attentionstealthy
stealthy 时间:2021-01-12 阅读:()
WhitePaperVMwareandtheNeedforCyberSupplyChainSecurityAssuranceByJonOltsik,SeniorPrincipalAnalystSeptember2015ThisESGWhitePaperwascommissionedbyVMwareandisdistributedunderlicensefromESG.
2015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance22015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ContentsExecutiveSummary3CyberSupplyChainSecurityRealities3CyberSupplyChainSecurityCanBeDifficult4CISOsareBolsteringCyberSupplyChainSecurityOversight.
5CyberSupplyChainSecurityAssurance.
7TheVMwareTrust&AssuranceFramework.
8TheBiggerTruth10Alltrademarknamesarepropertyoftheirrespectivecompanies.
InformationcontainedinthispublicationhasbeenobtainedbysourcesTheEnterpriseStrategyGroup(ESG)considerstobereliablebutisnotwarrantedbyESG.
ThispublicationmaycontainopinionsofESG,whicharesubjecttochangefromtimetotime.
ThispublicationiscopyrightedbyTheEnterpriseStrategyGroup,Inc.
Anyreproductionorredistributionofthispublication,inwholeorinpart,whetherinhard-copyformat,electronically,orotherwisetopersonsnotauthorizedtoreceiveit,withouttheexpressconsentofTheEnterpriseStrategyGroup,Inc.
,isinviolationofU.
S.
copyrightlawandwillbesubjecttoanactionforcivildamagesand,ifapplicable,criminalprosecution.
Shouldyouhaveanyquestions,pleasecontactESGClientRelationsat508.
482.
0188.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance32015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ExecutiveSummaryThecommonsaying,"mayyouliveininterestingtimes"isactuallytheEnglishtranslationofatraditionalChinesecurse.
ThisrealityissomewhatironicasCISOsandcybersecurityprofessionalswouldlikelyagreethattheyindeedliveinaveryinterestingbutdifficulttime.
WhyCyberthreatshavebecomemoreubiquitous,stealthy,andtargetedwhiletheITattacksurfacecontinuestoexpand,drivenbycloudcomputing,InternetofThings(IoT)initiatives,andmobileapplicationuse.
EnterpriseorganizationsnowrealizethatweliveinauniquetimeofincreasingITriskandarerespondingaccordingly.
Corporateexecutivesandboardsareparticipatingmoreintheirorganizations'cybersecuritystrategiestomitigatebusinessandtechnologyrisk.
Manyfirmshaveincreasedcybersecuritybudgetsaswellandarenowpurchasinganddeployingapotpourriofnewsecurityanalyticssystemsandlayersofdefense.
Allofthisactivityisastepintherightdirection—butitisjustnotenough.
VMwarehasintroducedanewinitiativecalled"VMwareTrustandAssurance,"whichhelpsanswercustomers'questionsaboutVMware'ssecurityanddevelopmentpracticesandprovidesgreatertransparencyaroundhowitdevelops,builds,secures,andsupportsitsapplications.
Thiswhitepaperconcludes:Organizationsareexposedtovulnerabilitiesinthecybersupplychain.
Thecybersupplychainintroducestheriskthataproductorservicecouldbecompromisedbyvulnerabilitiesand/ormaliciouscodeintroducedadvertentlyorinadvertentlyduringproductdevelopmentormaintenance,dueinparttoincreasingglobalizationoftheITsupplychain.
Consequently,ITproductsandservicesbuiltonafoundationofbroaddiversecybersupplychainsmayincreasetheriskofadevastatingcyber-attacktocustomers.
ITrisksarenotlimitedtocorporateLANs,WANs,anddatacenters.
Rather,enterprisesremainatriskforcyber-attacksthattakeadvantageofvulnerabilitiesexistinginITequipment,businesspartnernetworks,non-employeedevices,etc.
Asthesayinggoes,"thecybersecuritychainisonlyasstrongasitsweakestlink.
"Regrettably,muchofthecybersecuritychainresidesoutsidetheperimeterfirewallandthusneedsproperoversight,cybersecuritybestpractices,andamplelayersofdefense.
CISOsarepushingbackonITvendors.
PragmaticcybersecurityprofessionalsnowrealizethattheirstrategicITvendorscanmakeorbreakthecybersecuritychain.
Intheworstcase,insecurepartnersorITsystemscanbeusedasastaginggroundforadevastatingdatabreach.
Tominimizerisk,manyenterpriseorganizationsareaddressingcybersupplychainsecuritybyauditingITvendors'securityprocessesandmakingpurchasingdecisionsbaseduponavendor'sabilitytomeetincreasinglyrigorouscybersecurityrequirements.
ITvendorsmustdevelopcybersupplychainsecurityassurancecapabilities;TheVMwareTrustandAssuranceFrameworkservesasamodelfortheindustry.
Enterprisecybersecurityrequirementswillcontinuetobecomemorerigidinthefuture.
Asthissituationevolves,CISOswillonlydobusinesswithtrustedITvendorswithdemonstrablecybersupplychainsecurityassuranceprogramsthatincludeallaspectsoftheirproductdevelopment,testing,distribution,deployment,customization,andsupport.
VMware'sTrust&Assuranceinitiativeservesasamodelofthetransparencyneededforcybersupplychainsecurityfortheindustry.
CISOsshoulddemandasimilarresponsefromallstrategicITvendors.
CyberSupplyChainSecurityRealitiesOrganizationslargeandsmallarechangingtheirbehaviorwithregardstocybersecurityinresponsetotheincreasinglydangerousthreatlandscapeandhighly-publicizeddatabreaches.
Infact,manyorganizationsnolongerconsidercybersecurityanITissuealone.
Alternatively,cybersecurityriskisnowabusinessprioritythatgetsampleattentionwithbusinessexecutivesandcorporateboards.
AccordingtoESGresearch:WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance42015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
Whenaskedtoidentifythebiggestdriverfortechnologyspendingoverthenext12months,46%oforganizationspointedtosecurityandriskmanagementinitiatives.
Thiswasthemostpopularresponse,quiteabithigherthanthesecondmostpopularanswer,"costreductioninitiatives,"whichcameinat37%.
Justoverone-thirdoforganizations(34%)saythatInformationsecurityinitiativesarethemostimportantITprioritythisyear.
Onceagain,thiswasthetopresponse.
59%oforganizationssaidthattheirITsecuritybudgetsfor2015wouldincreasewhileonly9%saidtheywoulddecreaseinfosecbudgetsthisyear.
1Increasingfocusoncybersecurityhasresultedinlotsofactivity,asmanyorganizationsaddlayersofdefensetotheirnetworks,implementnewsolutionsforincidentdetectionandresponse,andbolstersecuritymonitoringandanalyticsefforts.
TheseinternaleffortsareagoodstartbutagrowingnumberofCISOsrealizethatcybersecurityriskextendsbeyondtheLAN,WAN,andcorporatedatacenterstoalargerpopulationofcustomers,suppliers,andbusinesspartners.
