Downstream Exposure to Sensitive Information

These days, it is more and more common to use cloud, technology, and integration partners in our IT environments.  Consider the use of a cloud-software or application provider.  You me leverage these services to deliver your respective products and services or as a means of operating business.

Take, for example, a SaaS (Software as a Service) application that you use to conduct your business operations.  There is a high probability that you use a SaaS solution from a specific provider and, in turn, that provider does not directly host that application.  They may leverage a cloud provider, such as Azure or AWS to host the application.

Should we have a high confidence level that the downstream partners are providing a secure environment?  Most of the time, the answer is a resounding “yes”.  These types of companies are favorable because they have invested in a security infrastructure that is not easily achievable without significant investment.  The redundancies, monitoring tools, encryption, and other controls that are in place provide us an opportunity to share the risk on a platform that is proven and technologically advanced.

How can we be sure?

As an upstream customer to these services, we have elements of accountability in the protection of this information.  At the same time, however, we do not have the ability to personally and physically inspect or audit these providers.  So, we rely on our vendors to verify that the proper controls are in place and implemented.  There are some actions you can take:

1. Communicate with your direct vendor and discuss your security requirements. Verify that they are aware your obligations and that, between the multiple tiers of companies, those requirements are being addressed.
2. Develop a responsibility matrix that illustrates which organizations in the supply chain account for which security control requirements.
3. Request that your direct vendor obtain copies of the downstream partners SOC 2, ISO, PCI, FedRAMP or other industry recognized certifications. While this is not the same as conducting an inspection or audit yourself, it does demonstrate your vendor’s efforts at proper due diligence.
4. Periodically request updates on the downstream security posture. Regulations and the threat landscape are constantly changing and evolving.  Verify that the organizations with exposure to you and your customer’s sensitive information are addressing those changes in the environment.