Well, it finally happened: I got asked to audit information that is stored in a cloud by a third-party vendor.
I’ve acquired the controls, such as password policies, presented in a browser to my client. Several questions came immediately to mind:
1. Given that web browsers are still fundamentally insecure, how does the vendor address such issues? SSL is likely the easy answer here. Let’s hope so. Is data transmitted in the clear after the login? Let’s hope not.
2. Given the prevalence of phishing Trojans, how are vendors and clients going to address illegal and invisible capture of credentials? Do we add this to the VMware profile? That may be the only option. With VMware Reader being free, one image can go on a lot of desktops (M$ may not like this much).
3. Where’s the confidential data sitting? Is it encrypted? Who has the keys? How is the vendor managing employee access?
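For the first question (is anything still sent in the clear after login?), here is an added example of the kind of offline check an auditor can run over a captured post-login response; it is not code from the original post, and the vendor hostname and cookie values are constructed samples.

```python
"""Added example (not from the original post): evaluate the transport-security
signals of one captured HTTP response (URL scheme, Strict-Transport-Security
header, Secure/HttpOnly cookie flags) and report audit findings.  All sample
responses below are constructed, not captured from any real vendor."""
from urllib.parse import urlsplit


def audit_transport(url, headers):
    """Return a list of findings for one captured response.

    url     -- the URL the response was served from
    headers -- list of (name, value) pairs as captured; Set-Cookie may repeat
    """
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("page served over plain HTTP")
    hdrs = {}
    cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            hdrs[name.lower()] = value
    if "strict-transport-security" not in hdrs:
        findings.append("no Strict-Transport-Security header")
    for cookie in cookies:
        attrs = [part.strip().lower() for part in cookie.split(";")]
        cname = attrs[0].split("=", 1)[0]
        if "secure" not in attrs:
            findings.append(f"cookie {cname} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cname} lacks HttpOnly flag")
    return findings


# Constructed samples: a post-login dashboard from a hypothetical vendor console.
WEAK = ("http://portal.example.invalid/dashboard",
        [("Content-Type", "text/html"),
         ("Set-Cookie", "session=abc123; Path=/")])
HARDENED = ("https://portal.example.invalid/dashboard",
            [("Content-Type", "text/html"),
             ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
             ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, (url, hdrs) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_transport(url, hdrs) or ["no findings"])
```

Feed it the URL and response headers of each page reached after authentication; an empty list means none of these three signals is missing, not that the session is fully secure.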
I’ll keep you posted.