As organisations increasingly rely on third parties to provide a myriad of IT and business services, the boundaries between the enterprise and its suppliers have become ever more blurred. The result is a complex supply chain – with each element introducing additional risk.
It is often assumed that, by paying a partner to deliver the work, these risks are transferred to that third party. However, this is not the case. The risk is still the responsibility of the organisation, but different measures will be required to manage it now that a third party is involved.
When mitigating these risks, it is understandable that the organisation in question will want to extend its own policies and controls to cover third parties. However, those third parties will themselves be balancing the disparate requirements of many different partners.
Addressing supply chain risk is therefore a case of implementing various measures.
The first phase is to undertake systematic and rigorous screening of any potential business partner both up and down the supply chain (i.e. customers as well as suppliers). This is already mandatory in some industries (think anti-money laundering laws in the financial sector, for example), but it should be regarded as good business practice, regardless of legislation.
It is essential that every enterprise knows who it is working with – both directly and indirectly – and therefore who it is connected to around the world, with checks being far more in-depth than a tick-box form completed by the potential partner. Screening processes should be automated to handle the huge volume of checks that need to be undertaken to fully vet a partner, as well as continuous, as a previously compliant third party could undertake an activity that reverses their status.
Having onboarded a partner that has satisfied the initial screening process, contracts legally enforce organisational policies. These need to cover information handling, laying out how the enterprise’s data will be protected while it is stored, but also during transmission and processing, as well as the procedure for its deletion.
They also need to include security incident reporting, so that the business is notified of any event that could impact their information or data, and factor in training for the third-party partner on the organisation’s core security values.
While this is straightforward on the surface, the reality is often more complicated. Large third parties may wield their own policies with assurance that these already meet the necessary requirements – but it can be hard to verify that the specific measures in place meet the organisation’s requirements, or to alter the contract to cover the specific conditions of that particular agreement. At the other end of the spectrum, some potential partners may be too small to implement all the controls required without increasing the price of their service to the point where it no longer makes commercial sense to continue.
The “right to audit” is a critical contractual clause if the organisation is to retain any control by confirming that a partner is complying with its policies, but it can be challenging to have this included – and even more challenging to enforce it.
Corporate credit cards mean it is also possible for contracts to be signed without legal teams being involved – software as a service (SaaS) for a small project can be purchased, for example, or another project undertaken which is small enough to be implemented without going through an organisation’s full change management and service integration process. Despite “shadow IT” being a perennial problem, organisations often only look for software – services such as these are much harder to identify and are often overlooked.
Compliance and governance
With a contract in place, ensuring compliance is a key activity, as the enterprise needs to know that the partner is adhering to the legalities agreed. Many third parties will rely on providing confirmation of certifications such as ISO 27001, or regular reports such as SOC 2 Type II. These may be sufficient in some cases, but there may be occasions where more detail on how the partner is achieving compliance is required.
Monitoring for compliance can be a challenge, but if third parties are on an organisation’s network or in its applications, it might be possible to monitor via security information and event management (SIEM) tooling and privileged access management (PAM) tool logs, with activities reviewed to confirm they are not breaching agreements such as the prohibition on sharing IDs.
If a security operations centre (SOC) is in place, additional monitoring of third-party activities, or setting a higher priority on alerts for them, can be critical in identifying non-compliance with organisational policies.
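One concrete form the PAM log review described above can take is a check for shared IDs: the same third-party account holding overlapping privileged sessions from two different source addresses. The following is an added example, not code from the original article; the JSON session records, account names and addresses are constructed sample data, and the field names are assumptions about a PAM export format.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample PAM session records (not real data), one JSON record
# per privileged session as a SIEM might export them. Field names are assumed.
SAMPLE_LOG = """
{"account":"vendor_svc_acme","src_ip":"203.0.113.10","start":"2024-03-01T09:00:00","end":"2024-03-01T09:45:00"}
{"account":"vendor_svc_acme","src_ip":"198.51.100.7","start":"2024-03-01T09:20:00","end":"2024-03-01T10:00:00"}
{"account":"vendor_svc_acme","src_ip":"203.0.113.10","start":"2024-03-01T13:00:00","end":"2024-03-01T13:30:00"}
{"account":"vendor_svc_beta","src_ip":"192.0.2.5","start":"2024-03-01T08:00:00","end":"2024-03-01T08:30:00"}
{"account":"vendor_svc_beta","src_ip":"192.0.2.5","start":"2024-03-01T08:10:00","end":"2024-03-01T08:40:00"}
"""

def parse_sessions(text):
    """Parse one JSON session record per line into dicts with datetime bounds."""
    sessions = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["start"] = datetime.fromisoformat(rec["start"])
        rec["end"] = datetime.fromisoformat(rec["end"])
        sessions.append(rec)
    return sessions

def find_shared_ids(sessions):
    """Return {account: {(ip_a, ip_b), ...}} for every account that held
    overlapping sessions from two different source addresses. Overlapping
    sessions from the same address (e.g. a reconnect) are not flagged."""
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s["account"]].append(s)
    findings = {}
    for account, sess in by_account.items():
        sess.sort(key=lambda s: s["start"])
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if b["start"] >= a["end"]:
                    break  # sorted by start, so no later session overlaps a
                if a["src_ip"] != b["src_ip"]:
                    pair = tuple(sorted((a["src_ip"], b["src_ip"])))
                    findings.setdefault(account, set()).add(pair)
    return findings

if __name__ == "__main__":
    for account, pairs in find_shared_ids(parse_sessions(SAMPLE_LOG)).items():
        print(f"possible shared ID: {account} used concurrently from {sorted(pairs)}")
```

In the sample data only vendor_svc_acme is flagged; vendor_svc_beta has overlapping sessions but from a single address, which is why the check compares source addresses rather than session counts alone.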
Integrating third parties with the organisation’s existing technology estate is a critical part of managing risks. However, this is often overlooked when designing identity and access management systems, with privileged access governance for third parties created that does not meet the control requirements for employees of the organisation.
For example, an application may be ruled “out of scope” for controls as it is managed by a third party, or there is no capability of extending tooling into the system as it is set up and managed completely separately.
Many organisations outsource their entire network management to third parties or integrate elements of third-party networks into it via secure tunnels and other mechanisms. This can change the entire dynamic of how data should be protected as it flows over the network between applications, and how insider threats are modelled, as the enterprise no longer has assurance over the safety of anything transmitted on its network. Concepts such as zero trust become more important, as it cannot be assumed that all network traffic is owned by, or visible to, the organisation.
Once a contract is terminated, data that is no longer required should be disposed of (by the partner) in accordance with organisational policies, and evidence that this has happened provided. Ideally this should be enforced contractually, but it is often the case that smaller or time-limited projects that have shared data, such as small data analysis exercises, are undertaken without a contract due to services being purchased outside the official procurement system (as referenced above).
Ensuring any third parties shut down network connections correctly when a service is no longer required is also essential to protect both the organisation’s network and its intellectual property, which could still be hosted with the partner and accessible long after the contract has been terminated. Data breaches can occur when a third party does not dispose of development or test environments, which can be compromised and used as a bridge into other organisations.
As always in the security world, there is no silver bullet that will resolve all the issues arising from today’s interconnected businesses and complex supply chains – and not all challenges require the same solution.
Assessment and knowledge, however, are key tools – an end-to-end approach for systems and processes that considers the people, data and applications that are part of every process can help to identify problem areas that are outside the organisation’s scope of control, and flag where this introduces risk. With this insight, the appropriate measures and controls can be negotiated and implemented.