Google and Salesforce have announced the creation of a vendor-neutral security baseline called the Minimum Viable Security Product (MVSP), which they said was an effort to "raise the bar for security while simplifying the vetting process."
Alongside Google and Salesforce, MVSP was developed and backed by Okta, Slack and others. Google vice president of security Royal Hansen said it was "designed to eliminate overhead, complexity and confusion during the procurement, RFP and vendor security assessment process by establishing minimum acceptable security baselines."
"With MVSP, the industry can increase clarity during each phase so parties on both sides of the equation can achieve their goals and reduce the onboarding and sales cycle by weeks or even months," Hansen said.
"MVSP is a collaborative baseline focused on developing a set of minimum security requirements for business-to-business software and business process outsourcing suppliers. Designed with simplicity in mind, it contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture. MVSP is presented in the form of a minimum baseline checklist that can be used to verify the security posture of a solution."
Companies have long had to write their own security baselines for their vendors, which complicates the process: the baselines are difficult for organizations to assemble, and for vendors they add up to a byzantine maze of differing requirements to comply with.
Hansen explained that the MVSP will create an industry-wide baseline backed by practitioners that clearly communicates a set of minimum requirements.
The requirements can also help organizations understand the gaps in their own process and identify areas where they need to be tougher on vendors.
"MVSP provides a single set of security-relevant questions that are publicly available and industry-backed. Aligning on a single set of baselines allows clearer understanding from vendors, resulting in a quicker and more accurate response," Hansen said.
"MVSP ensures expectations regarding minimum security controls are understood upfront, reducing discussions of controls at the contract negotiation stage. Referencing an external baseline helps to simplify contract language and increases familiarity with the requirements."
Hansen added that the companies were interested in feedback from the security community and others who may want to contribute.
Salesforce said outsourcing operations to third-party vendors is a double-edged sword. A Salesforce official said it saves money but grants external access to critical systems and customer data. A recent study showed 59% of companies have experienced a data breach caused by one of their vendors.
The MVSP checklist includes questions about whether a vendor performs annual comprehensive penetration testing on its systems, as well as whether it complies with local laws and regulations such as GDPR.
Questions also cover whether vendors have implemented single sign-on using modern, industry-standard protocols and whether they apply security patches promptly.
Does a vendor maintain a list of the sensitive data types the application is expected to process? Does it keep an up-to-date data flow diagram showing how sensitive data reaches its systems and where that data ends up being stored? These are all questions posed by the MVSP checklist.
The checklist also includes questions about the physical security of facilities and whether vendors have layered perimeter controls or entry and exit logs.