Third-party cloud providers: Expanding the attack surface
In this interview with Help Net Security, Fred Kneip, CEO at CyberGRX, talks about the lack of visibility into third-party risk, how to address this issue, and what companies should consider when choosing the right cloud provider.
The pandemic has forced most organizations to accelerate their digital transformation and migrate to the cloud though third-party cloud providers. How has this impacted the threat landscape?
In the era of digital transformation, which is essentially an organization’s way of stating they are increasing their reliance on cloud-based services—enterprises’, digital landscapes are more interconnected than ever before. This means that the company you buy a technology function from may have downstream third-party providers that enable plumbing, infrastructure and development technology that drive their business.
With modern computing environments moving further away from the enterprise, the safety assumption paradigm is shifting. This has impacted the threat landscape because as organizations increase migration to the cloud (a third party), they must now consider that these newly onboarded third parties may have serious security issues that could present adversaries with opportunities to infiltrate your network.
Why is visibility into third-party risk always a problem and what can be done to address this issue?
Every time an organization shares data with a third party, they expand their attack surface and put data and customers at risk. Yet, many organizations don’t have the appropriate visibility into their third-party ecosystem to mitigate this risk. Traditional third-party risk assessment approaches are labor intensive and expensive, hindering an organization’s ability to conduct thorough assessments. As a result, these organizations either choose not to assess their third parties or only assess a small amount—missing other suppliers, vendors or partners that could have serious vulnerabilities.
In order to increase visibility into third-party risk, organizations need to seek solutions that are scalable, so that they cover the entire vendor ecosystem as it continues to expand, and involves standardized assessments so that organizations spend less time on third-party risk management and more time improving security. Deep levels of visibility, as well as powerful data and analytics, can show organizations the controls that their third parties have in place to defend against attacks and allow them to alert these vendors/partners to security gaps so they can remediate.
How to make organizations more aware of the challenges and threats when relying on third-party cloud providers and what should their priorities be when choosing one?
This starts with understanding who your providers are and what you share with them. Many companies will prioritize risk based purely on how much they spend with a given provider. But that is not always the best indicator. It is more important to understand what you are sharing with a provider and what type of connectivity they are requiring.
Anyone that connects to your network is now a potential path into your network. Anywhere you send your data is now a potential leak of your information. Think about the importance of that data and the level of security that you would hold yourself to. You should hold your partners to that same level.
The issues arise when your business wants to use a service and they don’t meet that level of security. This is where a tool to help you weigh the risks and share that with the business can be the most impactful. You cannot secure everything, but knowing what is most important and having a framework for discussion with the business line is the path to an effective program.
Why should organizations consider a third-party cyber risk management (TPCRM) program?
When you think of the major data breaches that have hit headlines, big consumer names come to mind—Target, Adidas, Amazon, AMCA Health (most recently exposed 11.9 million patient records)—all of which have one thing in common. These organizations and many others were not breached due to a lack in their own security practices, but rather via a third-party vendor that had access to their network.
A modern TPCRM program will either prevent third-party breaches from occurring within an organization or ensure very minimal damage if one were to occur. A successful program will put in place a collaborative approach that alerts suppliers and partners to vulnerabilities or gaps in their security controls and allows organizations to work together to identify potential risks and remediate them before an attack occurs.
However, many solutions that have been developed to solve the problem of TPCRM are missing the mark. In order to make the most impact, organizations should seek out solutions that bring together streams of data, including threat intelligence and business classification data, and use machine learning, statistical modeling and include human qualitative analysis to gain an understanding into the risk brought about by their third-party vendors.
How does the implementation of a TPCRM program affect a business? Does it have an impact on growth and reputation?
A robust TPCRM program can solidify your organization as trustworthy and secure, increasing the probability of companies wanting to work with you. A recent survey found that only 28% of small businesses have a response plan in place in the event of a cyberattack and it should come to no surprise that larger companies have expressed that they are hesitant to work with SMBs due to a lack of trust. These companies want to know that you are able to prevent or quickly mitigate a security incident within your organization before it has the opportunity to affect theirs. Therefore, having a TPCRM program can open the door for new business opportunities, allowing your company to grow.