Starting late last year, Antigen CEO Steven Legg was joined by Antigen’s Tim De Block for a podcast in which they discussed all matters relating to cyber liability insurance and the security controls organizations need in order to be insurance-ready. If you missed an episode, just visit our YouTube page to see the original recordings!
While you are waiting for the next episode to drop, here’s an excerpt from one of our November episodes, in which Steven and Tim are discussing Cloud Protection, and everything that comes with it. Both the video version and text version are below. Be sure to subscribe if you found the information to be helpful!
Timothy: All right, hello, welcome to the Antigen Cyber podcast. My name is Timothy DeBlock, Director of Advisory Services at Antigen. With me as always is Steven Legg, the CEO of Antigen Security. Steven, how are you?
Steven: Hey Tim, doing well. How are you, sir?
Timothy: Pretty good. Let’s talk about Cloud security.
Steven: Cloud security is a broad topic. For today’s discussion, let’s focus on the SaaS applications that most businesses use. It could also include managing public versus private Cloud infrastructure, hybrid clouds, and API security.
Timothy: I’ve talked about API security this past year. It’s a huge concern for GRC from the compliance angle. Permissions, data leakage, third parties handling data – these are critical issues.
Steven: Absolutely. From a technology perspective, when considering Cloud security for SaaS vendors, look at business purpose, integration with identity and access management, device-based authentication, monitoring, logging, recoverability, data encryption, and sharing with third parties.
Timothy: True. And from a compliance perspective, Cloud security is often part of cyber insurance policies. Insurers ask questions about email hosting, security features, encryption, and data protection.
Steven: Compliance requires assessing how SaaS or third-party applications handle data. Questions about encryption, security alerting, and recoverability are crucial for underwriting.
Timothy: How do organizations check these aspects? Are they using scans or just relying on vendor responses?
Steven: For Cloud security, users often answer questionnaires using marketing language. It’s better to rely on vendor reports and compliance attestations for a more accurate picture.
Timothy: Cloud security involves various technologies. What are the key security functions to consider when choosing SaaS vendors?
Steven: Business purpose, integration with identity and access management, multi-factor authentication, monitoring integration, recoverability, encryption at rest, secure data storage and transfer – these are key functions to evaluate.
Timothy: True. Now, considering MDR services and Cloud security, how do organizations assess these environments?
Steven: Organizations should have monitoring solutions in place. Questionnaires should cover how logs from SaaS or third-party applications are maintained, compatibility with SIEM or other log aggregation platforms, and monitoring effectiveness.
Timothy: Got it. Moving to vendor reviews, how should organizations vet Cloud security vendors?
Steven: Vendor reviews should include checking for any reported breaches in the last 36 months, evaluating the vendor’s response to incidents, and asking vendors about instances where their product failed or was circumvented.
Timothy: That makes sense. Talking about bug bounty programs, are they a good indicator of a vendor taking security seriously?
Steven: Yes, bug bounty programs indicate a vendor’s commitment to security. They involve crowdsourcing QA and security testing, providing external perspectives on vulnerabilities.
Timothy: I’ve encountered cases where pentest reports were inadequate. Bug bounty programs seem more comprehensive.
Steven: Bug bounty programs indeed provide a broader testing approach, utilizing external testers to strengthen security practices.
Timothy: Shifting focus to identity and access management, recent breaches at vendors like Okta raise concerns. How can organizations tackle IAM issues in the Cloud?
Steven: IAM is critical. Vendors like Okta faced challenges due to source code compromises. Past compromises are indicative of future risks. Vendor reviews should include any reported incidents or vulnerabilities.
Timothy: Okta’s situation is indeed complicated. Finally, where do you see the future of Cloud security?
Steven: Future Cloud security solutions will get closer to the source of activity. We’ll see advancements in proactive scanning for data breaches, encryption, and automatic system backups, addressing privacy and regulatory requirements.
Timothy: Any final thoughts on Cloud security or topics we didn’t cover?
Steven: The key takeaway is to be aware of where sensitive data is stored. Prioritize data based on sensitivity, consider the types of data stored, and evaluate potential risks. Regularly review vendors and their reported incidents.
Timothy: Thanks, Steven. And with that, we’ll wrap up today’s episode. Send us any follow-up questions or thoughts. I’ll be at My SetCon next week on November 17th. If you’re attending, come say hi. We’ll see you next time on the Antigen Cyber podcast.