In this multi-part series, we’re looking at the big picture of security responsibilities: how each party (internal job role or external entity) fits into the puzzle, and why clearly defined areas of responsibility matter. In the first four parts, we discussed the roles of the CSO/CISO, IT admins, outside contractors, consultants and partners, and end users. Last time, in Part 5, we started talking about the very complex issue of software vendor responsibilities in relation to security.
Now in the final installment, Part 6, we’ll wrap up the series by continuing that discussion of software vendor responsibilities and also looking at the roles of ISPs and cloud services companies in preventing security breaches and keeping our networks and data safe.
Software vendors’ responsibilities, continued
As we noted in Part 5, at one time software vendors paid little attention to security because it wasn’t cost effective to do so; the cost of implementing higher security outweighed the cost of not doing so. In today’s highly regulated business environment, that’s no longer the case.
The new economics of security
Companies in many industries no longer have the luxury of deciding whether or not to implement a high level of security; they have to in order to comply with the government or industry standards that are imposed on them by law or as a condition of belonging to industry groups. That puts pressure on the organizations themselves, but it also puts pressure on the software companies whose products they use.
Even those businesses that aren’t required by law or industry membership to increase their security measures understand that it’s in their best interest to do so. A high profile security breach can drive customers away, and even questionable security practices without a breach, if publicized, can result in customers switching to the competition.
Even if customers remain loyal, the cost of cleaning up and remediating the damage done in a cyber-attack can be substantial – as much as $20,000 per day for an average $640,000, according to the Ponemon Institute – and that cost is rising rapidly, 23 percent from 2013 to 2014.
It’s making more and more business sense to stay on top of the security issue, even setting aside the legal, moral and ethical obligations to customers who buy a vendor’s products. But what exactly should software vendors be doing and how far should their security commitment realistically extend?
Software vendor action points
Software products can be verified to meet specific security standards, such as FIPS 140-2 or ISO 27001, as a means of assuring customers and regulators that certain levels of security are provided. It benefits a software vendor to be able to claim that its product has been certified. Software vendors also establish their own security initiatives with defined goals and standards, which they can advertise to their customers.
Microsoft’s Trustworthy Computing initiative and practices such as its Secure Development Lifecycle (SDL) serve as guidelines for programmers as they create new software products and help to instill security awareness into the process from the ground up, as opposed to adding on security as an afterthought – something that in the past was the norm in most developer circles.
All developers should be trained to make security a priority and software vendors should give their programmers the resources they need to create secure products. Software vendors should also provide for extensive testing for security vulnerabilities prior to the release of new (or new versions of) products. Tests need to be conducted by researchers who can “think like a hacker.”
Beyond that, software vendors have an ethical obligation to respond as promptly as possible to reports of vulnerabilities and to work with outside researchers to encourage vulnerability disclosure policies that are in the interest of the software products’ users and the computing public. Vendors should communicate with researchers who report vulnerabilities and keep them informed regarding the vendors’ investigations.
Public disclosure is a trickier business. Vendors should not disclose so much information that it makes it easier for attackers to exploit a vulnerability before a patch is available, but should disclose enough information so that customers can determine whether they are at risk. Vendors should provide temporary workarounds and mitigations whenever possible while in the process of developing a more permanent fix.
Finally, most would agree that vendors have a moral obligation to customers to fix vulnerabilities that are discovered in their software, in as timely a manner as possible, to make users aware of the availability of the fixes and to distribute them as widely as possible and make it as easy as possible for customers to deploy them. The vendor’s responsibility doesn’t stop there, though; software companies also should follow up by monitoring for reports of problems caused by the patches. It’s not unusual for security updates, particularly when they’re rushed out to address a particularly serious and imminent threat, to break some of the software’s functionality. When that happens, the vendor is obligated to “fix the fix” as quickly as possible.
Major software vendors generally work with computer security incident response programs such as US-CERT that create and maintain databases to keep track of known vulnerabilities in commercial software.
