What You Need To Know About Vetting
Author Jose-Miguel Maldonado
We live in a world where we are constantly connected – whether that be through e-mail, social media, or communication apps. But have you ever stopped to spend some time doing due diligence on the apps and cloud services that you use?
Why Should I Care?
Have you ever scrolled through a EULA (End-User License Agreement) or Terms Of Service and just hit “I Accept” without actually reading what’s in these agreements? We’re all guilty of this. After all, who has time to read through all the legalese that is, frankly, confusing and boring? The truth of the matter is that whenever you use an app or a cloud service, you should be reading the fine print to find out what permissions an app will have, what a cloud service will do with your data, and what rights you have as a consumer.
Okay, what should I look for?
Think of all the apps and cloud services you use personally – social media, e-mail, financial (e.g. budget apps), or even fitness and health services. It’s important to know how your data will be handled. Here are some things to consider when you’re evaluating an app or cloud service:
- Who has access to the app/cloud data?
Do they use PoLP (Principle Of Least Privilege) or does everyone have access to customer data?
- Is data encrypted in transit and at rest? (You’d be surprised how many companies don’t encrypt data)
- What is the data retention policy?
If you stop using an app or cloud service, how long is your data retained?
- Is your data shared?
This is a big one. Many apps/cloud services will share your data with 3rd parties – whether that be for money or for other purposes. There are even some apps where you “agree” to allow the company to use any photos/videos you upload to the app for marketing purposes. These “gotchas” are usually spelled out in the Terms Of Service, but people often overlook them.
If you are a decision maker for your company and get to choose the apps/cloud services that are used by employees, you will want to do even more vetting to protect your company:
- Do apps undergo third-party application security testing?
- Do cloud services have protocols in place to vet their employees?
This is important because I once vetted a very popular file-sharing service, asked them this question, and they said, “We just hire good people and don’t do any kind of background check. They have access to all customer data.” While this may sound fine in theory, the Insider Threat is real and something that you as a consumer should be mindful of when you’re choosing an app/cloud service.
- Do cloud service companies have any type of compliance?
e.g. ISO, PCI DSS, SOC 2, etc.
The bottom line is that it’s important to take a few moments to carefully examine any app/cloud service you are planning to use. You may be pleasantly surprised by how strong a company’s security is, or you may be frightened by how awful it actually is (e.g. no encryption, sharing or selling data, etc.).
About the author: Jose-Miguel Maldonado is the VP of Business Ops & Security at Rubica, a cybersecurity startup, and has acquired a reputation for creating cybersecurity champions out of non-technical people.