How many times have you had vendors say they’re secure because they’re using AWS, Azure or G Suite? Unfortunately, just because AWS is SOC 2 compliant does not mean that every vendor application running on AWS is equally compliant. Cloud hosting is based on a shared responsibility model: the cloud service provider is responsible for security of the cloud, and the cloud service user is responsible for security in the cloud.
To get an accurate picture of your third-party vendors’ security in the cloud, Privva now offers a Cloud Security Assessment. The assessment focuses on best practices within each cloud environment as well as discovering which products third parties use to secure their cloud offerings.
The most secure cloud infrastructure in the world won’t protect applications if they run unpatched software with known vulnerabilities. Cloud-based application providers should implement best practices for the security of the virtual servers they spin up, the applications they build on them, and the configuration of security groups, firewalls and other built-in security features. Are your application providers keeping all machine images up to date with the latest OS and security updates? Do they have appropriate access controls in place for admin users? Do they have robust security group rules that only allow the kind of traffic that is absolutely essential into the cloud hosting environment? Privva’s Cloud Security Assessment will help you find out.
Each cloud platform offers numerous security products that can improve security awareness and preparedness. On AWS, for example, there are products for threat detection, protection from distributed denial of service (DDoS), management of SSL certificates, and log analysis. Assess which types of security products your cloud-based vendor is using with the Cloud Security Assessment to understand where their vulnerabilities lie.
Don’t let your third-party vendors hide behind the cloud when asked about their security practices. Contact Privva to start assessing the real security in the cloud of your vendors.
Best practice: If your solution leverages S3 to store PII or other sensitive information, are your S3 buckets encrypted?
Product: Do you use Amazon GuardDuty or a similar solution for threat detection and continuous monitoring?
Best practice: Have you disabled RDP and SSH access to virtual machines?
Product: Do you have Azure AD Privileged Identity Management enabled to monitor privileged access?
Best practice: Do you have user login challenges set up for suspicious login attempts?
Product: Do you have spam moderation enabled for Google Groups?
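The security group question above and the RDP/SSH question in the checklist are the kind of thing an assessor can verify directly rather than take on trust. The following is an added example, not Privva's assessment code: it audits ingress rules shaped like the AWS EC2 DescribeSecurityGroups response (the sample groups are constructed, not from any real account) and flags SSH or RDP exposed to 0.0.0.0/0 or ::/0.

```python
from typing import Dict, List

# Administrative ports the checklist asks about, keyed by TCP port number.
ADMIN_PORTS: Dict[int, str] = {22: "SSH", 3389: "RDP"}
# CIDRs that mean "the whole internet" for IPv4 and IPv6.
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _open_to_world(perm: dict) -> bool:
    """True if any IPv4 or IPv6 range on this rule is unrestricted."""
    ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(cidr in ANYWHERE for cidr in ranges)


def _covers_port(perm: dict, port: int) -> bool:
    """True if the rule admits TCP traffic to `port` (protocol -1 = everything)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_security_groups(groups: List[dict]) -> List[str]:
    """Return one finding per admin port a group exposes to the internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            for port, name in ADMIN_PORTS.items():
                if _covers_port(perm, port):
                    findings.append(f"{sg['GroupId']}: {name} ({port}/tcp) open to the internet")
    return findings


# Constructed sample: web group leaks SSH, bastion restricts it, legacy group opens all ports.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for line in audit_security_groups(SAMPLE_GROUPS):
        print(line)
```

Against a live account the same function can be fed the `SecurityGroups` list returned by boto3's `describe_security_groups`; the HTTPS rule on sg-web is deliberately not flagged, since only administrative ports are in scope here.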
Schedule time with Privva to learn more.