What are the Third-party risk management and the cloud?

 Risk is inevitable when you work with outside companies, especially where a sensitive company or customer data is concerned. As the cloud becomes more and more of a target for malicious attacks, third-party risk management will become a more mission-critical security practice in the coming years. Let’s look at problems and solutions that companies might face.

Third-Party Risk

A cookie where you’ve kept your passwords is like an open door into the enterprise that was otherwise well-protected. A third party who handles your data processing has fallen prey to a simple phishing attack via email. Your partners may have other partners, and even though you do not necessarily control all of them, nevertheless this does not mean that those relationships should be neglected.

As a security manager, you need to conduct third-party risk assessments prior to providing access to sensitive data or outsourcing critical business processes with third-party vendors. Continually assess every vendor as you would any other service level and it'll help you keep track of their performance over time - ensuring they can guarantee that they'll consistently meet your security requirements (and all of your other non-negotiables).

Cloud security service providers are vendors too and must be taken into account during the TPRM process. However, by making online services easily available to the people who use them, a lot of security risks can be introduced. Say you have Fred in accounting who has volunteered to assist with the purchasing of cloud services for your organization because he feels confident in his ability to do so without involving the IT team at all. He might see an inexpensive host offering hosting and sharing products disguised as a SaaS service for Twitter or some other popular social networking site, download it using company money for employees' expenses, and start putting sensitive client data on it without any concern for how it will be used or how it will have been protected from unauthorized access. If Fred or anyone else that's untrustworthy within your organization doesn't recognize the tools/services clearly labeled private, then is he really capable of taking care of such tasks on his own?

https://cyraacs.com/

What is Shadow IT?

Scenarios such as these remove significant protections that keep sensitive information safe. You may have some defenses in place that catch things after the fact or even prevent them from happening - perhaps your firewall will block service from communicating with the network, or finance might be able to spot suspicious activity before it happens. However, these are not universal solutions for catching everything and everyone will know about your new system before you do!

Shadow IT is a big issue. Additionally, when it comes to cloud technology you might lose your capability to negotiate terms with third parties. Not even fourth parties, existing or potential ones. But the bottom line is that if you can’t guarantee compliance with security regulations for yourself and for the client, then not doing business with them is clearly your best option in this case where things are pretty black and white.

Share responsibility matrix with third-party cloud security services:

The specific security services your Cloud Security and Cloud Computing Services provider offers will vary based on the type of service: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS). At one end, IaaS controls the cloud fabric and infrastructure, and you get a bare virtual server. From the Operating System (OS) level on up, security is mostly your responsibility. On the other end, SaaS gives you an application with limited ability to configure it. While you control things like access, much of the underlying security is an absolute obligation of your provider’s team. Note that the categories may bleed into one another. For instance, Microsoft Azure and Amazon Web Services offer plenty of services that would fall into PaaS at some respective level or another!

Vendor risk assessments:

In order to be successful in a Preliminary Vendor Risk Assessment, it is important for one to know what data is flowing to the cloud, what happens with that data after it reaches the cloud, how does it flow back to you or your organization, and if any portion of that information flows back out to third parties. One might also want to consider how well the cloud service provider implements its security controls as this can expose weaknesses and flaws which present significant risks. This high-level assessment should determine whether your organization has enough knowledge of a given vendor's security posture before a full-blown NIST 800-30 or FAIR risk assessment is conducted.

Every cloud provider and the new vendor will have their data flow mapped, and every vendor risk assessment you perform should take steps to validate that the data elements mapped are still valid. Be sure to map the data flows even if they originate from multiple sources because in the end, they’re collectively one comprehensive picture to help you steer clear of any lurking threats. A multi-pronged discovery effort is usually required for this purpose, including interviews with users, review of procurement records to identify ongoing payments, firewall traffic analysis and, if you have one, use of a Cloud Access Security Broker (CASB). The CASB is an indispensable tool in guarding against shadow IT because it ensures information security as well as compliance with all your policies – so be sure to keep it on and running at all times!

Entrust on External Audits?

Very often, a business owner like you might have to rely on an external audit (ISO, SOC, etc.) conducted by an outside agency on the cloud security provider. These audits can provide an in-depth, objective, and technical review of the third party’s security system. What they demonstrate is that the provider is working hard to align their security program with a commonly accepted standard for this industry. These reports might be your best available resource for understanding some risks regarding a cloud provider—make sure you read them carefully!

Is there a risk if you share responsibilities with another party?

Let's assume that you do have documented access to your provider, per their contract requirements with you. The likelihood - not the certainty - is they've taken basic security hygiene steps.

You can also use your contract to offer a guarantee of quality by transferring some of the risks onto the cloud provider. Keep in mind, however, that providers will have limited interest in assuming the risk – you’ll want to make sure their contracts and service level agreements demonstrate this. If their quality assurance is “little or none,” then look for cybersecurity insurance policies. Review them closely to determine whether they cover appropriate risks at an adequate level and are endorsed by legal experts.
Location: 7, Aurobindo Marg, 4th T Block East, KV Layout, Jayanagar, Bengaluru, Karnataka 560011, India

Comments

Post a Comment

Popular posts from this blog

How to protect your startup Business against cyber attacks?

Image
 In today's digital age, the success of a startup business often depends on its ability to leverage technology. While technology can significantly enhance productivity and growth, it also exposes businesses to cybersecurity risks. Cyberattacks on startups can be devastating, leading to data breaches, financial losses, and damage to reputation. Therefore, it's crucial for startups to prioritize cybersecurity from the very beginning. In this comprehensive guide, we'll explore effective strategies to protect your startup business against cyberattacks. 1. Understand the Threat Landscape To defend against cyberattacks, you must first understand the threat landscape. Cyber threats are constantly evolving, and staying informed about the latest trends and attack techniques is essential. Some common cyber threats to be aware of include: Phishing Attacks: These involve tricking individuals into revealing sensitive information, such as login credentials or financial data, through dec
Read more

5 Tips for Choosing a Cyber Security Provider in the Dubai, UAE

Image
  The UAE is a global hub for business, and as such, it is a target for cyber attacks. In 2022, the UAE was ranked as the 12th most targeted country in the world for cyber-attacks. This means that businesses in the UAE need to take cybersecurity very seriously. One of the most important things that businesses can do to protect themselves from cyber attacks is to choose a reputable cyber security provider. There are many different cyber security providers in Dubai , UAE, so it can be difficult to know which one to choose. Here are 5 tips for choosing a cyber security provider in Dubai, UAE: Do your research.  Before you choose a cyber security provider, it is important to do your research. This means reading reviews, comparing prices, and looking at the provider's track record. You should also make sure that the provider is accredited by a reputable organization, such as the International Organization for Standardization (ISO). Consider your needs.  When you are choosing a cyber sec
Read more

Top Cyber Security Companies in India | CyRAACS

Image
  CyRAACS is a leading top cybersecurity company in India that offers a wide range of services, including consulting, auditing, and training. The company was founded in 2017 by a team of experienced cybersecurity professionals, and it has since grown to become one of the most trusted names in the industry. CyRAACS's services are designed to help businesses of all sizes protect themselves from cyber threats. The company's consultants have extensive experience in assessing and mitigating cyber risks, and they can help businesses develop and implement comprehensive cybersecurity programs. CyRAACS also offers a range of training courses that can help businesses build a strong cybersecurity culture. CyRAACS is a CERT-In empanelled company , which means that it is recognized by the Indian government as a trusted provider of cybersecurity services. The company is also ISO 27001 certified, which demonstrates its commitment to the highest standards of cybersecurity. If you are looking
Read more