In the ever-changing ecosystems that organizations operate in, business needs can change as rapidly as the weather. It’s abundantly clear that organizations must be agile so they can adapt and react to the business storms on the horizon. Budgetary constraints and increased transaction velocity have forced organizations to look at alternative solutions to their everyday needs. One such alternative is Third-Party Service Providers (TSP).
TSP and cloud services are widely used and continue to expand. Business has grown accustomed to cloud computing terms and concepts, such as Application as a Service or Software as a Service, where you pay a monthly fee, usually per user, to use a TSP application like Office 365, Electronic Medical Record software, accounting applications, etc. Then there is Infrastructure as a Service, where you utilize the hardware and physical assets of a TSP to host your application, web page, or other information, either onsite or offsite. These, along with storage virtualization, online backup, collaboration tools, and TSPs that offer full IT outsourcing (help desks, virtual data centers, and hosted platform data centers), can in many cases be an attractive alternative for supporting your assets and team. When you add in those “other” TSPs - those that use your data as part of delivering their services to you, such as a HIPAA Business Associate, a third-party credit card processor, a law firm, an accounting firm, a data aggregation company, a bank statement processor, a managed security service provider, etc. - your TSP list becomes long and, in many cases, not as well understood from a risk management standpoint.
But how does using a TSP and its “cloud” impact business risk? How would your enterprise survive the compromise, loss, theft, or unapproved access of highly sensitive business and client information you have given a TSP to hold or interact with? How would you deal with the resulting fines, sanctions, and lawsuits? Who is responsible for identifying and directing risk management?
However, despite the “pros” of a TSP relationship, there are corresponding “cons.” If these are not effectively assessed at contract engagement, annually, and at every data concern or breach, the likely outcome is that centralizing and sharing resources increases the potential for harm. That risk can quickly grow to a level that exceeds the business case savings for the TSP or cloud service. Every organization contemplating the use of a TSP or cloud solution must understand this enhanced risk so that it can succeed and thrive.
The Silver Cloud—Measurable Savings?
The benefits of using cloud computing are numerous. The shared nature and larger scale of a TSP and cloud provider allow clients to add collaboration, access, reporting, and availability, and even quickly and easily scale their systems up or down to meet changing demands. This can reduce the inefficiencies of a traditional internal ecosystem, in which capacity is overdesigned to ensure acceptable performance at peak demand. Likewise, 24x7x365 TSP data availability lets users access information from any web browser, including the latest smartphone and tablet platforms, so that a user’s consumption of resources can be maximized for collaboration, communication, client service, and management output.
Additionally, the TSPs can leverage expensive resources, such as system administrators, backup infrastructure, and network infrastructure, across multiple clients. Enterprises that utilize TSPs can avoid several physical, technological, or other asset and power expenditures; however, you are extending your data protection responsibilities to those TSPs and could be adding to your risk profile, as a TSP with many clients’ data is a more attractive target for data theft.
The “Dark Lining” Of the TSP & Cloud
The benefits of using a TSP are tempered by the very real potential to introduce uncontrolled or unforeseen risks and threats to your information. And don’t forget, just because you’ve shared information with a TSP, that doesn’t remove your responsibility for data protection.
Just look at all the recent issues reported by organizations such as Databreaches.net, which lists over 27,000 breach incidents along with 1,300+ subcontractor data loss issues, with titles like “44% of Healthcare and Pharmaceutical Organizations Have Experienced a Data Breach Caused By a Third Party in the Last 12 Months”.
We all understand that the information needed to run a business is a valuable asset, but have you measured what that data and information is worth to you if it becomes unavailable or compromised?
- Do you know how much it would be worth to a cybercriminal?
- What could a hacker do with the information and how long can they keep it?
- What would it cost you if a malicious entity compromised your TSP and acted as a TSP employee who was normally allowed access and changed, deleted, or transferred your data?
- And even outside a hacker, what would you do if you lost information, or access to it, due to a disaster at the cloud provider?
The bottom line is that using a TSP has the potential to significantly increase your risk of a cybersecurity or data incident. That incident can expose you to the costs, legal remedies, and other losses that follow such a breach. Data, and access to it, has real value to the continued operations of an enterprise and especially to the clients it serves. At times, most assuredly, data is valuable enough for someone, some enterprise, or even some country to want to steal, manipulate, or otherwise compromise the information. How much the data is worth to a cybercriminal directly translates into an enterprise’s threat posture: attackers weigh their risks against the reward of getting that information. When using a TSP cloud, the question becomes: What does centralizing your data alongside the data of dozens or hundreds of other enterprises do to your threat posture? The simple fact is that a business with data in a TSP cloud has no direct control over where that data actually lives.
Any time a TSP is engaged, data controls need to be reviewed, and at least the following six core questions need to be answered, documented, and reviewed by those with governance responsibilities (Board, Audit Committee, CISO, etc.):
How would you be harmed if…
- the asset became public and widely distributed?
- an employee of the cloud provider accessed the asset?
- your process or function were manipulated by an outsider?
- the process or function failed to provide expected results?
- the information / data was unexpectedly changed?
- assets were unavailable for a period of time?
Cost Of a Data Breach
In today’s world, rampant ransomware, misappropriated data, stolen and lost physical assets, and unintentional and intentional breaches occur with frightening regularity to every type and size of business. It doesn’t matter what industry or vertical market you are in; if you have data that is critical to your business, the clientele you serve, and the other business interactions you have, you are a target. While the most common initial threat vector in the 2021 Cost of a Data Breach Report (CODBR) from the Ponemon Institute and IBM Security was compromised credentials, cloud TSP misconfiguration was the third most-common threat, accounting for 15% of breaches.
