I’m a firm believer in “trust but verify” and I’m just going to come out and say it, most security professionals are conducting 3rd party assessments wrong. I’m in a unique spot where I’m on both sides of the fence: we conduct vendor assessments and we fill out questionnaires required by potential customers. Some folks put very little effort into this process so it feels like it’s just a “checkbox.” If it’s just a checkbox then why waste everyone’s time? In his book, “The Speed of Trust,” Stephen M. R. Covey talks about the 7 Low-Trust Organizational Taxes and one of those is bureaucracy. So, when I see little effort put into questionnaires, it makes me think the individual works for a low-trust organization or they simply don’t understand how to verify our trust. Therefore, it’s time to change your process.
There is a market for companies that conduct 3rd party risk assessments and their market for risk rating reports on vendors (I find most are misleading). But you don’t need to hire a 3rd party company to conduct the cloud vendor risk assessment and you definitely don’t need some generalized risk rating of an overall cloud company. So how do you trust a cloud vendor?
The very first step is to understand the business requirements: what is the business wanting to do with the cloud vendor? What data is involved in this business process? Has the business looked at other vendors? If so, which ones?
Once you figure out the business requirements and their path to selecting the vendor, go to the vendor’s website and read their privacy policy. The first question that needs answering is who owns the data? Next, go to their compliance page and get a copy of their SOC2 report. The Service Organization Control (SOC) 2 examination demonstrates that an independent accounting and auditing firm has reviewed and examined an organization’s control objectives and activities and tested those controls to ensure that they are operating effectively. There are five trust principles and the SOC2 report will reflect which trust principles were tested. There are two types of SOC 2 reports: Type I and Type II. The Type I report is issued to organizations that have audited controls in place but have not yet audited the effectiveness of the controls over a period of time. The Type II report is issued to organizations that have audited controls in place and the effectiveness of the controls have been audited over a specified period of time.
If they have a SOC2 Type 2 and other certifications, do you really need them to fill out your lengthy security questionnaire? I say no. We receive so many questionnaires where we answer “refer to SOC2 or refer to AOC, etc.” If you really want to know how to verify our trust, read the findings of our certifications. Then if you are still uneasy about our trust, then send a question that really matters to you. If you send us a question, “Do you conduct vulnerability scans?” then you obviously don’t understand the PCI requirements. Send us the questions that will help you verify that trust.
Buyer beware: if the vendor states they have a certification and sends you AWS’ certification, that is a BIG RED FLAG. In fact, run!
The certifications you are looking for are what your vendor achieved, not their vendor. As with all cloud vendors, there is a shared responsibility with security and compliance. AWS has a great write-up on this located here.
In this example, when you are evaluating the cloud vendor you are looking at their controls they are responsible for and not AWS’ certifications.
What if the vendor doesn’t have any certifications? No problem, that’s where the lengthy questionnaire is relevant. The Vendor Security Alliance (VSA) has a great questionnaire that is free to download here. If your business requirements include data privacy, then you’ll need to add some questions to VSA’s questionnaire.
Here is a little trick I use when trying to verify the trust of a vendor without any certifications. I first ask what security/compliance framework they follow. Let’s say they answered PCI then I go down to where I asked them how often they scan for vulnerabilities. If they state annually, then they obviously are not following the PCI framework.
Remember, your job is to assess the risk and relay that back to the business. If the business still wants to move forward with a high-risk vendor then the business owner didn’t understand the risk and you should move the discussion around compensating controls. Once you start down that path, the business owner usually instructs their team to look for other cloud vendors.
I hope this help you and Godspeed into your vendor assessment journey.