In the last few years, the role of CISO has evolved into that of a strategic stakeholder. Today, CISOs are considered important business enablers and often have a seat at the leadership table. This ascent is largely due to the radical change in the way of working brought on by COVID-19, which required CISOs to find an immediate solution for secure remote work. At the same time, a growing number of more dangerous cyber attacks, like those on Colonial Pipeline and SolarWinds, have made leadership sit up and listen to the warnings CISOs have been giving for years.
CISOs now have a leadership voice in companies. They can use that voice to implement the right practices and choose the optimal vendors for tackling the security challenges of today and tomorrow. Among those challenges, securing cloud infrastructure is one of the most pressing matters. With digital transformation bringing IT architecture to the cloud at a staggering pace and a lamented lack of cloud security expertise across the industry, the question is: how can CISOs be confident they are choosing the right cloud security solution? After all, vetting, implementing and integrating a solution is no easy feat, and the cost of replacing a vendor is high.
To overcome these challenges, some CISOs might choose to create their own cloud security mousetrap with their in-house cloud experts. But should they? Dom Zanardi, Security Automation Engineer at SaaS company Latch, chose to procure a solution from a vendor because, though they could, building one was “just not the right use of our time.”
To help CISOs evaluate different offerings, we’ve created a framework to aid in choosing security vendors for AWS, Azure and GCP. You can use this guide to find vendors that will answer your specific needs as well as identify which solutions are sufficiently mature and comprehensive to reduce — rather than add to — management and integration overhead.
The framework is divided into three parts:
- Vendor Maturity – Covers industry familiarity and compliance, so you can be confident the vendor has the expertise and backing to deliver on its promise.
- Technical Knowledge – Covers the vendor’s understanding of the landscape, so you can be confident the solution is of high quality.
- Solution Features – Which capabilities the vendor offers, so you can be confident the solution answers your needs.
Section 1: Vendor Maturity
Gauging vendor maturity is important for ensuring that the vendor will be able to deliver on their promise, for understanding the value their product adds to your security arsenal and for establishing their role in supporting your business objectives.
Here are some key requirements to look for during the vetting process that will help you determine vendor maturity:
While every cloud infrastructure is built from the same components, your cloud security strategy will depend on the industry you belong to. Each industry has its own unique requirements, including compliance regulations, customer demands, scalability needs, geographical reach and SLAs.
To ensure your cloud security provider can support your needs, make sure it is familiar with the nitty-gritty requirements of your industry and has experience in addressing them. Complying with HIPAA is not like complying with GDPR, and securing an infrastructure that is heavily targeted by fraud, or one that is expanding into new geographies, calls for greater solution robustness and scope than a more static business needs.
Securing the cloud requires deep technological know-how in areas like configurations, encryption, networking, identity management and application security. These areas are complex enough on their own but, to make matters worse, differ from one public cloud vendor to another. In addition, technologies are rapidly evolving and the most up-to-date information is constantly changing.
Make sure your vendor has internal expertise and experience in these cloud areas and can demonstrate that knowledge during all phases of the project: design, planning, onboarding, implementation and monitoring. A good way to check this is to examine in which areas you can consult with them. (See more in Section 2).
Sometimes a vendor’s website, sales deck or RFP responses will blow you away, but marketing and sales professionals are skilled at doing that ;-). You will likely want, or feel you need, additional layers of evaluation to ensure the vendor meets your standards. Look for recognition from analysts, as well as accolades from third parties you trust and acknowledgement by influencers.
In addition, review case studies to see which kinds of projects they’ve run. It’s always useful to ask to speak with a customer. Beyond understanding their satisfaction, you may uncover insights you want to factor into your own project scope. This diversity of feedback can help you better establish your trust in the solution.
They Secure Themselves
Vendors that understand the value of security will also take measures to ensure their own operations are secure. This includes meeting compliance requirements like SOC 2, but also taking extra measures such as building a long-term security program for themselves. According to Daniel Miessler, when auditing vendors you should assume that they themselves are at risk of being compromised, or already have been, so it’s important to understand how they manage their risk. That is, check that their own security measures are adequate for minimizing any risk their solution poses to your environment.
They Make Good Partners
When choosing a vendor, you want to make sure they have the qualities that will enable you to work with them. Solution implementation is not just technical; it’s also about the soft skills that help you get the most out of the solution. Make sure you can communicate easily and frequently with your vendor. It’s even worth clearly stating your expectations during the contract phase.
And while we’re at it, get a sense of how grounded and sincere their sales organization is. Are they responsive to your requests for further information and to speak with different roles in the organization? Do they help amplify the value you get from a call? Do the demos seem to legitimately reflect the solution they claim to have? Is there an openness; are you able to take the conversation where you want to? Assessing if a vendor will make a good partner starts with the vibe you get from early calls — and continues as you move through the sales process.
Some vendors in new security categories are very flexible and open to partnering with clients to evolve their offering. This can be an excellent opportunity for you to get even higher value from a solution. Find out how responsive the vendor is to product suggestions and more importantly — since vendors often promise more than they can deliver on — try to determine their process and how they would engage you if they were to go forward on a development idea of yours.
Section 2: Technical Knowledge of the Cloud
As we’ve established, securing the cloud requires immense technological knowledge in multiple aspects of cloud security. Therefore, confirming that your cloud security vendor has cloud proficiency is an important stepping stone in your vetting process.
Here are some knowledge areas your security vendor should bring to the engagement:
The Shared Responsibility Model
The AWS shared responsibility model — and that of other cloud providers — is a framework depicting which parts of the cloud are the vendor’s responsibility to secure and which are the user’s. Unfortunately, this division is not always readily understood or executed on by the cloud customer, resulting in security gaps that can lead to a cloud data breach.