Thislargercybersecurityuniverseissometimesreferredtoasthecybersupplychain,whichESGdefinesas:"Theentiresetofkeyactorsinvolvedwith/usingcyberinfrastructure:systemend-users,policymakers,acquisitionspecialists,systemintegrators,networkproviders,andsoftwarehardwaresuppliers.
Theseusers/providers'organizationalandprocess-levelinteractionstoplan,build,manage,maintain,anddefendcyberinfrastructure.
"Cybersupplychainsecurityissuesarenotuncommon.
Forexample:In2008,theFBIseized$76millionofcounterfeitCiscoequipment.
AspartoftheStuxnetincidentin2010,fivecompaniesactingascontractorsfortheIraniannuclearprogramhadtheirnetworkscompromisedinordertogaintrustedaccesstogovernmentnuclearfacilities.
Thesuccessful2013databreachatTargetCorporationwaseventuallytracedtosystemcompromisesatFazioBrothers,oneofTarget'sHVACcontractors.
HackersusedFazioBrothersasastaginggroundandusedthecompany'snetworkaccessasanattackvector.
CyberSupplyChainSecurityCanBeDifficultSomeCISOsrecognizetherisksassociatedwiththeircybersupplychainsecurityandthisisespeciallytruefororganizationsthatdependuponarmiesofexternalbusinesspartners,contractors,orsuppliersaspartoftheirbusinessoperations.
Unfortunately,cybersupplychainsecuritybestpracticesaren'teasyastheyrequireconstantoversightofthestateofcybersecurityrelatedtoITequipmentproviders,softwarevendors,connectedbusinesspartners,etc.
Infact,cybersupplychainsecurityseemstobegrowingincreasinglyproblematicforsomefirms.
InarecentESGresearchsurveyofcriticalinfrastructuresectororganizations(i.
e.
,chemicalsector,emergencyservices,energysector,financialservices,healthcare,telecommunications,etc.
),40%ofcybersecurityprofessionalsadmittedthatcybersupplychainsecurityhasbecomemoredifficultoverthepastfewyears,andthosewhodidsuppliednumerousreasonsforthatincreaseddifficulty(seeFigure1):44%ofcriticalinfrastructuresectororganizationssaythattheirorganizationhasimplementednewtypesofITinitiatives,increasingthecybersupplychainattacksurface.
TheseinitiativesincludeBYOD,cloudcomputing,InternetofThings(IoT)projects,andthegrowinguseofmobileapplicationsanddevices.
39%ofcriticalinfrastructuresectororganizationssaytheirorganizationhasmoresuppliersthanitdidtwoyearsago.
Thisistobeexpected,giventhewaveofITinnovationaroundsoftware-defineddatacenters,cloudplatforms,virtualnetworks,etc.
36%ofcriticalinfrastructuresectororganizationssaythattheirorganizationhasconsolidatedITandoperationaltechnology(OT),increasingthecomplexityofcybersupplychainsecurity.
Inthesecases,CISOs1Source:ESGResearchReport,2015ITSpendingIntentionsSurvey,February2015.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance52015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
areforcedtosecurebusiness-criticalbutunfamiliartechnologieslikeprogrammablelogiccontrollers(PLCs)andsupervisorycontrolanddataacquisition(SCADA)systemsusedforindustrialoperations.
2Figure1.
ReasonsWhyCyberSupplyChainSecurityHasBecomeMoreDifficultSource:EnterpriseStrategyGroup,2015.
AsidefromtheassortmentofissuesdescribedinFigure1,CISOsoftenvoiceotherconcernstoESG.
Forexample,manysecurityexecutivesareanxiousaboutthegrowinguseofopensourcecomponents(andvulnerabilities)aspartofcommercialsoftware(i.
e.
,Heartbleed,OpenSSL,Shellshock,etc.
).
CISOsalsoworryaboutthingslikerogueinsidersworkingforITsuppliersanddataprivacyrelatedtosensitiveinformationmovedtothecloudbyITvendorsandbusinesspartners.
Dataprivacyandcybersupplychainsecurityissuescanalsobeasourceconcerndrivenbyglobal"follow-the-sun"developmentpracticesandcloudarchitectures,aswellasemergingregulationsliketheEUDigitalSingleMarketinitiative.
CISOsareBolsteringCyberSupplyChainSecurityOversightAscybersecuritymorphsfromatechnologytoabusinessissue,CEOsandcorporateboardsaregainingabetterperspectiveofcybersupplychainsecurityrisks.
Thisisdrivingachainreaction—businessexecutivesarepushingCISOstomitigatecybersupplychainrisk,causingcybersecurityexecutivesandpurchasingmanagerstoplacemorestringentcybersecurityrequirementsontheirITvendors.
2Source:ESGResearchReport,CyberSupplyChainSecurityRevisited,September2015.
AllESGresearchreferencesandchartsinthiswhitepaperhavebeentakenfromthisresearchreportunlessotherwisenoted.
34%34%36%39%44%0%5%10%15%20%25%30%35%40%45%50%MyorganizationhassourcedITproducts,components,andservicesfromothercountriesoverthepastfewyearsandthesechangesmaybeincreasingcybersupplychainsecurityriskMyorganizationhasincreasedthenumberofexternalthird-partieswithaccesstoourinternalITassetswhichhasincreasedthecybersupplychainattacksurfaceMyorganizationhasconsolidatedITandoperationaltechnologysecuritywhichhasincreasedthecomplexityofcybersupplychainsecurityMyorganizationhasmoresuppliersthanitdidafewyearsagoMyorganizationhasimplementednewtypesofITinitiativeswhichhasincreasedthecybersupplychainattacksurfaceYouindicatedthatcybersupplychainsecurityhasbecomemoredifficultatyourorganizationoverthepastfewyears.
Whydoyoubelievethatthisisthecase(Percentofrespondents,N=180,multipleresponsesaccepted)WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance62015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ESGresearchillustratesthistrendwithanextensivearrayofsecurityconsiderationsforITvendorsascriticalinfrastructuresectororganizationsevaluateandpurchaseITproductsandservices.
Forexample,35%examineavendor'sexperienceandtrackrecordrelatedtosecurityvulnerabilitiesandsoftwarepatches,35%lookatavendor'soverallsecurityexpertiseandreputation,and32%contemplateavendor'sreputationandindustryexpertise(seeFigure2).
Figure2.
CybersecurityEvaluationConsiderationsforITPurchasingofProductsandServicesSource:EnterpriseStrategyGroup,2015.
TofurtherappraiseITvendorsecurity,manyorganizationsarealsoadoptingaformalcybersecurityauditprocessaspartoftheirITprocurementprocess.
Forexample,91%ofcriticalinfrastructuresectororganizationsauditthecybersecurityoftheirstrategicsoftwarevendors(i.
e.
,alwaysconductauditsordosoonanas-neededbasis),90%auditthecybersecurityoftheircloudserviceproviders,and88%auditthecybersecurityoftheirstrategicITinfrastructurevendors.
