Will Google’s security baseline work?

Google teamed up with several technology companies to create baseline security measures for third-party vendors, but there’s some skepticism about how effective the checklist will be.

The collaborative effort, which Google named the Minimum Viable Secure Product (MVSP), is a “vendor-neutral security baseline” designed to test the security posture of software companies and third-party vendors. The document is comprised of safety controls that address authorization, vulnerability reporting, password policies, backup protocols and patching recommendations. Salesforce, Okta and Slack assisted in the development of MVSP, among other vendors.

According to a blog post last week by Royal Hansen, vice president of security at Google, the MVSP is intended to “increase the minimum bar for security across the industry while simplifying the vetting process.”

Securing software and third-party suppliers presents many challenges, as evidenced by an uptick in supply chain attacks, including the massive one against SolarWinds last year that utilized a poisoned software update. A portion of the White House’s executive order on improving cybersecurity in May involved “enhancing the software supply chain security.”

With the increasing number of breaches known to be caused by third-party vendors, Melinda Marks, senior analyst at Enterprise Strategy Group, said it’s important for organizations to ensure that their vendors’ security practices meet a set of standards to prevent such incidents.

Similarly, Shawn Tuma, a partner at law firm Spencer Fane LLP who specializes in data privacy and cybersecurity risk management, said cyber supply chain risk is one of the greatest threats that many companies face. “Once the vendor selection process is completed, it is often largely out of their hands to control, and that is a problem,” Tuma said in an email to SearchSecurity.

Google said the MVSP was designed to “ensure a reasonable security posture.” It was also designed to set a security precedent across all enterprises.

“Up until today, organizations of all sizes have had to design and implement their own security baselines for vendors that align with their risk posture. Unfortunately, this creates an impossible situation for vendors and organizations alike as they try to accommodate thousands of different requirements,” Hansen wrote.

According to Tuma, even enterprises that want to address cyber supply chain risks face much confusion, including over what to look for, which he said makes it an almost impossible task to perform without committing a tremendous amount of resources. “Anything that can help bring clarity and standardization to this process will be helpful,” Tuma said.

Confusion can also fall to third-party organizations. Marks said instead of third-party vendors “scrambling to meet every customer’s security requirements,” these recommendations provide a solid baseline for what vendors should provide.

Checklist raises concerns

While infosec experts and vendors agree having a security baseline of recommendations is a positive, there are a multitude of factors and potential obstacles to consider. The ability to commit a tremendous amount of resources is one problem, according to David Brumley, CEO of application security vendor ForAllSecure, and MVSP is not feasible for all business sizes.

“Their idea of a ‘minimum’ is several dedicated full-time employees, while most small/medium organizations are struggling to have even one dedicated security person,” Brumley said in an email to SearchSecurity. “More often than not, IT is being asked to double-duty as security.”

One concern he cited was in the incident handling portion of the checklist, which states enterprises must notify customers about a breach “no later than 72 hours upon discovery.”

“The MVSP assumes there are dedicated employees for a full-time incident response team. It assumes the app will be a SaaS where single sign on makes site (what about on site), uses security libraries like an Object-relational mapping tool (but doesn’t talk about potential performance problems one would have to address) and that any vulnerability ‘medium’ can be rolled out in 30 days.”

William Deller, managing consultant of cybersecurity risk and compliance at accounting firm Schneider and Downs, believes the MVSP is a good development, but initially it may actually “exacerbate the security framework circus.”

“Many organizations are already aligned to one or several frameworks and this will require mapping their controls to a new baseline,” Deller said. “However, eventually if more and more tech firms adopt the MVSP, it will create more consistency and transparency in their industry.”

This type of checklist is not new in the cyber insurance industry, either. Tuma said it is similar to the informal checklists that many carriers are now looking to for security controls that must be in place for companies to get coverage. “They will not all be the same, they will not all be comprehensive, and different experts will prioritize things in different order, but, it’s a great place to start and in the end, it should help improve security,” Tuma said.

The main impact that the MVSP will have on cyber insurance, according to Deller, is directly related to how well organizations are able to adopt frameworks and implement and execute controls. “The cyber insurance underwriting process will largely continue to be tied to the number of insurance holders enacting their policy due to a breach,” he said. “However, that won’t change without a decrease in breaches.”

Deller has observed initiatives like these succeed when the minimum requirements are aligned to a specific industry’s norms and needs, and a collaborative approach is then developed for the assurance needs.

Tuma and Brumley agreed that there are difficulties in making one document that will be suitable for all parties. For now, Brumley said the document “assumes everyone can be perfect right away or is resourced that way.” Though he has no issue with the recommendations, he believes the document is more targeted to Google’s needs.

“They should just call this what it is — what Google wants you to do to be a vendor for Google — and stop trying to consider itself an industry standard,” Brumley said.

According to Tuma, there is a constant challenge to find the balance between making the checklist substantively “right” versus making it practical and usable.

“Ten different experts will have ten different opinions, but getting a good baseline to start with is better than having nothing, and doing something – even if it is not exactly correct – will be better than doing nothing,” Tuma said.

Enterprise Strategy Group is a division of TechTarget.