I’ve always wondered about this dilemma:
Even if, as a CISO, you define the best Infosec policy ever, and forbid your users all use of Cloud or unknown services such as Gmail, Dropbox, LogMeIn, TeamViewer to prevent Data Leakage, is that really effective?
Your company does not operate in a closed environment. If it did, it would already be bankrupt, because it would have no clients or contractors.
I was struck, a few years ago, to realize I was sending emails to a well-known Infosec contractor, to their own domain name… which were in fact handled by Postini (Gmail Pro). The company didn’t inform any of their customers about this interesting fact. When I asked them about this, they wisely answered that by nature email wasn’t secure and we shouldn’t use it to discuss anything sensitive. That is right in theory, but in practice it is seldom observed by any users… including their own staff.
The Cloud industry is changing habits. More and more people tend to use Gmail, Dropbox, TeamViewer, and many more online data storage or sharing tools. That also includes many SMEs, and obviously some of your own contractors.
Most of them will argue that Salesforce, Gmail or Google Docs are the best way for them to ensure sustainability, as the cost/convenience ratio is very good. And I really understand that most SMEs, including the companies you’re working with, are already using those Cloud solutions.
A good example:
I’m currently watching a webcast from a vendor, using my BYOD MacBook Air over our public Hotspot Wifi. For his part, the vendor also uses a MacBook and shares his screen using LogMeIn. The documents he uses are stored on Google Docs and Prezi. The solution he’s promoting is only available on the Cloud. (The previous version was on-premises; now it’s Microsoft Azure, no choice left.) The documents he’s showing us seem to contain info that comes from our organization. Not sensitive info, but it could be… And those documents seem to have been transferred either by Dropbox or Gmail.
Our business managers want the application to be used, no matter the risks. So it will be hosted on the Cloud, in the Netherlands. There are no alternatives to this solution.
As a CISO, what are the options left?
– You can ask the vendor to sign any NDA or corporate policy, but anyway he won’t change his internal processes or move away from the current Cloud solutions he already chose.
– You can audit the vendor, and that will just lead to a report explaining he’s not compliant. But you won’t be able to switch to another vendor if he’s the only software maker for this specific business case your business leaders want. And if you choose another vendor, the issue may be the same…
– You can explain to the business and your management that the vendor/solution doesn’t comply with security requirements, and has to be excluded from the selection. Do you really believe the management will accept this every time? You’ll soon be shut out of the decision process…
– DLP (Data Leak Prevention, or Data Loss Protection) doesn’t work. I’ve always said loudly that it’s useless and costly for no effect. Encryption doesn’t solve anything, because your vendors will need to decrypt the data and manage it somehow.
So you’re dead, as a CISO
My vision is not pessimistic, but realistic.
I know most companies currently have this issue. Either their CISOs don’t know the real business and processes that their company uses, or they are good liars, claiming that they handle everything smoothly and that everything is under control. But I’m sure that’s not the reality.
Your business managers want applications that help them meet their objectives and save money.
Your company partners are already promoting Cloud-only products, and your business wants those products.
Your company partners are already using Cloud internally (Salesforce, Gmail, Azure…) and your corporate documents or info *will* be stored on it, whether you want it or not.
Your company partners will not change their business processes and Internal IT to suit your needs. They have other customers than you.
They will say they already comply with 27001 and privacy laws, which is probably true.
…And you cannot resist the pressure for long.
Escape, escape!
So as a CISO, I have to find a solution that is acceptable for the business, the vendors, the partners and obviously myself.
1/ Accept that the vendors and partners that your organization works with are already using tools and solutions that you cannot control, and that will probably leak your documents in the future.
2/ Compile a list of all your partners, vendors, external resources, and people that can or will handle your corporate data.
3/ Contact them individually, and talk to the most appropriate person who is concerned with their own information security.
4/ Explain to them the issues you could have in case of data leaks, ask them to be cooperative if possible, remind them that they are also responsible when handling data, and tell them that they will have to sign an NDA to ensure they take care of your data.
Cross your fingers and hope it works.
Supply-Chain risk management
I increasingly realize that tomorrow’s CISO will be more and more of a Supply-Chain risk manager, having to deal with numerous partners to ensure they follow basic requirements, and that the global risk is tolerable for the business.
Comment by Patrick Zwahlen on 2014-10-09 16:15:43 +0200
Protect your crown jewels, the rest is owned!
This is the conclusion we reached with @haroonmeer a couple weeks ago.
Problem is now:
Define: crown jewels
Comment by Sebastian Rohr on 2014-10-10 10:12:19 +0200
Gives me the shivers. As an external consultant to many-a-big-fish companies, we do see their IT-Sec/IT-Risk people putting loads of pressure on their supply chain. So, maybe their CISOs did not realize they are dead yet (they are not! I talked to them 🙂 recently) but they seem to have come to the same conclusion. And with regards to Crown Jewels, I support this. Hard task to define this…