9%14%17%18%20%22%24%29%31%32%35%35%0%10%20%30%40%Locationofvendor'scorporateheadquartersLocationofvendor'sproductdevelopmentand/ormanufacturingoperationsVendor'suseofthird-partiesaspartofitsoverallproductdevelopment,manufacturing,testing,andmaintenanceVendor'sformalanddocumentedsecureproductdevelopmentprocessesVendor'sISOcertificationSecuritybreachesofvendororganizationVendor'semergencyresponse/problemescalationproceduresVendor'sprofessionalservicesofferingsforsecureITproductassessment,planning,anddeploymentVendor'sreputationandexpertiseinourindustryVendor'scybersupplychainriskmanagementprocessesVendor'soverallsecurityexpertise/reputationVendor'sexperienceandtrackrecordrelatedtosecurityvulnerabilitiesandsubsequentfixesofitsproductsThefollowingisalistofsecurityconsiderationsanorganizationmayevaluatebeforepurchasingITproductsandservices.
Whichofthefollowingconsiderationsaremostimportanttoyourorganizationduringtheproductevaluationandpurchaseprocess(Percentofrespondents,N=303,threeresponsesacceptedperrespondent)WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance72015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
Theseauditsarebecomingincreasinglycomprehensive.
AsESGresearchillustrates,ITvendorcybersecurityauditsincludethingslikehandsonreviewsofavendor'ssecurityhistory,reviewsofavendor'ssecuritydocumentation,processes,andmetrics,andreviewsofvendors'owninternalITandcomplianceaudits(seeFigure3).
Figure3.
MechanismsUsedInITVendorAuditsSource:EnterpriseStrategyGroup,2015.
CyberSupplyChainSecurityAssuranceTheESGresearchpresentsaclearpicture—high-securityenterpriseorganizationsareincreasinglydemandinggreatercybersecuritybestpracticesfromtheirstrategicITvendors.
Furthermore,vendors'cybersecuritypolicies,processes,andmetricsarebecomingadeterminingfactorforITprocurementasadvancedorganizationsarenowselectingstrategicITvendorsbaseduponanewstandard,cybersupplychainsecurityassurance,definedas:28%30%40%42%44%49%51%52%54%0%10%20%30%40%50%60%SendvendorastandardlistofquestionsonpaperandthenreviewtheirresponsesOn-siteinspection(s)ofvendor'sfacilitiesReviewanyrecentpenetrationtestingresultsandsubsequentremediationplansDemandvendorcertificationsHands-onreviewofdocumentation,processes,securitymetrics,andpersonnelrelatedtoavendor'ssecurityprocessesHands-onreviewofdocumentation,processes,securitymetrics,andpersonnelrelatedtoavendor'sproductdevelopmentprocessesReviewofvendor'ssecurityauditsHands-onreviewofdocumentation,processes,securitymetrics,andpersonnelrelatedtoavendor'ssupplychainsecurityprocessesHands-onreviewofvendor'ssecurityhistoryYouhaveindicatedthatyourorganizationconductsauditsofitsITvendors'securityprocesses.
WhichofthefollowingmechanismsdoesyourorganizationusetoconducttheseITvendorsecurityaudits(Percentofrespondents,N=294,multipleresponsesaccepted)WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance82015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
Cybersupplychainsecurityassuranceisthepracticeofmanagingcybersupplychainrisksrelatedtothepeople,processes,andtechnologiesusedtodesign,develop,produce,distribute,andimplementIThardware,software,andservices.
Toparsethisdefinitionfurther,cybersupplychainsecurityassuranceincludes:Secureproductdevelopment.
Thisincludesasecuresoftwaredevelopmentlifecycle,assessment,andtestingofopensourceandthirdpartycodeincludedinvendorproducts,andconsiderationofthecybersecuritypracticesofallcontractorsandsuppliersthatparticipateinsoftwaredevelopmentorhardwarebillofmaterials.
Adequatesecurityskills.
Tominimizerisksassociatedwithhumanerror,productdevelopers,testers,andotherhandlersmusthavesuitableandup-to-datecybersecurityskills.
Therightcybersecurityprocessesandprocedures.
Vendorsmustbacktheirday-to-dayoperationswithcybersecuritybestpracticesforriskmanagement,threatprevention,andincidentresponse.
Additionally,ITvendorsmustemploycybersecuritybestpracticesforinternalITthemselves.
Field-levelcybersecurityexpertise.
EvenwhencybersecurityfeaturesareembeddedinITsystems,overwhelmedcustomersmaynotknowhowtoconfiguredevicesorcustomizesystemsfortheirindividualsecurityneeds.
Vendorswithleadingcybersupplychainsecurityassuranceskillshavefield-levelemployeesorpartnerswhocanhelpcustomersconsumeandbenefitfromproductsecurityfeaturesandfunctionalityupondeploymentandcontinuallyovertime.
Strongcybersecuritycustomersupport.
Whilevendorsshoulddoalltheycantodevelop,distribute,anddeploysecureproducts,theyalsomusthavetherightpreparationforinevitablesecurityvulnerabilities.
Cybersupplychainsecurityassurancedemandsthatvendors'securityteamsmonitorthelatestattacktrendsandworkwiththegreatersecuritycommunitytoensuretimelyawarenessofnewvulnerabilitiesthatcouldimpacttheirproducts.
Oncevulnerabilitiesaredetected,vendorsmustalsohavehighlyefficientprocessesfordeveloping,testing,anddistributingsoftwarepatches.
Finally,vendorsmusthaveahighlytrainedstafftoguidecustomersthroughsecurityfixesasneeded.
TheVMwareTrust&AssuranceFrameworkESGbelievesthatcybersupplychainsecurityassuranceisstartingtohaveamarketimpact,creatingaclearlineofdelineationbetweenITvendorswithtruecybersecuritycommitmentsandthosethatremainbehind.
Sadly,manyITvendorshavenotembracedtherightlevelofcybersupplychainsecurityassurance,puttingtheircustomersatrisk.
Sinceitsformationin1998,VMwareCorporationhasgrownandevolveditsroleatenterpriseorganizations.
Earlyon,VMwareservervirtualizationtechnologywasusedprimarilybyITdepartmentsforsoftwaretestinganddevelopment.
Overtime,largeorganizationsembracedVMwareinproductiondatacentersforserverconsolidation.
Mostrecently,VMwarehasbecomeastrategicITvendoratmanyenterpriseorganizationsasVMwaretechnologyisoftendeployedonendpoints,indatacenters,andacrosspublicandprivatecloudinfrastructure.
AsitadvancedfromtacticaltostrategicITvendor,VMwarefacedapatternofincreasingcybersecurityscrutinyfromdemandingpublicandprivatesectorcustomers.
Toaddressthis,VMwaremanagementintroducedaninternalfocusoncontinuouscybersecurityimprovementseveralyearsago.
ThiseffortculminatedrecentlywithaninitiativecalledVMwareTrust&Assurance,whichiscomposedoffourguidingprinciples:Reliability.
WithintheVMwareTrust&Assuranceframework,thecommitmenttoreliabilityincludes:ProductperformanceandscalabilityinordertoensurethatVMwareproductscanmeetenterprisedemands.
