An interesting and potentially troubling event happened in the information security world on Wednesday, August 16, 2017. It wasn’t a major hacking attack or a massive data breach. It wasn’t the release of a new security tool, or the failure of a critical data center.
It was a decision by a single CEO to remove a website and an account.
For those of you who might be unfamiliar with the company CloudFlare, it is one of the largest cloud hosting providers on the market. It has over 100 data centers around the world, and hosts websites from some of the biggest names in the world, including Cisco, the Library of Congress and Nasdaq. Until recently, CloudFlare also hosted the website of a fringe white supremacist group called The Daily Stormer.
The CEO of CloudFlare, Matthew Prince, woke up on that Wednesday and decided that he didn’t want a group that most people find exceptionally offensive using his company’s service. So, according to this source quoting Prince, he simply closed their account and removed their website. In his own words, this was an entirely arbitrary decision.
So why is this so troubling? Because, even according to Mr. Prince himself, it is “dangerous” for this kind of power to be concentrated in anyone’s hands, even his own. In order to prevent fraud and errors, more than one person should be required to complete this type of task. This risk management concept is known as Segregation of Duties, or SoD.
Good Intentions, Bad Precedents
One of the difficulties in doing third-party risk management (TPRM) is we often lack the kind of internal insight that is taken for granted in conventional information security auditing. In most cases, we can’t go into a third-party and test their processes, take samples, and physically inspect their processes. In most cases, we must look in from the outside, and this often involves paying attention to significant happenings and making educated inferences from them.
No individual in a company should ever have unlimited power over IT systems. One thing auditors look for is appropriate Segregation of Duties. One person should not be able to (for example) enter a payment request, approve that request, and issue the payment. And no CEO should be able to simply remove a customer account and a website “arbitrarily” as Mr. Prince, with the best of intentions, did.
That Mr. Prince was able to do so makes me wonder about the control environment at CloudFlare. If the CEO can remove (or change) a client’s website directly (either physically himself, or by ordering another person to do it), then does the organization have appropriate SoD controls in place to keep anybody else from, for example, accessing sensitive personally identifiable information (PII) about specific customers that might be stored on their machines? Or modifying prices on my company’s web page?
Questions to Ask Your Hosting Provider About Segregation of Duties
When looking at a hosting provider, there are several questions we can ask that directly relate to the segregation issues highlighted by the Cloudflare incident. Sometimes, the best way to understand a company’s security is to ask not about specific controls, but to learn about how it prevents something bad from happening. With the above in mind, if I was looking at a hosting provider, I would likely ask:
- How do you ensure nobody modifies my web pages without explicit permission?
- How do you prevent somebody inside your company from accessing any sensitive data that I’m storing in my accounts or systems?
- How do you audit these controls? How do you test to see that they are actually working?
- How do you ensure any changes to my website and other systems are appropriately logged so I can review them, and how do you ensure those logs are protected?
An even more important question relates to the control environment: Since your CEO feels entitled to, and has the means to, change or delete a web page for a client on a whim, how can we trust you as a company to adhere to the controls that are supposed to be in place?
Because, even though many would agree with Mr. Prince’s choice, as an information security professional I find his methods and the fact the controls in place didn’t stop him to be highly troubling.
Contact Pivot Point Security to talk about your company’s third-party risk issues and how best to reduce them with duty segregation.