Is Your Data at Risk Due to Third-Party Cloud Applications?

Wednesday, August 02, 2017

Scott Schneider


In May of 2017, it was discovered that an exposed data repository, an AWS S3 bucket, had allowed semipublic access to the details of at least 2.2 million customers of Dow Jones & Company. The mistake was a simple one: the bucket's permission settings were set up incorrectly, allowing anyone with a free Amazon AWS account to access the content.

This leak highlights the ease with which a simple mistake in one security setting can jeopardize the personal information of your customers. The costs of such carelessness are regulatory fines, a damaged reputation and a possible lawsuit.

You may not think that it could happen under your watch – but how much of your data security is really under your control?

Do You Know Where Your Data Is Stored?

It’s likely that your business is using tens, or potentially hundreds, of third party SaaS applications to do everything from manage prospects and clients to help handle accounts. These applications save your business time and money – but they also put your data in the hands of someone else.

Most of these applications store their data in the cloud, much of it in the same type of data repository as was the leaked Dow Jones Data. What guarantee do you have that your data hasn’t been left unencrypted and accidentally made public?

Your Biggest Data Security Mistake

When most businesses hand over data to a third party, they do so under the mistaken belief that this company now has responsibility for securing that data, barely giving data security a second thought once the application is in use.

Although third parties should and do provide security, the overall responsibility for protecting the data is still yours. If the data gets leaked, it is you and your team who will be held accountable by your shareholders and customers, not the third party.

Even if the third party is contractually obliged to cover the costs of any data security problems, you must still retain oversight.

You Need A Complete Overview of the Data Chain of Custody

You rarely have detailed insight into how third parties are handling data, which means there are a lot of unanswered questions:

  • What security policies do they have in place?
  • Where is your data stored?
  • Do they regularly use contractors? What access do they have to your data?
  • Which other third-party services do they rely on ­­­– could any other businesses access your data?

The problem with getting this information is twofold: Firstly, third parties are only likely to reveal the amount of security information required contractually, but this may leave out critical information. Secondly, with most businesses using many third parties, the job of tracking them becomes time-consuming and expensive.

Implementing a Third-Party Risk Program

Manually tracking the security policies that your third parties use is impractical, if not impossible. A platform that enables businesses to access up-to-date risk assessments for a diverse range of third-party organizations is needed.

By outsourcing and automating your third-party risk assessments, you benefit from a considerable increase in efficiency and a corresponding reduction in cost and complexity. This allows you to easily assess and reduce your exposure to risk, helping you decide which third parties to deal with and which to reject.

The time-and-cost savings a robust third-party cyber risk management plan provides allows you to invest more resources into your own security, further reducing your risk.

About the author: As Head of Business Development, Scott Schneider is responsible for implementing CyberGRX’s go-to-market and growth strategy. Previous to CyberGRX, Schneider led sales & marketing at SecurityScorecard, Lookingglass, iSIGHT Partners and iDefense, now a unit of VeriSign.

Possibly Related Articles:
Enterprise Security Policy
SaaS data security security setting cyber-risk
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.