I'd like to share our experiences with vendor security since I'm sure it's something that impacts all of us. Like every company, Rapid7 relies on a number of technology vendors for a huge range of products and services to run the business. I'm sure no one will be surprised to hear that as a security company we have a policy specifying the security requirements that our vendors need to meet before we'll do business with them. Our view is that their security directly impacts any of our internal or customer data that their systems hold, so we take it as seriously as our own infrastructure security. Most or all of you probably have the same approach, but one unique thing that we have at our disposal is a number of highly skilled security experts on staff which allows us to have a mandatory application security assessment as part of our policy.
The results of this policy over the last few years have been eye-opening. The number of prospective vendors that pass our security bar is disappointingly low, across every category we evaluated (marketing tools, sales tools, support tools, file transfer tools, IT infrastructure, etc.). The most recent failure sparked this blog post, but it was the norm rather than the exception. More often than not they fail basic tests with numerous readily apparent and easily exploitable issues. If the vendor has a great product or service that we think is significantly better than the alternatives we evaluated, we'll delay our deployment while we engage with them to address the issues we found, getting commitments to fix them in a defined timeline. The results there have been equally dismal, with most of them missing their commitments and forcing us to go with an alternative months later. It's clear that our security bar is far higher than their bar, but also that in many cases they have neither the desire nor the skills to significantly improve their security.
All of this ends up slowing our deployment of the various third party solutions, which is an acceptable tradeoff in our view. But what do we do when none of the vendors in the space pass the security bar? And more broadly, what can we do as a security community to raise awareness of the state of vendor security and create impetus for change? Our individual efforts to push the vendors we've engaged with generally haven't been enough to move the ball. If you have any suggestions on how we can tackle this as a community, please post them below.
In the meantime, I thought I'd share our own approach in case it's useful to any of you. The overall approach we use is a coordinated process between procurement, legal, and IT security. Having a coordinated process between the business discussion and technical due diligence allows for not just improved decision making, but also more informed negotiation.
- First, in addition to screening new vendors, pull together a list of all your existing vendors if you haven't already done so (particularly SaaS vendors, which expose an externally reachable attack surface). This will be eye-opening the first time you do it, since lots of groups will have been using tools without any IT involvement.
- One useful tactic we use to find out what's in use and catch new ad-hoc “deployments” that bypass your vetting process is a periodic review of corporate credit card statements, flagging expenses associated with known vendors & SaaS providers.
- Use a security questionnaire to understand their security policies, processes, and sophistication.
- Demand to see the results of their latest security audit, showing what was tested, the findings, and the remediation they've done since that time. (We do an audit ourselves because we can). Negotiate for rights to this on a periodic basis.
- Pay close attention to audit logging functionality. Does the SaaS application track and report on login/logout events and user actions within the application, and does it record the source IP address of each event? At the very least, you will want to conduct periodic reviews of the account logs to check for anomalies.
- Scrutinize the identity management capabilities and set a policy for how they are used. Access management, particularly account management, is one of the weakest areas of SaaS security today. Multiple users are often tempted to share accounts because account limits are common to SaaS: this practice needs to be discouraged. Organizational password strength and password rotation policies are usually difficult to enforce when it comes to SaaS. Account provisioning and de-provisioning usually happens outside the IT group, and sometimes there are multiple users on a SaaS application with the ability to create accounts but no single user with clear ownership of, and responsibility for, the application. This creates a substantial risk that accounts will not be revoked in a timely fashion upon a change in employment status. Some approaches that can mitigate the issue:
  - Ensure that IT is solely responsible for account management in all SaaS applications.
  - Conduct periodic reviews of active SaaS accounts across all applications, matching to current employee rosters.
  - Work with your SaaS provider to enact IP-level restrictions to all logins, so that employees are required to be either physically present in the office or connected to the VPN to log in to the SaaS application. This will require the VPN to operate in “full tunnel” mode, where all traffic (including internet traffic) is driven over the VPN to egress from the corporate network.
  - Most SaaS applications allow you to grant different levels of permissions to different users. As much as possible, place reasonable limits on user access levels in SaaS applications. Restrict manager privileges to as few accounts as possible.
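The two periodic reviews recommended above (account logs checked for anomalies, and active SaaS accounts reconciled against the employee roster) can be scripted once you have a user export and an audit log export from the application. The following is an added example written for this post, not Rapid7's own tooling; the CSV export format, the log line format, the HR roster and the corporate egress range are all constructed assumptions.

```python
# Periodic SaaS account review: added example, not Rapid7's own tooling.
# Reconciles a SaaS user export against the HR roster (orphaned accounts) and
# flags logins from outside the corporate egress ranges. All data is constructed.
import csv
import io
import ipaddress

# Constructed SaaS user export, as an admin would download it from the app.
SAAS_USERS_CSV = """email,role,last_login
alice@example.com,admin,2024-05-01
bob@example.com,user,2024-04-28
carol@example.com,admin,2024-02-10
contractor@example.com,user,2024-04-30
"""

# Constructed roster of current employees from HR.
HR_ROSTER = {"alice@example.com", "bob@example.com", "dave@example.com"}

# Constructed audit log lines in the shape a SaaS app might export.
AUDIT_LOG = """2024-05-01T08:02:11Z login alice@example.com 203.0.113.10
2024-05-01T09:15:40Z login bob@example.com 198.51.100.7
2024-05-01T22:47:03Z login carol@example.com 192.0.2.44
2024-05-02T08:00:59Z logout alice@example.com 203.0.113.12
"""

# Assumed corporate egress ranges: office NAT and full-tunnel VPN exit.
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

def orphaned_accounts(users_csv, roster):
    """SaaS accounts with no matching current employee: revoke candidates."""
    rows = csv.DictReader(io.StringIO(users_csv))
    return sorted(r["email"] for r in rows if r["email"] not in roster)

def logins_outside_corp(audit_log, allowed):
    """(timestamp, user, ip) for logins from outside the allowed ranges."""
    hits = []
    for line in audit_log.splitlines():
        ts, event, user, ip = line.split()
        if event != "login":  # only login events matter for this check
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in allowed):
            hits.append((ts, user, ip))
    return hits

if __name__ == "__main__":
    print("orphaned:", orphaned_accounts(SAAS_USERS_CSV, HR_ROSTER))
    print("off-network logins:", logins_outside_corp(AUDIT_LOG, CORP_EGRESS))
```

Any login that shows up in the second list means the IP-level restriction is either not in place or not being enforced, and any account in the first list is one that de-provisioning missed.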
As companies increasingly rely on SaaS solutions for everyday business, and security moves even further outside of your control, it becomes more and more important to proactively ensure the security and integrity of the solutions you rely on. Employing a number of these suggestions when considering your SaaS solutions will help put you on the road to a higher level of security, serving both your internal stakeholders and customers well.