Is your cloud security data private? 3 questions to ask your security vendor
Can you trust your cloud security vendor?
With each tool or technology you introduce to your organization, your attack surface expands—and your security solutions are no exception. While security tools are essential and provide a valuable layer of protection, bringing in a new one could introduce you to exposure risks, especially if it has not been carefully architected to maintain your data privacy.
At Lacework, believe ALL customers (not just highly regulated ones) deserve the most secure deployment model—that’s why we carefully designed our agentless workload scanning architecture to make your data private by default. But unfortunately, not all vendors take this approach. If you are considering a vendor that has historically focused on promoting risk-focused, agentless-only solutions, you may want to ask them some of these critical questions to ensure your data stays private.
1. What are their default permissions?
The first thing you need to understand is what permissions your security provider has implemented. By default, many security vendors today ask you to connect your cloud accounts and give them permission to create snapshots of your infrastructure volumes and application data and then copy that data into their own cloud account for security scanning. The permissions they’ve been granted may allow them to pull anything that resides on your cloud’s file system. We’ve seen multiple instances of companies making this their default setting—so be on the lookout for it.
2. Where are they storing your data?
The second most important thing to know is where they’re storing your data. If your security vendor had your permission to export data, and then they got hacked, the hacker could exploit those permissions to your security vendor’s entire customer base. They could theoretically go into every account, take snapshots, extract, and exfiltrate that data. Those snapshots could contain your secrets or credentials, which means they could access your systems directly. This could lead to further, targeted attacks.
The Lacework implementation is private by design. Our default and only setting is to keep your data in your own account.
When it comes to agentless workload scanning, this is exactly why the Lacework implementation is private by design. Our default and only setting is to keep your data in your own account. We will scan it in your environment only—not ours. And we will only ever have read access to the scan results. We give privacy-conscious customers agentless vulnerability scanning without adding license costs or increasing their attack surface. This is the ONLY deployment option we provide. Our least privilege approach protects your data, so even if we were hacked, it wouldn’t pose a threat to any of our customers.
3. Are they charging extra for privacy?
As you now know, many security vendors are able to export your data by default. The good news is some companies are realizing this isn’t the safest way to store your data. The bad news is that they’re charging you extra to keep your own data in your account instead of theirs.
To keep your snapshot data in your account, these companies require you to pay for an advanced license tier and deploy a tech stack running in your cloud account, which will perform the in-account scanning. And if you want to scan more than once every 24 hours (which you do, because attacks can happen in seconds), that’s even more expensive.
To ensure data privacy, you will have to pay more. Essentially, you’re paying your cloud security company extra money for a more secure implementation, which should have been present in the first place.
Worst-case scenario: Here’s why it matters
If you’re wondering why vendors exporting your data is a big deal, just take a look at one of the biggest data breaches ever. In 2020, there was a cyber attack on the IT management company SolarWinds. The hackers added malicious code to SolarWinds’ software system, so when their customers downloaded software updates, their networks were infected too. The hackers were then able to access the data and systems of up to 18,000 SolarWinds customers. One customer even discovered hackers had stolen the cybersecurity tools that they used to test their own clients’ networks. It was a seemingly endless chain of disasters.
Do you know the exact permissions that you’ve granted your cloud security provider? And just how comfortable are you with them? Are you being charged extra just for the privilege of protecting your own data?
You shouldn’t have to pay more for privacy
Giving your security company (or any provider) excessive privilege is an unnecessary risk that expands your attack surface. To better protect your information, you need to know what your security vendor’s default permissions are, where they’re storing your data, and if they are charging you extra to keep your data private. At Lacework, we don’t think it’s fair for you to pay more for privacy and peace of mind, which is why our solution was designed to keep your data private. Even if a worst-case scenario occurs, our customers can trust that they’re protected. Watch our on-demand demo to see firsthand how our platform works.