ISPs’ and network providers’ security responsibilities
Internet service providers (ISPs) supply the technology – over phone lines, fiber optic, CATV cable, satellite or land-based wireless signals – for consumers and businesses to connect their individual computers or local area networks to the global Internet. ISPs, although not legally classified as common carriers, have generally been treated as such in regard to network content. Common carriers (telecommunications carriers such as the phone company) are not held responsible for the content that flows on their networks, just as the operator of a private toll road would not be held responsible if someone used the road to transport illegal goods in his/her vehicle.
That doesn’t mean ISPs and network providers don’t have a responsibility to their customers to provide secure transport of customer data across their networks. ISPs are in a position to detect and intercept threats before they reach customers, and they have expertise and resources that home users and small businesses lack, which makes them better able to implement effective security measures. However, they also have to walk a fine line to avoid blocking content that customers want. Some customer contracts may prohibit ISPs from filtering traffic.
There have been increasing demands from customers and from the security community for ISPs to take a more active role in protecting customers from malicious traffic. The FCC has issued best security practices guidelines for ISPs and solicits comments from the security industry and the public to improve on them.
Harvard’s Belfer Center published a paper, Duties for Internet Service Providers, that includes many security-related responsibilities.
Corero Network Security issued a report last year concluding that the inability of ISPs to offer secure services was a contributor to recent exploits such as those of OpenSSL and NTP vulnerabilities.
However, ISPs may be concerned that if they take on the task of providing more security, they will incur more liability in case breaches do occur. This is analogous to the reasoning of hotels and cruise ships that don’t employ life guards for the pools that their customers use because they believe this implicitly makes them more legally responsible for accidental drownings in those pools.
Responsibility of cloud services providers
The role of cloud providers differs significantly from that of ISPs, even though both technically provide “Internet services.” Whereas the ISP is merely a conduit, the cloud provider takes over duties formerly delegated to on-premises network administrators, including providing a place to store data and hosting software applications, email, web, database and communications servers, and in some cases even end-user desktops. Thus the cloud provider is also responsible for the security of all these services.
Security has been a major concern of businesses considering moving some or all of their assets to the cloud. However, major cloud providers such as Microsoft, Google and Amazon have far greater investments in security than the typical enterprise and can provide higher levels of security at lower cost due to the economies of scale. This is particularly noticeable in terms of physical security; the big players in cloud services have data centers that are guarded almost as closely as Fort Knox. They also have the latest and greatest technologies for encrypting data and connections.
That doesn’t mean businesses can escape accountability for security by simply handing it over to the cloud. It’s still a shared responsibility. In regulated industries, it’s the regulated company that is ultimately responsible for compliance, not the provider – in the same way that individual taxpayers are held responsible for errors on their tax returns even if they hired a tax preparer or accountant to do the work.
The division of responsibility between cloud provider and customer depends, too, on the type of cloud service. With Software as a Service (SaaS), the service provider has more responsibility because it has more control; with Infrastructure as a Service (IaaS), the customer has more control over the operating systems and over installing and maintaining the software, and thus has more responsibility for securing them. Either way, you’re responsible for the security of the endpoint machines and the local network through which they connect to the Internet and to the cloud provider’s services.
When subscribing to a cloud service, you should carefully read the service agreement and ensure that security issues are addressed to your satisfaction. Is multi-factor authentication supported? How is your stored data encrypted? Do you (or does the provider) own the encryption keys? If your business falls under HIPAA, GLB, PCI, or other regulations, does the cloud service provide you with their audit results?
In this six part series on security as a shared responsibility, I hope I’ve given you a few things to think about. Unless everyone involved – from end users to the nameless and faceless rulers of the cloud – is dedicated to securing the parts of the computing environment that are under their control, security gaps will exist. Attackers are experts at finding and exploiting those gaps, so working together as a team is your best bet for thwarting them and keeping your data safe and your critical applications up and running.