Adam Ely
CISO, Heroku at salesforce.com
Founder & COO, Bluebox adam@bluebox.com
www.bluebox.com
Twitter: @adamely
• CISO of Heroku BU at salesforce.com
- I know cloud security
• Security leadership roles at Heroku/salesforce.com, TiVo, and Walt Disney
- I feel your pain
• Been around for ASP, OSP, HSP, SaaS, IaaS and PaaS
- I know more acronyms than you :P
• CISSP, CISA, MBA, and some other stuff like that
- I have more acronyms than you :(
• IaaS - Infrastructure as a service
- EC2, Rackspace
• PaaS - Platform as a service
- Heroku
• SaaS - Software as a service
- salesforce.com, box, workday
• Combining Service Types
- AWS EC2 + AWS SQS + Heroku Postgres + Rackspace
• IaaS
- Physical
- Personnel
- Internal operations/InfoSec
• PaaS
- Platform (OS, services, configurations)
• SaaS
- Web application security
• Not all vendors are the same
- One-size-fits-all checklists are dead, don’t be that guy
• Rationalize the risks
- If the service is not interacting with card holder data, don’t demand it must be PCI compliant. Focus on the risks present.
• Accept transfer of responsibilities
- You’re not going to manage the security of the vendor, be thankful for less work. Stop being a control freak.
• Innovate, adapt, and improve
- Focus on the real risks, what you can do to ensure protections, and move to continuous assessment, not checklist auditing
• Develop a security baseline
- You do have a data classification and handling guide, right?
- Define your critical assets, define controls, build a minimum baseline for vendors (intent not implementation)
• Understand the types of services
- How can you know the risks if you don’t know what it does?
• What concerns us about each service?
- Determine the potential risk based on the service and develop assessments against the relevant guideline
• Accept transfer of responsibilities
- You’re not going to manage the security of the vendor, be thankful for less work. Stop being a control freak.
• Work with the provider
- Ask them about their security, see what they provide, maybe that’ll be enough, or maybe you’ll think of new things
• Tailor your assessment
- Tailor your approach to the type of service, how your org will use it, and the risks present
• Don’t expect everything for $8/month
- Enough said.
• Communicate intent, not implementation
- Work with the vendor to meet intent and understand their implementation
• Encryption = data condom
- Really concerned about the data? Wrap it up!
• Audit
- Backhaul logs, monitor, alert, and react
• Continuous Audit
- Use vendor APIs to continuously audit settings, users, permissions, data, unicorns, whatever
• Communicate intent, not implementation
- Work with the vendor to meet intent and understand their implementation
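The "continuous audit" bullet above (use vendor APIs to keep checking settings, users and permissions) is the one point in the deck that maps directly onto code. The script below is an added example, not from Adam Ely's slides or from any vendor's SDK: the API response schema, the endpoint it stands in for, the user records and the baseline values are all constructed for illustration. It expresses the security baseline as intent ("MFA enforced", "no public sharing", "only approved admins"), pulls a snapshot, produces findings, and reports only findings that are new since the previous run so that a scheduled job can alert on drift rather than re-paging on known exceptions.

```python
"""Continuous audit of a SaaS/PaaS vendor tenant through its API.

Added example, not code from the original slides. The vendor API, its JSON
shape and the sample tenant below are hypothetical and constructed inline so
the script runs offline; replace fetch_snapshot() with a real API client.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample of what a vendor "get settings / list users" API might
# return. Hypothetical schema, not any real vendor's.
CONSTRUCTED_API_RESPONSE = json.dumps({
    "settings": {
        "mfa_required": False,
        "public_sharing": True,
        "session_timeout_minutes": 480,
    },
    "users": [
        {"email": "alice@example.com", "role": "admin", "mfa": True},
        {"email": "bob@example.com", "role": "member", "mfa": False},
        {"email": "contractor@example.net", "role": "admin", "mfa": False},
    ],
})

# The baseline states the intent we communicated to the vendor; the audit
# checks the vendor's implementation against it.
BASELINE = {
    "mfa_required": True,
    "public_sharing": False,
    "max_session_timeout_minutes": 60,
    "approved_admins": {"alice@example.com"},
    "allowed_domains": {"example.com"},
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    check: str      # which baseline rule failed
    detail: str     # human-readable explanation for the alert


def fetch_snapshot(raw_json: str = CONSTRUCTED_API_RESPONSE) -> dict:
    """Stand-in for the vendor API call; parses the constructed response."""
    return json.loads(raw_json)


def audit(snapshot: dict, baseline: dict = BASELINE) -> list[Finding]:
    """Compare one tenant snapshot against the baseline and list every gap."""
    findings: list[Finding] = []
    s = snapshot["settings"]
    if baseline["mfa_required"] and not s.get("mfa_required", False):
        findings.append(Finding("high", "mfa_required", "tenant does not enforce MFA"))
    if not baseline["public_sharing"] and s.get("public_sharing", False):
        findings.append(Finding("high", "public_sharing", "public link sharing is enabled"))
    timeout = s.get("session_timeout_minutes", 0)
    if timeout > baseline["max_session_timeout_minutes"]:
        findings.append(Finding("medium", "session_timeout",
                                f"session timeout {timeout}m exceeds "
                                f"{baseline['max_session_timeout_minutes']}m"))
    for u in snapshot["users"]:
        email = u["email"]
        domain = email.split("@", 1)[1]
        if domain not in baseline["allowed_domains"]:
            findings.append(Finding("medium", "external_user",
                                    f"{email} is outside allowed domains"))
        if u["role"] == "admin" and email not in baseline["approved_admins"]:
            findings.append(Finding("high", "unapproved_admin",
                                    f"{email} holds admin but is not approved"))
        if not u.get("mfa", False):
            findings.append(Finding("medium", "user_without_mfa",
                                    f"{email} has not enrolled MFA"))
    return findings


def new_findings(previous: list[Finding], current: list[Finding]) -> list[Finding]:
    """Only findings absent from the last run; what a scheduled job alerts on."""
    seen = {(f.check, f.detail) for f in previous}
    return [f for f in current if (f.check, f.detail) not in seen]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity for the report line."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    current = audit(fetch_snapshot())
    print(summarize(current))
    for f in current:
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

Run it on a schedule, persist the previous run's findings, and feed `new_findings()` to whatever alerting you already backhaul logs into; the baseline dictionary is where "intent, not implementation" lives, so changing the vendor only means rewriting `fetch_snapshot()` and the field names it maps.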
• Is customer data co-mingled?
• Does the vendor perform security assessments?
- Always ask about scope and status of remediation
- What kind and frequency
• Encryption
- Data storage, external & internal transmission, queueing systems, backups, and in 3rd party services used by the vendor
- How are keys protected? Same key for all data/customers?
• Architecture
- Architecture review, determine what has access to your assets including 3rd party services
- If a SQLi vulnerability is exploited, is your data at risk?
• Know every provider is different
• Accept responsibility for risk management
• Understand what’s in place, make decisions based on risk
• Use vendors based on acceptable risk levels
• Help vendors achieve more, let them learn from you