ApervasivecultureofevangelismandeducationtokeepVMwareemployeesandcustomerseducatedandengagedonrapidly-changingcybersecurityrisks.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance92015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ResearchdedicatedtoenhancingVMwareproductperformanceandreliabilitywhileworkingwithcustomersonassociatedprojectplanning,testing,deployment,andoptimization.
QualitymetricsandcontinuousimprovementassociatedwithVMwareproducts,people,andpartners.
Integrity.
ThisprinciplealignswithVMware'ssoftwaredevelopmentandcomprises:TheVMwaresoftwaredevelopmentlifecycle.
VMwarehadbuiltadevelopmentprocessthatincludesformalrepeatableprocessesforsoftwaredesign,testing,documentation,release,andongoingsupport.
Complianceandrisk.
Alongwithitspartners,VMwaredevelopedthecompliancereferencearchitectureframework(RAF)thatalignsitstechnologywithregulatorycompliancerequirementsacrossindustries.
Softwaresupplychainmanagement.
VMwareisaddressingitsowncybersupplychainpracticesinanumberofareasincludingIPprotection,sourcecodesharing,riskmanagementassessment,andproactivesoftwaresecurityprogramswithstrategicpartnersandsuppliers.
Privacy.
Toprotectcustomerprivacy,VMwaredefinesitsprivacypolicytocustomers,specifyingwhatdataitcollectsandhowitisused.
VMwarefollowsa"privacybydesign"frameworktoprovidetransparencyonprivacyasitrelatestoproducts,services,andsupport.
Security.
VMwarehasintroducedstrongcybersecuritythroughoutitsorganization.
Examplesofthisinclude:Productsecurity.
VMwarehascreatedaproductsecurityteamresponsibleforoversightofallproductsecurity.
Thisgroupsupervisessecuritydevelopmentprocessesandmetricswitheachproductteamandisresponsiblefordemonstratingcontinuousimprovement.
Securitydevelopmentlifecycle.
Thisextendsbeyondthesecuresoftwaredevelopmentlifecycleandincludessecuritytraining,planning,serviceability,aswellasresponseplanning,productsecurityrequirementsassessment,andoverallsecuritymonitoring.
Thesecurityresponsecenter.
VMwareemploysateamofsecurityresearchers,softwaredevelopers,andsupportstafftofindvulnerabilities,developfixes,andworkwithcustomersandpartnersfortimelydistributionanddeploymentofsecurityfixes.
ITsecurity.
Likealllargeenterprises,VMware'scorporateinfrastructureisundercontinualattacksfrommaliciousindividualsandentities.
Toaddressthisrisk,VMwaremaintainscybersecuritybestpracticesoninternalnetworksandsystems.
Commitment.
Tomakecybersupplychainsecurityassurancepervasiveineverythingitdoes,VMwarehasmadecybersecuritypartofitscorporateculture.
Ofcourse,thisrequiresatruecybersecuritycommitmentincluding:Continuingproductdevelopment.
VMwarehasestablishedacontinuingproductdevelopmentorganization,whichactsasasinglepoint-of-contactforaddressing,escalating,andresolvingproductandcustomercybersecurityissues.
Ecosystemservices.
VMwareunderstandsthatitscybersecuritysupplychainincludesanetworkofhundredsofotherITvendorandservicespartners.
VMwareprovidestechnicalsupport,testing,cooperativesupportservices,andrules-of-engagementtoensurestrongcybersecurityinthefield.
Customeradvocacy.
VMwarerecognizesthatcybersecurityprofessionalsareacommunityoflike-mindedindividualswithafewcommongoals—mitigatingITriskandprotectingcriticalITassetsanddata.
Tosucceed,VMwaredependsuponapartnershipofequalswithVMwareWhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance102015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
participatinginthecybersecuritycommunityratherthandictatingitsownITvendoragenda.
VMwareseekstofacilitatethisrelationshipwithsecurityresearch,workshops,benchmarks,securityeducation,andsocialmediacampaigns.
WithitsTrust&Assuranceinitiative,VMwareistakinga360degreeperspectiveoncybersecuritythatencompassesitsproducts,partners,customers,employees,andthecybersecuritycommunityatlarge.
Inthisway,VMwarehasnotonlyrespondedtoitsenterprisecustomers'needforgreatertransparencyrelatedtocybersupplychainsecurity,butisalsosettinganexamplethatshouldbeemulatedbyotherITvendors.
TheBiggerTruthCISOsfaceadauntingareaofchallenges.
Cyberthreatsgrowmorevoluminous,sophisticated,andtargetedwhileITinfrastructuregetsmorecomplexasnetworkperimetersdisappear.
Yes,thesechangesdemandanincreasingcommitmenttocybersecurityoversight,riskmanagement,andtightsecuritycontrolsbuttheseeffortssimplycan'tbelimitedtocorporateLANs,WANs,anddatacenters.
Rather,CISOsmustunderstandtherisksassociatedwiththeircybersupplychains,andestablishbestpracticesforcybersupplychainsecurity.
ESGresearchindicatesthatthistransitionisalreadyinprogress,causingmanyorganizationstoauditthesecurityoftheirITproductandservicesvendors.
Leadingedgeenterprisesarealsomakingpurchasingdecisionsbasedupontheirvendors'cybersupplychainsecurityassuranceprograms.
Movingforward,moreorganizationswilllikelyfollowsuit.
UnlikemanyotherenterpriseITvendors,VMwareiswellpreparedforthisincreasinglevelofcybersecurityoversight.
Infact,theVMwareTrust&Assuranceinitiativeisdesignedtomeetandexceedthegrowingneedforgreatertransparencyrelatedtoenterprisecybersecurity.
Assuch,VMwareissettinganexamplefortheITindustryatlarge.
CISOswouldbewellservedtodemandsimilarcybersupplychainsecurityassurancefromALLoftheirstrategicITvendors.
20AsylumStreet|Milford,MA01757|Tel:508.
482.
0188Fax:508.
482.
0218|www.
esg-global.
com
2015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance22015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ContentsExecutiveSummary3CyberSupplyChainSecurityRealities3CyberSupplyChainSecurityCanBeDifficult4CISOsareBolsteringCyberSupplyChainSecurityOversight.
5CyberSupplyChainSecurityAssurance.
7TheVMwareTrust&AssuranceFramework.
8TheBiggerTruth10Alltrademarknamesarepropertyoftheirrespectivecompanies.
InformationcontainedinthispublicationhasbeenobtainedbysourcesTheEnterpriseStrategyGroup(ESG)considerstobereliablebutisnotwarrantedbyESG.
ThispublicationmaycontainopinionsofESG,whicharesubjecttochangefromtimetotime.
ThispublicationiscopyrightedbyTheEnterpriseStrategyGroup,Inc.
Anyreproductionorredistributionofthispublication,inwholeorinpart,whetherinhard-copyformat,electronically,orotherwisetopersonsnotauthorizedtoreceiveit,withouttheexpressconsentofTheEnterpriseStrategyGroup,Inc.
,isinviolationofU.
S.
copyrightlawandwillbesubjecttoanactionforcivildamagesand,ifapplicable,criminalprosecution.
