
Extreme vetting: evaluating the security posture of third-party vendors

Yaki Faitelson, Co-Founder and CEO of Varonis, responsible for leading the management, strategic direction and execution of the company, says monitoring the security of providers and other third parties can be very useful.


Johannesburg, 05 Feb 2018
Yaki Faitelson: Co-Founder and CEO of Varonis.

Smart organisations know that their businesses are at risk if they don't secure their data. Recently, three high-profile companies indirectly experienced breaches through the vendors and service providers with whom they shared their data. Netflix, UK cyber florist Debenhams Flowers and dating Web site Guardian Soulmates were all victims of attacks launched against outsiders entrusted with their data. And let's not forget that the massive Target breach from a few years ago was the result of hackers gaining network access from a compromised HVAC vendor.

Varonis outsources data processing and other work to third parties because of their expertise in a specific area, but not necessarily because of their security capabilities, says Yaki Faitelson, Co-Founder and CEO of Varonis, responsible for leading the management, strategic direction and execution of the company.

Is there a way for companies to enforce security standards on service providers?

These types of issues are typically resolved through special contracts. Popular data security standards such as PCI DSS or the NIST 800 series even ask companies to enforce security controls on service providers through legal contracts.

For data that falls under data security and privacy laws - say, HIPAA regulations in the US for medical information or EU rules on consumer data like the fast-approaching General Data Protection Regulation (GDPR) - there are additional requirements to have contracts containing specific data protection and privacy provisions. In other words, it's illegal not to have these contracts with outside service providers. If they can't sign the contract, find another provider!

A quick peek at standard contracts

As with any potential business relationship, you'll want to do your due diligence. This can involve checking public records of your future partner and asking to review their data security policies, their security technologies (two-factor authentication, VPNs) and their incident response plans.

While evaluating the security preparedness of your partner is important, you'll still need to have a data security contract that ensures your data is protected.

You'll want, at a minimum, definitions of the data being protected (account numbers, e-mail addresses, etc.), the authorised users who are allowed to access the data and what constitutes a breach or security event. Then comes the core of the contract.

There are many resources on the Web to reference - the International Association of Privacy Protection (IAPP) is a good place to start - but there are a few clauses that are nearly universal:

* First, an overall data safeguards obligation that tells the service provider that they should maintain the security, confidentiality and integrity of customer data is essential. It's really the minimum the provider needs to do to protect the data.
* Second, there's typically a restriction that data can't be disclosed to anyone other than authorised users within the provider, preventing it from being shared with others, except under limited conditions.
* Third, requirements to notify your company when there is a breach or incident (within a reasonable timeframe) are also a standard part of security agreements.
* Last, you'll need language to handle expenses, fines and legal judgments associated with a breach. The company purchasing services naturally would like to hold the provider responsible for reasonable costs associated with a breach, as well as being indemnified against lawsuits and other unknowns. You'll want your attorneys to handle these details.

Data-centric security

The variable parts include the specific security controls that the provider needs to implement and monitor to protect the data. If you're not in an industry (medical or financial in the US) that is regulated, then you'll have more freedom in working out the technical details. Legal and technical staff involved in drafting these contracts can selectively choose from ISO 27001, NIST 800-171 or other popular data standards.

In using these data standards to work out the contract language, organisations can also take a practical shortcut through the security controls based on what we know about the types of threats in the real world.

We're now in an era where stealthy attackers enter systems undetected, often through phishing e-mails or by leveraging previously stolen credentials. Once inside, they can fly under the monitoring radar, find and then remove monetisable data within your file system.

While standards often have broad language for monitoring and protecting IT assets, it doesn't mean we can't fine-tune them for real-world conditions.

It makes far more sense to have data security contracts that call for the provider to scan file systems for protected data, ensure that access control lists (ACLs) or file permissions are limited to authorised users, and spot unusual file access behaviours that can be signs of a data breach.

Security SLAs

You've done your due diligence and you've crafted a data security contract that reflects current security threats.

It's still not enough!

You have to ensure that the data security contract with the service provider is being met after it's signed.

In the tech world, we're used to service-level agreements (SLAs) that require providers to meet certain metrics and to report back periodically to the customers. SLAs have a longer tradition in the world of networking, where providers have to meet certain metrics and then provide credits back when they fall short.

We're not quite at that point with security SLAs. However, monitoring the security of providers and other third parties can be very useful. The more you know, the better position you're in for evaluating whether the contract is currently being met.

I'll close out this article with a few security-related reports I'd like to see from providers with whom I've contracted:

* A list of users who have accessed folders or directories where protected data is stored within the last 30 days.
* Any changes to ACLs or permissions on these folders.
* Any changes to security groups (new or deleted users or subgroups) that have access to the protected data.
* Unusual activities on these folders - excessive copies or rapid accesses - and the users (along with the group memberships) responsible for the activity.
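The data-centric controls described above (limiting protected folders to authorised users, spotting unusual access behaviour) and the provider reports listed here can be produced from the provider's own file-access audit trail. The script below is an added example, not code from the article or from Varonis; it assumes a constructed audit log format of "timestamp user action path" and a list of protected folders, and derives the 30-day user list, ACL changes and rapid-access bursts from it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log (not from the article): one record per file event.
# Fields: ISO timestamp, user, action, path. Paths under PROTECTED hold regulated data.
PROTECTED = ("/data/customers", "/data/patients")
AUDIT_LOG = """\
2018-01-20T09:00:00 alice read /data/customers/accounts.csv
2018-01-21T09:05:00 bob read /data/customers/accounts.csv
2018-01-22T10:00:00 carol acl_change /data/patients
2018-01-23T11:00:00 dave read /public/handbook.pdf
2018-01-25T14:00:00 mallory copy /data/patients/records-1.csv
2018-01-25T14:00:05 mallory copy /data/patients/records-2.csv
2018-01-25T14:00:09 mallory copy /data/patients/records-3.csv
2017-11-01T08:00:00 eve read /data/customers/accounts.csv
"""

def parse(log):
    # Turn each log line into a (timestamp, user, action, path) tuple.
    return [(datetime.fromisoformat(t), u, a, p)
            for t, u, a, p in (line.split() for line in log.splitlines())]

def is_protected(path):
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)

def recent_protected_users(events, now, days=30):
    """Users who read or copied protected data in the last `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted({u for ts, u, a, p in events
                   if a in ("read", "copy") and is_protected(p) and ts >= cutoff})

def acl_changes(events):
    """Permission changes on protected folders, and who made them."""
    return [(u, p) for _, u, a, p in events if a == "acl_change" and is_protected(p)]

def burst_accesses(events, window=timedelta(seconds=60), threshold=2):
    """Users with more than `threshold` protected-data accesses inside `window`."""
    per_user = defaultdict(list)
    for ts, u, a, p in events:
        if a in ("read", "copy") and is_protected(p):
            per_user[u].append(ts)
    flagged = {}
    for u, stamps in per_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if t - start <= window)
            if n > threshold:
                flagged[u] = n
                break
    return flagged
```

Group memberships for the flagged users would come from the provider's directory rather than the file audit trail, so they are not reconstructed here.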


Varonis

Varonis is a pioneer in data security and analytics, fighting a different battle than conventional cyber security companies. Varonis focuses on protecting enterprise data: sensitive files and e-mails; confidential customer, patient and employee data; financial records; strategic and product plans; and other intellectual property.

The Varonis Data Security Platform detects insider threats and cyber attacks by analysing data, account activity and user behaviour; prevents and limits disaster by locking down sensitive and stale data; and efficiently sustains a secure state with automation.

With a focus on data security, Varonis serves a variety of use cases including governance, compliance, classification, and threat analytics. Varonis started operations in 2005 and, as of September 30, 2017, had approximately 5,950 customers worldwide - comprised of industry leaders in many sectors including technology, consumer, retail, financial services, healthcare, manufacturing, energy, media, and education.

This article originally ran in Forbes
