attentionstealthy
stealthy 时间:2021-01-12 阅读:()
WhitePaperVMwareandtheNeedforCyberSupplyChainSecurityAssuranceByJonOltsik,SeniorPrincipalAnalystSeptember2015ThisESGWhitePaperwascommissionedbyVMwareandisdistributedunderlicensefromESG.
2015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance22015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ContentsExecutiveSummary3CyberSupplyChainSecurityRealities3CyberSupplyChainSecurityCanBeDifficult4CISOsareBolsteringCyberSupplyChainSecurityOversight.
5CyberSupplyChainSecurityAssurance.
7TheVMwareTrust&AssuranceFramework.
8TheBiggerTruth10Alltrademarknamesarepropertyoftheirrespectivecompanies.
InformationcontainedinthispublicationhasbeenobtainedbysourcesTheEnterpriseStrategyGroup(ESG)considerstobereliablebutisnotwarrantedbyESG.
ThispublicationmaycontainopinionsofESG,whicharesubjecttochangefromtimetotime.
ThispublicationiscopyrightedbyTheEnterpriseStrategyGroup,Inc.
Anyreproductionorredistributionofthispublication,inwholeorinpart,whetherinhard-copyformat,electronically,orotherwisetopersonsnotauthorizedtoreceiveit,withouttheexpressconsentofTheEnterpriseStrategyGroup,Inc.
,isinviolationofU.
S.
copyrightlawandwillbesubjecttoanactionforcivildamagesand,ifapplicable,criminalprosecution.
Shouldyouhaveanyquestions,pleasecontactESGClientRelationsat508.
482.
0188.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance32015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ExecutiveSummaryThecommonsaying,"mayyouliveininterestingtimes"isactuallytheEnglishtranslationofatraditionalChinesecurse.
ThisrealityissomewhatironicasCISOsandcybersecurityprofessionalswouldlikelyagreethattheyindeedliveinaveryinterestingbutdifficulttime.
WhyCyberthreatshavebecomemoreubiquitous,stealthy,andtargetedwhiletheITattacksurfacecontinuestoexpand,drivenbycloudcomputing,InternetofThings(IoT)initiatives,andmobileapplicationuse.
EnterpriseorganizationsnowrealizethatweliveinauniquetimeofincreasingITriskandarerespondingaccordingly.
Corporateexecutivesandboardsareparticipatingmoreintheirorganizations'cybersecuritystrategiestomitigatebusinessandtechnologyrisk.
Manyfirmshaveincreasedcybersecuritybudgetsaswellandarenowpurchasinganddeployingapotpourriofnewsecurityanalyticssystemsandlayersofdefense.
Allofthisactivityisastepintherightdirection—butitisjustnotenough.
VMwarehasintroducedanewinitiativecalled"VMwareTrustandAssurance,"whichhelpsanswercustomers'questionsaboutVMware'ssecurityanddevelopmentpracticesandprovidesgreatertransparencyaroundhowitdevelops,builds,secures,andsupportsitsapplications.
Thiswhitepaperconcludes:Organizationsareexposedtovulnerabilitiesinthecybersupplychain.
Thecybersupplychainintroducestheriskthataproductorservicecouldbecompromisedbyvulnerabilitiesand/ormaliciouscodeintroducedadvertentlyorinadvertentlyduringproductdevelopmentormaintenance,dueinparttoincreasingglobalizationoftheITsupplychain.
Consequently,ITproductsandservicesbuiltonafoundationofbroaddiversecybersupplychainsmayincreasetheriskofadevastatingcyber-attacktocustomers.
ITrisksarenotlimitedtocorporateLANs,WANs,anddatacenters.
Rather,enterprisesremainatriskforcyber-attacksthattakeadvantageofvulnerabilitiesexistinginITequipment,businesspartnernetworks,non-employeedevices,etc.
Asthesayinggoes,"thecybersecuritychainisonlyasstrongasitsweakestlink.
"Regrettably,muchofthecybersecuritychainresidesoutsidetheperimeterfirewallandthusneedsproperoversight,cybersecuritybestpractices,andamplelayersofdefense.
CISOsarepushingbackonITvendors.
PragmaticcybersecurityprofessionalsnowrealizethattheirstrategicITvendorscanmakeorbreakthecybersecuritychain.
Intheworstcase,insecurepartnersorITsystemscanbeusedasastaginggroundforadevastatingdatabreach.
Tominimizerisk,manyenterpriseorganizationsareaddressingcybersupplychainsecuritybyauditingITvendors'securityprocessesandmakingpurchasingdecisionsbaseduponavendor'sabilitytomeetincreasinglyrigorouscybersecurityrequirements.
ITvendorsmustdevelopcybersupplychainsecurityassurancecapabilities;TheVMwareTrustandAssuranceFrameworkservesasamodelfortheindustry.
Enterprisecybersecurityrequirementswillcontinuetobecomemorerigidinthefuture.
Asthissituationevolves,CISOswillonlydobusinesswithtrustedITvendorswithdemonstrablecybersupplychainsecurityassuranceprogramsthatincludeallaspectsoftheirproductdevelopment,testing,distribution,deployment,customization,andsupport.
VMware'sTrust&Assuranceinitiativeservesasamodelofthetransparencyneededforcybersupplychainsecurityfortheindustry.
CISOsshoulddemandasimilarresponsefromallstrategicITvendors.
CyberSupplyChainSecurityRealitiesOrganizationslargeandsmallarechangingtheirbehaviorwithregardstocybersecurityinresponsetotheincreasinglydangerousthreatlandscapeandhighly-publicizeddatabreaches.
Infact,manyorganizationsnolongerconsidercybersecurityanITissuealone.
Alternatively,cybersecurityriskisnowabusinessprioritythatgetsampleattentionwithbusinessexecutivesandcorporateboards.
AccordingtoESGresearch:WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance42015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
Whenaskedtoidentifythebiggestdriverfortechnologyspendingoverthenext12months,46%oforganizationspointedtosecurityandriskmanagementinitiatives.
Thiswasthemostpopularresponse,quiteabithigherthanthesecondmostpopularanswer,"costreductioninitiatives,"whichcameinat37%.
Justoverone-thirdoforganizations(34%)saythatInformationsecurityinitiativesarethemostimportantITprioritythisyear.
Onceagain,thiswasthetopresponse.
59%oforganizationssaidthattheirITsecuritybudgetsfor2015wouldincreasewhileonly9%saidtheywoulddecreaseinfosecbudgetsthisyear.
1Increasingfocusoncybersecurityhasresultedinlotsofactivity,asmanyorganizationsaddlayersofdefensetotheirnetworks,implementnewsolutionsforincidentdetectionandresponse,andbolstersecuritymonitoringandanalyticsefforts.
TheseinternaleffortsareagoodstartbutagrowingnumberofCISOsrealizethatcybersecurityriskextendsbeyondtheLAN,WAN,andcorporatedatacenterstoalargerpopulationofcustomers,suppliers,andbusinesspartners.
