention to the fact that widely used open source software (OSS) components (like the aforementioned TrueCrypt) are often not properly audited and validated. While a number of large IT vendors donated money (through the Linux Foundation's Core Infrastructure Initiative) to ensure this would not happen again to a small subset of OSS projects, some organizations have gone further. Both Sonatype and Veracode can identify insecure third-party libraries among an application's dependencies. Google's Project Zero aims to find, and get fixed, as many major software vulnerabilities affecting the public Internet as possible. A new market, currently composed of Bugcrowd, HackerOne, CrowdCurity and Synack, that uses bug bounties as a way to identify vulnerabilities quickly is gaining traction and visibility.
Risk management products
Some risk management products specifically address third-party risk, while others can be used for it even though they weren't designed for it. The real competition here is Microsoft Excel, everyone's favorite tool for tracking, listing and managing things.
We wrote about Prevalent a few months ago and its distinctive take on addressing and automating vendor risk. Risk management platform vendors Modulo, Aruvio and eGestalt Technologies each offer vendor-risk-specific products; Modulo also has a supply chain security module. While the likes of Archer Technologies, Allgress, AvePoint and Agiliance aren't vendor-risk-specific, their platforms can be used to monitor and assess third-party risk, and many customers use them for that purpose.
Since data loss is one of the primary concerns with third-party risk, encryption is naturally often proposed to address it. A number of vendors, including Sookasa, SafeMonk, nCrypted Cloud and PKWARE Viivo (to name just a few), exist specifically to encrypt data stored with FSS vendors. SafeNet, CloudLink (formerly AFORE) and the recently acquired PrivateCore sell products that can encrypt the operating system on a virtualized host (whether local or cloud-based). CipherCloud, PerspecSys, Vaultive and many of the previously mentioned CAC vendors can encrypt data before it is stored in a SaaS application such as Office 365 or Salesforce. Encryption is even said to help get around some of the strictest data residency issues; whether it really does depends on where the keys are held and who can use them, since ciphertext stored abroad only stays opaque if the key never leaves the customer's control.
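To make concrete what 'encrypt data before it is stored' buys against the fourth- and fifth-party problem raised earlier, here is an added example (not code from the report or from any vendor named in it) of customer-side envelope encryption in Go: each record gets its own random data key, that data key is wrapped under a master key that never leaves the customer, and only the two ciphertexts are handed to the provider. The record format, record ID and master-key handling are assumptions for illustration; a real deployment would keep the master key in an HSM or key management service rather than generating it in main().

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Envelope is the only thing the SaaS/FSS provider (and whatever fourth- or
// fifth-party storage sits behind it) ever receives. Both fields are AES-256-GCM
// output with the 12-byte nonce prepended; neither is readable without the
// customer-held master key.
type Envelope struct {
	WrappedKey []byte `json:"wrapped_key"` // per-record data key, sealed under the master key
	Ciphertext []byte `json:"ciphertext"`  // the record itself, sealed under the data key
}

// gcmSeal encrypts plaintext under key with aad bound, returning nonce||ciphertext||tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen is the inverse of gcmSeal; it fails on any change to the sealed bytes or aad.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt runs on the customer side before upload. A fresh 256-bit data key is
// drawn per record, so the master key only ever wraps short random keys and no
// single key protects more than one record. recordID is bound as associated data
// in both layers so the provider cannot silently swap envelopes between records.
func Encrypt(masterKey []byte, recordID string, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dataKey, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(masterKey, dataKey, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt runs on the customer side after download and fails if either layer was
// tampered with or the envelope is presented under the wrong record ID.
func Decrypt(masterKey []byte, recordID string, env *Envelope) ([]byte, error) {
	dataKey, err := gcmOpen(masterKey, env.WrappedKey, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dataKey, env.Ciphertext, []byte(recordID))
}

func main() {
	masterKey := make([]byte, 32) // assumption: in practice this comes from an HSM/KMS
	if _, err := io.ReadFull(rand.Reader, masterKey); err != nil {
		panic(err)
	}
	// Constructed sample record standing in for a CRM row or a file-sync blob.
	record := []byte(`{"customer":"ACME","card_last4":"4242","notes":"renewal due"}`)
	env, err := Encrypt(masterKey, "account/1001", record)
	if err != nil {
		panic(err)
	}
	stored, _ := json.Marshal(env) // this, and only this, is what the provider keeps
	fmt.Printf("provider stores %d bytes, none of them plaintext\n", len(stored))
	back, err := Decrypt(masterKey, "account/1001", env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("customer recovers: %s\n", back)
}
```

The trade-off this creates with the SaaS application itself is the thing to check before buying: a Salesforce or Office 365 tenant cannot search, sort or report on a field it only holds as AES-GCM ciphertext, which is why the gateway products in this segment fall back to weaker, format- or order-preserving schemes for such fields. Those fields are where the data residency argument is weakest, and they deserve the closest scrutiny in due diligence.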
Note — For more information on this report or on subscribing to 451 Research programs, please contact 451 Research or InsightaaS.