A Cloud Security Conundrum: Protecting Your Company from Third-Party Software Supply Chain Gaps

By Vrinda Khurjekar, Senior Director, AMER business, Searce

The sky is the limit for cloud migration as Gartner predicts that worldwide end-user spending on public cloud services is forecast to grow upwards of 25% in 2023, led by software-as-a-service (SaaS) as the largest public cloud services market segment, forecasted to reach $176 billion in end-user spending in 2022. The average number of SaaS applications used by organizations worldwide jumped from 16 in 2017 to 110 in 2021. In the last half-decade of rapid mass cloud adoption, tech businesses enjoyed a newfound sense of cybersecurity in dispensing with on-premises perimeters. However, in 2022, 45% of data breaches occurred in cloud services. With enterprises increasingly turning to public cloud, multi-cloud and hybrid cloud environments, securing third-party SaaS platforms will need to come of age swiftly to keep pace with increasingly sophisticated cyber criminals.

Software supply chain challenges in cloud environments

CISOs and other security leaders are already prioritizing securing their data and ensuring compliance in their cloud software supply chain. Thirty-eight per cent of business, technology, and security executives expect more serious attacks via the cloud in 2023. With so many third-party solutions in use, companies are most challenged by their lack of visibility into user data and activities and managing application configurations with consistency. Employing 10, 20, or 100 cloud solutions with virtual machines and various storage containers means a much wider attack surface to defend, numerous identity and admin privileges to manage, and greater potential for misconfigurations and unpatched 3rd party servers. The 2021 Volkswagen Group data breach exposing sensitive financial data involving 3.3 million customers was caused by one of its vendors, who left a storage service unprotected for almost two years.

Criminals attack the cloud from all directions

Many enterprises are still migrating to cloud services and must get up to speed on the inherent vulnerabilities present in cloud environments, primarily misconfiguration, insufficient identity access management security, insecure APIs and interfaces, and inadequate change controls. Ransomware, once a minimal threat in cloud environments, is growing rapidly in line with increasing cloud adoption. Distributed Denial-of-Service (DDoS) attacks are rising in which criminals attempt to block the company from conducting business and then extract relevant information. Meanwhile, martech and adtech companies provide numerous cloud tools to every big brand imaginable for digital advertising and marketing, which are proving to be the highest dataset and broadest spectrum of consumers that makes them fruitful targets for criminals. Financial services, education, manufacturing, and healthcare are sectors bearing the most losses at the hands of bad actors.

There’s money in hacking healthcare

Most experts name the financial and healthcare industries as the most vulnerable to data breaches. Attackers are swarming to healthcare organizations to harvest personally identifiable identification (PII) data and to financial institutions to capture valuable financial data. For the 12th year in a row, healthcare had the highest average data breach cost of any industry, at $10.10M in 2022. Hospitals now in the midst of digital transformation are a prime target for cyber villains. Some hospital administrators store all their X-rays in one location and often use two third-party vendors to send X-ray data in a digital format. Plus, they call upon external machine learning vendors to help make advances like predicting cancer five years earlier than we can today, which is great. However, if they haven’t vetted the receiving entities’ security posture, how they host their applications and how they run their models, hospitals are exposing their patients and themselves to highly sensitive risks.

Third-party vendor’s responsibility or my responsibility?

When a tech company adds another cloud vendor to its software supply chain, its buyer may assume the liability rests with the SaaS provider to make sure their environments are properly controlled. Although tech companies and cloud providers are engaged in a shared responsibility model (customer’s responsibility + service provider’s responsibility), it is sensible for security leaders to adopt a more authoritative mindset, since ultimately it is their sole responsibility to safeguard a company’s data and identities, devices and applications. And the reputational and financial damage will fall squarely on the company instead of its vendors.

Scrutinize cybersecurity when shopping for third-party vendors

The fact is that, while they should, all enterprises fail to run cybersecurity risk assessments on each and every SaaS they onboard. Given the setups and the nature of the accesses that are inherently granted to third-party vendors, there is a lot less clarity on where security gaps can be for an organization. It can be especially tempting for a startup or early-stage cloud native company to focus on acquiring customers, building a cost-effective tech stack, and raising the next round of funding first, and then think about how to secure the organization’s data assets later. For small and medium sized businesses, a data breach and the subsequent business interruption can be potentially catastrophic. Rigorous vetting standards should be normalized for every enterprise that is onboarding a third-party vendor. They should scrutinize a third-party vendor’s security posture as much as they scrutinize the cost and the quality of the offerings.

Avoid a set-it-and-forget-it vendor security approach

In addition to the intensive vetting of third-party cloud solutions’ cybersecurity posture during the purchasing process and risk assessments during the onboarding process, CISOs should also endeavor to avoid a set-it-and-forget-it approach. Lot of enterprises have recently started thinking more about software supply chain security vigilance, but they’re not yet performing it actively. They implement no alerting or monitoring tools until some incident has already happened. They should identify and track all third-party cloud software, conduct periodic reviews of the third-party resources to remove unnecessary products, and revoke access or permissions as needed. Since cloud technology is advancing at a furious pace, quarterly security reviews, just like quarterly business reviews, should become the norm in the c-suite. Even after purchase, SaaS vendors are going to keep adding new modules and new offerings, which may require new security standards to stay current with the technology. Finally, as the Cloud Security Alliance recommends, CISOs should do regular penetration-testing of applications, use secure coding practices, and use static and dynamic application security testing solutions.

Governance of the entire vendor journey

About 94% of enterprises now use cloud services for virtually all business functions, from human resources and customer relations to supply chain management. CISOs should build different governance models for each stage of the vendor journey, from the buying stage to onboarding and implementation, and then on an ongoing basis. Company leaders can take a great first step in securing cloud software supply chains by ensuring their own security posture meets the modern standard, because cybersecurity frameworks from 2005 or 2010 will not protect against today’s threats nor will they meet regulatory standards, no matter how robust a vendor’s posture. Many forward thinking CISOs and CTOs are enforcing their third-party vendor security standards by building in, for example, three-month benchmarks into the contracts, no matter how essential a particular software might be for their go-to-market plans. In some cases, we’ve observed that these third-party providers aren’t refusing to fortify their security posture. Many times, they either don’t know the best route or they’ve just not yet been compelled or even asked to follow through.

About the Author

Vrinda Khurjekar – Sr. Director – AMER Business – Searce. A genuine problem solver at heart, a compassionate listener and a trusted client partner, Vrinda Khurjekar is the Sr. Director – AMER business at Searce leading the AMER region. A techie turned business leader, Vrinda is passionate about driving technology-led transformation and helping businesses futurify by leveraging the latest technologies. Vrinda has been in various roles over the last 14 years at Searce, is a Happier Culture ambassador at Searce and a core member of the Searce global exec team. Vrinda has personally participated in leading many large clients through their digital transformation journeys. Vrinda believes in the power of customer empathy, listening to clients & partners & being a trusted partner to anyone she works with.

Vrinda can be reached at: https://www.searce.com/.