Thislargercybersecurityuniverseissometimesreferredtoasthecybersupplychain,whichESGdefinesas:"Theentiresetofkeyactorsinvolvedwith/usingcyberinfrastructure:systemend-users,policymakers,acquisitionspecialists,systemintegrators,networkproviders,andsoftwarehardwaresuppliers.
Theseusers/providers'organizationalandprocess-levelinteractionstoplan,build,manage,maintain,anddefendcyberinfrastructure.
"Cybersupplychainsecurityissuesarenotuncommon.
Forexample:In2008,theFBIseized$76millionofcounterfeitCiscoequipment.
AspartoftheStuxnetincidentin2010,fivecompaniesactingascontractorsfortheIraniannuclearprogramhadtheirnetworkscompromisedinordertogaintrustedaccesstogovernmentnuclearfacilities.
Thesuccessful2013databreachatTargetCorporationwaseventuallytracedtosystemcompromisesatFazioBrothers,oneofTarget'sHVACcontractors.
HackersusedFazioBrothersasastaginggroundandusedthecompany'snetworkaccessasanattackvector.
CyberSupplyChainSecurityCanBeDifficultSomeCISOsrecognizetherisksassociatedwiththeircybersupplychainsecurityandthisisespeciallytruefororganizationsthatdependuponarmiesofexternalbusinesspartners,contractors,orsuppliersaspartoftheirbusinessoperations.
Unfortunately,cybersupplychainsecuritybestpracticesaren'teasyastheyrequireconstantoversightofthestateofcybersecurityrelatedtoITequipmentproviders,softwarevendors,connectedbusinesspartners,etc.
Infact,cybersupplychainsecurityseemstobegrowingincreasinglyproblematicforsomefirms.
InarecentESGresearchsurveyofcriticalinfrastructuresectororganizations(i.
e.
,chemicalsector,emergencyservices,energysector,financialservices,healthcare,telecommunications,etc.
),40%ofcybersecurityprofessionalsadmittedthatcybersupplychainsecurityhasbecomemoredifficultoverthepastfewyears,andthosewhodidsuppliednumerousreasonsforthatincreaseddifficulty(seeFigure1):44%ofcriticalinfrastructuresectororganizationssaythattheirorganizationhasimplementednewtypesofITinitiatives,increasingthecybersupplychainattacksurface.
TheseinitiativesincludeBYOD,cloudcomputing,InternetofThings(IoT)projects,andthegrowinguseofmobileapplicationsanddevices.
39%ofcriticalinfrastructuresectororganizationssaytheirorganizationhasmoresuppliersthanitdidtwoyearsago.
Thisistobeexpected,giventhewaveofITinnovationaroundsoftware-defineddatacenters,cloudplatforms,virtualnetworks,etc.
36%ofcriticalinfrastructuresectororganizationssaythattheirorganizationhasconsolidatedITandoperationaltechnology(OT),increasingthecomplexityofcybersupplychainsecurity.
Inthesecases,CISOs1Source:ESGResearchReport,2015ITSpendingIntentionsSurvey,February2015.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance52015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
areforcedtosecurebusiness-criticalbutunfamiliartechnologieslikeprogrammablelogiccontrollers(PLCs)andsupervisorycontrolanddataacquisition(SCADA)systemsusedforindustrialoperations.
2Figure1.
ReasonsWhyCyberSupplyChainSecurityHasBecomeMoreDifficultSource:EnterpriseStrategyGroup,2015.
AsidefromtheassortmentofissuesdescribedinFigure1,CISOsoftenvoiceotherconcernstoESG.
Forexample,manysecurityexecutivesareanxiousaboutthegrowinguseofopensourcecomponents(andvulnerabilities)aspartofcommercialsoftware(i.
e.
,Heartbleed,OpenSSL,Shellshock,etc.
).
CISOsalsoworryaboutthingslikerogueinsidersworkingforITsuppliersanddataprivacyrelatedtosensitiveinformationmovedtothecloudbyITvendorsandbusinesspartners.
Dataprivacyandcybersupplychainsecurityissuescanalsobeasourceconcerndrivenbyglobal"follow-the-sun"developmentpracticesandcloudarchitectures,aswellasemergingregulationsliketheEUDigitalSingleMarketinitiative.
CISOsareBolsteringCyberSupplyChainSecurityOversightAscybersecuritymorphsfromatechnologytoabusinessissue,CEOsandcorporateboardsaregainingabetterperspectiveofcybersupplychainsecurityrisks.
Thisisdrivingachainreaction—businessexecutivesarepushingCISOstomitigatecybersupplychainrisk,causingcybersecurityexecutivesandpurchasingmanagerstoplacemorestringentcybersecurityrequirementsontheirITvendors.
2Source:ESGResearchReport,CyberSupplyChainSecurityRevisited,September2015.
AllESGresearchreferencesandchartsinthiswhitepaperhavebeentakenfromthisresearchreportunlessotherwisenoted.
34%34%36%39%44%0%5%10%15%20%25%30%35%40%45%50%MyorganizationhassourcedITproducts,components,andservicesfromothercountriesoverthepastfewyearsandthesechangesmaybeincreasingcybersupplychainsecurityriskMyorganizationhasincreasedthenumberofexternalthird-partieswithaccesstoourinternalITassetswhichhasincreasedthecybersupplychainattacksurfaceMyorganizationhasconsolidatedITandoperationaltechnologysecuritywhichhasincreasedthecomplexityofcybersupplychainsecurityMyorganizationhasmoresuppliersthanitdidafewyearsagoMyorganizationhasimplementednewtypesofITinitiativeswhichhasincreasedthecybersupplychainattacksurfaceYouindicatedthatcybersupplychainsecurityhasbecomemoredifficultatyourorganizationoverthepastfewyears.
Whydoyoubelievethatthisisthecase(Percentofrespondents,N=180,multipleresponsesaccepted)WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance62015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ESGresearchillustratesthistrendwithanextensivearrayofsecurityconsiderationsforITvendorsascriticalinfrastructuresectororganizationsevaluateandpurchaseITproductsandservices.
Forexample,35%examineavendor'sexperienceandtrackrecordrelatedtosecurityvulnerabilitiesandsoftwarepatches,35%lookatavendor'soverallsecurityexpertiseandreputation,and32%contemplateavendor'sreputationandindustryexpertise(seeFigure2).
Figure2.
CybersecurityEvaluationConsiderationsforITPurchasingofProductsandServicesSource:EnterpriseStrategyGroup,2015.
TofurtherappraiseITvendorsecurity,manyorganizationsarealsoadoptingaformalcybersecurityauditprocessaspartoftheirITprocurementprocess.
Forexample,91%ofcriticalinfrastructuresectororganizationsauditthecybersecurityoftheirstrategicsoftwarevendors(i.
e.
,alwaysconductauditsordosoonanas-neededbasis),90%auditthecybersecurityoftheircloudserviceproviders,and88%auditthecybersecurityoftheirstrategicITinfrastructurevendors.
