3 Golden Rules of Modern Third Party Risk Management – DARKReading | Region & Cash

SaaS-to-SaaS integrations are a staple of modern enterprise Software-as-a-Service usage, and adoption of third-party services is scaling rapidly to keep pace. Malicious actors are not lagging behind: they have recognized how profitable these integrations are as a route to steal or misuse corporate resources, or to cause their loss.

Traditional third-party risk management (TPRM) solutions were adopted to streamline and automate compliance processes. Recent supply chain breaches, such as the abuse of third-party OAuth tokens that affected GitHub customers, show how threats grow as SaaS usage scales. Risk assessment and the management of third parties must therefore evolve with business needs, and the cybersecurity community’s approach to these risks needs to change accordingly.

While TPRM solutions serve a noble purpose – evaluating the security of an organization’s vendors – their value stops there. A vendor could be considered healthy in terms of its security controls with a low risk score, but only as a standalone vendor and independent of its required integration and interaction with the organization and its valuable assets. Risk assessments, questionnaires, and aggregated data are time-consuming and costly to manage, and offer minimal value without the right context and holistic strategy to drive them.

Here are three key considerations to prioritize when evaluating and engaging third-party vendors:

Can you continuously assess their level of access and business impact risk?

Existing TPRM solutions typically lack the context needed to understand the scope and nature of SaaS-to-SaaS integrations with third parties. Given the dynamic nature of SaaS proliferation, this can pose enormous (otherwise avoidable) risks. As part of the onboarding process, companies need to be able to accurately assess critical elements of this partnership: Does the initial business impact assessment match the actual interaction with the vendor? Is the initial vendor evaluation aligned with the vendor’s granted permissions and organizational needs? Has the vendor relationship or business need changed over time?

TPRM questionnaires must be customizable and allow companies to assess and manage suppliers according to the business risk involved. Vendors that are critical to your business and require access to sensitive information, such as employee or customer data, should be evaluated using different parameters than when evaluating a lower-risk vendor.

Adding to this complexity is interconnectivity between providers. As the number of providers grows, so does the number of connections. Supply chain management requires deep insight into all vendors and the vendors associated with them. Without such accountability, a company can be hurt by a third-party integration it didn’t even know existed in its supply chain. For example, Salesforce may have third-party plug-ins that access sensitive data and personally identifiable information (PII) in Salesforce and therefore may pose a risk to an organization that uses Salesforce but is unaware that other vendors are connected to it. In such a case, the providers behind such plug-ins should be checked accordingly.

Do you have a supplier offboarding process?

This is a deceptively simple question with profound implications for third-party risk management. When an employee leaves the company, their permissions are revoked through a dedicated identity and access management (IAM) offboarding process, but there is no similar process for offboarding providers. To make matters worse, vendors are onboarded by multiple functions across the enterprise on a daily basis. Even if a TPRM evaluation is triggered, it is set and then forgotten, without the continuous re-evaluation needed as provider access drifts away from the initial setup.

What follows is a veritable vendor graveyard. Several vendors may have been onboarded during a previous vendor selection process: one was selected, but the other two remain inactive yet still associated with the organization, typically with high-privilege access that is never revoked. It’s important to note that even if you cancel your tenant on a provider’s platform, that doesn’t mean you’ve revoked the tokens it holds for your environment.

Most organizations fail to put in place the necessary processes that answer this important question: Is the vendor still used by the business unit? Without regularly reviewing your providers, their access rights, who is using them and how – you have no way of determining and assessing their risk.

Can your supplier risk processes scale to support a decentralized IT organization?

Today, in a modern organization with tens or hundreds of SaaS applications, IT is decentralized and end users, citizen developers and business owners are onboarding new third parties every day. The lack of continuous supply chain risk assessment as the organization becomes more decentralized makes initial supplier assessments irrelevant and outdated. As a result, security teams are increasingly unable to detect whether a vendor has changed its characteristics, whether its access to the enterprise has been expanded, or worse – whether it has been compromised.

Therefore, it is important to ask whether the vendor’s business impact has increased over time and whether a reassessment is needed. Manually assessing vendor permissions and integrations is impractical and quickly becoming irrelevant in an increasingly agile and dynamic SaaS environment. Add to this the lack of awareness on the part of users, and even system administrators, of the importance of updating assessments and ensuring they are aligned with current needs and requirements. The lack of a clear policy defining when and how vendor integration inventories should be conducted prevents sensible changes from being implemented.
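The offboarding and scale questions above both come down to one recurring control: periodically walk the inventory of SaaS-to-SaaS grants and flag integrations whose access has drifted from the original assessment, that are unused but still hold high-privilege scopes, whose vendor has been offboarded but whose tokens were never revoked, or whose authorizing employee has left. The following is an added example of such a review pass; it is not code from the article or from any TPRM product. The inventory records, scope names, privilege markers and the 90-day staleness threshold are all constructed assumptions; in practice the records would be exported from your identity provider's OAuth app registry and the scope vocabulary mapped to that provider's names.

```python
"""Periodic review of SaaS-to-SaaS integration grants (added example).

All records, scope names and thresholds below are constructed for
illustration and do not describe any real vendor or incident.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Substrings that mark a scope as high privilege (assumed vocabulary;
# map these to the scope names your identity provider actually uses).
HIGH_PRIVILEGE_MARKERS = ("admin", "write", "full_access", "directory.readwrite")

# Assumption: a grant whose token has not been exercised for this many
# days is a revocation candidate, not an active business need.
STALE_AFTER_DAYS = 90


@dataclass
class IntegrationGrant:
    app: str                      # the third-party integration
    vendor: str                   # the provider behind it
    scopes_granted: Set[str]      # what the token can do today
    scopes_assessed: Set[str]     # what the initial TPRM assessment approved
    last_used: Optional[date]     # None = token never seen in use
    owner_active: bool            # does the authorizing employee still work here?
    vendor_offboarded: bool       # contract or tenant cancelled on the vendor side?


def is_high_privilege(scope: str) -> bool:
    s = scope.lower()
    return any(marker in s for marker in HIGH_PRIVILEGE_MARKERS)


def review_grant(g: IntegrationGrant, today: date) -> List[str]:
    """Return the findings for one grant, in a fixed order."""
    findings: List[str] = []
    # Scope drift: permissions granted beyond what was assessed at onboarding.
    drift = g.scopes_granted - g.scopes_assessed
    if drift:
        findings.append("scope_drift:" + ",".join(sorted(drift)))
    # The "vendor graveyard": unused tokens that still carry high-privilege scopes.
    high = {s for s in g.scopes_granted if is_high_privilege(s)}
    stale = g.last_used is None or (today - g.last_used).days > STALE_AFTER_DAYS
    if stale and high:
        findings.append("stale_high_privilege")
    # Cancelling the tenant does not revoke the token on your side.
    if g.vendor_offboarded:
        findings.append("token_outlives_offboarding")
    # Nobody left to answer "is this still used by the business unit?"
    if not g.owner_active:
        findings.append("orphaned_owner")
    return findings


def review_inventory(grants: List[IntegrationGrant], today: date) -> Dict[str, List[str]]:
    return {g.app: review_grant(g, today) for g in grants}


def prioritize(report: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """Apps needing action, most urgent first (weights are assumptions)."""
    weight = {"token_outlives_offboarding": 5, "stale_high_privilege": 3,
              "scope_drift": 2, "orphaned_owner": 1}
    scored = []
    for app, findings in report.items():
        score = sum(weight.get(f.split(":")[0], 0) for f in findings)
        if score:
            scored.append((app, score))
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample inventory; fixed "today" keeps the review deterministic.
TODAY = date(2024, 6, 1)
SAMPLE_GRANTS = [
    IntegrationGrant("crm-enrichment", "VendorA", {"contacts.read", "contacts.write"},
                     {"contacts.read"}, date(2024, 5, 29), True, False),
    IntegrationGrant("legacy-analytics", "VendorB",
                     {"directory.readwrite.all", "reports.read"},
                     {"directory.readwrite.all", "reports.read"}, None, False, False),
    IntegrationGrant("pilot-chatbot", "VendorC", {"mail.read"}, {"mail.read"},
                     date(2023, 11, 14), True, True),
    IntegrationGrant("ticketing-sync", "VendorD", {"tickets.read"}, {"tickets.read"},
                     date(2024, 5, 31), True, False),
]

if __name__ == "__main__":
    report = review_inventory(SAMPLE_GRANTS, TODAY)
    for app, score in prioritize(report):
        print(f"{app:18} score={score} findings={report[app]}")
```

Run on the constructed inventory, the pass ranks the offboarded vendor whose token is still live first, the orphaned high-privilege grant second, and the active integration with scope drift third, while the healthy ticketing integration produces no finding. The weights and threshold are deliberately simple; the point is that each finding maps to one of the questions in the article and can be re-run on every inventory export rather than once at onboarding.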

Create space for change

A uniform, one-size-fits-all approach to third-party evaluation is a short-sighted, partial solution to a dynamic problem.

Providers vary in their essential purpose, with some geared towards low risk and others requiring access to personal or financial customer information which, if leaked, lost or stolen, could cause significant harm. Therefore, the security community needs to extend existing TPRM approaches to align with the vendor risk management lifecycle and ensure their effectiveness in securing SaaS-to-SaaS integrations in dynamic digital enterprises.
