How well are we tackling third-party risks in the cloud era?

On Friday's Super Cyber Friday event, “Hacking Third-Party Risk in the Cloud: An hour of critical thinking about the under-appreciated risks introduced by your sanctioned and unsanctioned SaaS apps,” we talked about the journey of unsanctioned SaaS from shadow IT to common practice, the implications for identity data, the differences in risk between types of SaaS applications, and strategies to identify and manage those risks. Joining the conversation were Brian Vecci, field CTO at Varonis, and Richard Rushing, CISO at Motorola.

HUGE thanks to our sponsor, Varonis

Watch the full video here

Join us for our next Super Cyber Friday on Friday [11-03-23] “Hacking SOC 2: An hour of critical thinking on trust, security, and compliance.” Register here.

Quotes from our guests

"Catalog every single application connected to any of your environments, whether sanctioned or not." - Brian Vecci, Varonis

"Sometimes, people don't realize that the access they're granting is actually granting access to sensitive data." - Brian Vecci, Varonis

"We have this push that users should not be responsible. This is a department thing. But no, the users are responsible." - Richard Rushing, Motorola Mobility

"People don't realize the scope of the exposure they have to third-party applications that they don't know about. Every time we do this, if you're using any cloud at all, whether it's Azure, AWS, GCP, or Salesforce, you have applications that are connected that you don't know about. What they really don't realize is the depth of access those applications have and what they actually have access to." - Brian Vecci, Varonis

"The number of times we find SaaS applications where the contract has ended, you're not paying anything, but they still have access because nobody ever shut it off is, I'll just say, surprising." - Brian Vecci, Varonis

Quotes from the chat

“Make sure you are providing training for your teams on your top cloud provider architectures.” - Timothy Burdon, director, partner success, BeyondTrust

“Make sure you glue yourself to your product and tech teams and make sure you know as much as you can about their books of work.” - Jeff Lacey, vp, global technology, JPMorgan Chase

“Make sure you are sharing 'good apps' for the use cases you know exist within your orgs.” - Timothy Burdon, director, partner success, BeyondTrust

“If you have no idea who your biggest third parties are, ask Finance for a list of vendors that we pay the most money to and start there.” - David Peach

“Register your data in a system of record so you know what's in it, which countries are impacted, and when you need to get rid of it.” - Jeff Lacey

“Use unique terms in your data classification policies to find unprotected data or detect a breach using automated processes. Example: ‘ConfidentialRedLimited’” - Tim Hahn, director of information security, Motorola

Chris Gebhardt

CISO. Practical. Reasonable. Creative. Concise. Experience with FedRAMP, CMMC, ISO, SOC, NIST, and many more. Former LE SWAT Team Leader.

1 year

Just send all your third party vendors a 300 question survey. That should work and cover you just fine. They don't even need to complete and return it. Just send it and consider them Medium Risk until proven otherwise when/if they return the survey. Sunday Funday! The above was pure satire. Hope you all got it. :)

Muhammad S.

Visionary CIO | Leading Digital Transformation in Healthcare | Expert in Cybersecurity, AI, and IT Infrastructure | Bringing Value through Innovation and Strategic Leadership | Maximizing Patient Care and Efficiency

1 year

Great insights on tackling third-party risks in the cloud era, David Spark! I particularly agree with your point on the importance of due diligence. In addition to the strategies you've outlined, I believe it’s crucial for organizations to establish clear contractual agreements with third parties, defining the security standards and compliance requirements they must adhere to. This adds an extra layer of accountability and helps in safeguarding sensitive data.
