WEBVTT

00:00.259 --> 00:04.560
>> Vendor risk. The
learning objectives

00:04.560 --> 00:07.005
for this lesson are to
explain vendor risk,

00:07.005 --> 00:09.495
to perform vendor
risk assessments,

00:09.495 --> 00:12.195
and to explore the shared
responsibility model.

00:12.195 --> 00:15.825
Let's get started. Vendor risk.

00:15.825 --> 00:18.090
You may have done everything
that was necessary

00:18.090 --> 00:19.980
to secure the network of

00:19.980 --> 00:22.440
your enterprise,
but all companies

00:22.440 --> 00:24.810
are doing business
with other vendors.

00:24.810 --> 00:27.240
Some of these vendors
may even need to connect

00:27.240 --> 00:29.595
to your network and have
access to your data.

00:29.595 --> 00:31.380
We need to make sure
that they're doing

00:31.380 --> 00:34.005
everything to protect
that as well.

00:34.005 --> 00:36.690
This creates a unique challenge

00:36.690 --> 00:38.070
for us as security practitioners

00:38.070 --> 00:39.660
because we don't have
a lot of control over

00:39.660 --> 00:42.115
their network and
what they're doing.

00:42.115 --> 00:44.390
I've mentioned this several
times throughout the course,

00:44.390 --> 00:47.165
but it bears
mentioning again that

00:47.165 --> 00:49.580
the Target hack all
happened because of

00:49.580 --> 00:52.595
the HVAC vendor that was
connected to Target's network.

00:52.595 --> 00:54.230
Target itself didn't get hacked,

00:54.230 --> 00:56.150
but they came in
through the back door,

00:56.150 --> 00:59.000
through the HVAC vendor
into Target's network.

00:59.000 --> 01:00.860
We want to really take care when

01:00.860 --> 01:03.290
we're looking at doing
business with another vendor,

01:03.290 --> 01:04.430
especially if
they're going to be

01:04.430 --> 01:06.780
connecting directly to us.

01:08.320 --> 01:11.045
The shared responsibility model.

01:11.045 --> 01:14.210
This is where the responsibility
for securing apps, data,

01:14.210 --> 01:17.150
and the workloads that are
in a Cloud environment

01:17.150 --> 01:19.820
is shared between the customer
01:19.820 --> 01:21.425
and the Cloud Service Provider.

01:21.425 --> 01:23.675
Different areas will
be assigned to each,

01:23.675 --> 01:25.130
but identifying these and

01:25.130 --> 01:27.535
ensuring they are being
performed is critical.

01:27.535 --> 01:29.660
Before you choose any level

01:29.660 --> 01:31.010
of service in the Cloud model,

01:31.010 --> 01:33.110
you want to be sure
what you're responsible

01:33.110 --> 01:34.220
for and what your Cloud

01:34.220 --> 01:36.040
service provider is
responsible for.

01:36.040 --> 01:38.555
Then you can go about making
sure that each of those

01:38.555 --> 01:42.090
is doing the things that
they are responsible for.

01:43.880 --> 01:46.020
The Cloud service models:

01:46.020 --> 01:48.365
we're going to begin with
Software as a Service.

01:48.365 --> 01:50.660
This is the lowest
level of responsibility

01:50.660 --> 01:53.060
for the customer
because the facilities,

01:53.060 --> 01:55.820
utilities, the physical
security, the platform,

01:55.820 --> 01:56.900
and the apps are all the

01:56.900 --> 01:58.970
responsibility of the
Cloud service provider.

01:58.970 --> 02:01.670
They're simply giving you
access to an app, that's it.

02:01.670 --> 02:03.520
You're not responsible
for anything;

02:03.520 --> 02:05.120
they're responsible for it all.

02:05.120 --> 02:07.115
Next, we have Platform
as a Service,

02:07.115 --> 02:09.140
and this is where the
OS and the apps are

02:09.140 --> 02:11.435
now your responsibility
as a customer.

02:11.435 --> 02:12.860
Everything else still stays

02:12.860 --> 02:14.180
with the Cloud service provider,

02:14.180 --> 02:16.630
but those two are now
under your control.

02:16.630 --> 02:19.405
Then last we have
Infrastructure as a Service.

02:19.405 --> 02:21.770
This is where the
CSP only provides

02:21.770 --> 02:24.485
the infrastructure, utilities,
and the physical security;

02:24.485 --> 02:26.390
more of the responsibility

02:26.390 --> 02:28.700
has now shifted to the customer.

