Your organization should feel vulnerable when one of your vendors gets hacked, especially vendors with a connection to your network or that hold your sensitive information. When one of those vendors gets hacked, their breach should send shivers down your spine. We’re at the point where security professionals have to anticipate the crime before it happens. To use an analogy based on the 2002 movie Minority Report starring Tom Cruise, organizations must operate a vendor risk management program much like a Pre-Crime unit.
Two tools can enable such a Pre-Crime effort: cyber risk ratings and cloud security gateways. Neither tool purports to be a crystal ball, but they do measure risk factors that can merit attention before a breach occurs.
Cyber risk ratings firms are driving a new age of transparency. They offer an objective assessment of an organization’s vulnerability to hackers in the form of a rating that can change daily. The lower the rating, the greater the vulnerability. Risk factors covered include IT housekeeping issues such as port configuration and email security protocols, as well as events, such as an IP address that becomes associated with malware or botnets. Cyber risk ratings complement, but also leapfrog questionnaires and penetration tests, the traditional methods of vetting vendors. BitSight adds cost-effective breadth and depth of coverage on a continuous basis.
Cloud Security Gateways (CSGs) are becoming popular because workloads are shifting from locked-down, on-premises data centers to the cloud, and organizations need to be able to identify and control employee use of cloud-based services. Also, regulations such as the EU GDPR require control over data that can only be achieved with a CSG, with penalties for non-compliance that can cost a company up to 4% of annual global revenue. The cloud offers amazing agility and innovation, but it also introduces considerable security and compliance risks that must be managed.
The breach reported by OneLogin on May 31, 2017, was a spine-tingling event for its customers. OneLogin is a cloud-based service that provides single sign-on and identity management for all the cloud-based applications used by an organization. Comparable providers include Ping Identity, Okta, Centrify, Sailpoint and Bitium. OneLogin's breach has been well-covered by the media, including security bloggers. Let’s see what we could have known about OneLogin before the event occurred.
BitSight Technologies has become the standard for cyber risk ratings. Organizations that use BitSight can detect changes in the security posture of any of their covered vendors across numerous risk factors on a daily basis. BitSight promotes a transparent conversation between customer and vendor that can drive greater accountability on security standards.
OneLogin experienced a reported breach in September 2016, causing their score to decline. OneLogin’s score has risen since then, but dropped again after last week’s event. None of the other comparable providers experienced that kind of event over the past year. It's one thing to be once bitten, twice shy, but how should you react to a vendor that's twice bitten?
While not clinically predictive, BitSight asserts that a vendor with a botnet grade (one of several risk factors measured) of ‘B’ or lower is twice as likely to experience a significant data breach than one with a grade of ‘A.’ BitSight isn’t a comprehensive measure of cyber security, but it can drive efficient, meaningful interaction between customers and vendors that leads to a safer and more compliant supply chain. The age of cyber transparency ushered in by the ratings firms can affect market share over the long run.
Cloud-based vendors have a whole other set of risk factors to consider. The Cloud Security Alliance has developed a robust set of about 50 factors that have been incorporated and further developed by CSGs such as Netskope and Skyhigh Networks, among others. For example, does your organization continue to retain sole ownership of its data after uploading to a cloud host? What compliance certifications do they possess? Do they encrypt data-at-rest and in-transit? Does the app have a disaster recovery plan?
Netskope’s approach to measuring risk is embodied in their Cloud Confidence Index (CCI), a 1-100 metric that indicates a cloud-service’s enterprise-readiness. There are over 25,000 cloud-based services out there, of which only 6% are enterprise-ready, so there are considerable security and compliance risks to manage.
By monitoring their CCI score, you can understand the unique risks that a cloud-based vendor can represent to your organization. A customer should engage cloud-based vendors with its eyes open, raise an issue that is concerning, and choose another vendor if it's not satisfied.
Hindsight is 20/20 but, with the right tools, your risk management program can help you foresee issues that can lead to trouble, so that you can avoid them.
Note: Source Calle LLC is a channel partner for BitSight Technologies, Netskope and Skyhigh Networks.