Tech vendors create neutral 'security baseline' to simplify protection


The MVSP is a checklist of precautions and processes that should speed up procurement and outsourcing

Google and Salesforce are among the tech firms that have teamed up to create a vendor-neutral security baseline, which should help raise the minimum bar for security while simplifying the vetting process.

Called the Minimum Viable Security Product (MVSP), the new baseline takes the form of a checklist for B2B software and business processes, enabling users to verify the security posture of a vendor's solution.

The checklist is designed with simplicity in mind: it contains only those controls that must be implemented, at a minimum, to ensure a realistic security posture.

The main purpose of the MVSP is to eliminate complexity, uncertainty and overhead during the procurement, request for proposal (RFP) and vendor security assessment process by establishing minimum acceptable security standards, said Google VP of security Royal Hansen.

It is also designed to increase clarity during each phase so both parties (customer and vendor) can achieve their goals, and reduce the onboarding and sales cycle by weeks or even months.

Google, Salesforce, Okta, and Slack are among the companies that are backing the MVSP.

Outsourcing operations to vendors or third parties is a popular business strategy. It saves money for organisations while also enabling them to raise efficiency. However, it can also create significant security risks; a study by Opus and the Ponemon Institute showed that 59 per cent of firms have experienced a data breach due to a vendor or third party.

The MVSP tries to address the issue by creating a checklist that includes several questions for vendors, such as whether they:

The checklist also includes questions about the physical security of facilities.

"We welcome community feedback and interest from other organisations who want to contribute to the MVSP baseline," Hansen said.

"Together we can raise the minimum bar for security across the industry and make everyone safer."