derek

Azure Resources

by

If you are starting to flirt with using the cloud at your business, chances are you’ve probably taken a hard look at Azure from Microsoft. Odds are you have a few Microsoft products in your architecture already and it only seems natural that they would probably work best in the cloud that’s run by and designed for Microsoft products.

Now, as much as every geek would love to say, “Let’s build it all in the cloud right now!” Chances are, unless you are a startup company, moving your infrastructure to the cloud will probably be done in phases and projects over time depending on the size of your company and IT infrastructure, and budget.

You will most likely end up with a hybrid environment for a while or permanently before possibly transitioning to a cloud-only environment.

The following link from Microsoft is a great starting place on architecting that hybrid environment and securing the link between the two.
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz

Or maybe you already have a hybrid environment and could use some best practices on servers or application deployments. Azure is a huge environment and it’s challenging to remember all the boxes and levers you need to check or pull to build something in the most secure manner. This checklist is very thorough and should cover the majority of workloads you might use in the Azure cloud environment.
https://github.com/ghostinthewires/Azure-Readiness-Checklist

And lastly, maybe Azure is completely foreign to you and you need to start studying and learning more about it. There are tons of resources available. You can find books on Amazon as well as purchase great courses on Udemy and linuxacademy.com. You can also start with some high-quality free content from Microsoft on their Microsoft Learn platform. They have over 250 modules related to Azure. Go check it out!
https://docs.microsoft.com/en-us/learn/browse/?products=azure

Remember to Always be learning!

Why do we do Vendor Security Reviews?

by

Recently I was involved in a conversation with some internal departments (HR, Legalfinance, etc) about them wanting to change out a front end vendor for a solution we use. The new vendor was going to send the data to the same 3rd party backend solution.

Someone mentioned to the department that IT security may want to review the vendor. They reached out to me and gave me the high-level back story and were unsure of what further information I might need. They also didn’t understand the “why” for this security review.

What a Golden opportunity!

My attempts to get departments to engage with IT and Security on the front side of projects vs just a checkbox for compliance at the end were starting to make progress! I have people asking questions, and mentioning to each other in passing to keep IT security in mind regarding their projects. Maybe those awareness campaigns are starting to pay off after all? And while it may be obvious to like-minded security professionals like you and me, it’s not always at the forefront of other people’s minds, and what a great opportunity to teach and train fellow users!

I initiated conversations with the department and the potential vendor and explained why we do these kinds of audits for any new potential vendor and why we are working to audit our current portfolio of vendors if we don’t already have this info on file.

Some of the highlights from the emails and meetings are as follows:

  • I introduced them to our Audit checklist for 3rd party applications/vendors.
    The checklist includes some items such as:
    • What business problem does this solve?
    • How does it integrate into our environment? SSO? Email? Other business processes? Etc.
    • What kind of data is stored or collected? Where is it stored? How is it stored?
    • How is it transmitted?
    • Has legal reviewed the contract language?
    • Is this solution site-specific? Regional? Or Global?
    • Do they have 3rd party audits available (ISO, SOC, etc)?
    • Do they have insurance?
    • Do they or we require any non-disclosure agreements in this situation?
    • (There are some great vendor review templates available on the web to help you build your checklist if you don’t have one.)
  • I explain the importance of IT security in all industries in 2019 and the future.
  • I explain the relations to federal regulations (SEC, HIPPA, SOX, etc) and privacy laws (GDPR, CCPA, etc).
  • I explain the importance of us doing our due diligence for our internal employees as well as our customers.

Below are some excerpts of my emails back and forth explaining some of these concepts.

Attached is the 3rd party Application Security Review document that legal and IT use a starting point when evaluating products and agreements that (Insert your company name here) wants to use or already is using.
……..

The SOC2 / ISO27001 audits mentioned in the checklist are very useful in evaluating a current or potential company in their commitment to customer protection and data privacy. These go much further than just security rhetoric on an “about us” section of a vendor website as they are the results of a third-party audit.
…….

This kind of review is also very helpful as GDPR, Brazil’s LGPD, California’s CCPA, and other future data privacy laws are becoming more prevalent and companies are beginning to be fined for lack of effort on data privacy and security.
……..

Our goal is not to impede the business, but to empower it to use these tools and vendors securely by making sure we do our due diligence in vetting, architecting solutions, and partnering with appropriate vendors to accomplish our goals. I hope that gives more background on what we are attempting to do.
……

In Conclusion, you should always be evangelizing IT Security. Whether your security program is robust or in its infancy. Many people may just not know about the reasons for these kinds of reviews or understand them. And anytime you can get general business users to better understand the why behind business processes, you are more likely to get buy-in and participation. And ultimately, that is what we are here to do. Increase productivity and efficiency so the business can prosper. Hopefully, you can take some of these ideas and apply them to your environment and teach others why security is important. Especially the more we all dive into SaaS type solutions.

This article was originally published on Peerlyst at:
https://www.peerlyst.com/posts/why-do-we-do-vendor-security-reviews-derek-creason