Make sure you understand the model and where your responsibility lies – essentially, to protect any data stored in your cloud. When you engage a security vendor, have them help you understand where they fit in, how they help you answer gaps in your cloud protection and, most importantly, which areas are left unaddressed. This will help you understand where the vendor’s solution fits in your security plan — and, as we discuss below, help you understand if their product roadmap may provide an answer for remaining gaps.
Cloud Security Gaps
Securing the cloud is not easy for CISOs, or for whoever, under any other title, holds top responsibility for ensuring the organization’s cloud is adequately protected and will not bring harm upon the business, its employees or its customers. There are many gaps to overcome and lots of moving pieces, including holes in visibility, access management, mitigation capabilities, proactive risk assessment and more. Also, security executives are a diverse club, coming to their role with various technical and information backgrounds, and may or may not have a deep understanding of cloud security technologies.
To be able to truly reduce and prevent threats, make sure your vendor is cloud security savvy overall: well-versed in cloud security categories, solutions and gaps, and able to show you how their solution is designed (or roadmapped) to overcome specific challenges, and to what extent. Since an important business value of cloud infrastructure, and an intrinsic security risk, is its ability to rapidly scale, try to get answers on how the solution is architected to scale as your cloud footprint and reach grow.
Is the vendor solution able to give you a solid picture of risk? If you’re looking for a vendor, you know you have a high-level issue you want to secure. But once you have a solution in place, do you know how to get started? Do you know your organization’s risk health and how much work needs to be done to bring it in line with your organization’s risk tolerance? Does the vendor solution analyze, display and project risk and have the technological depth to find hidden risks?
Risk analysis is a key, if not the primary, phase in building out a security plan for the area you are addressing. The analysis helps you identify security areas that require improvement and actions. In best case scenarios, such an analysis will also include prioritization of the risks and solutions for mitigation.
Choose a vendor that offers both an early look at and ongoing risk analysis:
- Initial analysis – A first step before vendor selection or implementation. Includes identifying security gaps and recommending how to remediate them. This step will also help show you the vendor’s abilities for securing your cloud.
- Continuous risk analysis – After vendor onboarding. An ongoing, automated analysis of your architecture, with continuous identification of risks, prioritization and automated mitigation.
Multi-cloud and Hybrid Cloud Support
There are many different models of working in the cloud. Often, companies choose to work with different cloud providers for business reasons, or wind up working with multiple providers following mergers or acquisitions. In addition, some companies deploy a hybrid model, in which some of their infrastructure stays on-premises. This can be due to corporate security policies, use of legacy systems or simply because they haven’t finished transitioning to the cloud.
Whichever cloud architecture model you currently deploy, make sure your vendor can support it and provide you with all the required features. This will require you to validate a seamless and secure transition between clouds and between the cloud and your servers, as well as a single pane of glass for unified management.
Pro tip: Make sure your vendor can also support your future planned architecture, so your security plans don’t get in the way of your digital transformation.
Section 3: Solution Features
Finally, it’s time to talk about the actual capabilities the vendor provides. While we can’t determine which specific features you need, we can describe how these features should be implemented to ensure you get the results you need, with good ROI.
Take a look at:
Operational Ease of Use
Unless you’ve taken a managed services plan, your vendor will not be around all the time to hold your hand. So choose a solution that you feel comfortable operating and managing autonomously. Think to yourself: if there’s an emergency on a Friday night, will my team and I intuitively know how to utilize this solution? If the answer is ‘yes’, you’ve got yourself a winner.
The solution you are implementing is one piece of your cloud security puzzle. To ensure it works seamlessly with the rest of your tech stack and systems, it should expose an API and provide the integrations on your shopping list, so you can wire it into your environment.
CNAPP (Cloud-Native Application Protection Platform) is a new Gartner category that describes a comprehensive, end-to-end platform from development to production that has an integrated approach to cloud security. Such platforms move toward unifying siloed capabilities, like CSPM, CIEM, vulnerability scanning and workload protection. While no existing solution currently offers CNAPP, Gartner identifies it as the promised land that the cloud security market should strive towards.
Therefore, we recommend choosing a vendor that has a CNAPP “leaning” — integration of more than one cloud security domain and plans for more, and a core technology that lends itself to deep visibility able to expand further. In the meantime, make sure all the capabilities it does offer are unified by design and not a patched integration so it operates like a well-oiled machine in your cloud infrastructure.
Automated Prioritization and Remediation
Automation is the only way to keep up with the dynamic pace and complexity of cloud technology. For security, this means automated detection, prioritization and remediation of risk.
Evaluate the offering’s ability to prioritize risk, so you can make an informed choice on what to spend time fixing while keeping your security posture at an acceptable level. It goes without saying that a solution must offer remediation at the degree of automation that aligns with your organization’s preferences and practices. Such solutions can also contribute to DevOps velocity, not to mention the security of new applications and services, by helping teams deliver more secure code.
A solution with effective automation of risk mitigation helps scale security as your cloud footprint grows, giving peace of mind while freeing security and other teams for higher productivity tasks.
Plan for Evolutionary Deployment and Expansion
We can’t predict the future, but we can plan for it. We started out with the radical change in the role of the CISO due to changes in society, technology and security. You don’t know if or when the next big event will hit, but you can choose a vendor that takes such uncertainties into account and integrates capabilities and flexibility so you can quickly adapt. So choose a vendor that is as agile as you are and will be able to support you in the next years, regardless of the changes and challenges that arise.
*** This is a Security Bloggers Network syndicated blog from Ermetic authored by Ermetic Team. Read the original post at: https://ermetic.com/blog/cloud/useful-tips-for-choosing-a-cloud-security-vendor/