8/6/2019 7532 7531 Understanding the Challenges of Cloud Computing Security Spon With Ad New
Understanding the Security Challenges of Cloud Computing
An Internet.com Security eBook

Contents
Enterprise Cloud Computing: Risk and Economics
Cloud Computing Faces Security Challenges
Cloud Computing Requires Security Diligence
Three Steps to Secure Cloud Computing
How Cloud Computing Security Resembles the Financial Meltdown

This content was adapted from Internet.com's Enterprise IT Planet, eSecurity Planet, CIOUpdate, and Datamation websites. Contributors: Sonny Discini, David Needle, Robert McGarvey, and James Maguire.
Understanding the Security Challenges of Cloud Computing, an Internet.com Security eBook. 2010, Internet.com, a division of QuinStreet, Inc.

Enterprise Cloud Computing: Risk and Economics
By Sonny Discini

Everyone is talking cloud these days, and why not? The offerings are maturing, and the benefits are starting to appeal to those who want to solve enterprise risk and economic issues still on the table. Things like pay-per-use models now have us looking at how we assess hardware and software costs. You can now pay for only what you use instead of buying a full application suite. But can the economic and risk factors drive enterprises over to full cloud deployments?

A New Way of Doing Business

As I just mentioned, the enterprise now has a new way of looking at the economics of operational IT. This extends from core apps right down to enterprise security. Cloud computing is better at optimizing capital investments because it enables lower capital investments in hardware, software, and real estate; instead of investing in them, enterprises procure cloud services. This significantly lowers total cost of ownership, which traditionally has been a significant cost to the enterprise.

When we think of large enterprise IT, we cannot let go of the old assumption that it is slow to move when it comes time to make a change. Cloud offerings may crush this old adage. Cloud computing typically requires significantly less time and effort to provision additional resources for existing applications or new resources for new applications. The straightforward procurement model and use of shared infrastructure also leads to greater agility of the cloud computing model.

Another area where costs have been traditionally high has been in IT talent. Cloud models will allow the enterprise to tap talent pools for a fraction of the cost of retaining in-house staff. This will give IT pros heartburn, but for those who are able to shift on the fly, IT pros will be able to turn their focus to solving business problems. The enterprise can then fully focus on business objectives and allocate more resources to solve business problems, even the ones that were practically insolvable with in-house staff. From another angle, the cloud model now gives small organizations access to IT services and talent previously out of reach. The small organization now has the ability to tap the same level of talent and services as the large enterprises.

You Cannot Shift Risk

Cloud computing offers computing architectures and innovation potential never before seen in large and small enterprises. It is important to understand that risk does not evaporate in the cloud; nor does it shift to the cloud provider. Enterprise security professionals have been waving the red flag to C-level executives interested in migrating to the cloud. Questions must be asked such as:

• Which risks related to service reliability, availability, and security arise?
• How much control can the user exert over the IT services provider?
• What control must be given to the provider and what trust assurances exist?

Given that cloud models are new, even with the SLAs provided today, an enterprise can quickly find that what it thought it was getting may not be the case at all. Legal departments are also seeing cloud issues for the first time, so it is extremely important to involve all enterprise teams when looking at cloud contracts, potential litigation exposures, and of course security risks.

Cloud computing offers significant benefits to the organization in terms of economics, agility, innovation, simplicity, and even social impact. However, the devil is in the details, and while there are many benefits to the cloud model, the trust and risk aspect of the cloud is still widely unknown, and hence, very dangerous. When enterprise architects and security pros design controls around business processes, they will have to take traditional tools and refine them to provide sufficient protection to the enterprise in this new dawn of computing.

Cloud Computing Faces Security Challenges
By David Needle

Is cloud computing adoption hurt by security issues, compliance concerns, or just a poorly chosen name?

"The worst thing we ever did was coin the term cloud, which takes a business process and makes it sound ... out there," said Thinkstrategies analyst Jeff Kaplan.

But John Weinschenk, CEO of security firm Cenzic, said cloud security is far more of a pressing concern. "It's actually impossible to secure the [public] cloud today," he said. "You just don't know if your information is going to be processed in Czechoslovakia or Russia, and what they're going to do with it. And if anything goes wrong, who do you sue?"

John Desantis, CEO of identity management provider Tricipher, agreed. "There is a thin veil that is clearly being penetrated," he said.

But Weinschenk and Desantis made clear they were talking about public, consumer service-style cloud providers. Weinschenk said the future for enterprises lies in private and semi-private clouds that are more closed systems where the security parameters and service guarantees are known.

