In February, security researchers reported that Walmart vendor Limogés Jewelry exposed confidential data, such as names, addresses, zip codes, phone numbers, email addresses, and passwords from over 1.3 million customers. Worse, the data also contained numerous records for other retailers such as Amazon, Overstock, Sears, Kmart, Target and others
The exposure involved a database stored in a publicly accessible Amazon S3 cloud bucket which was left accessible after January 13th of this year. In addition, internal mailing lists, payment information, promotional codes, order information and encrypted credit card data were also exposed. Some of the records went as far back as 2000.
The database has since been secured by Walmart, but there is no assurance that the data it contained has not been stolen and utilized. The chief communication officer for Kromtech, the company whose researchers discovered the breach wrote:
"The negligence of leaving a storage bucket open to the public after the publication of so many other vulnerable Amazon s3 buckets is simple ignorance. Furthermore, to store an unprotected database file containing sensitive customer data in it anywhere directly online is astonishing, and it is completely unfathomable that any company store passwords in plain text instead of encrypting them."
This issue emphasizes a key concept when it comes to data security. No matter how comprehensive, detailed or successful your own security practices may be, once you hand data off to a third-party affiliate your controls become meaningless. This literally places your company reputation and success in someone else's hands.
How to reduce third party risk
Reducing third-party risk depends on appropriate vendor selection. Vet all potential vendors to ensure they have share the same values as your organization when it comes to data privacy and risk management.
Tim Erlin, VP, product management and strategy at cybersecurity firm Tripwire, feels that protecting customer data from exposure doesn't require the latest security tools. "Ensuring that systems are secure when deployed and monitoring them for changes is part of doing the basics right," he said. "Those security basics apply as much to the cloud as the data center."
He acknowledged, however, that technical controls are difficult to impose on third parties and stressed the importance of contractual agreements. "It's vitally important that suppliers and third parties that will be handling sensitive data not only agree to protect that data, but also be able to demonstrate that they are doing so," he said.
Erlin recommends contractual agreements that not only specify data protection but also a standard for measuring that effort. There are many security standards available in the market to choose from, such as those from the Center for Internet Security or the NIST 800-53 standard.
Where possible, contractual agreements should also involve indemnification of your organization should the vendor suffer a breach.
Standards are a key factor to ensure compliance. If your organization is governed by PCI, HIPAA, SOX or other standards, those should also be enforced and monitored among and third party vendors with whom you share data.
SEE: Hiring kit: IT vendor manager (Tech Pro Research)
It's also worth looking into obtaining Service Organization Control (SOC) audit reports to ensure vendor compliance. These are available in what is termed SOC1 and SOC2. A SOC1 report is the more basic option and analyzes and records internal controls over financial reporting. The more comprehensive SOC2 report will contain details regarding an organization's security, availability, processing integrity, confidentiality and privacy. SOC2 reports can best help ensure third party vendors are playing by the rules.
There are two kinds of SOC reports: Type 1 and Type 2. Type 1 is a single glance report that shows the status of organization controls as of a specific date. A Type 2 report covers a period of time (such as a year or less) to establish how controls have operated over that timeframe. A Type 2 report is the way to go for the best assurance that controls are working as expected.
If you decide to start requiring SOC reports make sure they cover all areas where a third-party vendor might store or process data, whether internally or externally to their premises. On-premises data centers should provide information on the report on the physical and environmental controls as well as security-related configurations.
If you aren't willing or able to obtain SOC reports, it's still possible for you to conduct your own periodic audits upon third party vendors. Also make sure that your company documentation outlines which data is stored where and share the bare minimum amount of data needed for third-party vendors to align with your business (the ideal scenario would be retaining the data on your systems and allowing them access to it, rather than handing it off if you can avoid that). Strong ongoing communication with the vendor(s) is also a key factor in keeping up to date with their practices and operations, to avoid a "set it and forget it" mindset which can lead to negligence.
Last but not least, I speak from experience when I state that where possible a physical face-to-face meeting and data center or server room tour with a third party vendor can work wonders in establishing trust and reliability. It builds personal relationships and can assist in verifying that security specifications are up to your company's standards.
- Nearly 50% of organizations willing to pay extra for security guarantee from cloud vendors (TechRepublic)
- 6 ways to prevent shadow IT by offering vendor management services (TechRepublic)
- 4 tips for improving your company's vendor relationships (TechRepublic)
- Vendor Security Alliance scales up efforts, aims for faster vendor vetting (ZDNet)
- UpGuard intros risk mitigation platform to boost vendor oversight (ZDNet)
- Is it time to have that confrontational meeting with a poor vendor? (ZDNet)
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.