9%14%17%18%20%22%24%29%31%32%35%35%0%10%20%30%40%Locationofvendor'scorporateheadquartersLocationofvendor'sproductdevelopmentand/ormanufacturingoperationsVendor'suseofthird-partiesaspartofitsoverallproductdevelopment,manufacturing,testing,andmaintenanceVendor'sformalanddocumentedsecureproductdevelopmentprocessesVendor'sISOcertificationSecuritybreachesofvendororganizationVendor'semergencyresponse/problemescalationproceduresVendor'sprofessionalservicesofferingsforsecureITproductassessment,planning,anddeploymentVendor'sreputationandexpertiseinourindustryVendor'scybersupplychainriskmanagementprocessesVendor'soverallsecurityexpertise/reputationVendor'sexperienceandtrackrecordrelatedtosecurityvulnerabilitiesandsubsequentfixesofitsproductsThefollowingisalistofsecurityconsiderationsanorganizationmayevaluatebeforepurchasingITproductsandservices.
Whichofthefollowingconsiderationsaremostimportanttoyourorganizationduringtheproductevaluationandpurchaseprocess(Percentofrespondents,N=303,threeresponsesacceptedperrespondent)WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance72015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
Theseauditsarebecomingincreasinglycomprehensive.
AsESGresearchillustrates,ITvendorcybersecurityauditsincludethingslikehandsonreviewsofavendor'ssecurityhistory,reviewsofavendor'ssecuritydocumentation,processes,andmetrics,andreviewsofvendors'owninternalITandcomplianceaudits(seeFigure3).
Figure3.
MechanismsUsedInITVendorAuditsSource:EnterpriseStrategyGroup,2015.
CyberSupplyChainSecurityAssuranceTheESGresearchpresentsaclearpicture—high-securityenterpriseorganizationsareincreasinglydemandinggreatercybersecuritybestpracticesfromtheirstrategicITvendors.
Furthermore,vendors'cybersecuritypolicies,processes,andmetricsarebecomingadeterminingfactorforITprocurementasadvancedorganizationsarenowselectingstrategicITvendorsbaseduponanewstandard,cybersupplychainsecurityassurance,definedas:28%30%40%42%44%49%51%52%54%0%10%20%30%40%50%60%SendvendorastandardlistofquestionsonpaperandthenreviewtheirresponsesOn-siteinspection(s)ofvendor'sfacilitiesReviewanyrecentpenetrationtestingresultsandsubsequentremediationplansDemandvendorcertificationsHands-onreviewofdocumentation,processes,securitymetrics,andpersonnelrelatedtoavendor'ssecurityprocessesHands-onreviewofdocumentation,processes,securitymetrics,andpersonnelrelatedtoavendor'sproductdevelopmentprocessesReviewofvendor'ssecurityauditsHands-onreviewofdocumentation,processes,securitymetrics,andpersonnelrelatedtoavendor'ssupplychainsecurityprocessesHands-onreviewofvendor'ssecurityhistoryYouhaveindicatedthatyourorganizationconductsauditsofitsITvendors'securityprocesses.
WhichofthefollowingmechanismsdoesyourorganizationusetoconducttheseITvendorsecurityaudits(Percentofrespondents,N=294,multipleresponsesaccepted)WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance82015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
Cybersupplychainsecurityassuranceisthepracticeofmanagingcybersupplychainrisksrelatedtothepeople,processes,andtechnologiesusedtodesign,develop,produce,distribute,andimplementIThardware,software,andservices.
Toparsethisdefinitionfurther,cybersupplychainsecurityassuranceincludes:Secureproductdevelopment.
Thisincludesasecuresoftwaredevelopmentlifecycle,assessment,andtestingofopensourceandthirdpartycodeincludedinvendorproducts,andconsiderationofthecybersecuritypracticesofallcontractorsandsuppliersthatparticipateinsoftwaredevelopmentorhardwarebillofmaterials.
Adequatesecurityskills.
Tominimizerisksassociatedwithhumanerror,productdevelopers,testers,andotherhandlersmusthavesuitableandup-to-datecybersecurityskills.
Therightcybersecurityprocessesandprocedures.
Vendorsmustbacktheirday-to-dayoperationswithcybersecuritybestpracticesforriskmanagement,threatprevention,andincidentresponse.
Additionally,ITvendorsmustemploycybersecuritybestpracticesforinternalITthemselves.
Field-levelcybersecurityexpertise.
EvenwhencybersecurityfeaturesareembeddedinITsystems,overwhelmedcustomersmaynotknowhowtoconfiguredevicesorcustomizesystemsfortheirindividualsecurityneeds.
Vendorswithleadingcybersupplychainsecurityassuranceskillshavefield-levelemployeesorpartnerswhocanhelpcustomersconsumeandbenefitfromproductsecurityfeaturesandfunctionalityupondeploymentandcontinuallyovertime.
Strongcybersecuritycustomersupport.
Whilevendorsshoulddoalltheycantodevelop,distribute,anddeploysecureproducts,theyalsomusthavetherightpreparationforinevitablesecurityvulnerabilities.
Cybersupplychainsecurityassurancedemandsthatvendors'securityteamsmonitorthelatestattacktrendsandworkwiththegreatersecuritycommunitytoensuretimelyawarenessofnewvulnerabilitiesthatcouldimpacttheirproducts.
Oncevulnerabilitiesaredetected,vendorsmustalsohavehighlyefficientprocessesfordeveloping,testing,anddistributingsoftwarepatches.
Finally,vendorsmusthaveahighlytrainedstafftoguidecustomersthroughsecurityfixesasneeded.
TheVMwareTrust&AssuranceFrameworkESGbelievesthatcybersupplychainsecurityassuranceisstartingtohaveamarketimpact,creatingaclearlineofdelineationbetweenITvendorswithtruecybersecuritycommitmentsandthosethatremainbehind.
Sadly,manyITvendorshavenotembracedtherightlevelofcybersupplychainsecurityassurance,puttingtheircustomersatrisk.
Sinceitsformationin1998,VMwareCorporationhasgrownandevolveditsroleatenterpriseorganizations.
Earlyon,VMwareservervirtualizationtechnologywasusedprimarilybyITdepartmentsforsoftwaretestinganddevelopment.
Overtime,largeorganizationsembracedVMwareinproductiondatacentersforserverconsolidation.
Mostrecently,VMwarehasbecomeastrategicITvendoratmanyenterpriseorganizationsasVMwaretechnologyisoftendeployedonendpoints,indatacenters,andacrosspublicandprivatecloudinfrastructure.
AsitadvancedfromtacticaltostrategicITvendor,VMwarefacedapatternofincreasingcybersecurityscrutinyfromdemandingpublicandprivatesectorcustomers.
Toaddressthis,VMwaremanagementintroducedaninternalfocusoncontinuouscybersecurityimprovementseveralyearsago.
ThiseffortculminatedrecentlywithaninitiativecalledVMwareTrust&Assurance,whichiscomposedoffourguidingprinciples:Reliability.
WithintheVMwareTrust&Assuranceframework,thecommitmenttoreliabilityincludes:ProductperformanceandscalabilityinordertoensurethatVMwareproductscanmeetenterprisedemands.
