By Ray Kruck, CEO and Founder of Tugboat Logic
External risk is still a significant problem for companies. The fact that a company has done its own security due diligence does not mean its partners have done theirs. The SolarWinds case is a prime example of this.
When collaborating or merging with larger companies, start-ups and smaller companies cannot assume that the larger partner has taken care of every security aspect, or that its "one size fits all" approach will not add to their own security compliance burden. It is important to err on the side of caution, and that includes not being pressured into accepting more risk than you can carry.
Smaller companies also have to take responsibility
It can be tempting to take a head-in-the-sand approach rather than doing your own risk assessments of providers, because those assessments can be a significant burden. But sooner or later you will likely have to do them, especially if you want to obtain SOC 2 or ISO 27001.
Common attestations like these require your company to conduct a supplier risk assessment for every supplier you have integrated with, whether you are a 100-person startup or a two-person company.
Many smaller businesses and startups instead rely on their cloud infrastructure providers to have all of this covered. But if you do decide to pursue certification, or even a lighter review that is not a full, auditable certification like SOC 2 or ISO 27001, you need to gather a minimum of information in order to review your partners thoroughly. For example, you may need to go to Amazon Web Services (AWS) and download or access its publicly available security and compliance documentation to verify the security of the infrastructure you run on. That material can be hard to navigate and hard to interpret; knowing what to collect, and how much is enough, is difficult.
The good news is that the big cloud providers know this is a requirement, so they now make this information easy for customers to find. That was not the case a few years ago.
Important Third Party Partner and Security Considerations
For companies working with a partner (or merging with a larger company), it is important to take the time to answer these questions:
- What data will I collect or process through this third-party solution, and what data flows in and out of it?
- What solutions do I use in my own company that are part of the services I provide to my clients?
- What do I introduce into my customers' networks?
- What third-party data or components remain in my own application?
Next, you need to figure out how to take advantage of the many services these cloud providers already offer, especially the big three: GCP, AWS, and Microsoft Azure. These companies already provide an enormous number of security controls for SMB customers, but most SMBs either do not use them or use them improperly.
On the third-party risk management side, however, there is a movement among large companies to shift as much risk as possible onto their supply chain. This can saddle startups and small and medium-sized businesses with onerous contractual obligations; if something goes wrong, the smaller company is on the hook.
Startups need to be careful not to let the whole burden be placed on them when working with a larger party. As a smaller, newer company, you need to be ready at any time to prove your security posture or to be assessed by the larger company. This process needs to go reasonably smoothly, and you need to show them only what they genuinely need to examine, and nothing superfluous that could be misread. Many companies lack even a basic level of preparation, and that invites further scrutiny from the partner.
Use the services of your native cloud provider for security and resilience in application hosting. When integrating third-party services into your own application, focus not only on the resources and investment required for go-to-market, but also on the technical integration side. What many companies do is buy additional services from a large provider, as in "Can I just buy X hours of support services to manage the integration project?"
View your partner integration project like any other IT project, with defined milestones, services and dependencies accounted for in your project scope. Check whether you need an integration outsourcing partner to improve the odds of successful co-development. Budget 10 to 20% of the partnership cost for integration services; that buys you prioritized help, which you may not get if you rely solely on your platform partner.
Understand the fine print
This may be obvious, but it is often overlooked: read the fine print of your partner agreement. Depending on how you use the data that comes in through the partner's API and how data is handled in both directions, assume that if something ever goes wrong it can be treated as your fault, because it can be.
This is why it is so important to do your due diligence. Review every API integration with a third-party service, large or small, and understand that it could be exploited.
If a vulnerability is found, you are the one who loses out, for several reasons. You will be held responsible for the vulnerability and will have to explain it, and in some cases it can destroy your business, your business model, or the quality of your solution. So understand what you are signing up for, understand how much commitment your company needs to make to that integration, and take integrations seriously.
Inbuilt due diligence
Basically, it is imperative for any company to manage third parties and the risks they could pose to its information-security requirements. Compliance and security are therefore key factors when onboarding new technology integration partners. Consider the best practices above when working with a partner, and use them to build third-party due diligence into your security program.
About the author
Ray Kruck is the founder and CEO of Tugboat Logic, Inc. He has a career in enterprise security spanning more than 24 years, with senior leadership roles in corporate development, marketing and sales at several leading companies including Check Point Software, Proofpoint, Websense and Voltage Security. In 2011, Ray co-founded Nexgate, a groundbreaking platform that helps brands discover, monitor, and secure their social presence. Nexgate was acquired by Proofpoint (NASDAQ: PFPT) as its largest acquisition in 2014. After Nexgate, Ray co-founded Pointgrey Partners, an early-stage venture investment firm focused on deep-tech strategies that drive competitive pressures in the enterprise and life science markets. Ray enjoys mentoring other startup companies through his participation as an associate in Canada's premier technology venture mentoring program, the Creative Destruction Lab. In 2017, Ray founded and became CEO of Tugboat Logic Inc., a security assurance platform that leverages advanced technology and embedded guidance to automate and simplify security management. Tugboat Logic helps customers demonstrate compliance and conduct transactions more effectively. To date, the company has raised over $15 million in venture capital and is a global leader with more than 400 corporate clients and over 20 strategic audit and solution partners.
The views and opinions expressed herein are those of the author and do not necessarily reflect those of Nasdaq, Inc.