How to manage third-party risk in the cloud

What to consider for third-party data risk

Organizations need to look at two critical elements before making decisions:

1. What kind of cloud service is in scope: SaaS, PaaS or IaaS?
2. What is its shared responsibility model?

Customers often have less control over SaaS security capabilities than PaaS and IaaS. This means SaaS might have a higher risk from a third-party perspective, largely because providers hold all the responsibility for data protection, availability and service resiliency, as well as threat detection and response.

The types of data stored or produced and their sensitivity within cloud service environments and third-party access are also paramount to consider. Understanding these can help determine criticality and priority of cloud service risk evaluation -- particularly if the data is covered by regulations or industry compliance requirements.

How to determine third-party risk for the cloud

Regardless of service model, organizations should ensure cloud services -- especially those critical to business operations -- are incorporated into ongoing third-party risk management practices.

Follow these key steps.

1. Ask CSPs critical security questions

Cloud customers should request information about security practices and policies from CSPs just as they do any other vendor or third party. While some security questions are in line with standard best practices -- common policies, core types of security controls, etc. -- many cloud-centric questions must also be answered.

PaaS and IaaS cloud services, for example, often make heavy use of proprietary and custom virtualization hypervisors. CSPs should disclose at least some information about how they are configured and locked down.

The Cloud Security Alliance offers numerous questions to ask in its documentation. Its Consensus Assessments Initiative Questionnaire; Cloud Controls Matrix; and Security, Trust, Assurance and Risk Program, for example, provide questionnaire answers and other reputational information to help customers make more informed risk decisions about CSPs and their security practices.

2. Deploy a third-party risk platform

Organizations using multiple cloud services could benefit from using a third-party risk management platform to keep track of the rapidly changing risk landscape across providers. Platforms such as ProcessUnity, Prevalent and Bitsight include extensive details about CSP reputation and threat intelligence, including dark web monitoring, noted incidents of all types and customer feedback.

3. Use cloud service threat modeling

Organizations should incorporate cloud service threat modeling that includes business continuity scenarios into their third-party risk management program.

As more and more organizations rely heavily on cloud applications and infrastructure for day-to-day functions, the impact to an organization if its CSP experiences a breach or a major outage could be devastating.

4. Assess third-party risk tolerances

For any mission-critical cloud services -- for example, email, collaboration tools and financial reporting -- security teams should determine and document tolerable downtime, impacts of delays or complete lack of access for a period of time, and whether any workarounds exist.

For any possible breaches at a CSP, security teams should look to get the following information as quickly as possible:

• How bad is the problem?
• Does it affect us or our data?
• Do we need to notify regulators or law enforcement?
• When can we expect updates?
• What are the next steps?

As with any third-party security incident, responsiveness varies depending on the provider and the particular circumstances. The important thing to do is update internal security practices, processes, communication plans and continuity models to account for unexpected situations that could arise at any CSP.

Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.