
Managing security risks when using third-party hosted solutions

Cybersecurity is a broad topic, and as such there are many facets a company must understand to implement it properly in its business. This article is the second in a series on how to properly manage your risks in the cloud (read part one).

Movement to third-party hosted solutions

As businesses have continued to focus on their core products and services, many organizations have found that the development of internal proprietary applications no longer aligns with their long-term strategic goals or objectives. Several organizations began by transitioning on-site data centers to co-location facilities so that the organization could offload the day-to-day management of physical IT assets. Next, organizations chose to outsource the technical staff managing day-to-day operations to contractors or third-party service providers. Now the final transition away from internal IT services is underway as more organizations adopt third-party hosted solutions such as Microsoft Office 365 or Salesforce.

This transition to third-party hosted solutions has left many organizations with minimal internal IT services. The IT services that remain are usually centered on managing end-user computers, providing stable in-office network connectivity and managing user access to third-party hosted solutions. Costs have shifted from internal headcount to ongoing service contracts, as many organizations no longer have internal application development teams. However, while resources and costs have shifted, many of the risks remain.

Security risks and end-user responsibilities

While an organization can outsource its IT services, the organization still retains many of the risks related to those services.

Availability and disaster recovery

Organizations that outsource their IT operations to a co-location data center may believe they no longer need to be concerned about the availability or management of basic services such as network connectivity or power supply; however, the organization should perform a due diligence effort before accepting that those risks have been appropriately managed. The organization should review the co-location facility’s disaster recovery capabilities, including the use of redundant internet suppliers, the use of a power generator and the use of uninterruptible power supplies (UPS), to confirm that risks to the availability of data center infrastructure have been mitigated. Additionally, the organization should review the co-location facility’s processes for managing physical access to its facility, to reduce the risk of accidental actions that may cause a loss of power or network connectivity.

Organizations that have chosen to outsource their IT solutions to a third party as software-as-a-service (SaaS) must also manage availability and disaster recovery risks. When evaluating contracts with SaaS providers, the organization should evaluate the service level agreements (SLAs) that the service provider is guaranteeing. Normally this will include 98% up-time provided over an annual period. This allows the SaaS provider to perform maintenance on its solutions, as well as to absorb the occasional unplanned outage. In addition, organizations should consider data backup services as part of evaluating SaaS providers. Does the provider perform data backups as part of the standard service package, or are there additional costs? The organization may want to perform its own backups of the data for long-term archival, at which point it should look into how the SaaS provider allows data to be extracted from its solutions as a bulk data export.
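As an added illustration (this is not part of the article, and not a Baker Tilly or vendor tool), the following Python script turns an uptime SLA such as the 98% annual figure above into a downtime budget and checks a constructed outage log against it. The provider, the contract year and the outage windows are hypothetical sample data; the script also clips outages that straddle the measurement period, which is a common source of disputes when an SLA is reconciled.

```python
"""Added example: evaluate a SaaS provider's measured availability against an
uptime SLA. The outage log below is constructed sample data for a hypothetical
provider, not real incident records."""
from datetime import datetime, timedelta

# SLA figure discussed in the article: 98% uptime measured over an annual period.
SLA_UPTIME_PERCENT = 98.0

# Hypothetical contract year used as the measurement period (assumption).
PERIOD_START = datetime.fromisoformat("2023-01-01T00:00:00")
PERIOD_END = datetime.fromisoformat("2024-01-01T00:00:00")

# Constructed outage log: (start, end) in ISO 8601, same clock as the period.
SAMPLE_OUTAGES = [
    ("2023-02-10T02:00:00", "2023-02-10T06:00:00"),  # planned maintenance, 4 h
    ("2023-05-22T14:15:00", "2023-05-23T09:45:00"),  # unplanned outage, 19.5 h
    ("2023-09-03T00:00:00", "2023-09-07T12:00:00"),  # major incident, 108 h
    ("2023-12-31T20:00:00", "2024-01-02T08:00:00"),  # straddles year end; only 4 h count
]


def allowed_downtime(sla_percent, period_start, period_end):
    """Downtime budget implied by an uptime percentage over the given period."""
    period = period_end - period_start
    return period * (1 - sla_percent / 100)


def total_downtime(outages, period_start, period_end):
    """Sum outage durations, clipping each window to the measurement period so
    that time outside the contract year is not counted against the provider."""
    total = timedelta()
    for start_s, end_s in outages:
        start = max(datetime.fromisoformat(start_s), period_start)
        end = min(datetime.fromisoformat(end_s), period_end)
        if end > start:  # windows entirely outside the period contribute nothing
            total += end - start
    return total


def evaluate_sla(outages, sla_percent, period_start, period_end):
    """Compare consumed downtime with the budget and report whether the SLA held."""
    budget = allowed_downtime(sla_percent, period_start, period_end)
    used = total_downtime(outages, period_start, period_end)
    period = period_end - period_start
    achieved = 100 * (1 - used / period)
    return {
        "budget_hours": budget.total_seconds() / 3600,
        "downtime_hours": used.total_seconds() / 3600,
        "achieved_uptime_percent": round(achieved, 3),
        "sla_met": used <= budget,
    }


if __name__ == "__main__":
    for sla in (SLA_UPTIME_PERCENT, 99.9):
        result = evaluate_sla(SAMPLE_OUTAGES, sla, PERIOD_START, PERIOD_END)
        print(f"SLA {sla}%: {result}")
```

Running the script with the sample data shows why the SLA number deserves scrutiny: a 98% annual guarantee permits 175.2 hours (7.3 days) of downtime per year, so the constructed log, with 135.5 hours of outages including a 4.5-day incident, still satisfies it, while the same log would breach a 99.9% SLA (8.76 hours). The organization should compare the downtime budget the contract actually implies with the outage its business processes can tolerate, rather than treating any high-sounding percentage as adequate.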

Access controls and data encryption

When an organization makes the decision to use non-internally hosted solutions (whether through a co-location data center or through a SaaS provider), concerns arise about how access to the data and systems is managed as well as how the data is protected from accidental exposure.

When utilizing a co-location data center, the first consideration is determining how physical access is managed to the facility. Here are some questions to consider asking:

  • Does the service provider require pre-approval for all site visits?
  • Is a visitor log maintained and periodically reviewed?
  • Do they check IDs and require biometric access controls?
  • Do they perform background checks on their own employees?

These are all considerations the organization should review prior to selecting a co-location provider. Once the systems have been deployed at the co-location facility, certain security controls need to be implemented to maintain the security of the data stored there. These include managing logical access to the networking equipment and servers, encryption of the physical hard drives and encryption of the data on those drives. Organizations should remember that once they no longer maintain control over the physical devices their services are built on, maintaining control over the server and data layers becomes even more critical and complex.

The same level of scrutiny must be applied to access controls and data encryption when utilizing SaaS providers. Prior to executing a contractual agreement, the organization should understand how the SaaS provider manages access, as well as how the organization is expected to manage access for its own employees. Will access be provided using single sign-on (SSO), or will employees have to manage a separate username and password? Who will be responsible for maintaining employee access to the SaaS solution? How will administrative privileges be managed and are there additional levels of security that can be applied, such as multi-factor authentication?

Managing access is not the only important consideration. Since the SaaS solution is hosted and managed by a third party, data encryption is also very important. Organizations should consider whether data encryption services are provided as part of the standard package, or if additional costs are incurred to encrypt the data at rest. Is the data encrypted only while at rest in the production database or is data encryption also applied to data backup services provided by the SaaS provider? We often see encryption only applied to client services and not the back office operational services performed by the service provider.

Ongoing risk and compliance management

Organizations should implement ongoing risk management programs to continuously monitor and evaluate IT risks. Threats evolve, risk tolerance levels change, new regulations are passed, and businesses develop new service offerings – all of which require continuous re-evaluation and ongoing management.

Organizations that have outsourced IT services to co-location facilities or to SaaS providers should review those services for new risks on a periodic basis. The movement of a new critical service to a co-location facility could increase the impact of a service outage or loss of data. Storing sensitive personal information that falls under regulatory compliance obligations in a SaaS solution could increase the impact if that SaaS provider suffers a data loss. These risks should be monitored, documented and reviewed for new security controls or acceptance of the newly identified risks. 

In order to assist in ongoing risk and compliance management, most co-location facilities and SaaS providers undergo regular third-party audits and provide their customers with those audit reports. These audit reports include System and Organization Controls (SOC) 1 reports, SOC 2 reports, ISO 27001 certification, FedRAMP certification and the newly adopted Cybersecurity Maturity Model Certification (CMMC). Organizations should request and review these audit reports from their outsourced service providers on at least an annual basis, so that new risks are properly identified and any control gaps identified in those reports are evaluated for their impact on the organization’s services and security.

Successfully navigating the technology

The majority of services organizations provide to their customers, and employees, are supported by multiple levels of technology. Technology risks affect the availability and security of those services. New threats are being identified and exploited by attackers every day, with cyberattacks increasing at an exponential rate.

Many organizations have chosen to outsource IT-related services in order to transfer some of that responsibility and liability. However, in order to protect your organization from technology risks, you should understand the controls those outsourced providers put in place, as well as the expectations and responsibilities your organization must still manage. This is made easier by utilizing independent audit reports, such as SOC 2 reports, but in the end – every organization must manage its risks to a level that is acceptable to it. Baker Tilly’s knowledgeable cybersecurity professionals are prepared to assist your organization in understanding your risks and implementing solutions to mitigate those risks.


Brian Nichols
Director, CISSP