It is attractive to outsource cloud security to external vendors, especially those that offer attractive service contracts together with impressive security software. I often see this approach in security teams that have deep experience with on-prem security but are lacking cloud expertise. Even more concerning, in some cases, the head of the department was not even aware of the dependency. They had assigned the task of cloud security to a sub-team who, lacking cloud experience themselves, had been taken in by a generous service offer from a security software vendor.
Either way, there is usually a view that if the security team dictate the usual security practices and policies to the vendor, whatever the vendor implements in the cloud should be sufficient and appropriately contextualised to the organisation. While this may seem like a convenient solution, it has serious implications.
The in-house security team may be aware that the vendor has enabled certain compliance packs, but they might not fully grasp the specific cyber risks and organisational policies covered. This lack of understanding can lead to gaps in security protocols and a false sense of safety. Similarly, a lack of understanding of the cloud places a lot of trust in the vendor to close every cloud security risk, with no internal ability to confirm or audit that posture.
Perhaps a bit cynical, but vendors have little incentive to educate the organisation about the intricacies of the security tools or policies due to the lucrative nature of support contracts. Revenue-based KPIs drive the desire to maintain long-term dependency, which can overshadow the need for transparency and cooperation.
Lastly, keep in mind that in the unfortunate event of a security breach, it will be the organisation's brand that suffers, not the vendor's. The trust of clients and stakeholders can be shattered, leading to long-term reputational damage.
One notable example that illustrates the risks of vendor dependence is the Target Corporation's breach in 2013. Target outsourced certain aspects of its security, which contributed to the exposure of 40 million customers' credit card information.
The attackers initially gained access to Target's network by exploiting the weaknesses in Fazio Mechanical's own security systems. Once inside, they were able to move laterally across the network, eventually gaining access to Target's point-of-sale (PoS) systems. Here, they installed malware that captured the credit card information of 40 million customers during the payment process.
Target had outsourced the following aspects:
- Third-Party Network Access: Target gave network access to its HVAC vendor, but this access was not adequately segmented or monitored, allowing for lateral movement within Target’s internal network.
- Vendor Security Standards: Target did not enforce stringent cybersecurity standards for its third-party vendors, thus opening itself up to vulnerabilities within those external systems.
- Monitoring and Response: Even though Target's internal security system did flag the malware, the alerts were not acted upon in time, leading one to question the effectiveness of their outsourced security monitoring services.
- Data Encryption and Tokenisation: Had Target enforced more robust data encryption standards at the point-of-sale systems, the captured credit card information would have been much harder to exploit.
The incident underscores the critical nature of maintaining rigorous control, understanding, and end-to-end oversight of outsourced security functions. It’s not just about delegating responsibility but ensuring robust protocols for risk assessment, compliance checks, and real-time monitoring. Vendor dependence doesn't just extend the perimeter of the security posture; it also magnifies the surface area for potential attacks, particularly if those vendors don't uphold the same stringent security measures as the organisation.
Organisations, especially Chief Information Security Officers (CISOs), must proactively mitigate these risks. They should be aware of which vendors are involved in cloud security and what the RACI is between the in-house team and the vendor(s) is.
If there is a lack of in-house cloud skills, cloud training will be essential. Cloud security providers can offer training that focuses on security. However, ensure that content is contextualised to the organisation — especially if the organisation is using a platform strategy or similar custom process between the cloud and staff. This empowers the team to identify and address potential vulnerabilities proactively. Even if the vendor continues to execute cloud security, at least the in-house team will now have a firm understanding of what the vendor is doing and any potential gaps or risks they may be exposed to.
Similarly, require security vendors to deliver comprehensive training on the tools they provide and how they are configured, including the scope of any compliance packages and custom rules that may be implemented. An exercise called compliance mapping may be helpful here, too, as it will show clear mapping between organisational policy and the configurations that have been implemented in the cloud. This enhances the transparency and cooperation between the vendor and the organisation.
Remember that the ultimate responsibility for security rests with the organisation. Regular assessments of the internal team’s knowledge of the vendor and its processes, and end-to-end audits of the vendor's performance are vital to ensure alignment with the organisation's security objectives.