Question
Our company has made the decision to switch from an internally hosted Jabber-based chat system to a more modern, cloud-based chat solution. Hosting our own chat servers and software presented the standard maintenance and issues that tend to come with any self-hosted stack, but the system did work and generated few complaints. From a security perspective, having data in our control and subject to our security standards and controls seems to be a great added bonus. Who knows what kind of sensitive data is floating around in 1:1 chat histories?
The security implications of putting our chat servers, logs, etc. in the cloud with little control should terrify me as a security professional, but when I step back and think about it, everything is transforming, and I find myself more and more evaluating new tools that actually do promise the type of security I'd demand out of my own network. This has become a big part of my job: investigating the security implications of going from in-house to a managed service.
This is more of a philosophical question to everyone out there who is doing security in a modern company that's trying to provide internal tools that can sometimes only be hosted in the cloud, or where the best option is to take it out of house. How do you weigh the benefits vs. risks of putting our potentially sensitive information out there to a third party? I have my own assessment methodologies that I've learned over the years, but I'm curious what everyone out there is doing. How are you vetting our cloud infrastructure when people want to move things out of your control?
Explanation / Answer
To your first point, yes, there can be a greater risk. Depending on what an attacker is after, a cloud provider is a great target. You can potentially get lots of juicy information about targets or perhaps even authentication materials. A great example of this is the MongoHQ breach, which resulted in Buffer being compromised as they had stored their access tokens unencrypted.
The good news is that if you're moving services to third-party services, you presumably have more resources to review these vendors. Obviously, like anything, there's no silver bullet, but I've found good success with auditing vendors before agreeing to pay them. The important thing is for this process to be lightweight, but since you're a security professional I'm sure that's one of the first things in your mind. Processes that involve friction often are not followed.
I've had great luck with building a 20 question or so questionnaire to ask potential cloud vendors. Asking things like how their security team is structured (oh you don't have one, thanks for playing), how they perform operational security, any standards they adhere to, etc. can help you make a choice.
The process should be transparent and allow you to rate each category and give an overall score. This is important for your internal users so they understand why they can't store your important data in a poorly scored vendor's environment. Your data classification policies may be different than mine, but basically you wouldn't use a provider with a low score with sensitive data. If they are hosting a company directory which is just photos and contact info, maybe the risk isn't so great. If they're hosting your chat logs, which you correctly point out could contain sensitive info, you would want them to be more buttoned up.