02:29.300 --> 02:31.550
Here's a good visual
that will help

02:31.550 --> 02:33.335
you understand this better.

02:33.335 --> 02:35.135
You can see with
a SaaS model that

02:35.135 --> 02:37.400
the customer is not really
responsible for anything.

02:37.400 --> 02:39.200
We move over to Platform as

02:39.200 --> 02:40.880
a Service, and now they're
responsible for

02:40.880 --> 02:42.490
the apps and the OS,

02:42.490 --> 02:44.870
and then finally, with
Infrastructure as a Service,

02:44.870 --> 02:46.310
they're responsible
for the platform,

02:46.310 --> 02:47.795
the apps, and the OS.

02:47.795 --> 02:49.400
This is a good
visual to help you

02:49.400 --> 02:52.310
see what level of
responsibility you have based on

02:52.310 --> 02:54.830
which service model, so you

02:54.830 --> 02:56.630
understand what you would be

02:56.630 --> 02:57.650
responsible for and what

02:57.650 --> 03:00.330
your CSP would be
responsible for.

03:01.420 --> 03:04.150
Vendor assessments.
Whenever you're

03:04.150 --> 03:06.115
looking to do business
with a new vendor,

03:06.115 --> 03:08.245
you want to make
sure that you do

03:08.245 --> 03:11.235
a proper vetting on
that new vendor.

03:11.235 --> 03:13.795
You might want to
look at, for example,

03:13.795 --> 03:15.835
a third-party audit and

03:15.835 --> 03:17.845
other proof that the
vendor is stable,

03:17.845 --> 03:19.285
that their finances are good,

03:19.285 --> 03:22.060
and just what their
cybersecurity capabilities are.

03:22.060 --> 03:24.280
Now, what type of
vendor it is and

03:24.280 --> 03:25.630
what level of access to

03:25.630 --> 03:27.210
your network and
your data they have

03:27.210 --> 03:28.720
will determine how thorough

03:28.720 --> 03:31.130
this vetting process would be.

03:33.350 --> 03:35.784
Here are some considerations

03:35.784 --> 03:36.850
that you want to
think about when

03:36.850 --> 03:39.720
you're choosing a new
vendor. Vendor lock-in.

03:39.720 --> 03:41.230
This is when customers are

03:41.230 --> 03:42.835
completely dependent
on the vendor

03:42.835 --> 03:44.930
because changing is either

03:44.930 --> 03:46.970
too expensive or
impossible.

03:46.970 --> 03:49.700
Before you go into a
relationship with a new vendor,

03:49.700 --> 03:52.670
you want to find out: is
this going to happen to us?

03:52.670 --> 03:53.840
If that's what
you're looking for,

03:53.840 --> 03:55.430
if that's not a
problem, just make

03:55.430 --> 03:57.580
sure that it's not a
surprise for you later.

03:57.580 --> 03:59.840
Vendor lockout. This is when

03:59.840 --> 04:01.460
a vendor's product will not

04:01.460 --> 04:03.230
work with other
vendors' products.

04:03.230 --> 04:05.810
They will not allow it to
integrate, and that could

04:05.810 --> 04:08.420
cause problems if you need
that level of integration;

04:08.420 --> 04:11.805
you need to know this going
in. Vendor viability.

04:11.805 --> 04:13.860
Will a vendor be in
business in the future?

04:13.860 --> 04:16.370
Are they growing or
expanding in their field?

04:16.370 --> 04:19.265
You want to find out,
before you allow this,

04:19.265 --> 04:21.290
whether they are going to be
purchased by someone else

04:21.290 --> 04:24.300
or whether they are even going
to be here in two years.

04:26.320 --> 04:28.685
Source code escrow.

04:28.685 --> 04:31.355
This is where the
vendor-developed products

04:31.355 --> 04:32.975
have their source code placed with

04:32.975 --> 04:34.940
a third party so that it is

04:34.940 --> 04:37.775
available should they
go out of business.

04:37.775 --> 04:39.785
Support availability.

04:39.785 --> 04:41.150
What is the level of support

04:41.150 --> 04:42.770
that that vendor will provide?

04:42.770 --> 04:44.615
What is the service
level agreement?

04:44.615 --> 04:46.205
How fast will they respond?

