Episode Summary
11:11 Systems Director of Cloud Market Intelligence Brian Knudtson is joined by guests Paul Woodward, James Charter, and Jason Carrier for a conversation about the dangers to both on-premises and cloud supply chains. They discuss how customers need to evaluate their partners, how cloud providers protect their services, and what we should expect from our vendors. They’ll help you ask the hard questions when investigating a vendor, but if you aim to build a partnership, these questions should be easy to ask.
Panel
Cloud Conversations
Topic 1
[03:24] Paul, how do customers typically investigate their hardware and software vendors to ensure they’re protecting their products and testing for vulnerabilities?
Topic 2
[12:29] James, you talked a little bit about, as a cloud service provider, having focus on security. So maybe we can talk a little bit about how a cloud service provider evaluates their own supply chain and how customers can actually learn about their cloud providers and what they’re doing to reduce the risk to them by protecting their own supply chain.
Topic 3
[18:36] Jason, you’ve obviously had some experience there on the vendor side of these and as part of the attack that happened at SolarWinds. So, the incident and vulnerability responses that we have to those types of things from our upstream vendors are critical. What should customers expect and how should they manage it in order to minimize the risk beyond just having those communication channels?
Cloud Bites
[01:53] “When it comes to supply chain, I think it boils down to customers have to do their own due diligence. But at the end of the day, they are, in fact, at the mercy of the vendor.” — Paul Woodward
[10:37] “I think you can work to get yourself in a position where you’re not perfect, but you’re more perfect-er so that the threat actors are going to move on and they’re going to go for the next easy target. I think that is a legitimate strategy in this market.” — James Charter
[15:27] “Even if you already have skills, you can educate yourself further or you can farm it out and get a specialty organization that’s what they do every morning when they get up.” — James Charter
[16:59] “Ask them questions about how they deal with common threats, ask them about how they do their lifecycle management, how do they deal with CVEs when they’re published. All good questions that anyone could ask a prospective partner or organization.” — James Charter
[19:26] “They should expect, and I would go beyond expect and say demand, transparency from the organizations that they’re working with.” — Jason Carrier
[23:05] “You don’t have to be the security-focused person to be alert and then to bring that back in.” — Paul Woodward
[25:32] “If you’re doing it over and over and over again, when some bad thing happens, you can just adapt to it very quickly.” — Jason Carrier
Episode Asset
The Essential Guide to Cloud-Based Backup and Disaster Recovery
Downtime is not an option.
Whether you’re responsible for keeping your IT systems and data online or you have a vested interest in making sure your team can keep your organization running, you know that business continuity is critical. But how do you get started building a business continuity or disaster recovery plan?
In this white paper, we’ll provide you with a step-by-step approach to get started. We’ll show you how to work with the unique needs of your organization and give you a blueprint for addressing business priorities and requirements. Download this DR guide now and learn the five key steps that will help you drive your business continuity planning.