Q&A: How to mitigate third-party risk

The Soha Third Party Advisory Group recently identified secure, third-party access trends and priorities and discussed what they were doing within their own organisations to mitigate third-party risk.

Advisory Group members who participated in this interview include Derek Brink, vice president and research fellow, Aberdeen Group; Slava Kavsan, founder and CEO, CKURE Consulting; Jim Rutt, CTO, The Dana Foundation; and Mark Carrizosa, CISO and vice president security, Soha Systems.

What are the most important secure third-party access trends you’re seeing today?

Derek Brink: There’s clearly growth in providing third parties with access. Why? Because it’s helpful to business! This is the “enablement” motive that security pros like to talk about whenever they can. Third-party access can also be referred to as a “rewarded” risk – the type of risk associated with enabling assets, creating value and maximising upside. Of course, there’s also increasing attention on the traditional security concerns of providing third parties with access to corporate resources – these are the “unrewarded” risks of defending assets, protecting value and minimising downside. And as if these risk-based perspectives weren’t enough, there’s also a growing wave of regulation that allows you to outsource an activity to a third party but the regulation does not allow you to abdicate your responsibility for complying with security and privacy requirements.

Slava Kavsan: As more organisations move their digital assets to public clouds, there is a need to better understand the security and privacy implications of third-party access within this environment, especially when the cloud provider itself is acting as the third party. Operators and cloud service providers often need to have high-level access privileges to their customers’ data and to the applications they host in order to configure and secure the resources in their custody.

Jim Rutt: I’m seeing third-party solution adoption in a number vertical-specific industries, such as the healthcare sector. Healthcare solutions, in particular, have been built with the underlying assumption that third-party access relationships have to be explicitly defined and implemented rather than be based on a more generic private cloud approach. The rise of standards such as FIDO will provide momentum towards a more universal approach to this problem. However, different business models will need their own implementations and abstractions for third-party access, as the regulatory and governance requirements are too specific to apply to disparate industries.

Mark Carrizosa: The only trend I’ve seen is inactivity, and that’s part of the problem. Third party access methodologies have changed very little in the last decade. What’s worse, from a technology perspective, solutions assumed to be “new” and “innovative” continue to utilise the same underlying concepts that have been around for 20-plus years. It’s evident that bad actors understand where the weak points are, and based on the number of breaches related to third-party actions, it’s clear they are actively exploiting them.

What’s happening with secure third-party access that IT and security professionals aren’t paying attention to, but should be?

Derek Brink: If there’s one thing IT and security professionals aren’t paying enough attention to it’s that these are business decisions, and as subject-matter experts and trusted advisors, they should be expressing these risks properly, in terms of likelihood and business impact. Risk should not be expressed through hand-waving, techno-babble or the latest headlines; it must be explained quantitatively and with a proper sense of the inherent uncertainties.

Slava Kavsan: When organisations deploy their digital assets to the public cloud, IT and security professionals need to pay special attention to requirements for achieving additional transparency into the provider’s access to their data, applications and networks. They also need to make sure that under normal conditions, provider operators and services do not have accounts on their customers’ Virtual Machines and are prevented from gaining any access to an organisation’s assets. In situations when provider operators and services need temporary access, the process of obtaining permissions for such access has to be justified, logged and approved (manually or automatically) for the specific asset and the period of time required to perform the maintenance operation.

Jim Rutt: We still lack a cohesive third-party plan of access that includes other critical stakeholders’ peripheral to IT and tech security, such as traditional risk disciplines and line-of-business areas. IT professionals alone have traditionally borne the burden of both securitising and assessing risk. However, IT professionals have not been as strong in formulating proper vendor management and vendor communications ecosystems that help close the gap on the human-factor influence on third-party security. There needs to be a better standard for contingency planning in the event of a third-party breach, rather than reinventing the wheel for every breach incident.

Mark Carrizosa: The management of third-party access lifecycles has become one of the most tedious and time-consuming efforts within enterprise IT/security functions. As with other such tasks, such management is only given priority when absolutely necessary or when an event such as a data breach triggers a deep dive into existing processes. Organisations should re-prioritise their efforts and budgets to account for the new normal, where dependence on third parties is an integral component of current business models.

What are a few things you are doing within your organisation to help secure third-party access?

Jim Rutt: We’ve created a vendor management plan in conjunction with our business units and developed a solid communications plan. This allows us to firm up our internal disaster-recovery plans, review third-party direct-report plans on a regular basis and enforce testing. In addition, we do a yearly insurance risk-review to ensure that we carry the correct amount of insurance.

Mark Carrizosa: In cloud-based working environments, all users are considered remote and operate similarly to how third parties have historically been provided access. What is different in our approach is a fundamental change in access methodologies; we incorporate concepts such as zero-trust, network abstraction, extended identity validation and full-session recording to effectively reduce overall risk and isolate any potential impact caused by third parties or any remote users.

Rick Popko