Shouldyouhaveanyquestions,pleasecontactESGClientRelationsat508.
482.
0188.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance32015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ExecutiveSummaryThecommonsaying,"mayyouliveininterestingtimes"isactuallytheEnglishtranslationofatraditionalChinesecurse.
ThisrealityissomewhatironicasCISOsandcybersecurityprofessionalswouldlikelyagreethattheyindeedliveinaveryinterestingbutdifficulttime.
WhyCyberthreatshavebecomemoreubiquitous,stealthy,andtargetedwhiletheITattacksurfacecontinuestoexpand,drivenbycloudcomputing,InternetofThings(IoT)initiatives,andmobileapplicationuse.
EnterpriseorganizationsnowrealizethatweliveinauniquetimeofincreasingITriskandarerespondingaccordingly.
Corporateexecutivesandboardsareparticipatingmoreintheirorganizations'cybersecuritystrategiestomitigatebusinessandtechnologyrisk.
Manyfirmshaveincreasedcybersecuritybudgetsaswellandarenowpurchasinganddeployingapotpourriofnewsecurityanalyticssystemsandlayersofdefense.
Allofthisactivityisastepintherightdirection—butitisjustnotenough.
VMwarehasintroducedanewinitiativecalled"VMwareTrustandAssurance,"whichhelpsanswercustomers'questionsaboutVMware'ssecurityanddevelopmentpracticesandprovidesgreatertransparencyaroundhowitdevelops,builds,secures,andsupportsitsapplications.
Thiswhitepaperconcludes:Organizationsareexposedtovulnerabilitiesinthecybersupplychain.
Thecybersupplychainintroducestheriskthataproductorservicecouldbecompromisedbyvulnerabilitiesand/ormaliciouscodeintroducedadvertentlyorinadvertentlyduringproductdevelopmentormaintenance,dueinparttoincreasingglobalizationoftheITsupplychain.
Consequently,ITproductsandservicesbuiltonafoundationofbroaddiversecybersupplychainsmayincreasetheriskofadevastatingcyber-attacktocustomers.
ITrisksarenotlimitedtocorporateLANs,WANs,anddatacenters.
Rather,enterprisesremainatriskforcyber-attacksthattakeadvantageofvulnerabilitiesexistinginITequipment,businesspartnernetworks,non-employeedevices,etc.
Asthesayinggoes,"thecybersecuritychainisonlyasstrongasitsweakestlink.
"Regrettably,muchofthecybersecuritychainresidesoutsidetheperimeterfirewallandthusneedsproperoversight,cybersecuritybestpractices,andamplelayersofdefense.
CISOsarepushingbackonITvendors.
PragmaticcybersecurityprofessionalsnowrealizethattheirstrategicITvendorscanmakeorbreakthecybersecuritychain.
Intheworstcase,insecurepartnersorITsystemscanbeusedasastaginggroundforadevastatingdatabreach.
Tominimizerisk,manyenterpriseorganizationsareaddressingcybersupplychainsecuritybyauditingITvendors'securityprocessesandmakingpurchasingdecisionsbaseduponavendor'sabilitytomeetincreasinglyrigorouscybersecurityrequirements.
ITvendorsmustdevelopcybersupplychainsecurityassurancecapabilities;TheVMwareTrustandAssuranceFrameworkservesasamodelfortheindustry.
Enterprisecybersecurityrequirementswillcontinuetobecomemorerigidinthefuture.
Asthissituationevolves,CISOswillonlydobusinesswithtrustedITvendorswithdemonstrablecybersupplychainsecurityassuranceprogramsthatincludeallaspectsoftheirproductdevelopment,testing,distribution,deployment,customization,andsupport.
VMware'sTrust&Assuranceinitiativeservesasamodelofthetransparencyneededforcybersupplychainsecurityfortheindustry.
CISOsshoulddemandasimilarresponsefromallstrategicITvendors.
CyberSupplyChainSecurityRealitiesOrganizationslargeandsmallarechangingtheirbehaviorwithregardstocybersecurityinresponsetotheincreasinglydangerousthreatlandscapeandhighly-publicizeddatabreaches.
Infact,manyorganizationsnolongerconsidercybersecurityanITissuealone.
Alternatively,cybersecurityriskisnowabusinessprioritythatgetsampleattentionwithbusinessexecutivesandcorporateboards.
AccordingtoESGresearch:WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance42015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
Whenaskedtoidentifythebiggestdriverfortechnologyspendingoverthenext12months,46%oforganizationspointedtosecurityandriskmanagementinitiatives.
Thiswasthemostpopularresponse,quiteabithigherthanthesecondmostpopularanswer,"costreductioninitiatives,"whichcameinat37%.
Justoverone-thirdoforganizations(34%)saythatInformationsecurityinitiativesarethemostimportantITprioritythisyear.
Onceagain,thiswasthetopresponse.
59%oforganizationssaidthattheirITsecuritybudgetsfor2015wouldincreasewhileonly9%saidtheywoulddecreaseinfosecbudgetsthisyear.
1Increasingfocusoncybersecurityhasresultedinlotsofactivity,asmanyorganizationsaddlayersofdefensetotheirnetworks,implementnewsolutionsforincidentdetectionandresponse,andbolstersecuritymonitoringandanalyticsefforts.
TheseinternaleffortsareagoodstartbutagrowingnumberofCISOsrealizethatcybersecurityriskextendsbeyondtheLAN,WAN,andcorporatedatacenterstoalargerpopulationofcustomers,suppliers,andbusinesspartners.
Thislargercybersecurityuniverseissometimesreferredtoasthecybersupplychain,whichESGdefinesas:"Theentiresetofkeyactorsinvolvedwith/usingcyberinfrastructure:systemend-users,policymakers,acquisitionspecialists,systemintegrators,networkproviders,andsoftwarehardwaresuppliers.
Theseusers/providers'organizationalandprocess-levelinteractionstoplan,build,manage,maintain,anddefendcyberinfrastructure.
"Cybersupplychainsecurityissuesarenotuncommon.
Forexample:In2008,theFBIseized$76millionofcounterfeitCiscoequipment.
AspartoftheStuxnetincidentin2010,fivecompaniesactingascontractorsfortheIraniannuclearprogramhadtheirnetworkscompromisedinordertogaintrustedaccesstogovernmentnuclearfacilities.
Thesuccessful2013databreachatTargetCorporationwaseventuallytracedtosystemcompromisesatFazioBrothers,oneofTarget'sHVACcontractors.
HackersusedFazioBrothersasastaginggroundandusedthecompany'snetworkaccessasanattackvector.
CyberSupplyChainSecurityCanBeDifficultSomeCISOsrecognizetherisksassociatedwiththeircybersupplychainsecurityandthisisespeciallytruefororganizationsthatdependuponarmiesofexternalbusinesspartners,contractors,orsuppliersaspartoftheirbusinessoperations.
Unfortunately,cybersupplychainsecuritybestpracticesaren'teasyastheyrequireconstantoversightofthestateofcybersecurityrelatedtoITequipmentproviders,softwarevendors,connectedbusinesspartners,etc.
