Who’s Invited to Your Party: Discussion Framework

Presented at RSA Conference USA 2015
Yesterday I had the great pleasure of hosting, as facilitator, a peer-to-peer (P2P) session at RSA USA Conference in San Francisco.  The topic was information security of the partners with whom we do business.  I’ll write about the session and topic over a few blog posts; my first was posted yesterday, a post that summarized other RSAC USA 2015 sessions that cover security of partners.
The title of my P2P session was: Who’s Invited to Your Party?  Minimizing Risk from Outsourced Partners.  The session description was:
Recent headlines suggest your greatest risk may be from trusted, connected partners.  Let’s get beyond old approaches to share experiences and new control options for your elastic insider network.
Best practice partner security evaluations have typically included questionnaires, standardized forms, log reviews, and audits.  But these are proving insufficient.  If a connected partner supporting core operations is compromised, your internal defenses, such as layered network architecture, may also be insufficient.  Those partners have their own partners, all potentially becoming your “insiders”. We will discuss new ideas and better approaches for managing partner access and limited risk.
In advance of the session I answered a few questions to help prepare those interested in attending the session.  Here are the questions and answers:
 1. Who are the attendees who will most benefit from—and contribute to—this peer2peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?
  • Attendees whose organizations utilize outsourced partners to do business–partners that connect to internal computing resources and/or have access to proprietary information, forming “the elastic insider network”.
  • Attendees who assess security of organization-partner information exchanges and network connectivity.
  • Attendees whose roles include IT technical, IT security, legal, asset-management, risk-management, insurance.
  • This session will be strategic and tactical, not deeply technical.
2. Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?
  • Organizations regularly engage partners to support operations, including core functions; this outsourcing is a well established and increasing trend across many industries.
  • Virtually all of these partner supported operations involve information sensitive or even strategic to the organization.
  • Most of these partner supported operations involve information exchanges between the partner and the organization, and many involve partner access to internal networks.
  • Organizations have limited influence over the operations of their partners, including partners of the partner, which increases information security risk and requires additional, and specialized, controls.
  • Many of the breach reports lately in the news have involved compromised partners as a vector to attack business networks, at great cost and reputational damage.
3. Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?
  • Think about the partners engaged by your business, the types of operations they support, and the information and business networks they access, particularly mission critical, sensitive, or regulated.
  • Think about what processes you have in place to assess potential partners, to monitor and audit partner operations that involve your business, and to mitigate IT security incidents involving partner access.
  • Think about the contracts you have with your partners, specifically that language that gives you (1) rights to direct how the partner uses your business information and connects to and uses your internal networks; (2) rights to audit the partner; and (3) rights to direct how the partner engages and uses partners that also have access your sensitive information.
4. What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?
  • I anticipate a vibrant, in-depth, inclusive discussion that surfaces a variety of viewpoints and debate between them.
  • Attendees will leave with an understanding of the issues, assessments and controls involving outsourced, connected partners.
  • I expect to spark for participants some of those invaluable RSA “aha!” moments, where they gain new perspectives and insights that they bring back to add immediate value to their work and spark meaningful change in their organization.
Tomorrow I’ll post a summary of the session and anonymized comments shared by participants.