What is third-party risk management, and how does it apply to the cloud?
Risk is inevitable when you work with outside companies, especially where sensitive company or customer data is concerned. As the cloud becomes more and more of a target for malicious attacks, third-party risk management (TPRM) will become an even more mission-critical security practice in the coming years. Let's look at the problems companies face and the solutions available to them.
Third-Party Risk
A browser cookie that stores your passwords is an open door into an enterprise that was otherwise well protected. A third party that handles your data processing can fall prey to a simple email phishing attack. Your partners have partners of their own, and although you do not control all of them, that does not mean those relationships should be neglected.
As a security manager, you need to conduct third-party risk assessments before you grant access to sensitive data or outsource critical business processes to third-party vendors. Continually assess every vendor as you would any other service level agreement; this lets you track their performance over time and confirm that they consistently meet your security requirements (and all of your other non-negotiables).
Cloud security service providers are vendors too and must be taken into account during the TPRM process. However, making online services easily available to the people who use them can introduce a lot of security risk. Say Fred in accounting volunteers to handle the purchase of cloud services for your organization because he feels confident he can do it without involving the IT team at all. He might find an inexpensive host offering hosting and file-sharing products dressed up as a SaaS companion for Twitter or some other popular social network, pay for it with company money through employee expenses, and start putting sensitive client data on it without any concern for how that data will be used or how it will be protected from unauthorized access. If Fred, or anyone else in your organization, cannot recognize which tools and services are clearly fit for private data, is he really capable of handling such a purchase on his own?
What is Shadow IT?
Scenarios such as these strip away significant protections that keep sensitive information safe. You may have some defenses in place that catch things after the fact or even prevent them from happening: perhaps your firewall will block the service from communicating with the network, or finance might spot the suspicious purchase before it goes through. However, these are not universal solutions that catch everything, and everyone will know about your new system before you do!
Shadow IT is a big issue. Additionally, when it comes to cloud technology you might lose your ability to negotiate terms with third parties, let alone fourth parties, existing or potential. But the bottom line is that if you can't guarantee compliance with security regulations for yourself and for the client, then not doing business with them is clearly your best option; here things are pretty black and white.
Shared responsibility matrix with third-party cloud security services:
The specific security services your cloud security and cloud computing provider offers will vary based on the type of service: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS). At one end, with IaaS the provider controls the cloud fabric and infrastructure and you get a bare virtual server; from the Operating System (OS) level on up, security is mostly your responsibility. At the other end, SaaS gives you an application with limited ability to configure it; while you control things like access, much of the underlying security is the provider's obligation. Note that the categories bleed into one another. For instance, Microsoft Azure and Amazon Web Services offer plenty of services that fall into PaaS at one level or another!
Vendor risk assessments:
To succeed in a preliminary vendor risk assessment, you need to know what data is flowing to the cloud, what happens to that data after it reaches the cloud, how it flows back to you or your organization, and whether any portion of it flows back out to third parties. You should also consider how well the cloud service provider implements its security controls, as this can expose weaknesses and flaws that present significant risk. This high-level assessment should determine whether your organization knows enough about a given vendor's security posture before a full-blown NIST SP 800-30 or FAIR risk assessment is conducted.
Every cloud provider and every new vendor should have their data flow mapped, and every vendor risk assessment you perform should take steps to validate that the mapped data elements are still accurate. Be sure to map the data flows even if they originate from multiple sources, because in the end they form one comprehensive picture that helps you steer clear of lurking threats. A multi-pronged discovery effort is usually required for this purpose, including interviews with users, review of procurement records to identify ongoing payments, firewall traffic analysis and, if you have one, use of a Cloud Access Security Broker (CASB). The CASB is an indispensable tool in guarding against shadow IT because it enforces information security as well as compliance with your policies, so be sure to keep it running at all times!
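As an added example (not code from the original post), here is a Python sketch of the firewall traffic analysis step: constructed egress log lines are checked against a sanctioned-vendor inventory from the TPRM process, and unsanctioned destinations are ranked by outbound volume so the largest unknown data flows surface first. The log format, user names, vendor names and domains are all assumptions.

```python
"""Shadow-IT discovery: rank unsanctioned egress destinations by bytes sent out."""
from dataclasses import dataclass, field

# Assumed TPRM inventory: hostnames (and their subdomains) of assessed vendors.
SANCTIONED_DOMAINS = {
    "crm.example-vendor.com": "Example CRM (assessed, SOC 2 report on file)",
    "storage.example-cloud.net": "Example Cloud Storage (IaaS, assessed)",
}

# Constructed sample egress log: "timestamp user src_ip dest_host bytes_out".
SAMPLE_LOG = """\
2024-05-01T09:12:03Z fred 10.0.4.21 crm.example-vendor.com 2048
2024-05-01T09:15:44Z fred 10.0.4.21 cheap-share.example.org 5242880
2024-05-01T09:16:10Z alice 10.0.4.30 api.storage.example-cloud.net 10240
2024-05-01T10:02:51Z fred 10.0.4.21 cheap-share.example.org 8388608
2024-05-01T10:05:00Z bob 10.0.4.35 notes.unknown-saas.example 300
this line is malformed and must be skipped
"""

@dataclass
class Finding:
    host: str
    users: set = field(default_factory=set)
    bytes_out: int = 0

def parse_line(line):
    """Return (ts, user, src_ip, host, bytes) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, user, src, host, size = parts
    return ts, user, src, host.lower().rstrip("."), int(size)

def is_sanctioned(host, sanctioned=SANCTIONED_DOMAINS):
    """True if host or any parent domain is in the inventory (suffix match only,
    so 'crm.example-vendor.com.evil.test' is NOT treated as sanctioned)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in sanctioned for i in range(len(labels)))

def find_shadow_it(log_text, sanctioned=SANCTIONED_DOMAINS, min_bytes=1_000_000):
    """Aggregate unsanctioned destinations; report those above min_bytes egress."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # a nightly job should log and skip bad lines, not crash
        _, user, _, host, size = rec
        if is_sanctioned(host, sanctioned):
            continue
        f = findings.setdefault(host, Finding(host))
        f.users.add(user)
        f.bytes_out += size
    hits = [f for f in findings.values() if f.bytes_out >= min_bytes]
    return sorted(hits, key=lambda f: f.bytes_out, reverse=True)

if __name__ == "__main__":
    for f in find_shadow_it(SAMPLE_LOG):
        print(f"{f.host}: {f.bytes_out} bytes from {sorted(f.users)}")
```

The volume threshold keeps a one-off 300-byte lookup out of the report while a multi-megabyte upload to an unassessed file-sharing host is flagged for review against procurement records.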
Rely on External Audits?
Very often, a business owner like you will have to rely on an external audit (ISO, SOC, etc.) of the cloud security provider conducted by an outside agency. These audits can provide an in-depth, objective and technical review of the third party's security program. What they demonstrate is that the provider is working to align its security program with a commonly accepted industry standard. These reports may be your best available resource for understanding some of the risks of a cloud provider, so make sure you read them carefully!
Is there a risk if you share responsibilities with another party?
Let's assume that you do have documented access to your provider, as required by their contract with you. The likelihood, not the certainty, is that they have taken basic security hygiene steps.