04:46.205 --> 04:48.620
You want to make sure all
this is documented out before

04:48.620 --> 04:51.680
you engage in any
agreement with them.

04:51.680 --> 04:54.065
Meeting client requirements.

04:54.065 --> 04:56.000
These are the formal measures

04:56.000 --> 04:57.740
that are used to evaluate if

04:57.740 --> 04:59.090
the vendor's products or

04:59.090 --> 05:01.745
services meet the
needs of the customer.

05:01.745 --> 05:03.470
Then also we want to consider

05:03.470 --> 05:05.330
their incident
reporting requirements.

05:05.330 --> 05:08.080
How and how quickly
will the vendor notify

05:08.080 --> 05:10.955
the customer of any
incidents at the vendor,

05:10.955 --> 05:12.805
such as breaches or downtime?

05:12.805 --> 05:14.615
You want to make sure
that you understand

05:14.615 --> 05:16.250
that, especially if
they have access

05:16.250 --> 05:20.045
to your data. In a HIPAA
situation, for example, with PHI,

05:20.045 --> 05:23.450
a third party to
a covered entity,

05:23.450 --> 05:25.085
which is the grouping that

05:25.085 --> 05:28.430
HIPAA law relates to,

05:28.430 --> 05:31.280
is the third party known as
a business associate.

05:31.280 --> 05:32.630
If they were to have a breach,

05:32.630 --> 05:34.220
it goes straight upstream

05:34.220 --> 05:36.200
back to the covered entity,
and they're responsible.

05:36.200 --> 05:38.390
You want to make sure that
that business associate

05:38.390 --> 05:39.890
is letting the covered entity

05:39.890 --> 05:41.690
know about that breach, since
05:41.690 --> 05:44.180
ultimately the covered entity
will also be responsible.

05:44.180 --> 05:46.670
You want to ensure that
if your vendor has

05:46.670 --> 05:49.085
a breach that somehow
impacts you,

05:49.085 --> 05:51.240
you know about it.

05:52.510 --> 05:55.670
There are also geographic
considerations.

05:55.670 --> 06:00.290
Globalization has increased
how vendors may be spread

06:00.290 --> 06:02.390
out over a number of
countries, and each of

06:02.390 --> 06:03.830
those countries will
have its own laws

06:03.830 --> 06:04.850
on data security,

06:04.850 --> 06:06.575
privacy, and even copyright.

06:06.575 --> 06:09.575
Legal jurisdictions have
become extremely important,

06:09.575 --> 06:11.600
especially with compliance
frameworks like

06:11.600 --> 06:16.315
the GDPR. Instructor side note.

06:16.315 --> 06:19.070
I once worked with
a medical provider

06:19.070 --> 06:20.300
who had outsourced his billing

06:20.300 --> 06:21.920
operations to an Indian firm.

06:21.920 --> 06:23.525
This is quite common now,

06:23.525 --> 06:25.850
but at that time it
wasn't a common thing.

06:25.850 --> 06:28.760
It was still fairly unheard
of, and it was because they

06:28.760 --> 06:30.410
were very inexpensive compared

06:30.410 --> 06:32.255
to billers here in
the United States.

06:32.255 --> 06:34.580
Their billing company
had an employee who,

06:34.580 --> 06:36.560
for whatever reason, decided
that he wasn't paid

06:36.560 --> 06:38.450
enough and wasn't
paid fairly by

06:38.450 --> 06:40.225
the billing company in

06:40.225 --> 06:42.845
India, and instead of
trying to work it out,

06:42.845 --> 06:45.020
he decided to steal
all of the data for

06:45.020 --> 06:47.900
the different sites they
were doing billing for.

06:47.900 --> 06:50.030
It took over six months for

06:50.030 --> 06:51.350
the billing company to let

06:51.350 --> 06:53.480
the medical provider
know about this.

06:53.480 --> 06:54.980
But that is a breach under

06:54.980 --> 06:56.690
HIPAA because now
that information,

06:56.690 --> 06:59.780
that PHI, is outside
of the direct control

06:59.780 --> 07:01.520
of this billing company,

07:01.520 --> 07:03.440
and it is now
considered a breach.

07:03.440 --> 07:07.220
But because this was a
company overseas and again,

07:07.220 --> 07:08.975
this was back when
this wasn't common,

07:08.975 --> 07:12.320
the medical provider had
no recourse because he

07:12.320 --> 07:13.940
couldn't do anything
against that company

07:13.940 --> 07:15.815
and he had no way
to get it resolved.