Infact,cybersupplychainsecurityseemstobegrowingincreasinglyproblematicforsomefirms.
InarecentESGresearchsurveyofcriticalinfrastructuresectororganizations(i.
e.
,chemicalsector,emergencyservices,energysector,financialservices,healthcare,telecommunications,etc.
),40%ofcybersecurityprofessionalsadmittedthatcybersupplychainsecurityhasbecomemoredifficultoverthepastfewyears,andthosewhodidsuppliednumerousreasonsforthatincreaseddifficulty(seeFigure1):44%ofcriticalinfrastructuresectororganizationssaythattheirorganizationhasimplementednewtypesofITinitiatives,increasingthecybersupplychainattacksurface.
TheseinitiativesincludeBYOD,cloudcomputing,InternetofThings(IoT)projects,andthegrowinguseofmobileapplicationsanddevices.
39%ofcriticalinfrastructuresectororganizationssaytheirorganizationhasmoresuppliersthanitdidtwoyearsago.
Thisistobeexpected,giventhewaveofITinnovationaroundsoftware-defineddatacenters,cloudplatforms,virtualnetworks,etc.
36%ofcriticalinfrastructuresectororganizationssaythattheirorganizationhasconsolidatedITandoperationaltechnology(OT),increasingthecomplexityofcybersupplychainsecurity.
Inthesecases,CISOs1Source:ESGResearchReport,2015ITSpendingIntentionsSurvey,February2015.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance52015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
areforcedtosecurebusiness-criticalbutunfamiliartechnologieslikeprogrammablelogiccontrollers(PLCs)andsupervisorycontrolanddataacquisition(SCADA)systemsusedforindustrialoperations.
2Figure1.
ReasonsWhyCyberSupplyChainSecurityHasBecomeMoreDifficultSource:EnterpriseStrategyGroup,2015.
AsidefromtheassortmentofissuesdescribedinFigure1,CISOsoftenvoiceotherconcernstoESG.
Forexample,manysecurityexecutivesareanxiousaboutthegrowinguseofopensourcecomponents(andvulnerabilities)aspartofcommercialsoftware(i.
e.
,Heartbleed,OpenSSL,Shellshock,etc.
).
CISOsalsoworryaboutthingslikerogueinsidersworkingforITsuppliersanddataprivacyrelatedtosensitiveinformationmovedtothecloudbyITvendorsandbusinesspartners.
Dataprivacyandcybersupplychainsecurityissuescanalsobeasourceconcerndrivenbyglobal"follow-the-sun"developmentpracticesandcloudarchitectures,aswellasemergingregulationsliketheEUDigitalSingleMarketinitiative.
CISOsareBolsteringCyberSupplyChainSecurityOversightAscybersecuritymorphsfromatechnologytoabusinessissue,CEOsandcorporateboardsaregainingabetterperspectiveofcybersupplychainsecurityrisks.
Thisisdrivingachainreaction—businessexecutivesarepushingCISOstomitigatecybersupplychainrisk,causingcybersecurityexecutivesandpurchasingmanagerstoplacemorestringentcybersecurityrequirementsontheirITvendors.
2Source:ESGResearchReport,CyberSupplyChainSecurityRevisited,September2015.
AllESGresearchreferencesandchartsinthiswhitepaperhavebeentakenfromthisresearchreportunlessotherwisenoted.
34%34%36%39%44%0%5%10%15%20%25%30%35%40%45%50%MyorganizationhassourcedITproducts,components,andservicesfromothercountriesoverthepastfewyearsandthesechangesmaybeincreasingcybersupplychainsecurityriskMyorganizationhasincreasedthenumberofexternalthird-partieswithaccesstoourinternalITassetswhichhasincreasedthecybersupplychainattacksurfaceMyorganizationhasconsolidatedITandoperationaltechnologysecuritywhichhasincreasedthecomplexityofcybersupplychainsecurityMyorganizationhasmoresuppliersthanitdidafewyearsagoMyorganizationhasimplementednewtypesofITinitiativeswhichhasincreasedthecybersupplychainattacksurfaceYouindicatedthatcybersupplychainsecurityhasbecomemoredifficultatyourorganizationoverthepastfewyears.
Whydoyoubelievethatthisisthecase(Percentofrespondents,N=180,multipleresponsesaccepted)WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance62015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ESGresearchillustratesthistrendwithanextensivearrayofsecurityconsiderationsforITvendorsascriticalinfrastructuresectororganizationsevaluateandpurchaseITproductsandservices.
Forexample,35%examineavendor'sexperienceandtrackrecordrelatedtosecurityvulnerabilitiesandsoftwarepatches,35%lookatavendor'soverallsecurityexpertiseandreputation,and32%contemplateavendor'sreputationandindustryexpertise(seeFigure2).
Figure2.
CybersecurityEvaluationConsiderationsforITPurchasingofProductsandServicesSource:EnterpriseStrategyGroup,2015.
TofurtherappraiseITvendorsecurity,manyorganizationsarealsoadoptingaformalcybersecurityauditprocessaspartoftheirITprocurementprocess.
Forexample,91%ofcriticalinfrastructuresectororganizationsauditthecybersecurityoftheirstrategicsoftwarevendors(i.
e.
,alwaysconductauditsordosoonanas-neededbasis),90%auditthecybersecurityoftheircloudserviceproviders,and88%auditthecybersecurityoftheirstrategicITinfrastructurevendors.
9%14%17%18%20%22%24%29%31%32%35%35%0%10%20%30%40%Locationofvendor'scorporateheadquartersLocationofvendor'sproductdevelopmentand/ormanufacturingoperationsVendor'suseofthird-partiesaspartofitsoverallproductdevelopment,manufacturing,testing,andmaintenanceVendor'sformalanddocumentedsecureproductdevelopmentprocessesVendor'sISOcertificationSecuritybreachesofvendororganizationVendor'semergencyresponse/problemescalationproceduresVendor'sprofessionalservicesofferingsforsecureITproductassessment,planning,anddeploymentVendor'sreputationandexpertiseinourindustryVendor'scybersupplychainriskmanagementprocessesVendor'soverallsecurityexpertise/reputationVendor'sexperienceandtrackrecordrelatedtosecurityvulnerabilitiesandsubsequentfixesofitsproductsThefollowingisalistofsecurityconsiderationsanorganizationmayevaluatebeforepurchasingITproductsandservices.
Whichofthefollowingconsiderationsaremostimportanttoyourorganizationduringtheproductevaluationandpurchaseprocess(Percentofrespondents,N=303,threeresponsesacceptedperrespondent)WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance72015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
Theseauditsarebecomingincreasinglycomprehensive.
AsESGresearchillustrates,ITvendorcybersecurityauditsincludethingslikehandsonreviewsofavendor'ssecurityhistory,reviewsofavendor'ssecuritydocumentation,processes,andmetrics,andreviewsofvendors'owninternalITandcomplianceaudits(seeFigure3).
Figure3.
MechanismsUsedInITVendorAuditsSource:EnterpriseStrategyGroup,2015.