ApervasivecultureofevangelismandeducationtokeepVMwareemployeesandcustomerseducatedandengagedonrapidly-changingcybersecurityrisks.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance92015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ResearchdedicatedtoenhancingVMwareproductperformanceandreliabilitywhileworkingwithcustomersonassociatedprojectplanning,testing,deployment,andoptimization.
QualitymetricsandcontinuousimprovementassociatedwithVMwareproducts,people,andpartners.
Integrity.
ThisprinciplealignswithVMware'ssoftwaredevelopmentandcomprises:TheVMwaresoftwaredevelopmentlifecycle.
VMwarehadbuiltadevelopmentprocessthatincludesformalrepeatableprocessesforsoftwaredesign,testing,documentation,release,andongoingsupport.
Complianceandrisk.
Alongwithitspartners,VMwaredevelopedthecompliancereferencearchitectureframework(RAF)thatalignsitstechnologywithregulatorycompliancerequirementsacrossindustries.
Softwaresupplychainmanagement.
VMwareisaddressingitsowncybersupplychainpracticesinanumberofareasincludingIPprotection,sourcecodesharing,riskmanagementassessment,andproactivesoftwaresecurityprogramswithstrategicpartnersandsuppliers.
Privacy.
Toprotectcustomerprivacy,VMwaredefinesitsprivacypolicytocustomers,specifyingwhatdataitcollectsandhowitisused.
VMwarefollowsa"privacybydesign"frameworktoprovidetransparencyonprivacyasitrelatestoproducts,services,andsupport.
Security.
VMwarehasintroducedstrongcybersecuritythroughoutitsorganization.
Examplesofthisinclude:Productsecurity.
VMwarehascreatedaproductsecurityteamresponsibleforoversightofallproductsecurity.
Thisgroupsupervisessecuritydevelopmentprocessesandmetricswitheachproductteamandisresponsiblefordemonstratingcontinuousimprovement.
Securitydevelopmentlifecycle.
Thisextendsbeyondthesecuresoftwaredevelopmentlifecycleandincludessecuritytraining,planning,serviceability,aswellasresponseplanning,productsecurityrequirementsassessment,andoverallsecuritymonitoring.
Thesecurityresponsecenter.
VMwareemploysateamofsecurityresearchers,softwaredevelopers,andsupportstafftofindvulnerabilities,developfixes,andworkwithcustomersandpartnersfortimelydistributionanddeploymentofsecurityfixes.
ITsecurity.
Likealllargeenterprises,VMware'scorporateinfrastructureisundercontinualattacksfrommaliciousindividualsandentities.
Toaddressthisrisk,VMwaremaintainscybersecuritybestpracticesoninternalnetworksandsystems.
Commitment.
Tomakecybersupplychainsecurityassurancepervasiveineverythingitdoes,VMwarehasmadecybersecuritypartofitscorporateculture.
Ofcourse,thisrequiresatruecybersecuritycommitmentincluding:Continuingproductdevelopment.
VMwarehasestablishedacontinuingproductdevelopmentorganization,whichactsasasinglepoint-of-contactforaddressing,escalating,andresolvingproductandcustomercybersecurityissues.
Ecosystemservices.
VMwareunderstandsthatitscybersecuritysupplychainincludesanetworkofhundredsofotherITvendorandservicespartners.
VMwareprovidestechnicalsupport,testing,cooperativesupportservices,andrules-of-engagementtoensurestrongcybersecurityinthefield.
Customeradvocacy.
VMwarerecognizesthatcybersecurityprofessionalsareacommunityoflike-mindedindividualswithafewcommongoals—mitigatingITriskandprotectingcriticalITassetsanddata.
Tosucceed,VMwaredependsuponapartnershipofequalswithVMwareWhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance102015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
participatinginthecybersecuritycommunityratherthandictatingitsownITvendoragenda.
VMwareseekstofacilitatethisrelationshipwithsecurityresearch,workshops,benchmarks,securityeducation,andsocialmediacampaigns.
WithitsTrust&Assuranceinitiative,VMwareistakinga360degreeperspectiveoncybersecuritythatencompassesitsproducts,partners,customers,employees,andthecybersecuritycommunityatlarge.
Inthisway,VMwarehasnotonlyrespondedtoitsenterprisecustomers'needforgreatertransparencyrelatedtocybersupplychainsecurity,butisalsosettinganexamplethatshouldbeemulatedbyotherITvendors.
TheBiggerTruthCISOsfaceadauntingareaofchallenges.
Cyberthreatsgrowmorevoluminous,sophisticated,andtargetedwhileITinfrastructuregetsmorecomplexasnetworkperimetersdisappear.
Yes,thesechangesdemandanincreasingcommitmenttocybersecurityoversight,riskmanagement,andtightsecuritycontrolsbuttheseeffortssimplycan'tbelimitedtocorporateLANs,WANs,anddatacenters.
Rather,CISOsmustunderstandtherisksassociatedwiththeircybersupplychains,andestablishbestpracticesforcybersupplychainsecurity.
ESGresearchindicatesthatthistransitionisalreadyinprogress,causingmanyorganizationstoauditthesecurityoftheirITproductandservicesvendors.
Leadingedgeenterprisesarealsomakingpurchasingdecisionsbasedupontheirvendors'cybersupplychainsecurityassuranceprograms.
Movingforward,moreorganizationswilllikelyfollowsuit.
UnlikemanyotherenterpriseITvendors,VMwareiswellpreparedforthisincreasinglevelofcybersecurityoversight.
Infact,theVMwareTrust&Assuranceinitiativeisdesignedtomeetandexceedthegrowingneedforgreatertransparencyrelatedtoenterprisecybersecurity.
Assuch,VMwareissettinganexamplefortheITindustryatlarge.
CISOswouldbewellservedtodemandsimilarcybersupplychainsecurityassurancefromALLoftheirstrategicITvendors.
20AsylumStreet|Milford,MA01757|Tel:508.
482.
0188Fax:508.
482.
0218|www.
esg-global.
com
2015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance22015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ContentsExecutiveSummary3CyberSupplyChainSecurityRealities3CyberSupplyChainSecurityCanBeDifficult4CISOsareBolsteringCyberSupplyChainSecurityOversight.
5CyberSupplyChainSecurityAssurance.
7TheVMwareTrust&AssuranceFramework.
8TheBiggerTruth10Alltrademarknamesarepropertyoftheirrespectivecompanies.
InformationcontainedinthispublicationhasbeenobtainedbysourcesTheEnterpriseStrategyGroup(ESG)considerstobereliablebutisnotwarrantedbyESG.
ThispublicationmaycontainopinionsofESG,whicharesubjecttochangefromtimetotime.
ThispublicationiscopyrightedbyTheEnterpriseStrategyGroup,Inc.
Anyreproductionorredistributionofthispublication,inwholeorinpart,whetherinhard-copyformat,electronically,orotherwisetopersonsnotauthorizedtoreceiveit,withouttheexpressconsentofTheEnterpriseStrategyGroup,Inc.
,isinviolationofU.
S.
copyrightlawandwillbesubjecttoanactionforcivildamagesand,ifapplicable,criminalprosecution.