07:15.815 --> 07:17.390
If that company
chose not to pay,

07:17.390 --> 07:20.150
then the data was never going
to be given back, and it was

07:20.150 --> 07:25.580
a very messy situation, and
ultimately, against my advice,

07:25.580 --> 07:27.755
this provider chose
not to report this

07:27.755 --> 07:30.650
as a HIPAA breach,
but unfortunately,

07:30.650 --> 07:32.590
it was 40,000 plus

07:32.590 --> 07:34.250
patients' data that had been

07:34.250 --> 07:36.250
stolen, and they
chose not to do it.

07:36.250 --> 07:37.700
That includes all the credit

07:37.700 --> 07:39.395
card numbers that
might have been used,

07:39.395 --> 07:40.610
all those social
security numbers,

07:40.610 --> 07:42.110
all of that was now
in the hands of

07:42.110 --> 07:45.720
this one individual that
was already disgruntled.

07:47.360 --> 07:50.040
Vendor assessment tools.

07:50.040 --> 07:52.445
Once you've established
a relationship,

07:52.445 --> 07:53.660
you need to consider doing

07:53.660 --> 07:55.595
an ongoing assessment
of the vendor

07:55.595 --> 07:56.870
just to make sure that they're

07:56.870 --> 07:59.345
staying within the bounds
of your agreement.

07:59.345 --> 08:02.810
Vendor policies are the levels

08:02.810 --> 08:05.525
of service and the expectations
from the customer.

08:05.525 --> 08:06.860
These should be monitored for

08:06.860 --> 08:09.540
compliance on a regular basis.

08:10.510 --> 08:13.085
Supply chain diversity.

08:13.085 --> 08:16.190
Supply chain includes
all of the suppliers,

08:16.190 --> 08:17.540
vendors, and partners that are

08:17.540 --> 08:19.730
used to deliver a
product to the market.

08:19.730 --> 08:22.190
Many of the most
notable breaches in

08:22.190 --> 08:25.040
history have come from
supply chain attacks.

08:25.040 --> 08:28.700
Supply chain visibility
is understanding how all

08:28.700 --> 08:29.990
of the vendor-supplied parts and

08:29.990 --> 08:32.330
services are produced
and delivered.

08:32.330 --> 08:34.010
Also, how they will impact

08:34.010 --> 08:38.130
your organization's operations
or your finished products.

08:39.290 --> 08:41.745
Third-party assessments.

08:41.745 --> 08:43.730
A third-party assessment
is performed by

08:43.730 --> 08:46.205
another party different
from the vendor.

08:46.205 --> 08:49.160
An objective view of the
vendor's stability and

08:49.160 --> 08:52.205
capabilities is the goal
of this assessment.

08:52.205 --> 08:53.885
Here are some examples.

08:53.885 --> 08:56.045
The Cloud Security
Alliance (CSA)

08:56.045 --> 08:58.670
Security, Trust and
Risk, or STAR.

08:58.670 --> 09:01.190
This is the ability of a CSP to

09:01.190 --> 09:04.235
adhere to the key
principles in transparency,

09:04.235 --> 09:07.565
auditing and best
practices for security.

09:07.565 --> 09:11.150
The System and Organization
Controls, or SOC.

09:11.150 --> 09:12.800
This uses standards created by

09:12.800 --> 09:14.690
the American Institute
of Certified Public

09:14.690 --> 09:17.660
Accountants for the
evaluation of policies,

09:17.660 --> 09:19.880
processes, and procedures to

09:19.880 --> 09:22.720
protect technology and
financial operations.

09:22.720 --> 09:24.780
These are both third-party

09:24.780 --> 09:26.510
services; they could come in and

09:26.510 --> 09:29.030
evaluate your vendor
to ensure that

09:29.030 --> 09:32.850
they're adhering to their
level of responsibility.

09:33.940 --> 09:36.784
We also have the International

09:36.784 --> 09:39.005
Organization of Standards, ISO.

09:39.005 --> 09:43.190
They'll do an audit of
compliance with ISO 27000 for

09:43.190 --> 09:45.515
cybersecurity, and then you have

09:45.515 --> 09:50.585
Cybersecurity Maturity
Model Certification, CMMC.

