Businesses clearly see that there are many functional and financial benefits to allowing third-party information access to partner organisations and other supply chain partners. Suppliers, not surprisingly, are equally enthusiastic about being able to genuinely partner with their clients and gain access to helpful and valuable client information. It tends to be the security and compliance practitioners who are not quite as enthusiastic, because they can see the pitfalls and the possible lack of 360° oversight of all aspects, including security measures, that allowing third parties access to sensitive information requires.
The enthusiastic rush to implement such access can mean vital areas are overlooked, skipped or ignored, and this is where the security practitioners start to get hot under the collar. While there are many technologies that will allow identity and access management facilities to be extended outside an organisation, this is not only about technology. A technology-led approach often overlooks many other, non-technical factors.
It should be standard procedure that each individual supplier is risk-assessed, based on the nationality of the service provider, the geographical location of the service provider and their datacentres, the service they are supplying, the levels of access required and the sensitivity of the information assets to be accessed or stewarded. It must be appreciated that just because a service provider is physically located in Europe, their "home" nationality may mean that non-European legislative or governance factors also need to be considered. For example, consider the recent issue Microsoft encountered when a US judge ordered that it must hand over data that is not stored in the US to US Federal agencies on request. The actual location of the data was deemed secondary to the home location of the business. This is a legal area that will continue to cause consternation, as local legislation will constantly be called into play to handle global data issues.
There should be formal agreements in place with each third-party service provider, including reference to the security standards to be adhered to, vetting and background-check requirements, reporting mechanisms and the right to audit. Once formal agreements are in place, they need to be carefully managed and monitored to continuously assure the business that adherence is maintained. This assurance will be required by all key stakeholders, which could include clients or other supply chain partners. It would also be necessary to make sure information classification is handled consistently across the organisations involved.
Any training the third-party supplier needs in data handling or management should be identified. There should be strict controls over who is allowed access to what information, for what purpose and for how long. This should also include any temporary or contract workers the third-party supplier uses; these workers are frequently overlooked. Governance around their login credentials should be in place, and they should be clearly identifiable as individuals in the same way standard employees are. This means ensuring they do not use recycled or existing employee logins. Every interaction with the information should leave a traceable audit trail. Any technologies the third party uses to process the organisation's data should be agreed in advance, and any new versions, updates or changes should be notified, appropriately tested and approved. All of this should be subject to monitoring and regular review.
As long as all of these non-technical elements form part of the planning, there is no reason why the abundance of technologies I mentioned at the top of this article cannot be safely exploited for the benefit of businesses and their suppliers.
Mike Gillespie is director of cyber research and security at The Security Institute
This was first published in September 2014