Cloud Security Part 2: Understanding & Managing Third Party Risk
In chapter 2 of our 4-part series on Cloud Security, we explore the issues surrounding third party risk and look at ways to secure your digital ecosystem. If you haven’t already, why not catch up with part 1 about Understanding Your Attack Surface?
Risk around third-party providers, frequently referred to as supply chain risk, is a hot topic. As organisations strive to move quickly and become more agile, there are often some gaps in decision making, leading to potential risks in the ecosystem.
Even if the decision-making process was not driven by speed and agility, vendor selection should be a more thorough process than perhaps it once was. So how do we understand and deal with the potential risk a partner may introduce to an organisation’s ecosystem?
The first step to managing the risk is assessing and understanding all the third-party providers that exist in the ecosystem. This could be everything from malware and back-up solutions to finance systems and data lake connections via an API. The list is almost endless and varies depending on the type of business.
So, you understand your digital ecosystem, now what?
All the third parties need to be recorded and mapped accordingly, with the services and data that are consumed as well as how they are consumed, from what location, on what network etc. In larger environments there are specific tools to help with this process. It’s also important to ensure sufficient security measures are met by third party suppliers.
It’s not always appropriate to accept their way of doing things or their methods of data transfer. An effective partner relationship is bi-directional, and third parties should be included in risk mitigation and planning processes as it creates a fruitful and trustworthy relationship. The aim is for end-to-end supply chain visibility and mutually agreed communication contracts.
How do I strengthen my supply chain?
Effective protection from risk introduced by third party providers often starts internally. Below is a suggestion of some activities that would benefit organisations looking to strengthen their supply chain:
– Ensure all insider threats are identified, as threats are not always intentionally malicious. It is a good idea to perform an attack surface management discovery exercise, which is the continuous discovery, monitoring, evaluation, prioritisation, and remediation of attack vectors within an organisation’s IT infrastructure.
– Have a strong IAM policy and control mechanisms, including privileged access management. This is not only a critical component of risk mitigation but also forms the basis of any good Cloud deployment process.
– Implement a Zero Trust architecture. This will go a long way to protecting against both internal and external threats.
– Minimise access to sensitive data. Although this activity should be a given, extra attention should be paid to data that is sensitive to an organisation.
– Implement strict shadow IT controls. Monitoring the Cloud applications and data flow from employees is an important part of understanding and controlling data breaches.
– Staff education plays a big role in stopping malicious activity. Help employees understand phishing, smishing and ransomware threats as a minimum.
In addition to the internal protection, general good practices for managing third party risks would include the following:
– Map out vulnerable resources or the resources that are at higher risk and make sure they are protected effectively.
– Regular third-party risk assessments are paramount in effective protection.
– Follow DevSecOps practices by integrating security into the development lifecycle.
It is also worth noting that there are several areas in an ecosystem that are not particular to managing third party risks but can greatly help to reduce the potential for issues, especially for organisations that have a diverse environment encompassing hybrid architectures.