Stratum performs an ever-increasing number of AWS security assessments for customers large and small. These deep-dive assessments identify deficiencies in a customer's AWS configuration and processes that may expose the customer to risk. Example findings include configuration vulnerabilities such as overly permissive security groups and IAM privilege elevation paths, as well as poor operational procedures. Given our heritage building and operating a large SaaS platform on AWS, we apply real-world experience when assessing a customer's environment.
Recently, RiskRecon approached us with an interesting challenge. RiskRecon is a SaaS platform that allows organizations to perform third-party vendor risk assessments at scale. RiskRecon uses a variety of externally available data to determine an organization's security program maturity and risk posture. It's an efficient and easy way to manage third-party risk.
One challenge for third-party risk professionals is how to assess the risk of a vendor or partner that uses AWS. From the customer's perspective, a vendor operating on AWS is a black box, which makes assessing that vendor's risk difficult. To meet this need, Stratum collaborated with the folks at RiskRecon to create the Amazon Web Services Core Assessment Playbook & Questionnaire.
The playbook is intended to help third-party risk professionals quickly and efficiently determine which vendors need a deeper dive into their AWS environment. You can think of the questionnaire as an "elevator pitch", except that instead of making succinct, key points, you are asking succinct, key questions.