Top 5 Questions to Ask When Securely Deploying & Managing Remote Devices
Does my vendor do Penetration Testing?
Penetration testing, also known as pen testing, probes a device, network, or web application for vulnerabilities that an attacker could exploit. Ideally, device manufacturers should submit to frequent (at least quarterly) pen testing by external contractors AND allow ad-hoc pen testing by interested customers. Ask for the scope of the most recent test and the remediation status of its findings, not just a statement that testing happens.
What security certifications does my vendor maintain?
You want to see an active security office and a documented security model, not just lip service. A dedicated security office means that security best practices are built into the engineering design process. This approach draws on accepted third-party guidelines for product design and testing, such as Failure Mode and Effects Analysis (FMEA) from the American Society for Quality, Design FMEA (DFMEA) as described by iSixSigma, a software development life cycle run under an ISO 9001 quality system, the Penetration Testing Execution Standard (PTES) and OWASP, as well as emerging standards such as those from the Online Trust Alliance (OTA). For any certification claimed, ask to see the certificate and its scope: a certification that covers the vendor's office network says nothing about the device you are deploying.
How does my vendor generate true random numbers and store keys securely?
A cryptographic key is only as good as the random number it is derived from. Computers are inherently deterministic, so how can they produce a truly random number? True hardware random number generators (TRNGs) sample unpredictable physical processes, such as thermal noise, oscillator jitter or quantum noise, rather than computing values from a seed. In practice the TRNG seeds a cryptographically secure pseudorandom generator (CSPRNG) in the operating system or secure element, and keys should be drawn from that, never from a general-purpose PRNG seeded with something guessable such as the clock. Secure key storage is the other half of the question: keys should be generated inside, and never leave, a hardware-protected store (a secure element, TPM or similar), so that extracting the firmware or memory of a stolen device does not expose them.
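The following is an added example, not code from the original article or from any vendor's product, showing why "only as good as the random number" matters. It constructs a deliberately weak generator (Python's deterministic Mersenne Twister seeded with a timestamp, a classic mistake) and shows that an attacker who knows roughly when a key was made can recover it by brute-forcing the seed, then contrasts this with a key drawn from the OS CSPRNG. The timestamp, the one-hour search window and the 16-byte key length are constructed assumptions for the demonstration.

```python
import math
import random
import secrets
from typing import Dict, Optional


def weak_key(seed: int, nbytes: int = 16) -> bytes:
    """Derive a key from a general-purpose PRNG seeded with a timestamp.

    This is the constructed *bad* pattern: random.Random is deterministic,
    so the key is fully determined by the (guessable) seed.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def recover_weak_key(observed_key: bytes, approx_time: int,
                     window: int = 3600) -> Optional[int]:
    """Attacker model: the key was generated within `window` seconds of
    approx_time and the generator is known to be time-seeded.

    Brute-force every candidate seed in that range and return the one
    that reproduces the observed key, or None if no seed matches.
    """
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_key(candidate, len(observed_key)) == observed_key:
            return candidate
    return None


def strong_key(nbytes: int = 16) -> bytes:
    """Key from the OS CSPRNG (secrets -> os.urandom), which the kernel
    seeds from hardware entropy such as a TRNG. There is no seed to guess."""
    return secrets.token_bytes(nbytes)


def effective_entropy_bits(window: int) -> float:
    """Search space of the time-seeded key, in bits: log2 of the number of
    candidate seeds. Compare with the 128 bits a 16-byte CSPRNG key has."""
    return math.log2(2 * window + 1)


def demo() -> Dict[str, object]:
    """Run the attack against a constructed key and report the outcome."""
    gen_time = 1_700_000_000          # constructed generation timestamp
    key = weak_key(gen_time)
    attacker_guess = gen_time + 900   # attacker's clock estimate is 15 min off
    seed = recover_weak_key(key, attacker_guess)
    return {
        "weak_key": key.hex(),
        "recovered_seed": seed,
        "recovered": seed is not None and weak_key(seed) == key,
        "weak_entropy_bits": round(effective_entropy_bits(3600), 1),
        "strong_entropy_bits": 128,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The brute force finishes in well under a second because a one-hour window contains only 7,201 candidate seeds, roughly 12.8 bits of effective entropy, regardless of how long the key itself is. Replacing the generator with `secrets.token_bytes` gives no seed to enumerate, which is the property a vendor's TRNG-backed CSPRNG is supposed to deliver.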
When Was Your Vendor Last Audited, What Did They Find, and What Did They Do About It?
Does your vendor provide ongoing threat measurement and monitoring services, and perform internal and external security audits on a regular basis? Regular audits verify that security patches are current and should come with proactive communication about upcoming threats. Certain industry security frameworks, such as PCI DSS, require regular audits and vulnerability scans. Ask to see the most recent findings and the dates on which the fixes actually shipped to devices in the field.
What will this cost us?
As a general rule, you should only pay a recurring fee if the vendor is making a recurring investment. For example, you should pay once for a great firewall, but pay on an ongoing basis for ongoing device management. It is a good idea to evaluate the total cost of ownership across different vendors. Our competitors' total cost of ownership tends to be higher because they charge separately for security services or, worse, do not offer them at all.