According to the CODBR, companies with higher levels of TSP and cloud migration had an average cost of breach of $5.12 million USD, compared to $3.46 million USD for those with low levels of cloud migration.
Regulatory Compliance for Your TSP
Your compliance requirements pass to your TSP. Period. That is routinely stated or implied in just about every rule, law, regulation, and standard (e.g., the Payment Card Industry Data Security Standard). Those rules are modified frequently as market and cyber risk conditions change. You may need to meet the requirements of one or more laws or regulations, and if you are required to meet them, you will likely have a mandatory requirement to contractually bind your TSP to meet them as well.
You’ll need a thorough understanding of not only how your compliance actions affect your internal controls, but also how those same controls are applied at your TSP. And if you ever suffer a regulatory audit, you will most likely have to prove that your TSPs have at least the same or similar controls in place as yours and that you have a policy and program to validate those controls.
Assuring The Cloud
The use of a TSP and cloud resources can be highly beneficial to most enterprises, but one should always know the risks and use the appropriate resources and experts from the cyber audit and legal community to assess your agreements. Every TSP with any interaction with your data has to be prepared to answer at least the following questions:
- Who has access to my data?
- How is my data encrypted at rest and in transit?
- How is my data protected from unauthorized access?
- How is my data disposed of?
- How is your internal security handled?
- What are your Administrative, Physical, Logical, and Personnel controls?
- What rights and abilities does my enterprise have in the case of a suspected or known breach?
- What reporting obligations do you enforce to notify clients of security breaches?
- What actions has the TSP taken to prevent attacks?
- How much ability does the provider give its consumers to perform their own assurance procedures, such as security scanning or audits?
- How does the provider handle logical access for multi-tenanted sites?
- Have you documented all the laws, rules, regulations, and standards to be met by the TSP?
- Have you documented a data inventory for all data the TSP will interact with?
- What compliance standards does the TSP meet?
- How will compliance be maintained at all phases of data interaction?
- What third-party assurance (e.g., SOC 2 Type 2, ISO 27017, ISO 27018, FedRAMP, CSA, etc.) is performed annually and delivered to you?
- How can you track the physical location of your data for compliance, e.g., where certain laws prevent data from being stored in certain countries?
- Are you ready to maintain the needed internal controls and compliance actions for all the levels required by your TSP?
- How much uptime is guaranteed?
- Is there a guaranteed service level? Who monitors it? What reimbursements will occur if the guaranteed level is not met?
- Now that all services are accessed over the Internet, does the enterprise have enough bandwidth for all of its employees, and/or does the provider have enough power and bandwidth to service the enterprise’s needs and all of their other clients?
- Can service be interrupted based on the activity of nonrelated TSP consumers?
- How is information segregated between clients for recovery?
- How will assurance be provided by the cloud provider with regard to availability?
- What are your and your TSP’s disaster recovery and business continuity plans?
- Have you or any of your TSPs had a reportable breach in the last 18 months?
- Where (physical location) is my data kept?
- What does the TSP require for internal staff training, testing, and background checks?
- How can the enterprise monitor the load and performance of the cloud?
- How can the cloud provider assure the enterprise that it is being billed fairly for usage?
- What tools are available and allowed to monitor security in the cloud?
- Do they have adequate cyber-liability coverage, and can you be a named organization on the TSP’s cyber-liability policy?
Fourth Party Concerns
Your TSPs have vendors, some of which could interact with all of your data and other TSP clients’ data, and may be supporting multiple TSPs. Those vendors are your fourth party. Just as it is critical that you understand the TSP and its controls, you need to apply the same structured approach to understanding your fourth parties.
Have You Heard About ZTA?
Zero Trust Architecture is an IT security model that eliminates the notion of implicit trust to protect networks, applications, and data. This is a major contrast to the traditional “trust but verify” perimeter security model, which presumes that bad actors are always on the untrusted side of the network and trustworthy users are always on the trusted side. With Zero Trust, these assumptions are nullified, and all users are presumed to be untrustworthy until verified.
According to Forrester Research, a leading research and advisory firm, a Zero Trust solution must:
- Ensure that only known, allowed traffic or legitimate application communication is allowed by segmenting and enabling Layer 7 policy.
- Leverage a least-privileged access strategy and strictly enforce access control.
- Inspect and log all traffic. Otherwise, it can be fairly simple for an attacker to gain access to a company’s network.
These principles may be straightforward (though maybe not “easy”) to implement in an enterprise network, but how do they apply to your TSP? Can your TSP apply the same concepts to its ecosystem? It is prudent to require that your TSP’s implementation inspect all traffic for all applications; otherwise, it is not truly delivering Zero Trust.
As TSP adoption and the associated cloud computing continue to push deeper into the mainstream of information processing, data storage, data support, and communication, it is critical that the risks to your data are consistently reviewed and that the threats identified are mitigated to a level commensurate with the value of the data. The value of a cloud computing infrastructure is measurable - savings can be achieved in data accessibility, customer relationship management, and decreased hardware costs and infrastructure support - but the costs of a breach or of lost data can easily outstrip any savings with the potential regulatory agency fines, civil lawsuits, and reputational damage.
Remember that it is always the enterprise’s responsibility to keep its data confidential, maintain its integrity, assure its availability, meet its obligations under regulations and laws, keep cybersecurity forefront in any TSP relationship, and not get lost in the clouds.