Nicholas Popp, vice president of product development at domain management and security provider Verisign, however, disagreed to the extent that he said companies like his have the potential to make cloud services even more secure than traditional datacenter solutions.

"Customers think security is the cloud issue, but it's really a trust issue ... a governance issue," Popp said. "Can I set the policies I want to and impose them? And second, can I verify that the policy works? It's about governance and control issues."

"You never sell security," he added. "You sell compliance to those who need it. When we look at people embracing the cloud, it's really from the big guys who control a private cloud and can scale it to realize the benefits. The other buyers are SMBs who are looking to outsource everything."

Randy Barr, chief security officer at Qualys, said enterprises are demanding their cloud service providers offer greater visibility to make it clear that the systems are secure, a service his firm provides.

"You can get scans of the cloud system for vulnerabilities," he said. "We're seeing more transparency from providers to meet this demand."

CIO Objections

Security isn't the only concern enterprise buyers have about cloud computing systems, which in theory can save an order of magnitude in costs over companies buying and managing their own computing infrastructure.

"From an enterprise perspective, the CIO wants to hold off," said Joe Tobolski, a partner at Accenture Technology Labs. But he warned that cloud services are already popular, if you include social networks like Facebook and Twitter as well as e-mail services like Gmail, in the mix. "These services are ridiculously easy to sign on to. There is going to be a clash of the command and control infrastructure that a lot of CIOs prefer to those people who want to get stuff done."

Charles Carmel, vice president of corporate development at Cisco, said that trends like the cloud and software-as-a-service (SaaS) in particular are causing one of the largest disruptions across the IT landscape.

But Marc Benioff, CEO and founder of one of the best known and most successful SaaS providers, Salesforce.com, conceded that the vast majority of software is still with companies in their datacenters.

"That's the opportunity," Benioff added. "I try to educate people because companies want to hold [us] back, like the people that want to sell more servers."

Cloud Computing Requires Security Diligence
By David Needle

Offloading IT infrastructure to a cloud computing provider can result in great cost savings and more streamlined, flexible operations. Need more compute power or storage? Cloud systems like Amazon's readily scale so there's no need to go through a time-consuming purchasing process or scrambling to find more room for an expanded datacenter.

But the cloud is not a panacea, and the need to adhere to information management best practices remains, Symantec executive Deepak Mohan told InternetNews.com.

Mohan should know.

In his position as senior vice president of Symantec's Information Management Group, he oversees a range of products and services including archiving and backup of information management and regularly meets with enterprise customers. The company also works with leading cloud providers like Amazon to ensure their services are compatible.

He jokes that the cloud is very cloudy when it comes to enterprise adoption as companies are still experimenting with the best way to leverage it and feel confident their data is secure. Mohan said he's frequently seeing a hybrid approach where companies rely on a cloud provider for storage or certain applications, but also maintain on-premise backup for security and recovery and to make sure they can adhere to compliance requirements.

"Inside the cloud, customers need the same level of security and data protection," said Mohan. While managed service providers offer service level agreements (SLA) and security assurance, Mohan said companies can and should take extra steps to ensure their information is safe.

"There are many security endpoints with cloud services and that's where authentication becomes very important. It's a big area of investment for us," said Mohan, noting Symantec's $1.28 billion purchase of VeriSign's authentication services unit.

"Amazon is going to encrypt and store your files, but the backup data stream may be unencrypted. So things like security in transit are services we provide that support the hybrid, cloud and on-premise use cases."

Mohan also said it's important for companies, particularly those in highly-regulated industries like finance and health, to be sure their information on the cloud is organized both for retention and compliance.

"The cost of legal e-discovery can exceed government fines. It's very expensive to do on a reactive basis and lawyers love it because they charge by the hour and the page," said Mohan. "What you want to do is instrument your information on the way in, not after the fact."

Symantec is one of many providers that have services to index and protect data. Mohan said Symantec's Enterprise Vault archiving platform follows the EDRM (Electronic Discovery Reference Model) and offers different export formats for outside counsel that are admissible in court.

"Some companies are ahead of the curve and moving proactively to make sure their information is being managed effectively," said Mohan. "Another class of companies really gets serious after their first litigation request."

Three Steps to Secure Cloud Computing
By Robert McGarvey

You can close your eyes and pretend it is not happening (many CIOs are doing exactly that) but face this reality: Cloud computing is with us to stay. Everybody will soon be using it.

At least this is the prediction of Jim Haskin, CIO at Websense, a San Diego-based data security provider, and others.