CyberSupplyChainSecurityAssuranceTheESGresearchpresentsaclearpicture—high-securityenterpriseorganizationsareincreasinglydemandinggreatercybersecuritybestpracticesfromtheirstrategicITvendors.
Furthermore,vendors'cybersecuritypolicies,processes,andmetricsarebecomingadeterminingfactorforITprocurementasadvancedorganizationsarenowselectingstrategicITvendorsbaseduponanewstandard,cybersupplychainsecurityassurance,definedas:28%30%40%42%44%49%51%52%54%0%10%20%30%40%50%60%SendvendorastandardlistofquestionsonpaperandthenreviewtheirresponsesOn-siteinspection(s)ofvendor'sfacilitiesReviewanyrecentpenetrationtestingresultsandsubsequentremediationplansDemandvendorcertificationsHands-onreviewofdocumentation,processes,securitymetrics,andpersonnelrelatedtoavendor'ssecurityprocessesHands-onreviewofdocumentation,processes,securitymetrics,andpersonnelrelatedtoavendor'sproductdevelopmentprocessesReviewofvendor'ssecurityauditsHands-onreviewofdocumentation,processes,securitymetrics,andpersonnelrelatedtoavendor'ssupplychainsecurityprocessesHands-onreviewofvendor'ssecurityhistoryYouhaveindicatedthatyourorganizationconductsauditsofitsITvendors'securityprocesses.
WhichofthefollowingmechanismsdoesyourorganizationusetoconducttheseITvendorsecurityaudits(Percentofrespondents,N=294,multipleresponsesaccepted)WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance82015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
Cybersupplychainsecurityassuranceisthepracticeofmanagingcybersupplychainrisksrelatedtothepeople,processes,andtechnologiesusedtodesign,develop,produce,distribute,andimplementIThardware,software,andservices.
Toparsethisdefinitionfurther,cybersupplychainsecurityassuranceincludes:Secureproductdevelopment.
Thisincludesasecuresoftwaredevelopmentlifecycle,assessment,andtestingofopensourceandthirdpartycodeincludedinvendorproducts,andconsiderationofthecybersecuritypracticesofallcontractorsandsuppliersthatparticipateinsoftwaredevelopmentorhardwarebillofmaterials.
Adequatesecurityskills.
Tominimizerisksassociatedwithhumanerror,productdevelopers,testers,andotherhandlersmusthavesuitableandup-to-datecybersecurityskills.
Therightcybersecurityprocessesandprocedures.
Vendorsmustbacktheirday-to-dayoperationswithcybersecuritybestpracticesforriskmanagement,threatprevention,andincidentresponse.
Additionally,ITvendorsmustemploycybersecuritybestpracticesforinternalITthemselves.
Field-levelcybersecurityexpertise.
EvenwhencybersecurityfeaturesareembeddedinITsystems,overwhelmedcustomersmaynotknowhowtoconfiguredevicesorcustomizesystemsfortheirindividualsecurityneeds.
Vendorswithleadingcybersupplychainsecurityassuranceskillshavefield-levelemployeesorpartnerswhocanhelpcustomersconsumeandbenefitfromproductsecurityfeaturesandfunctionalityupondeploymentandcontinuallyovertime.
Strongcybersecuritycustomersupport.
Whilevendorsshoulddoalltheycantodevelop,distribute,anddeploysecureproducts,theyalsomusthavetherightpreparationforinevitablesecurityvulnerabilities.
Cybersupplychainsecurityassurancedemandsthatvendors'securityteamsmonitorthelatestattacktrendsandworkwiththegreatersecuritycommunitytoensuretimelyawarenessofnewvulnerabilitiesthatcouldimpacttheirproducts.
Oncevulnerabilitiesaredetected,vendorsmustalsohavehighlyefficientprocessesfordeveloping,testing,anddistributingsoftwarepatches.
Finally,vendorsmusthaveahighlytrainedstafftoguidecustomersthroughsecurityfixesasneeded.
TheVMwareTrust&AssuranceFrameworkESGbelievesthatcybersupplychainsecurityassuranceisstartingtohaveamarketimpact,creatingaclearlineofdelineationbetweenITvendorswithtruecybersecuritycommitmentsandthosethatremainbehind.
Sadly,manyITvendorshavenotembracedtherightlevelofcybersupplychainsecurityassurance,puttingtheircustomersatrisk.
Sinceitsformationin1998,VMwareCorporationhasgrownandevolveditsroleatenterpriseorganizations.
Earlyon,VMwareservervirtualizationtechnologywasusedprimarilybyITdepartmentsforsoftwaretestinganddevelopment.
Overtime,largeorganizationsembracedVMwareinproductiondatacentersforserverconsolidation.
Mostrecently,VMwarehasbecomeastrategicITvendoratmanyenterpriseorganizationsasVMwaretechnologyisoftendeployedonendpoints,indatacenters,andacrosspublicandprivatecloudinfrastructure.
AsitadvancedfromtacticaltostrategicITvendor,VMwarefacedapatternofincreasingcybersecurityscrutinyfromdemandingpublicandprivatesectorcustomers.
Toaddressthis,VMwaremanagementintroducedaninternalfocusoncontinuouscybersecurityimprovementseveralyearsago.
ThiseffortculminatedrecentlywithaninitiativecalledVMwareTrust&Assurance,whichiscomposedoffourguidingprinciples:Reliability.
WithintheVMwareTrust&Assuranceframework,thecommitmenttoreliabilityincludes:ProductperformanceandscalabilityinordertoensurethatVMwareproductscanmeetenterprisedemands.
ApervasivecultureofevangelismandeducationtokeepVMwareemployeesandcustomerseducatedandengagedonrapidly-changingcybersecurityrisks.
WhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance92015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
ResearchdedicatedtoenhancingVMwareproductperformanceandreliabilitywhileworkingwithcustomersonassociatedprojectplanning,testing,deployment,andoptimization.
QualitymetricsandcontinuousimprovementassociatedwithVMwareproducts,people,andpartners.
Integrity.
ThisprinciplealignswithVMware'ssoftwaredevelopmentandcomprises:TheVMwaresoftwaredevelopmentlifecycle.
VMwarehadbuiltadevelopmentprocessthatincludesformalrepeatableprocessesforsoftwaredesign,testing,documentation,release,andongoingsupport.
Complianceandrisk.
Alongwithitspartners,VMwaredevelopedthecompliancereferencearchitectureframework(RAF)thatalignsitstechnologywithregulatorycompliancerequirementsacrossindustries.
Softwaresupplychainmanagement.
VMwareisaddressingitsowncybersupplychainpracticesinanumberofareasincludingIPprotection,sourcecodesharing,riskmanagementassessment,andproactivesoftwaresecurityprogramswithstrategicpartnersandsuppliers.
Privacy.
Toprotectcustomerprivacy,VMwaredefinesitsprivacypolicytocustomers,specifyingwhatdataitcollectsandhowitisused.
VMwarefollowsa"privacybydesign"frameworktoprovidetransparencyonprivacyasitrelatestoproducts,services,andsupport.
Security.
VMwarehasintroducedstrongcybersecuritythroughoutitsorganization.
