The trouble with third-party assessments
- 05 January, 2017 22:00
When it comes to security, more is always better, right?
That sounds good in the abstract, but in practice it can cause problems. For example, I have always resisted allowing any of our 20,000-plus customers to conduct third-party assessments of our security measures. I re-evaluate that policy from time to time, but for now I’m sticking to it. I’ll explain why.
My team spends more than 20% of their time filling out security questionnaires, doing security-related contract reviews, responding to requests for information and participating in sales engagement meetings to address security and privacy. Repeatedly, we find that prospective customers want to conduct a security assessment of our applications and infrastructure, using either their own resources or a third party. As they see it, it would just be a matter of running a tool such as Nessus, Qualys or Nmap.
My answer is no. The prospect then says something such as “What are you trying to hide?” or “How can we trust you?” or “You should welcome a free assessment” or “We can’t move forward without our own assessment.”
I have my reasons, of course, but first I explain that, as part of our risk management program, we conduct regular internal and third-party assessments of both our applications and our infrastructure. The third parties we work with are reputable firms constrained by strict statements of work and nondisclosure agreements (NDAs). We schedule the activity for off hours and announce it to the relevant departments, because assessment activities can cause performance issues or other anomalies.
I then provide the prospects with an executive summary discussing the engagement, including high-level findings and the bottom line of whether our defenses were penetrated. I also show them SSAE 16 SOC 1, SOC 2, PCI and other third-party compliance reports. In most cases, the companies are satisfied.
But I often have to explain the philosophy behind this stance. My experience has been that allowing an outside assessment once can open the door to unannounced assessments that result in unnecessary incident response. When we expect a third-party assessment, we suppress our response. Knowing that an assessment is in progress, we attribute an attempt at unauthorized access to penetration testing, so we don’t share intelligence with the security community, block the offending IP address range, report the incident to law enforcement or contact the internet service provider associated with that range to report abuse. If we don’t know an assessment is taking place, any of those responses could be embarrassing for our customer or for the third-party vendor conducting the assessment.
Also, when you have thousands of customers, you could find yourself suppressing incident response practically all of the time, which is hardly conducive to better security.
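One way to keep that suppression narrow rather than blanket, as an added example that is not from the column or its author: a small triage routine that treats an alert as part of an announced assessment only when its source falls inside the vendor's contracted address range and inside the scheduled off-hours window; everything else still escalates. The registry entry, addresses and log lines below are constructed placeholders.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed registry of announced assessments (hypothetical values).
# Each entry records the vendor named in the statement of work, the source
# ranges the vendor committed to, and the off-hours window that was announced.
ASSESSMENT_REGISTRY = [
    {
        "vendor": "example-assessor",
        "sources": [ip_network("198.51.100.0/24")],  # RFC 5737 documentation range
        "start": datetime(2017, 1, 7, 2, 0, tzinfo=timezone.utc),
        "end": datetime(2017, 1, 7, 6, 0, tzinfo=timezone.utc),
    },
]


def classify_alert(src_ip, seen_at, registry=ASSESSMENT_REGISTRY):
    """Return 'authorized-assessment' only when the source is inside a
    contracted range AND inside its announced window; otherwise 'escalate'.
    Activity from a contracted range outside the window, or from an unknown
    source during the window, is treated as a real incident."""
    ip = ip_address(src_ip)
    for entry in registry:
        in_window = entry["start"] <= seen_at <= entry["end"]
        in_range = any(ip in net for net in entry["sources"])
        if in_window and in_range:
            return "authorized-assessment"
    return "escalate"


def triage(log_lines, registry=ASSESSMENT_REGISTRY):
    """Parse constructed 'timestamp src_ip event' lines and route each one."""
    decisions = []
    for line in log_lines:
        ts, src, event = line.split(" ", 2)
        seen_at = datetime.fromisoformat(ts)  # timezone-aware ISO 8601 timestamp
        decisions.append((src, event, classify_alert(src, seen_at, registry)))
    return decisions


# Constructed sample IDS lines (not real traffic).
SAMPLE_LOG = [
    "2017-01-07T03:15:00+00:00 198.51.100.7 port-scan",    # contracted range, in window
    "2017-01-07T13:15:00+00:00 198.51.100.7 port-scan",    # contracted range, outside window
    "2017-01-07T03:20:00+00:00 203.0.113.9 sqli-attempt",  # unknown source, in window
]

if __name__ == "__main__":
    for src, event, decision in triage(SAMPLE_LOG):
        print(f"{src:<14} {event:<13} -> {decision}")
```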
Another issue is that because many of our customers are small businesses with limited resources, they are inclined to hire the least expensive firms to conduct third-party assessments, and those firms are likely to be inexperienced. I don’t have the time to vet a lot of third parties, especially if they are offshore, as often happens when cost is a high priority. Many years ago, before I learned to just say no, I let a customer conduct an assessment through a third party, only to find out later that the third party had outsourced the work to a fourth party. The result was an outage caused by an unannounced denial-of-service attack that required us to pay customers for violating our service-level agreements. Another time, a customer that had identified some sensitive security issues disclosed them in a public forum, which hurt our brand.
I also say to our customers, “Look, our application will process a lot of your sensitive data, including financial, healthcare and personally identifiable information. I know you want to be diligent about assuring the security of that information, but if we allow you to do your own testing, we’d have to allow all our customers the same privilege. Do you really want us to have an open scan policy?”
Maybe your own situation is different enough for you to allow customers to conduct their own assessments of your security. If you do so, though, I hope you have a strict program to vet your customers or their vendors, conduct reference checks, address legal issues, prepare statements of work and NDAs, schedule and track assessment activity, and monitor that activity. If not, I think you’re asking for trouble.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.