A scary thought? For many CIOs, yes. "They are panicking about this," said Kirill Sheynkman, CEO of San Francisco-based Elastra, a developer of applications currently deployed in association with Amazon's cloud computing offering. The panic is well-founded, isn't it? Because of the security concerns that come with jumping the firewall?

Sheynkman snorts: "Security is not the issue. Do you think your IT department knows more about data security than Amazon does?"

Reality check: "Data security in the cloud is no different than data security at a remote data center," said John Lytle, a senior consultant with IT consulting firm Compass in Chicago.

"In many cases, data at most companies are more at risk in their own environment than in a well-managed cloud," said Mike Eaton, CEO of Cloudworks, a Thousand Oaks, Calif.-based provider of cloud-based services, primarily to small and mid-sized businesses.

Capable Hands?

The big cloud players (Amazon, Google, Oracle/Sun, Salesforce.com) know more than a little about maintaining online security and, considered in that context, worries about outsiders knocking down the security walls and having their way with your data indeed seem over-wrought. "There's been a lot of over-reaction," said Sheynkman.

"The question should not be about data security in the cloud," elaborates Haskin. "We need to be asking other questions that probe exactly why we are afraid of cloud computing," and certainly as a group, CIOs are resisting it.

But just maybe that has to end because time to dither may be running out for CIOs.

Bill Appleton, chief technical officer at Mountain View, Calif.-based Dreamfactory, a developer of cloud-based applications, ominously warns: "The cloud may skip IT and sell directly to end users. It might simply bypass the command and control system of IT."

And that may be the legitimate worry. That's because a CIO nightmare revolves around unauthorized use of public cloud resources by employees who may be putting sensitive internal data online at Web-based spreadsheets or into slide shows.

"Most CIOs worry a lot about employees putting data that shouldn't be public in public places," said Christopher Day, senior vice president of security services at Terremark Worldwide, a global provider of IT infrastructure. That fear is justified. What would the board of directors say if it discovered the company's strategic plan was accessible in a public cloud? But Day also suggests that CIOs can snuff out this potential firestorm simply by taking a direct approach.

"Just put into place clear policies, then educate employees about them," said Day.

Pull your head out of the sand (or clouds as the case may be) and directly attack this concern. That is how to make it vanish. Understand too that employees who upload sensitive data usually mean well. They are just looking for better ways to work. "Look for other, more secure ways to let them do exactly that," adds Day. Take those two steps and most likely cloud-based shadow IT will diminish in your organization.

Securing the Logon

Another, lingering worry about cloud computing is that with many providers log-ons are too primitive.

"Large enterprise will not embrace the cloud until security significantly improves," flatly predicts John Gunn, general manager at Chicago-based Aladdin, a developer of digital security tools. The worry here is that when barebones log-ons are in use, old-fashioned social engineering techniques will let hackers learn employee log-ons and, watch out, data leakage will be at flood stage.

But, said Gunn, the solution is simple: enterprises should only permit data to migrate to the cloud where two-factor, strong authentication is in use and, right there, hackers probably are kept at bay. Take just that step, suggests Gunn, and considerable big company opposition to cloud computing would instantly evaporate. Most mainstream cloud providers are hanging back on this but, suggests Gunn, when enough users cry out for safeguards the cloud companies will respond.

Here Today

A final, big worry, particularly in today's unstable economy, is the durability of the cloud provider, said Raimund Genes, CTO at Trend Micro, the global security company. You need a provider that will be in business three years from now. When you give up your IT infrastructure, you need a reliable service provider. When a cloud provider goes bankrupt how accessible is your information, by whom? Better not to deal with such questions at all by instead going with cloud providers that have the wherewithal for a long-haul contest.

Parting advice for CIOs who are still wringing their hands in worry over data in the cloud comes from Elastra's Sheynkman who reminds us: It's not all or nothing. It does not have to be. Put only the data you are comfortable with on the cloud. That is what most companies seem to be doing. We are still in an era of experimentation.

Take it in little steps but start taking some steps, that's the smart way to embrace the cloud.

How Cloud Computing Security Resembles the Financial Meltdown
By James Maguire

How do you know if a cloud computing vendor is secure?

After all, you trust them with highly sensitive data and business critical processes. Your entire business may rest on your ability to evaluate their level of security.

When they make claims about their nearly absolute level of safety, should you just take their word for it?