Shouldyouhaveanyquestions,pleasecontactESGClientRelationsat508.
482.
0188.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance32015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ExecutiveSummaryThecommonsaying,"mayyouliveininterestingtimes"isactuallytheEnglishtranslationofatraditionalChinesecurse.
ThisrealityissomewhatironicasCISOsandcybersecurityprofessionalswouldlikelyagreethattheyindeedliveinaveryinterestingbutdifficulttime.
WhyCyberthreatshavebecomemoreubiquitous,stealthy,andtargetedwhiletheITattacksurfacecontinuestoexpand,drivenbycloudcomputing,InternetofThings(IoT)initiatives,andmobileapplicationuse.
EnterpriseorganizationsnowrealizethatweliveinauniquetimeofincreasingITriskandarerespondingaccordingly.
Corporateexecutivesandboardsareparticipatingmoreintheirorganizations'cybersecuritystrategiestomitigatebusinessandtechnologyrisk.
Manyfirmshaveincreasedcybersecuritybudgetsaswellandarenowpurchasinganddeployingapotpourriofnewsecurityanalyticssystemsandlayersofdefense.
Allofthisactivityisastepintherightdirection—butitisjustnotenough.
VMwarehasintroducedanewinitiativecalled"VMwareTrustandAssurance,"whichhelpsanswercustomers'questionsaboutVMware'ssecurityanddevelopmentpracticesandprovidesgreatertransparencyaroundhowitdevelops,builds,secures,andsupportsitsapplications.
Thiswhitepaperconcludes:Organizationsareexposedtovulnerabilitiesinthecybersupplychain.
Thecybersupplychainintroducestheriskthataproductorservicecouldbecompromisedbyvulnerabilitiesand/ormaliciouscodeintroducedadvertentlyorinadvertentlyduringproductdevelopmentormaintenance,dueinparttoincreasingglobalizationoftheITsupplychain.
Consequently,ITproductsandservicesbuiltonafoundationofbroaddiversecybersupplychainsmayincreasetheriskofadevastatingcyber-attacktocustomers.
ITrisksarenotlimitedtocorporateLANs,WANs,anddatacenters.
Rather,enterprisesremainatriskforcyber-attacksthattakeadvantageofvulnerabilitiesexistinginITequipment,businesspartnernetworks,non-employeedevices,etc.
Asthesayinggoes,"thecybersecuritychainisonlyasstrongasitsweakestlink.
"Regrettably,muchofthecybersecuritychainresidesoutsidetheperimeterfirewallandthusneedsproperoversight,cybersecuritybestpractices,andamplelayersofdefense.
CISOsarepushingbackonITvendors.
PragmaticcybersecurityprofessionalsnowrealizethattheirstrategicITvendorscanmakeorbreakthecybersecuritychain.
Intheworstcase,insecurepartnersorITsystemscanbeusedasastaginggroundforadevastatingdatabreach.
Tominimizerisk,manyenterpriseorganizationsareaddressingcybersupplychainsecuritybyauditingITvendors'securityprocessesandmakingpurchasingdecisionsbaseduponavendor'sabilitytomeetincreasinglyrigorouscybersecurityrequirements.
ITvendorsmustdevelopcybersupplychainsecurityassurancecapabilities;TheVMwareTrustandAssuranceFrameworkservesasamodelfortheindustry.
Enterprisecybersecurityrequirementswillcontinuetobecomemorerigidinthefuture.
Asthissituationevolves,CISOswillonlydobusinesswithtrustedITvendorswithdemonstrablecybersupplychainsecurityassuranceprogramsthatincludeallaspectsoftheirproductdevelopment,testing,distribution,deployment,customization,andsupport.
VMware'sTrust&Assuranceinitiativeservesasamodelofthetransparencyneededforcybersupplychainsecurityfortheindustry.
CISOsshoulddemandasimilarresponsefromallstrategicITvendors.
CyberSupplyChainSecurityRealitiesOrganizationslargeandsmallarechangingtheirbehaviorwithregardstocybersecurityinresponsetotheincreasinglydangerousthreatlandscapeandhighly-publicizeddatabreaches.
Infact,manyorganizationsnolongerconsidercybersecurityanITissuealone.
Alternatively,cybersecurityriskisnowabusinessprioritythatgetsampleattentionwithbusinessexecutivesandcorporateboards.
AccordingtoESGresearch:WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance42015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
Whenaskedtoidentifythebiggestdriverfortechnologyspendingoverthenext12months,46%oforganizationspointedtosecurityandriskmanagementinitiatives.
Thiswasthemostpopularresponse,quiteabithigherthanthesecondmostpopularanswer,"costreductioninitiatives,"whichcameinat37%.
Justoverone-thirdoforganizations(34%)saythatInformationsecurityinitiativesarethemostimportantITprioritythisyear.
Onceagain,thiswasthetopresponse.
59%oforganizationssaidthattheirITsecuritybudgetsfor2015wouldincreasewhileonly9%saidtheywoulddecreaseinfosecbudgetsthisyear.
1Increasingfocusoncybersecurityhasresultedinlotsofactivity,asmanyorganizationsaddlayersofdefensetotheirnetworks,implementnewsolutionsforincidentdetectionandresponse,andbolstersecuritymonitoringandanalyticsefforts.
TheseinternaleffortsareagoodstartbutagrowingnumberofCISOsrealizethatcybersecurityriskextendsbeyondtheLAN,WAN,andcorporatedatacenterstoalargerpopulationofcustomers,suppliers,andbusinesspartners.
Thislargercybersecurityuniverseissometimesreferredtoasthecybersupplychain,whichESGdefinesas:"Theentiresetofkeyactorsinvolvedwith/usingcyberinfrastructure:systemend-users,policymakers,acquisitionspecialists,systemintegrators,networkproviders,andsoftwarehardwaresuppliers.
Theseusers/providers'organizationalandprocess-levelinteractionstoplan,build,manage,maintain,anddefendcyberinfrastructure.
"Cybersupplychainsecurityissuesarenotuncommon.
Forexample:In2008,theFBIseized$76millionofcounterfeitCiscoequipment.
AspartoftheStuxnetincidentin2010,fivecompaniesactingascontractorsfortheIraniannuclearprogramhadtheirnetworkscompromisedinordertogaintrustedaccesstogovernmentnuclearfacilities.
Thesuccessful2013databreachatTargetCorporationwaseventuallytracedtosystemcompromisesatFazioBrothers,oneofTarget'sHVACcontractors.
HackersusedFazioBrothersasastaginggroundandusedthecompany'snetworkaccessasanattackvector.
CyberSupplyChainSecurityCanBeDifficultSomeCISOsrecognizetherisksassociatedwiththeircybersupplychainsecurityandthisisespeciallytruefororganizationsthatdependuponarmiesofexternalbusinesspartners,contractors,orsuppliersaspartoftheirbusinessoperations.
Unfortunately,cybersupplychainsecuritybestpracticesaren'teasyastheyrequireconstantoversightofthestateofcybersecurityrelatedtoITequipmentproviders,softwarevendors,connectedbusinesspartners,etc.
