In light of the breaking Uber security breach involving the cloud, I’m reminded of a security due diligence experience I had with a Cloud-based SaaS provider.
The Cloud has certainly opened new avenues for companies and has reduced IT TCO. Cloud is basically the CIO's and the developer's new-found best friend. Not that long ago I was researching and writing a security white paper on virtualisation for the Bank of England. They were toying with the idea of virtualisation and were dubious about virtualisation security. How times have changed. After years of holding back due to concerns about cloud security and data sovereignty, we have moved head first into the cloud.
There isn’t a company out there that does not have some sort of cloud strategy. Many have cloud-first strategies. Whether it is SaaS or IaaS or a hybrid cloud model, there are so many options and so many niche companies using the cloud to drive new models of working and revenue generation. But what about security? What has happened to all the security concerns? That funky SaaS software you are using, hosted on Azure or AWS or any other cloud: is it secure? Just because the IaaS provider is secure, does it automatically mean the SaaS sitting on top of the IaaS is also secure?
Security, what security?
The Cloud has certainly empowered people. You can get five laptops and five guys to set up a billion-dollar company from a virtual office or even from your kitchen, but what about security? What security? The Cloud provider provides all the security, right? So what are the implications of hosting your personal data on SaaS platforms? With the imminent application of GDPR next May, the risk of hosting personal data on the cloud has changed. Does your SaaS provider understand security? Have they followed security best practices and tested their application as we would expect from a traditionally controlled development and hosting environment? Yet the easy access to the cloud and cloud-based tools can enable all sorts of development capabilities, usually at the expense of security.
The following is a month-long conversation (shortened for the sake of sanity) I had with a cloud SaaS provider a couple of years back. The client I was working with was about to put their Intellectual Property (IP) on this SaaS platform.
Excellent product: my customer liked it, the product manager liked it and even the marketing guys loved it. All set to go. The switched-on CIO asks the Security Manager (me) to do the last-minute security due diligence before signing the contract.
Who is managing your security?
I send the vendor my standard security questionnaire to complete. It takes a while, and some prompting, before it is returned. The vendor returns it – all good, all the boxes ticked. I ask for evidence – none forthcoming. The following to-and-fro conversation took place over a month as I tried to obtain some security assurance from the vendor.
Vendor: “We are hosting on nnnnnnnn Cloud and if it is good for the Bank of America, then it should be good for you.”
Me: “But what about your application? Have you tested the security of your application?”
Vendor: “The Cloud provider has ISO27001, PCI-DSS, you name it they have it, why do we need security on top of that?”
Me: “Have you not heard of the Shared Security Responsibility Model?”
Vendor: “What is that?”
I persevere to explain what it is.
Vendor: “No, but we are secure as it’s all taken care of.”
Me: “Have you completed the security checklist that your Cloud provider asks you to?”
Vendor: “What are these?”
I send them the cloud provider’s security checklists.
The vendor completes them, and it is all positive and there are no gaps – they had never completed them before for the Cloud provider.
I ask for evidence of the assertions they made in the questionnaire and the checklists.
Vendor: “Our security manager is now away on holiday, therefore cannot provide the details.” Then: “We cannot provide the details because it’s all confidential.”
I wait and wait.
Me: “Do you have security policies? You should be able to share these.”
Vendor: “Of course, we do, what do you mean do we have security policies!”
Me: “Can you share them please?”
Vendor: “No, as they are on our system and we cannot print them off for you.”
Vendor: “We will set up a WebEx session, so you can visually see them, only.”
WebEx session arranged.
I get shown the login panel of the application and some high-level configuration, but no policy.
That’s a month gone, trying to assess the basic security posture of this SaaS vendor. A lot of obfuscation and bluster to hide the fact that they did not have a basic grasp of security best practices.
And so went their chance to win the bid!
Security says no!
The lesson from this story is basically this: how many small companies with big software out there think their IaaS service provider has taken care of all the security? Many don’t even penetration test their apps/software before loading them onto the cloud. There are a lot of software developers out there who are not even aware of software security development best practices such as OWASP or the CWE Top 25, or of vendor security frameworks and recommendations. These companies, often start-ups, are busily developing software that may end up holding critical business data or even personal data that would be covered by GDPR. Do organisations understand the changed risk landscape with the imminent introduction of the GDPR? If you are a cloud consumer with personal data in the cloud, then revisit and carry out risk assessments, or even a DPIA, to assess the risk to your organisation and to the data subjects. Ensure the SaaS application and the provider are both GDPR ready.
Don’t be hosted and be damned, check whom you are hosting with and how they are protecting your data.
Author: Moyn Uddin, GDPR-P, CISSP, CISA, CISM, CRISC, ISO27001 LA, TOGAF, is a certified GDPR and cybersecurity practitioner. As a security practitioner he has written, tested and embedded many incident management plans and processes and dealt with many incidents and data breaches. He is also the co-author of RESILIA – Cyber Resilience Best Practices from AXELOS, published in 2014, and the author of the accompanying Pocketbook. He is also the lead author of the Cyber Resilience Best Practices training course for ITpreneurs.
Copyright Cyber Counsel