RSAC 2015: RSA Conference (Day 2)

Shadow IT isn't the problem, complacency is

Page 4 of 5

Bil Harmer, CISO, Good Data

Q: What advice do you have for organizations assessing their SaaS contracts in order to establish a clear and actionable model of shared responsibility?

Bil Harmer (BH): The key to ensuring a correctly shared responsibility is with respect to sharing the technical and organizational measures.

The client should be able to review and understand the SaaS providers’ methodologies and processes and how they apply. They should not be trying to make the SaaS provider follow their specific processes. The outcomes should be the same but the path to the outcomes can be different.

SaaS providers need to deliver a single methodology that is applied to the environment. It cannot apply different processes based on each customer. It’s the process side of multi-tenancy. We see dozens of companies claiming they are multi-tenant SaaS providers when in reality they are hosting individual VMs for each customer and use terms like 'multi-tenanted.' Now, with a clear understanding of what each party will do, setting up contractual obligations that define who will do what and when is very simple.

Q: What do you see as one of the biggest security risks that organizations should be addressing with SaaS deployments?

BH: Transparency with the providers. Simply grabbing a SOC2 audit or ISO cert is not sufficient. Selecting a SaaS partner and deploying a SaaS tool requires appropriate due diligence into how the provider delivers the service, where it’s delivered from and who the provider is using as sub-processors.

Q: What is your guidance on how an organization should get started with SaaS security?

BH: You need to inventory your approved SaaS providers and establish a process for each that aligns with the company’s policies. Many of the SaaS providers being used will cover 90% of the corporate data, but there is no consolidated view into the application of correct policies and requirements.

These apps are purchased by the business, configured by the vendor with the business and run by the business. This can lead to inconsistencies in the application of what the business 'thinks' is appropriate. Do they understand what a strong password is? Do the users know what data can and cannot be put into the freeform text field? By creating an inventory and getting insight into how these applications are being used, companies will be able to reduce their risk.

Q: Privacy and data security appear to be a dichotomy. How do organizations balance this? For example, IT needs to monitor the activities but may be constrained under certain privacy considerations.

BH: Privacy and security should not be a dichotomy. Security is a tool that helps achieve privacy. If a CISO is trying to become “Secure” there is no way to know if they’ve made it without privacy.

Privacy should be the goal and security part of the tools. Many European countries do not permit the monitoring of employee behavior at work, but companies need to proactively monitor system activities to protect data and stop attacks before they happen.

Someone, not necessarily IT, needs to monitor these activities. This is where a SaaS or outsourced solution can bring huge benefits. Monitoring for abnormal behavior can be done by the vendor, and when something crosses a threshold, the customer can be contacted to investigate further. At this point the company is not monitoring employees but instead investigating a security event.

Q: Lack of security budget is often cited as an obstacle. What can CISOs do to get the budget they need for cloud security?

BH: Hand the CEO a newspaper. Seriously, the comparison between security and insurance has been around forever. This is all about mitigating risk.

If the data being held is at risk, then mitigating controls need to be implemented. CEOs and boards are being held responsible for breaches now. These are board-level discussions. If a CISO is having trouble getting budget, then they are not speaking the right language.

They should be talking about business risk; a CISO should not be talking about firewalls and anti-virus. Those risks need to be reviewed and compared to other risks in the business, and funds should be allocated based on business risk. Right now the business risk of being compromised is much higher due to the high-profile cases that have been hitting the newspapers.
