Corporate Information Security

Cloud Security and 3rd-Party Vendor Risk Management

9 October 2019

Chicago IL, USA - Hosted by Discover


As the world becomes more digital, the imperative to provide secure operating environments becomes more complex, and at the same time more important, as data, and the products and services built on data, become the basis of value propositions and the tools of competition. One factor that makes the digital environment so challenging for security professionals is the ongoing migration of applications, endpoint devices, data centers and storage of all types to locations outside the physical and IT system boundaries of the enterprise, together with the growing reliance on, and interaction with, 3rd-party providers. This day will focus on these developments, most especially the migration to the cloud and how we deal with 3rd-party providers (and the resulting 4th-party risk). What solutions and best practices are your companies developing? What is working? What is not? We have divided the day into five sessions and provided the questions below as stimulation for each session.

Some of the questions we will seek to address are:

  • How much does your company do in the cloud? What type of cloud, whether multiple clouds, and for what purpose?

  • Do you think differently about security in the cloud environment? If so, how? What are the key differences and vulnerabilities between cloud and on-premises?

  • Is your general view that the big cloud providers are actually more secure than your own environment, or not? If so, how does that view translate to smaller niche vendors?

  • Do you use solely international/global cloud providers, or do you allow local or country cloud solutions? How does this affect your approach to security?

  • What is your greatest security concern in the cloud? What incidents have you had? What drove them?

  • What is your experience with CASBs? Are they working for you? Which ones?

  • Do you leverage a cloud management platform (CMP) to manage cloud instances?

  • How do you manage encryption and key management? When you use a cloud provider, do you let the provider generate and hold the encryption keys, or do you insist on holding your own (customer-managed keys, e.g. in Microsoft's cloud vs. provider-managed keys)? Does anyone have a reliable approach you are really pleased with?

  • How do you handle API security for the cloud? What is your approach?

  • Have you developed or are you developing a cyber/information security strategy specifically for cloud?

  • How are you helping your enterprise move to a hybrid environment that makes use of the cloud? Are you pushing the move to the cloud or being pulled?

  • How has the 3rd-party/vendor environment in your enterprise changed in the last 2-3 years? Assuming substantial growth, do you have the capacity to vet them, or is this an issue?

  • How closely do you integrate with your 3rd party vendors?

  • Do you place restrictions on access, data or interaction? If so, how do you track/monitor?

  • What are the emerging types of attacks or threat vectors that arrive through 3rd-party connections and access?

  • What are the most concerning 4th-party risks? Are they a bigger concern than the direct 3rd-party risks?