ACM.147 Posts by Teri Radichel on security assessments for security products, vendors and supply chains
Part of my series on Automating Cybersecurity Metrics. The Code.
In my last post I wrote about multi-session compromise in a scenario where you've separated the duties of who can create users and who grants them access.
At the end I mentioned that perhaps we could consider a third-party tool to manage the users separately from the cloud environment itself. There are a few reasons why this might be useful, which I'll cover in the next post. I've been considering a particular vendor for a while but never really had time to test the product out, but I'm going to be doing that now. Yes, I'm veering away from the final implementation I set out to write again, but my recent discoveries are a bit too concerning to ignore. I want to see if a third-party identity provider (IdP) could help in this scenario, or if it will make security even more complicated.
I've written a few posts now on security product assessments, which are listed at the bottom of this post. One of the drivers for these posts is that companies keep asking me to promote or market their products, or to "take a look" and say what I think of it. I simply don't have time. On that note, vendors are better off not sending me emails I didn't request introducing their products if they don't want to get reported as spam. Alternatively, I will not report your emails as spam if you hire me! 🙂 Some vendors have, and I appreciate that very much.
Even in those cases where I did take a look for free or on my own time, I really just looked at the product. I didn't actually assess it. I don't have time and can't afford to fully assess a product for free, unless it's something I happen to be considering using myself. I also don't work in a marketing capacity for vendors. I'll provide an honest assessment if they pay me to do so. A "demo" of your product doesn't really tell me anything. I have to sit down and read the documentation, deploy it, use it, poke around at it, possibly reverse-engineer parts of it to understand potential security gaps, and ask questions in order to perform an assessment.
I did sit down for a demo of some products for friends in very limited cases. The people were in my Seattle AWS Meetup (which I hope to revive in some capacity fairly soon; I just have one other project to finish). One of those was a company called Cloud Neeti, which ended up getting bought by Zscaler. When I saw the product, I patted the founder on the arm and said, "Remember me when you're famous," because it looked really good. I can't speak to the inner workings of it or where it stands now, but it could be a nice security scanner for companies trying to assess their configurations in cloud environments.
I didn't spend more time on it because that product wouldn't work for me. I have to assess other companies' cloud environments, and I host some data in AWS or sometimes Azure or GCP depending on the assessment, but I have a bit more control of the data than I would in a SaaS platform. Therefore, I don't use them.
Also, at the time the product was maintained by 23 people in India, which is a fairly small number for all that data potentially containing company vulnerabilities. But the product concept was excellent and I'm sure they have more support for proper security at Zscaler now.
What products do I assess on my own time without a paid assessment? Products I'd consider using for my particular business. And I'm going to go through how I assess a product I'm considering using in my next few blog posts. You'll see why I can't do this for everyone for free. And also, I have limited access to what I would need to really assess the product because I cannot interview their staff and perform a full-on assessment. So even this assessment I'm going to show you is somewhat limited.
Follow along to see how I assess the product from an external technical standpoint in the next few posts by simply trying out the product. This isn't going to include a process or compliance assessment, which would include things like interviews covering how they manage development systems, and possibly a review of their IAM and network implementation and a vulnerability scan, depending on the scope. But you will see some of the things I look into when trying out a product, and threat assessment considerations.
Also, by the way, no one person or company is going to find every problem in a single assessment or penetration test. Just look at the number of vulnerabilities and problems announced every day, some of which lead to data breaches. But I'll do my best with the free time I have to cover some basic considerations.
2nd Sight Lab offers product security assessments for cloud-based products. Reach out to Teri Radichel on LinkedIn if you need help with a cloud security product assessment.
https://linkedin.com/in/teriradichel
Teri Radichel | © 2nd Sight Lab 2023