An effective vendor risk assessment is the cornerstone of every successful third-party risk management program. While the essential elements of an assessment should, in theory, be easily determined, the ever-evolving IT security landscape and threats is making the process more complex.
Addressing Platform-Specific Risks
Some recent incidents have shown that even respected security solution providers are not immune to breaches in information security. One such recent misstep by a well-known cybersecurity leader resulted in exposed Amazon Web Services (AWS) credentials. This allowed hackers to steal information on customers who used its Cloud Web Application Firewall (WAF) product. This incident underlined the importance of drilling down on the specifics of the platforms used by the 3rd party vendors during the security evaluation.
Organizations focused on good vendor governance need a thorough understanding of each vendor’s security posture to mitigate and manage risks from exposure. Most 3rd party providers host and maintain core tech infrastructure in the cloud. While existing third party assessments all focus on governance, processes, and security controls, the questionnaires employed do not adequately address platform-specific risks. Since the majority of 3rd party providers build on AWS and/or Azure, we believe it's in our clients' best interests to be able to drill down and address controls that are unique to the platform used.
Best Practices for AWS Security
AWS offers multiple tools that allow organizations to effectively manage security. Identifying the tools a third-party vendor uses gives a good indication of that vendor’s security posture. For example, does the vendor create VPC flow logs to capture IP traffic information? Is Trusted Advisor used to optimize the AWS environment for performance, cost, and fault tolerance? Are malicious and/or unauthorized activities continually monitored with AWS GuardDuty?
For successful vendor risk management for our clients, we’ve developed a list of best practices for vendors who host on AWS.
Five risk mitigation best practices for vendors who host on AWS include:
1. Security of the root account including disabling API access, alert set-up for root access use, and activating MFA (multi-factor authentication).
2. Access management techniques that include using groups to assign permissions, quarterly rotation of access keys, enabling MFA for accounts that have console access, and assigning unique IAM (identity and access management) usernames for each user.
3. Network restrictions that include using security groups to control inbound and outbound traffic.
4. Monitoring, encryption, and other controls that help build resilient IT architecture. This includes 24/7 monitoring of AWS account activity, conducting risk assessments of the AWS environment, and enabling server-side encryption (SSE), VPC flow logging, S3 Bucket access logging, AWS configuration in all regions, and logging for all resources.
5. Metric and composite alarms for events such as configuration changes, unauthorized API calls, non-MFA management console sign-in, storage policy changes, and changes to Network Access Controls Lists and network gateways.
Information gleaned on whether third-party vendors implement these best practices helps identify and measure 3rd party risks while delivering highly accurate risk intelligence that enables an organization to make more informed IT vendor management decisions.
Based on the above best practices, our vendor risk assessment questionnaires assess the 3rd party vendors utilizing AWS solutions, against a checklist of controls. This checklist is designed to make the process of assessing the security posture of these vendors simpler and more agile, and in the interest of minimizing breaches, we are making this list publicly available.
Check out the list here, and do not forget to contact us for any clarification!
Stay tuned for the best practices based checklist for Azure coming soon.
This blog was originally posted on https://complyscore.com/blog/aws-security-best-practices-for-third-party-3p-infosec-risk-assessments/
