ISACA Now Blog


Your Cyber Security Program’s Secret Weapon: Vendor Management

Brian Nesgoda, CISSP, SVP Risk Management/CIO
Posted at 3:02 PM by ISACA News | Category: Security

Not sexy enough? Well, I attended a security conference earlier this year in Phoenix, Arizona, with approximately 100 of my closest CISO colleagues, and much, if not most, of the conversation was focused on cloud-based business service providers and the challenges these CISOs faced in securing those providers.

These were security professionals from large organizations sharing their experiences, both positive and negative, deploying services like O365 in the cloud, as well as dealing with the demands their business groups were placing on them to deliver data from any location and from any device: the digital workplace. Cloud and mobile devices have made it easier to work and collaborate, but they often bypass perimeter security controls. With traditional security tools it is difficult to block or allow cloud traffic selectively and to enforce the organization's security policies and standards on it.

Fast forward to a presentation I gave at ISACA's Africa CACS conference in Accra, Ghana, about what keeps us up at night. The conference was attended by auditors and security professionals from Germany, Kenya, South Africa and many other locations. I asked the group in my workshop what keeps them up at night, and the response paralleled what I heard in Phoenix: "How do I secure the cloud services my organization is deploying?" My workshop was attended primarily by auditors, so they were most concerned with validating the controls, but the theme was the same at both conferences: How do we secure and validate the cloud services?

I wrote a blog a while ago about "The vendors of my vendor's vendor," and I shared actionable steps an organization can take to improve vendor management. The blog and its actions were high level and mostly administrative controls: first, hold your direct vendor accountable for its own vendors; second, tie the due diligence to the money; and third, follow the guidance.

I’d like to expand on those recommendations and include a technical control that is emerging and maturing quickly: Cloud Access Security Brokers, or CASBs. According to Gartner, by 2020, 85 percent of large enterprises will use a cloud access security broker.

A CASB is an on-premises or cloud-based security policy enforcement point placed between the consumers of cloud services (your employees) and the cloud service providers (your organization's third-party vendors). It can sit inline, as a forward or reverse proxy in the traffic path, or out of band, connected through the cloud provider's APIs. Either way, the CASB enforces your enterprise security policies as cloud-based resources are accessed.

CASBs provide visibility and control across both approved and non-approved (shadow IT) services. Organizations need to ensure their employees aren't introducing malware and other threats through channels such as cloud storage services. This means being able to scan and remediate threats in real time when an employee tries to share or upload an infected file, and detecting and preventing unauthorized user access to cloud services and data. Data security policies are enforced when sensitive content is discovered in the cloud, and the CASB gives IT the option of routing suspected violations to its on-premises systems for further analysis.

And, possibly most importantly, they support compliance. As organizations move more of their data and systems to the cloud, they must ensure they comply with the many regulations designed to protect the safety and privacy of personal and corporate data, and a CASB gives them both a place to enforce those requirements and a record showing that they were enforced. So, actions to take right now include:

  1. Review and revise your policies and standards to include your third-party vendors.
  2. Read. Read everything you can about CASBs. Marketing people are paid to market, and many of these vendors promise everything. A CASB is not a silver bullet, but it is another layer in your controls.
  3. Perform vendor management due diligence on the CASB vendor. Remember, this vendor could represent a single point of failure and impact the availability of your cloud services; this is especially true of inline (proxy) deployments, where an outage of the broker can cut users off from the service, whereas API-based deployments tend to fail open and lose enforcement instead.

OK, so I don't know whether we've answered the question of whether it's sexy or not, but the technology is definitely promising and worth reviewing.
