Many organizations would benefit from asking better questions in their supplier security assessments in order to mitigate the risk of breaches, according to Terence Runge, head of security at Illumio.
At least some of the supplier security assessments that Illumio sees include compliance-oriented questions centered on organizational structure, policy, background checks, awareness training and, occasionally, basic product testing.
Although those questions are certainly important and necessary, there is a wide range of topics, all too often absent from the questionnaires, that could yield valuable insight to guide organizations’ decisions both as a company and on behalf of their customers, Runge said Dec. 5, during an afternoon Performance & Monitoring breakout session called “Beyond Compliance – Supplier Assessment Security Considerations” at the annual Content Protection Summit, presented by the Content Delivery & Security Association (CDSA).
First, he stressed the importance of penetration testing, saying all applications that provide services over the internet and all devices that are directly connected to the internet must undergo tests.
Those penetration tests “must be” performed by independent organizations and “you must rotate” the firms used, “which is what we do,” because just getting one opinion isn’t valid, he said. These tests must be conducted prior to release into production and also whenever there are major changes, he noted. The tests must include a vulnerability scan of the external Internet Protocol (IP) addresses of cloud services, he also said, adding findings rated as “high” or “critical” must be resolved and re-tested.
There are then “12 considerations that I think are important for you to consider when assessing a product – especially a security product,” he told attendees.
First up, he urged organizations to “never lose sight of the fact that people are part of the product” and that they can also be “part of the problem too.” Next, he said, open source software vulnerability management is important because issues with it can be very costly.
Organizations also must have control of source code repositories and build environment access, he said, noting nobody asks about them. But they’re “critical” to check because “this is where a bad actor is going to go” to breach a company’s cybersecurity, he stressed.
Also important is for an organization to understand its platform dependencies when using cloud services and what those relationships mean, he said.
Next up, he pointed out that many suppliers outsource to other suppliers that in turn get access to an organization’s information. Therefore, it’s important that an organization vet those downstream suppliers as well, he said, noting: “You need to be aware who has access to your content.”
Service level agreements (SLAs) are also “very important,” he said, telling attendees organizations should know how security suppliers will notify them when there are issues, including how quickly, and also what’s being done to correct those issues.
Alerting and notifications are another area to be considered by an organization, he said, noting NDAs are a good idea to make sure a security supplier isn’t going to share security findings about them via a blog post or other website.
Coverage and effectiveness of security controls are also important to gauge, as well as support portal security, including data persistence, access controls and encryption, he said. After all, “support portals are notoriously breachable,” he told attendees.
Also important to check is threat modeling, he said: Is it done, when, and which framework or methodology is used? Also significant is what kind of threat hunting is done, including its frequency and whether it’s automated or human. The 12th consideration: questions about a security supplier’s red team, including how often it is used, its target types, and whether it is an internal or third-party team, he said.
Citing the assessments done at Illumio over the past 12 months, he said most of them included about 120 questions, which is “not too bad – that’s half a day’s work.” The longest had just over 200 questions, while the shortest had about 50, which takes only about an hour to complete, he said. Customers sometimes send their internal policies and ask Illumio to comply with them, he added, noting the average policy contained 140 controls.
Fewer than 10% of Illumio customers conducted independent penetration testing of the Illumio software, he said, adding: “I thought that was a major gap.” Those who did test the software said it was “the most secure software we’ve ever seen,” he told attendees, adding: “I’d like to see that number go up. I’d love to see people doing more independent validation.”
“Odd ducks” that he saw in the questions asked by customers included ones that focused on administrative process rather than control performance and questions that didn’t make any sense, he said. An example of the latter: “Does the third party comply with 1-200 ABC/AMBCDE Standards for Third Party Connectivity Policy?” Of that question, he said: “If somebody knows what that means, let me know. That’s a ridiculous question.”
The 2018 CDSA Content Protection Summit was presented by SafeStream, and sponsored by Edgescan, Microsoft Azure, LiveTiles, Aspera, Amazon Web Services, Convergent Risks, Dolby, Illumio, NAGRA, EIDR, the Trusted Partner Network (TPN), Videocites, Human-i-t, Telesoft and Bob Gold and Associates and is produced by the Media & Entertainment Services Alliance (MESA) in association with CDSA, the Hollywood IT Society (HITS), Smart Content Council and Women in Technology Hollywood (WiTH).