Examplesofthisinclude:Productsecurity.
VMwarehascreatedaproductsecurityteamresponsibleforoversightofallproductsecurity.
Thisgroupsupervisessecuritydevelopmentprocessesandmetricswitheachproductteamandisresponsiblefordemonstratingcontinuousimprovement.
Securitydevelopmentlifecycle.
Thisextendsbeyondthesecuresoftwaredevelopmentlifecycleandincludessecuritytraining,planning,serviceability,aswellasresponseplanning,productsecurityrequirementsassessment,andoverallsecuritymonitoring.
Thesecurityresponsecenter.
VMwareemploysateamofsecurityresearchers,softwaredevelopers,andsupportstafftofindvulnerabilities,developfixes,andworkwithcustomersandpartnersfortimelydistributionanddeploymentofsecurityfixes.
ITsecurity.
Likealllargeenterprises,VMware'scorporateinfrastructureisundercontinualattacksfrommaliciousindividualsandentities.
Toaddressthisrisk,VMwaremaintainscybersecuritybestpracticesoninternalnetworksandsystems.
Commitment.
Tomakecybersupplychainsecurityassurancepervasiveineverythingitdoes,VMwarehasmadecybersecuritypartofitscorporateculture.
Ofcourse,thisrequiresatruecybersecuritycommitmentincluding:Continuingproductdevelopment.
VMwarehasestablishedacontinuingproductdevelopmentorganization,whichactsasasinglepoint-of-contactforaddressing,escalating,andresolvingproductandcustomercybersecurityissues.
Ecosystemservices.
VMwareunderstandsthatitscybersecuritysupplychainincludesanetworkofhundredsofotherITvendorandservicespartners.
VMwareprovidestechnicalsupport,testing,cooperativesupportservices,andrules-of-engagementtoensurestrongcybersecurityinthefield.
Customeradvocacy.
VMwarerecognizesthatcybersecurityprofessionalsareacommunityoflike-mindedindividualswithafewcommongoals—mitigatingITriskandprotectingcriticalITassetsanddata.
Tosucceed,VMwaredependsuponapartnershipofequalswithVMwareWhitePaper:VMwareandtheNeedforCyberSupplyChainSecurityAssurance102015byTheEnterpriseStrategyGroup,Inc.
AllRightsReserved.
participatinginthecybersecuritycommunityratherthandictatingitsownITvendoragenda.
VMwareseekstofacilitatethisrelationshipwithsecurityresearch,workshops,benchmarks,securityeducation,andsocialmediacampaigns.
WithitsTrust&Assuranceinitiative,VMwareistakinga360degreeperspectiveoncybersecuritythatencompassesitsproducts,partners,customers,employees,andthecybersecuritycommunityatlarge.
Inthisway,VMwarehasnotonlyrespondedtoitsenterprisecustomers'needforgreatertransparencyrelatedtocybersupplychainsecurity,butisalsosettinganexamplethatshouldbeemulatedbyotherITvendors.
TheBiggerTruthCISOsfaceadauntingareaofchallenges.
Cyberthreatsgrowmorevoluminous,sophisticated,andtargetedwhileITinfrastructuregetsmorecomplexasnetworkperimetersdisappear.
Yes,thesechangesdemandanincreasingcommitmenttocybersecurityoversight,riskmanagement,andtightsecuritycontrolsbuttheseeffortssimplycan'tbelimitedtocorporateLANs,WANs,anddatacenters.
Rather,CISOsmustunderstandtherisksassociatedwiththeircybersupplychains,andestablishbestpracticesforcybersupplychainsecurity.
ESGresearchindicatesthatthistransitionisalreadyinprogress,causingmanyorganizationstoauditthesecurityoftheirITproductandservicesvendors.
Leadingedgeenterprisesarealsomakingpurchasingdecisionsbasedupontheirvendors'cybersupplychainsecurityassuranceprograms.
Movingforward,moreorganizationswilllikelyfollowsuit.
UnlikemanyotherenterpriseITvendors,VMwareiswellpreparedforthisincreasinglevelofcybersecurityoversight.
Infact,theVMwareTrust&Assuranceinitiativeisdesignedtomeetandexceedthegrowingneedforgreatertransparencyrelatedtoenterprisecybersecurity.
Assuch,VMwareissettinganexamplefortheITindustryatlarge.
CISOswouldbewellservedtodemandsimilarcybersupplychainsecurityassurancefromALLoftheirstrategicITvendors.
20AsylumStreet|Milford,MA01757|Tel:508.
482.
0188Fax:508.
482.
0218|www.
esg-global.
com
- attentionstealthy相关文档
- HowtheF-35AandtheF-15EXcompare
- denesstealthy
- ensurestealthy
- approachstealthy
- CYBERstealthy
- victoriousstealthy
wordpress专业外贸建站主题 WordPress专业外贸企业网站搭建模版
WordPress专业外贸企业网站搭建模版,特色专业外贸企业风格 + 自适应网站开发设计 通用流行的外贸企业网站模块 + 更好的SEO搜索优化和收录 自定义多模块的产品展示功能 + 高效实用的后台自定义模块设置!采用标准的HTML5+CSS3语言开发,兼容当下的各种主流浏览器: IE 6+(以及类似360、遨游等基于IE内核的)、Firefox、Google Chrome、Safari、Opera...
CUBECLOUD:香港服务器、洛杉矶服务器、全场88折,69元/月
CUBECLOUD(魔方云)成立于2016年,亚太互联网络信息中心(APNIC)会员,全线产品均为完全自营,专业数据灾备冗余,全部产品均为SSD阵列,精品网络CN2(GIA) CU(10099VIP)接入,与当今主流云计算解决方案保持同步,为企业以及开发者用户实现灵活弹性自动化的基础设施。【夏日特促】全场产品88折优惠码:Summer_2021时间:2021年8月1日 — 2021年8月8日香港C...
BuyVM老牌商家新增迈阿密机房 不限流量 月付2美元
我们很多老用户对于BuyVM商家还是相当熟悉的,也有翻看BuyVM相关的文章可以追溯到2014年的时候有介绍过,不过那时候介绍这个商家并不是很多,主要是因为这个商家很是刁钻。比如我们注册账户的信息是否完整,以及我们使用是否规范,甚至有其他各种问题导致我们是不能购买他们家机器的。以前你嚣张是很多人没有办法购买到其他商家的机器,那时候其他商家的机器不多。而如今,我们可选的商家比较多,你再也嚣张不起来。...
stealthy为你推荐
-
域名注册com如何申请域名后缀是.com的官方网站?php虚拟主机如何选择PHP网站虚拟主机免费域名空间求速度快的 免费空间 带域名的 谢谢大家成都虚拟空间空间服务商那个好香港虚拟主机虚拟主机大陆的还是香港的好?100m虚拟主机100M虚拟主机有多大,能放多少东西山东虚拟主机济宁梦网科技下载虚拟主机虚拟机下载完之后如何安装虚拟主机99idc网站后台织梦系统重装、空间转移、及上传技巧有哪些?安徽虚拟主机合肥金马网络科技有限公司怎么样?