Infact,cybersupplychainsecurityseemstobegrowingincreasinglyproblematicforsomefirms.
InarecentESGresearchsurveyofcriticalinfrastructuresectororganizations(i.
e.
,chemicalsector,emergencyservices,energysector,financialservices,healthcare,telecommunications,etc.
),40%ofcybersecurityprofessionalsadmittedthatcybersupplychainsecurityhasbecomemoredifficultoverthepastfewyears,andthosewhodidsuppliednumerousreasonsforthatincreaseddifficulty(seeFigure1):44%ofcriticalinfrastructuresectororganizationssaythattheirorganizationhasimplementednewtypesofITinitiatives,increasingthecybersupplychainattacksurface.
TheseinitiativesincludeBYOD,cloudcomputing,InternetofThings(IoT)projects,andthegrowinguseofmobileapplicationsanddevices.
39%ofcriticalinfrastructuresectororganizationssaytheirorganizationhasmoresuppliersthanitdidtwoyearsago.
Thisistobeexpected,giventhewaveofITinnovationaroundsoftware-defineddatacenters,cloudplatforms,virtualnetworks,etc.
36%ofcriticalinfrastructuresectororganizationssaythattheirorganizationhasconsolidatedITandoperationaltechnology(OT),increasingthecomplexityofcybersupplychainsecurity.
Inthesecases,CISOs1Source:ESGResearchReport,2015ITSpendingIntentionsSurvey,February2015.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance52015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
areforcedtosecurebusiness-criticalbutunfamiliartechnologieslikeprogrammablelogiccontrollers(PLCs)andsupervisorycontrolanddataacquisition(SCADA)systemsusedforindustrialoperations.
2Figure1.
ReasonsWhyCyberSupplyChainSecurityHasBecomeMoreDifficultSource:EnterpriseStrategyGroup,2015.
AsidefromtheassortmentofissuesdescribedinFigure1,CISOsoftenvoiceotherconcernstoESG.
Forexample,manysecurityexecutivesareanxiousaboutthegrowinguseofopensourcecomponents(andvulnerabilities)aspartofcommercialsoftware(i.
e.
,Heartbleed,OpenSSL,Shellshock,etc.
).
CISOsalsoworryaboutthingslikerogueinsidersworkingforITsuppliersanddataprivacyrelatedtosensitiveinformationmovedtothecloudbyITvendorsandbusinesspartners.
Dataprivacyandcybersupplychainsecurityissuescanalsobeasourceconcerndrivenbyglobal"follow-the-sun"developmentpracticesandcloudarchitectures,aswellasemergingregulationsliketheEUDigitalSingleMarketinitiative.
CISOsareBolsteringCyberSupplyChainSecurityOversightAscybersecuritymorphsfromatechnologytoabusinessissue,CEOsandcorporateboardsaregainingabetterperspectiveofcybersupplychainsecurityrisks.
Thisisdrivingachainreaction—businessexecutivesarepushingCISOstomitigatecybersupplychainrisk,causingcybersecurityexecutivesandpurchasingmanagerstoplacemorestringentcybersecurityrequirementsontheirITvendors.
2Source:ESGResearchReport,CyberSupplyChainSecurityRevisited,September2015.
AllESGresearchreferencesandchartsinthiswhitepaperhavebeentakenfromthisresearchreportunlessotherwisenoted.
34%34%36%39%44%0%5%10%15%20%25%30%35%40%45%50%MyorganizationhassourcedITproducts,components,andservicesfromothercountriesoverthepastfewyearsandthesechangesmaybeincreasingcybersupplychainsecurityriskMyorganizationhasincreasedthenumberofexternalthird-partieswithaccesstoourinternalITassetswhichhasincreasedthecybersupplychainattacksurfaceMyorganizationhasconsolidatedITandoperationaltechnologysecuritywhichhasincreasedthecomplexityofcybersupplychainsecurityMyorganizationhasmoresuppliersthanitdidafewyearsagoMyorganizationhasimplementednewtypesofITinitiativeswhichhasincreasedthecybersupplychainattacksurfaceYouindicatedthatcybersupplychainsecurityhasbecomemoredifficultatyourorganizationoverthepastfewyears.
Whydoyoubelievethatthisisthecase(Percentofrespondents,N=180,multipleresponsesaccepted)WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance62015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ESGresearchillustratesthistrendwithanextensivearrayofsecurityconsiderationsforITvendorsascriticalinfrastructuresectororganizationsevaluateandpurchaseITproductsandservices.
Forexample,35%examineavendor'sexperienceandtrackrecordrelatedtosecurityvulnerabilitiesandsoftwarepatches,35%lookatavendor'soverallsecurityexpertiseandreputation,and32%contemplateavendor'sreputationandindustryexpertise(seeFigure2).
Figure2.
CybersecurityEvaluationConsiderationsforITPurchasingofProductsandServicesSource:EnterpriseStrategyGroup,2015.
TofurtherappraiseITvendorsecurity,manyorganizationsarealsoadoptingaformalcybersecurityauditprocessaspartoftheirITprocurementprocess.
Forexample,91%ofcriticalinfrastructuresectororganizationsauditthecybersecurityoftheirstrategicsoftwarevendors(i.
e.
,alwaysconductauditsordosoonanas-neededbasis),90%auditthecybersecurityoftheircloudserviceproviders,and88%auditthecybersecurityoftheirstrategicITinfrastructurevendors.
9%14%17%18%20%22%24%29%31%32%35%35%0%10%20%30%40%Locationofvendor'scorporateheadquartersLocationofvendor'sproductdevelopmentand/ormanufacturingoperationsVendor'suseofthird-partiesaspartofitsoverallproductdevelopment,manufacturing,testing,andmaintenanceVendor'sformalanddocumentedsecureproductdevelopmentprocessesVendor'sISOcertificationSecuritybreachesofvendororganizationVendor'semergencyresponse/problemescalationproceduresVendor'sprofessionalservicesofferingsforsecureITproductassessment,planning,anddeploymentVendor'sreputationandexpertiseinourindustryVendor'scybersupplychainriskmanagementprocessesVendor'soverallsecurityexpertise/reputationVendor'sexperienceandtrackrecordrelatedtosecurityvulnerabilitiesandsubsequentfixesofitsproductsThefollowingisalistofsecurityconsiderationsanorganizationmayevaluatebeforepurchasingITproductsandservices.
Whichofthefollowingconsiderationsaremostimportanttoyourorganizationduringtheproductevaluationandpurchaseprocess(Percentofrespondents,N=303,threeresponsesacceptedperrespondent)WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance72015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
Theseauditsarebecomingincreasinglycomprehensive.
AsESGresearchillustrates,ITvendorcybersecurityauditsincludethingslikehandsonreviewsofavendor'ssecurityhistory,reviewsofavendor'ssecuritydocumentation,processes,andmetrics,andreviewsofvendors'owninternalITandcomplianceaudits(seeFigure3).
Figure3.
MechanismsUsedInITVendorAuditsSource:EnterpriseStrategyGroup,2015.