09:50.585 --> 09:52.130
These are standards created by

09:52.130 --> 09:54.170
the US Department of
Defense to help fortify

09:54.170 --> 09:57.290
the DoD supply chain by
requiring suppliers to

09:57.290 --> 10:01.560
prove they have a mature
cybersecurity capability.

10:02.240 --> 10:05.175
Vendor technical considerations.

10:05.175 --> 10:06.995
When we're looking
to choose a vendor,

10:06.995 --> 10:08.330
there are some
technical things that

10:08.330 --> 10:10.280
we also want to give
some thought to.

10:10.280 --> 10:12.800
Testing and evaluation allows

10:12.800 --> 10:14.650
us to ensure that the vendor

10:14.650 --> 10:16.490
and/or their
products are meeting

10:16.490 --> 10:19.265
the service level that we
are expecting it to be.

10:19.265 --> 10:21.530
Is the product working
the way we want it to?

10:21.530 --> 10:24.105
Is the service performing
the way we need it to?

10:24.105 --> 10:26.570
Network segmentation
is where we want

10:26.570 --> 10:28.610
to ensure that the
systems that are managed

10:28.610 --> 10:29.960
by vendors are

10:29.960 --> 10:33.440
isolated from the rest of
the organization's network.

10:33.440 --> 10:36.095
Transmission control
ensures that

10:36.095 --> 10:38.300
any connection between
the customer and

10:38.300 --> 10:40.669
the vendor is secured

10:40.669 --> 10:43.234
and free from being
intercepted or infiltrated.

10:43.234 --> 10:46.355
A VPN may be a good
example of this.

10:46.355 --> 10:49.055
Then shared credentials
should be a no-no.

10:49.055 --> 10:50.990
Every vendor
employee should have

10:50.990 --> 10:54.400
their own unique account
on any customer resources.

10:54.400 --> 10:56.960
This establishes
accountability for

10:56.960 --> 10:58.610
any activity that is done on

10:58.610 --> 11:00.665
customer devices by the vendor.

11:00.665 --> 11:05.885
You don't want an account just
named "vendor", for example,

11:05.885 --> 11:07.160
where all the employees of

11:07.160 --> 11:08.555
the vendor can log in remotely.

11:08.555 --> 11:11.210
It needs to be a
specific account

11:11.210 --> 11:12.980
where it's first
name, last name,

11:12.980 --> 11:14.600
or whatever so that anything

11:14.600 --> 11:16.610
that happens can
be tracked back to

11:16.610 --> 11:18.830
that specific
individual rather than

11:18.830 --> 11:22.290
just a generic
vendor company name.

11:23.810 --> 11:28.010
Let's summarize. We
went over vendor risk.

11:28.010 --> 11:30.845
We also discussed the
shared responsibility model

11:30.845 --> 11:32.990
and the different
Cloud service types.

11:32.990 --> 11:35.210
We went over vendor
assessments and what

11:35.210 --> 11:37.955
globalization means
for all of this.

11:37.955 --> 11:40.675
Then we went over vendor
assessment tools.

11:40.675 --> 11:43.600
Let's do some example questions.

11:43.700 --> 11:46.760
Question 1, this describes

11:46.760 --> 11:48.890
when a product does
not allow integration

11:48.890 --> 11:54.960
with third party products or
services. Vendor lockout.

11:54.960 --> 11:58.850
Question 2, all of the
suppliers, vendors,

11:58.850 --> 12:01.355
and partners needed
to deliver a product

12:01.355 --> 12:06.225
or service. Supply chain.

12:06.225 --> 12:08.690
Question 3, the blank was

12:08.690 --> 12:10.820
developed by the US
Department of Defense to

12:10.820 --> 12:13.234
ensure Department of
Defense suppliers

12:13.234 --> 12:16.920
had a mature security program.

12:17.800 --> 12:22.780
Cybersecurity Maturity Model
Certification or CMMC.

12:22.780 --> 12:24.685
Finally Question 4,

12:24.685 --> 12:26.300
the ability to understand

12:26.300 --> 12:28.280
how all vendor-supplied
parts are

12:28.280 --> 12:30.425
produced and delivered
and how this

12:30.425 --> 12:33.870
impacts an organization's
operation is.

12:34.180 --> 12:38.045
Supply chain visibility or SCV.

12:38.045 --> 12:39.650
Hope this lesson was helpful for

12:39.650 --> 12:42.000
you, and I'll see
you in the next one.