Goodness no, say the vendors, we've got a third-party certification to back up our claims. Specifically, they point to their SAS 70 certification. SAS 70 is a set of auditing standards used to measure the handling of sensitive information. It was created by the impressively named American Institute of Certified Public Accountants (those folks know how to fill out forms). SAS 70 was around before cloud computing, and has been shoehorned into use by vendors seeking an impartial third-party credential to reassure nervous cloud customers.

But here's where it gets dubious. Guess who writes a check to the SAS 70 certifiers? Believe it or not, it's the vendors themselves. If you were a cynical, non-trusting type (which you should be if your company's data is at stake) you might wonder if that is a conflict of interest. Don't accounting firms have a vested interest in granting SAS 70 certifications to those cloud computing vendors who can pay for them?

Hmmm ... as a client of a cloud vendor, I'm feeling nervous. But SAS 70 really does mean something, doesn't it? Well, probably.

More troubling, at this point you might have a moment of déjà vu. Wasn't a similar conflict of interest at the heart of the recent financial meltdown?

In the view of Jay Heiser, a Gartner analyst who specializes in security, the connection is clear. He's the author of the research report Analyzing the Risk Dimensions of Cloud and SaaS Computing. After reading Michael Lewis's account of the financial debacle, The Big Short, Heiser told me, "I found more parallels between what happened in the financial services and cloud computing than I anticipated."

Let's rewind the tape a bit. A distressing fact about the Crash of 2008 is that the major credit rating agencies, the very groups tasked with protecting investors, were tacitly complicit.

The two biggest ratings agencies, Moody's and Standard & Poor's, failed to send up red flags about subprime mortgage-backed securities. These supposedly impartial watchdogs evaluate the credit worthiness of securities, enabling investors to make informed decisions. Yet instead of labeling junk as junk, they bestowed a top AAA grade on highly risky assets.

Shockingly, virtually all of the AAA-rated subprime-mortgage-backed securities issued in 2006 have now been downgraded to a junk rating.

It was a clear conflict of interest. These ratings agencies are paid by the issuer of the security. Perhaps it's not surprising that they labeled some rotting sausage as high-grade beef. If one of the agencies had threatened to give a low (but accurate) rating, the issuer would simply shop at another ratings agency. The system itself was set up to provide false assurance.

Now back to cloud computing and SAS 70. OK, let me get this straight: the cloud companies pay accounting firms for SAS 70 certifications just as the financial organizations paid Moody's for an investment-grade rating?

"Yes, if you see someone who claims to be SAS 70, they have paid an accounting firm. Not only have they paid an accounting firm to go do the test, but they've told the accounting firm what processes need to be tested," Heiser says.

"And you see a distressing number of providers that are claiming, Well, we're secure, or we have availability, it's proven by the fact that we have a SAS 70."

This statement echoes a key finding that Heiser noted in his report:

"Third-party certifications are immature, are unable to address all aspects of cloud-computing risk, and should be relied on only after a thorough evaluation of the written report."

To be fair, a SAS 70 is likely more than a mere piece of paper. It may prove more than the fact that the vendor has the money to hire an accounting firm. Perhaps it should be thought of as a good starting point. Still, the responsibility remains squarely on the client to evaluate the SAS 70's written report and make their own determination. Were the right controls included? Were they evaluated to the appropriate degree?

In other words, buyer beware. You have to do your own digging. From Heiser's report:

"Do not accept the claimed existence of a certification or other third-party assessment as being adequate proof of security and continuity fitness for purpose. Thoroughly review the assessor's written report to ensure that the scope of evaluation is adequate, and that all necessary processes and technologies were appropriately addressed."

But is it IT?

An additional question bedevils the debate over cloud security: Is SAS 70, even if administered by an impartial third party (which it's not), an insightful evaluation of a cloud computing vendor's security?

SAS 70 was never designed for this use, though in theory it could address an IT risk scenario. "Call me a cynic, but SAS 70 is an auditing standard originally intended to be used against processes relevant to financial statements, secondarily to financial transactions," Heiser says.

"So the thing starts very, very far away from anything that would traditionally be considered an information security or a business availability assessment. It's done by accounting firms."

A common perception of the financial evaluators involved with false credit ratings is that they were not the cream of the Wall Street elite. Those brighter talents were pursuing vastly more remunerative activities.

"In contrast, I would expect that whoever is doing a SAS 70 is a fairly ambitious [staffer] at a CPA firm," Heiser says. "Still, are they auditors? IT? Did they go to Purdue and get a Master's degree in Information Security? What's their background for all this?"

The moral of this cautionary tale is best summed up with a last key finding from the Gartner report:

"Be skeptical of vendor claims, and demand written or in-person evidence."