CyberSupplyChainSecurityAssuranceTheESGresearchpresentsaclearpicture—high-securityenterpriseorganizationsareincreasinglydemandinggreatercybersecuritybestpracticesfromtheirstrategicITvendors.
Furthermore,vendors'cybersecuritypolicies,processes,andmetricsarebecomingadeterminingfactorforITprocurementasadvancedorganizationsarenowselectingstrategicITvendorsbaseduponanewstandard,cybersupplychainsecurityassurance,definedas:28%30%40%42%44%49%51%52%54%0%10%20%30%40%50%60%SendvendorastandardlistofquestionsonpaperandthenreviewtheirresponsesOn-siteinspection(s)ofvendor'sfacilitiesReviewanyrecentpenetrationtestingresultsandsubsequentremediationplansDemandvendorcertificationsHands-onreviewofdocumentation,processes,securitymetrics,andpersonnelrelatedtoavendor'ssecurityprocessesHands-onreviewofdocumentation,processes,securitymetrics,andpersonnelrelatedtoavendor'sproductdevelopmentprocessesReviewofvendor'ssecurityauditsHands-onreviewofdocumentation,processes,securitymetrics,andpersonnelrelatedtoavendor'ssupplychainsecurityprocessesHands-onreviewofvendor'ssecurityhistoryYouhaveindicatedthatyourorganizationconductsauditsofitsITvendors'securityprocesses.
WhichofthefollowingmechanismsdoesyourorganizationusetoconducttheseITvendorsecurityaudits(Percentofrespondents,N=294,multipleresponsesaccepted)WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance82015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
Cybersupplychainsecurityassuranceisthepracticeofmanagingcybersupplychainrisksrelatedtothepeople,processes,andtechnologiesusedtodesign,develop,produce,distribute,andimplementIThardware,software,andservices.
Toparsethisdefinitionfurther,cybersupplychainsecurityassuranceincludes:Secureproductdevelopment.
Thisincludesasecuresoftwaredevelopmentlifecycle,assessment,andtestingofopensourceandthirdpartycodeincludedinvendorproducts,andconsiderationofthecybersecuritypracticesofallcontractorsandsuppliersthatparticipateinsoftwaredevelopmentorhardwarebillofmaterials.
Adequatesecurityskills.
Tominimizerisksassociatedwithhumanerror,productdevelopers,testers,andotherhandlersmusthavesuitableandup-to-datecybersecurityskills.
Therightcybersecurityprocessesandprocedures.
Vendorsmustbacktheirday-to-dayoperationswithcybersecuritybestpracticesforriskmanagement,threatprevention,andincidentresponse.
Additionally,ITvendorsmustemploycybersecuritybestpracticesforinternalITthemselves.
Field-levelcybersecurityexpertise.
EvenwhencybersecurityfeaturesareembeddedinITsystems,overwhelmedcustomersmaynotknowhowtoconfiguredevicesorcustomizesystemsfortheirindividualsecurityneeds.
Vendorswithleadingcybersupplychainsecurityassuranceskillshavefield-levelemployeesorpartnerswhocanhelpcustomersconsumeandbenefitfromproductsecurityfeaturesandfunctionalityupondeploymentandcontinuallyovertime.
Strongcybersecuritycustomersupport.
Whilevendorsshoulddoalltheycantodevelop,distribute,anddeploysecureproducts,theyalsomusthavetherightpreparationforinevitablesecurityvulnerabilities.
Cybersupplychainsecurityassurancedemandsthatvendors'securityteamsmonitorthelatestattacktrendsandworkwiththegreatersecuritycommunitytoensuretimelyawarenessofnewvulnerabilitiesthatcouldimpacttheirproducts.
Oncevulnerabilitiesaredetected,vendorsmustalsohavehighlyefficientprocessesfordeveloping,testing,anddistributingsoftwarepatches.
Finally,vendorsmusthaveahighlytrainedstafftoguidecustomersthroughsecurityfixesasneeded.
TheVMwareTrust&AssuranceFrameworkESGbelievesthatcybersupplychainsecurityassuranceisstartingtohaveamarketimpact,creatingaclearlineofdelineationbetweenITvendorswithtruecybersecuritycommitmentsandthosethatremainbehind.
Sadly,manyITvendorshavenotembracedtherightlevelofcybersupplychainsecurityassurance,puttingtheircustomersatrisk.
Sinceitsformationin1998,VMwareCorporationhasgrownandevolveditsroleatenterpriseorganizations.
Earlyon,VMwareservervirtualizationtechnologywasusedprimarilybyITdepartmentsforsoftwaretestinganddevelopment.
Overtime,largeorganizationsembracedVMwareinproductiondatacentersforserverconsolidation.
Mostrecently,VMwarehasbecomeastrategicITvendoratmanyenterpriseorganizationsasVMwaretechnologyisoftendeployedonendpoints,indatacenters,andacrosspublicandprivatecloudinfrastructure.
AsitadvancedfromtacticaltostrategicITvendor,VMwarefacedapatternofincreasingcybersecurityscrutinyfromdemandingpublicandprivatesectorcustomers.
Toaddressthis,VMwaremanagementintroducedaninternalfocusoncontinuouscybersecurityimprovementseveralyearsago.
ThiseffortculminatedrecentlywithaninitiativecalledVMwareTrust&Assurance,whichiscomposedoffourguidingprinciples:Reliability.
WithintheVMwareTrust&Assuranceframework,thecommitmenttoreliabilityincludes:ProductperformanceandscalabilityinordertoensurethatVMwareproductscanmeetenterprisedemands.
ApervasivecultureofevangelismandeducationtokeepVMwareemployeesandcustomerseducatedandengagedonrapidly-changingcybersecurityrisks.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance92015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ResearchdedicatedtoenhancingVMwareproductperformanceandreliabilitywhileworkingwithcustomersonassociatedprojectplanning,testing,deployment,andoptimization.
QualitymetricsandcontinuousimprovementassociatedwithVMwareproducts,people,andpartners.
Integrity.
ThisprinciplealignswithVMware'ssoftwaredevelopmentandcomprises:TheVMwaresoftwaredevelopmentlifecycle.
VMwarehadbuiltadevelopmentprocessthatincludesformalrepeatableprocessesforsoftwaredesign,testing,documentation,release,andongoingsupport.
Complianceandrisk.
Alongwithitspartners,VMwaredevelopedthecompliancereferencearchitectureframework(RAF)thatalignsitstechnologywithregulatorycompliancerequirementsacrossindustries.
Softwaresupplychainmanagement.
VMwareisaddressingitsowncybersupplychainpracticesinanumberofareasincludingIPprotection,sourcecodesharing,riskmanagementassessment,andproactivesoftwaresecurityprogramswithstrategicpartnersandsuppliers.
Privacy.
Toprotectcustomerprivacy,VMwaredefinesitsprivacypolicytocustomers,specifyingwhatdataitcollectsandhowitisused.
VMwarefollowsa"privacybydesign"frameworktoprovidetransparencyonprivacyasitrelatestoproducts,services,andsupport.
