Due Diligence

Due diligence is the “process through which organizations proactively identify, assess, prevent, mitigate and account for how they address their actual and potential adverse impacts as an integral part of decision-making and risk management.” (ISO 20400:2017)

The core concept of due diligence is about making informed decisions. A decision should be made based on sufficient information and justifications. If a decision-maker can’t do so, he or she doesn’t exercise due diligence. 

Shared Responsibility Model

Trust, but verify

The principle of “Trust, but verify” is borrowed from the political arena. However, when it comes to security, people may use it inconsistently. For example, some may argue “trust, but verify” is not enough; instead, we should never trust but always verify like “Zero Trust.” On the contrary, some other people consider trust is essential, and it is earned after frequent verification. Therefore, they align “trust, but verify” with “Zero Trust.”

If we have subscribed to cloud services provisioned by a cloud service provider after thoughtful evaluation, we trust the services and the provider. However, we have to keep verifying those services and the provider. Reviewing SOC reports is one of the verification activities. Since we are still in the process of evaluating cloud services and shared responsibility, we are exercising due diligence and don’t trust them yet.

Netflix is a good example of exercising the “trust, but verify” principle. As a customer of AWS, it trusts AWS but uses “Chaos Monkey” to verify AWS’s cloud services constantly and randomly.

Netflix was one of the first places to make overall chaos engineering popular several years ago with a tool they called Chaos Monkey. It was designed to test the company’s Amazon Web Services infrastructure by constantly – and randomly – shutting down various production servers. This always-on feature is important because no single event will do enough damage or provide enough insight to harden your systems or find the weakest points in your infrastructure. 

Source: RSA

Defense in Depth

Defense in depth is a concept used in Information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical security for the duration of the system’s life cycle.

Source: Wikipedia

Defense in depth is appropriate when designing controls and grouping them into layers to protect information assets.

Reference

• Due Diligence
• API Rants – Trust but verify
• Trust, but Verify…
• IDENTITY PROTECTION: TRUST BUT VERIFY
• A Review of Intrusion Detection and Blockchain Applications in the Cloud: Approaches, Challenges and Solutions
• Securing chaos: How Security Chaos Engineering tools can improve design and response
• How Netflix pioneered Chaos Engineering

---