What is third-party risk management, and how does it apply to the cloud?

Risk is inevitable when you work with outside companies, especially where sensitive company or customer data is concerned. As the cloud becomes more and more of a target for malicious attacks, third-party risk management will become an even more mission-critical security practice in the coming years. Let's look at the problems and solutions that companies might face.

Third-Party Risk

A cookie in which you have stored your passwords is an open door into an enterprise that was otherwise well protected. A third party that handles your data processing may fall prey to a simple email phishing attack. Your partners may have partners of their own, and even though you do not necessarily control all of them, that does not mean those relationships should be neglected.

As a security manager, you need to conduct third-party risk assessments before providing access to sensitive data or outsourcing critical business processes to third-party vendors. Continually assess every vendor as you would any other service level; this helps you track their performance over time and confirm that they can consistently meet your security requirements (and all of your other non-negotiables).

Cloud security service providers are vendors too and must be taken into account in the TPRM process. However, making online services easily available to the people who use them can introduce a lot of security risk. Say Fred in accounting has volunteered to purchase cloud services for your organization because he feels confident he can do so without involving the IT team at all. He might find an inexpensive host offering hosting and file-sharing products disguised as a SaaS add-on for Twitter or some other popular social networking site, pay for it with company money through employee expenses, and start putting sensitive client data on it without any concern for how that data will be used or how it is protected from unauthorized access. If Fred, or anyone else in your organization who cannot be trusted with this, does not even recognize which tools and services are clearly labeled private, is he really capable of handling such tasks on his own?


What is Shadow IT?

Scenarios such as these remove significant protections that keep sensitive information safe. You may have some defenses in place that catch things after the fact or even prevent them from happening: perhaps your firewall will block the service from communicating with the network, or finance might spot the suspicious spending before it goes further. However, these are not universal solutions that catch everything, and everyone else will know about your new system before you do!

Shadow IT is a big issue. Additionally, when it comes to cloud technology you might lose your ability to negotiate terms with third parties, let alone with fourth parties, existing or potential. The bottom line is that if you cannot guarantee compliance with security regulations for yourself and for the client, then not doing business with them is clearly your best option; in this case, things are pretty black and white.

Shared responsibility matrix with third-party cloud security services:

The specific security services your cloud security and cloud computing services provider offers will vary based on the type of service: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS). At one end, with IaaS the provider controls the cloud fabric and infrastructure and you get a bare virtual server; from the operating system (OS) level on up, security is mostly your responsibility. At the other end, SaaS gives you an application with limited ability to configure it. While you control things like access, much of the underlying security is an absolute obligation of your provider's team. Note that the categories may bleed into one another. For instance, Microsoft Azure and Amazon Web Services offer plenty of services that fall into PaaS at one level or another!

Vendor risk assessments:

To succeed in a preliminary vendor risk assessment, you need to know what data is flowing to the cloud, what happens with that data after it reaches the cloud, how it flows back to you or your organization, and whether any portion of that information flows back out to third parties. You should also consider how well the cloud service provider implements its security controls, since this can expose weaknesses and flaws that present significant risks. This high-level assessment should determine whether your organization knows enough about a given vendor's security posture before a full-blown NIST 800-30 or FAIR risk assessment is conducted.

Every cloud provider and every new vendor should have its data flow mapped, and every vendor risk assessment you perform should take steps to validate that the data elements mapped are still valid. Be sure to map the data flows even if they originate from multiple sources, because in the end they collectively form one comprehensive picture that helps you steer clear of lurking threats. A multi-pronged discovery effort is usually required for this purpose, including interviews with users, review of procurement records to identify ongoing payments, firewall traffic analysis and, if you have one, use of a Cloud Access Security Broker (CASB). The CASB is an indispensable tool in guarding against shadow IT because it enforces information security as well as compliance with all your policies, so be sure to keep it on and running at all times!
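The firewall traffic analysis step above can be scripted as a first pass: compare outbound destinations against the vendors that have already been through TPRM and rank the unknown ones by upload volume. This is an added example, not code from the original post; the log line format, the approved-vendor inventory and the sample log entries are all constructed.

```python
"""Shadow IT discovery from outbound proxy/firewall logs (added example)."""
import re
from collections import defaultdict

# Constructed inventory: destinations already covered by a vendor risk assessment.
APPROVED_VENDORS = {"crm.example-saas.com", "mail.example-corp.com"}

# Constructed log format: "<timestamp> user=<user> dst=<host> out=<bytes uploaded>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<host>\S+) out=(?P<out>\d+)$")

# Constructed sample: Fred pushes a large volume to an unvetted sharing service.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=fred dst=crm.example-saas.com out=2048
2024-05-01T09:05:12Z user=fred dst=cheapshare.example.net out=5242880
2024-05-01T09:06:40Z user=fred dst=cheapshare.example.net out=7340032
2024-05-01T10:15:00Z user=alice dst=mail.example-corp.com out=1024
2024-05-01T10:20:30Z user=alice dst=cheapshare.example.net out=512
malformed line that should be skipped, not crash the scan
"""


def parse_log(text):
    """Yield (user, host, bytes_out) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["user"], m["host"], int(m["out"])


def find_unapproved(text, approved=APPROVED_VENDORS):
    """Return {host: {"bytes_out": total uploaded, "users": set of users}}
    for every destination that is not in the approved-vendor inventory."""
    findings = defaultdict(lambda: {"bytes_out": 0, "users": set()})
    for user, host, out in parse_log(text):
        if host in approved:
            continue  # already assessed; nothing to add to the TPRM backlog
        findings[host]["bytes_out"] += out
        findings[host]["users"].add(user)
    return dict(findings)


def prioritise(findings, min_bytes=1_000_000):
    """Rank unapproved destinations by upload volume and flag those above
    min_bytes, where bulk uploads suggest company data leaving for an
    unvetted service. Returns (host, bytes_out, sorted users, flagged)."""
    ranked = sorted(findings.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    return [(h, f["bytes_out"], sorted(f["users"]), f["bytes_out"] >= min_bytes)
            for h, f in ranked]
```

Each flagged host is a candidate for the vendor risk assessment described above, or for blocking until one has been done.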

Rely on external audits?

Very often, a business owner like you will have to rely on an external audit (ISO, SOC, etc.) conducted by an outside agency on the cloud security provider. These audits can provide an in-depth, objective and technical review of the third party's security system. What they demonstrate is that the provider is working to align its security program with a commonly accepted standard for the industry. These reports might be your best available resource for understanding some of the risks of a cloud provider, so make sure you read them carefully!

Is there a risk if you share responsibilities with another party?

Let's assume that you do have documented access to your provider, as required by their contract with you. The likelihood, not the certainty, is that they have taken basic security hygiene steps.

You can also use your contract to obtain a guarantee of quality by transferring some of the risk onto the cloud provider. Keep in mind, however, that providers have limited interest in assuming risk, so make sure their contracts and service level agreements actually state what they take on. If their quality assurance is "little or none," then look for cybersecurity insurance policies. Review them closely to determine whether they cover the appropriate risks at an adequate level and have been reviewed by legal experts.