Security.
VMwarehasintroducedstrongcybersecuritythroughoutitsorganization.
Examplesofthisinclude:Productsecurity.
VMwarehascreatedaproductsecurityteamresponsibleforoversightofallproductsecurity.
Thisgroupsupervisessecuritydevelopmentprocessesandmetricswitheachproductteamandisresponsiblefordemonstratingcontinuousimprovement.
Securitydevelopmentlifecycle.
Thisextendsbeyondthesecuresoftwaredevelopmentlifecycleandincludessecuritytraining,planning,serviceability,aswellasresponseplanning,productsecurityrequirementsassessment,andoverallsecuritymonitoring.
Thesecurityresponsecenter.
VMwareemploysateamofsecurityresearchers,softwaredevelopers,andsupportstafftofindvulnerabilities,developfixes,andworkwithcustomersandpartnersfortimelydistributionanddeploymentofsecurityfixes.
ITsecurity.
Likealllargeenterprises,VMware'scorporateinfrastructureisundercontinualattacksfrommaliciousindividualsandentities.
Toaddressthisrisk,VMwaremaintainscybersecuritybestpracticesoninternalnetworksandsystems.
Commitment.
Tomakecybersupplychainsecurityassurancepervasiveineverythingitdoes,VMwarehasmadecybersecuritypartofitscorporateculture.
Ofcourse,thisrequiresatruecybersecuritycommitmentincluding:Continuingproductdevelopment.
VMwarehasestablishedacontinuingproductdevelopmentorganization,whichactsasasinglepoint-of-contactforaddressing,escalating,andresolvingproductandcustomercybersecurityissues.
Ecosystemservices.
VMwareunderstandsthatitscybersecuritysupplychainincludesanetworkofhundredsofotherITvendorandservicespartners.
VMwareprovidestechnicalsupport,testing,cooperativesupportservices,andrules-of-engagementtoensurestrongcybersecurityinthefield.
Customeradvocacy.
VMwarerecognizesthatcybersecurityprofessionalsareacommunityoflike-mindedindividualswithafewcommongoals—mitigatingITriskandprotectingcriticalITassetsanddata.
Tosucceed,VMwaredependsuponapartnershipofequalswithVMwareWhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance102015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
participatinginthecybersecuritycommunityratherthandictatingitsownITvendoragenda.
VMwareseekstofacilitatethisrelationshipwithsecurityresearch,workshops,benchmarks,securityeducation,andsocialmediacampaigns.
WithitsTrust&Assuranceinitiative,VMwareistakinga360degreeperspectiveoncybersecuritythatencompassesitsproducts,partners,customers,employees,andthecybersecuritycommunityatlarge.
Inthisway,VMwarehasnotonlyrespondedtoitsenterprisecustomers'needforgreatertransparencyrelatedtocybersupplychainsecurity,butisalsosettinganexamplethatshouldbeemulatedbyotherITvendors.
TheBiggerTruthCISOsfaceadauntingareaofchallenges.
Cyberthreatsgrowmorevoluminous,sophisticated,andtargetedwhileITinfrastructuregetsmorecomplexasnetworkperimetersdisappear.
Yes,thesechangesdemandanincreasingcommitmenttocybersecurityoversight,riskmanagement,andtightsecuritycontrolsbuttheseeffortssimplycan'tbelimitedtocorporateLANs,WANs,anddatacenters.
Rather,CISOsmustunderstandtherisksassociatedwiththeircybersupplychains,andestablishbestpracticesforcybersupplychainsecurity.
ESGresearchindicatesthatthistransitionisalreadyinprogress,causingmanyorganizationstoauditthesecurityoftheirITproductandservicesvendors.
Leadingedgeenterprisesarealsomakingpurchasingdecisionsbasedupontheirvendors'cybersupplychainsecurityassuranceprograms.
Movingforward,moreorganizationswilllikelyfollowsuit.
UnlikemanyotherenterpriseITvendors,VMwareiswellpreparedforthisincreasinglevelofcybersecurityoversight.
Infact,theVMwareTrust&Assuranceinitiativeisdesignedtomeetandexceedthegrowingneedforgreatertransparencyrelatedtoenterprisecybersecurity.
Assuch,VMwareissettinganexamplefortheITindustryatlarge.
CISOswouldbewellservedtodemandsimilarcybersupplychainsecurityassurancefromALLoftheirstrategicITvendors.
20AsylumStreet|Milford,MA01757|Tel:508.
482.
0188Fax:508.
482.
0218|www.
esg-global.
com
- attentionstealthy相关文档
- HowtheF-35AandtheF-15EXcompare
- denesstealthy
- ensurestealthy
- approachstealthy
- CYBERstealthy
- victoriousstealthy
Hostinger 限时外贸美国主机活动 低至月12元且赠送1个COM域名
Hostinger 商家我们可能一些新用户不是太熟悉,因为我们很多新人用户都可能较多的直接从云服务器、独立服务器起步的。而Hostinger商家已经有将近十年的历史的商家,曾经主做低价虚拟主机,也是比较有知名度的,那时候也有接触过,不过一直没有过多的使用。这不这么多年过去,Hostinger商家一直比较稳妥的在运营,最近看到这个商家在改版UI后且产品上也在活动策划比较多。目前Hostinger在进...
硅云香港CN2+BGP云主机仅188元/年起(香港云服务器专区)
硅云怎么样?硅云是一家专业的云服务商,硅云的主营产品包括域名和服务器,其中香港云服务器、香港云虚拟主机是非常受欢迎的产品。硅云香港可用区接入了中国电信CN2 GIA、中国联通直连、中国移动直连、HGC、NTT、COGENT、PCCW在内的数十家优质的全球顶级运营商,是为数不多的多线香港云服务商之一。目前,硅云香港云服务器,CN2+BGP线路,1核1G香港云主机仅188元/年起,域名无需备案,支持个...
RAKsmart美国洛杉矶独立服务器 E3-1230 16GB内存 限时促销月$76
RAKsmart 商家我们应该较多的熟悉的,主营独立服务器和站群服务器业务。从去年开始有陆续的新增多个机房,包含韩国、日本、中国香港等。虽然他们家也有VPS主机,但是好像不是特别的重视,价格上特价的时候也是比较便宜的1.99美元月付(年中活动有促销)。不过他们的重点还是独立服务器,毕竟在这个产业中利润率较大。正如上面的Megalayer商家的美国服务器活动,这个同学有需要独立服务器,这里我一并整理...
stealthy为你推荐
-
云主机租用租用云主机有什么好处?虚拟空间租赁请帮忙理解:虚拟空间、租用主机、主机托管、自己架设服务器云服务器租用云服务器怎么租呀免费网站空间如何免费做网站 免费域名+免费空间+免费网站asp网站空间什么是ASP空间?香港虚拟主机香港虚拟主机多少钱一年呢?成都虚拟主机成都哪个公司建网站最好网络域名ip 地址和域名的区别是什么新网域名新网域名是不是又挂了?域名升级访问请问下老师:我新买的域名,要多长时间才能访问呀?