Now we have a basic idea of the spectrum. The next important thing is to look closely at the actual skills needed to do the job. For a lot of security folks, many of the skills required aren’t about deciphering malware, configuring firewalls, decoding IDS traces, or hacking web servers. A lot of security people, and even people whose job title is simply “sysadmin”, need skills along the lines of risk judgement, security architecture, the spectrum of threats, and compliance issues. Almost all of these topics are covered deeply in certifications and classes, except for good risk judgement. And tellingly, that’s where I see a lot of security candidates falter.
“Cloud? First of all, that’s a huge issue. And audited, SSAE is like SAS-70, so that’s pretty not bad. But there are still a lot of security problems with the cloud. That’s a big risk there. FTP? No wait, you said SFTP. That means the connection is encrypted, okay. I’m mostly concerned about malware. I didn’t hear anything about anti-virus being used on the connection. Just because the server is Linux doesn’t mean they can’t get a virus.”
“Cloud is audited? SSAE? Type 1 or Type 2? Okay, what else? Cloud Security Alliance? SFTP is okay, but how is it authenticating? Password? What are the password rules? How often is it rotated? And what’s in the file? I’d like to nmap that SFTP server too.”
“First off, what’s in the file? Is it just documents? It sounds like it, but is there PII in them? SFTP file transfer is okay, but is this automated? If so, are we using SSH keys? Cloud provider says SSAE, is that Type 1 or Type 2, and SOC 1, 2 or 3? What other certifications or audits do they have? Is that server hardened?”
“First off, I’m excited to hear the cloud provider is willing to work with us. That tells us a lot about how well this will turn out. Okay, onto the risk. A lot depends on the nature of the files transferred. If they have confidential data in them, then we need to look at a lot of things: is the file encrypted at rest in addition to the SFTP encryption, whatever that is? I’d make sure the level of encryption AND authentication on the SSH session matches the need, not just for risk but also for compliance. Same goes for the cloud provider. They’re audited, but what’s the scope? Does it include servers hosted by them or just their infrastructure? Is that SFTP server covered? And at what levels? And I’d need to see the actual SSAE report so I can read it for scope, relevance and standards.”