
Yeah, exactly, it's always possible to fail someone if ANYTHING is outsourced. Keep on digging digging digging. For example Amazon is PCI DSS Level 1 and more than willing to provide docs to prove it, so if you need PCI DSS 1 or less, that "should" be OK. OK fine, keep digging. In more detail you can see AWS brags about having linked their HR system to their security system so when someone is terminated their security access is immediately automatically revoked. OK fine, keep digging. I demand to see the Python script or whatever that they wrote and I'd like to examine the system logs on both sides to verify operation of that security system. Ah, got them now. OK, now I demand to read the source code for the BIOS of the computer that connects those two systems. Can't do it? You're now officially insecure, cancel the deal.

You can shut down deals that aren't outsourced by demanding more difficult stuff like viewing the manufacturing masks for the microcontrollers in the badge scanners. No, not a generic mask for the CPU family or similar model of slightly different capacity, I mean the mask that was specifically used to make the specific chips in the individual badge scanners. You do audit that, don't you? Why can't I have the firmware for the chip in your USB keyboard, are you guys hiding something in there like a password grabber? Can you provide the source code of your on-premises Cisco routers for our security review? Does Cisco know you can do that (LOL?)

Security is not a checkmark, it's always been a spectrum, and if you want to torpedo a deal it's always possible to crank up the demands until the other side quits. It may not be useful or provide a business advantage, but nothing is ever truly secure. Probably the AWS stuff is better than average, LOL.
