Facilitating Partner Onboarding with an Eye Toward Security
By Ray Kruck, CEO and founder, Tugboat Logic
Third-party risk continues to be a significant problem for companies. A company having done its own security due diligence says nothing about whether its partners have done theirs. The SolarWinds compromise is a prime example: customers inherited a breach through a trusted vendor's software update channel.
For startups and smaller businesses partnering or merging with larger companies, it is a mistake to assume that the larger partner has taken care of all things security, or that its "one size fits all" security requirements will not over-scope the smaller company's compliance burden. Make absolutely sure on both counts, and do not let yourself be pressured into assuming more of the risk than you should.
Smaller businesses must also take responsibility
It can be tempting to take a head-in-the-sand approach rather than conduct your own vendor risk assessments, because they are a significant burden. But sooner or later you will probably have to do them, especially if you pursue a SOC 2 or ISO 27001 attestation.
Attestations like these require your company to perform a vendor risk assessment for every vendor you have integrated with, whether you are a 100-person startup or a two-person company.
Many smaller businesses and startups instead rely on their cloud infrastructure provider to have covered all of this. But if you go for an attestation, even a lighter one that is not a full, audit-ready certification like SOC 2 or ISO 27001, you will have to gather a minimum amount of information to complete a basic vetting of your partners. With Amazon Web Services (AWS), for example, that means obtaining the provider's published security and compliance documentation (AWS makes its audit reports available to customers on demand through AWS Artifact) and using it to verify the security of the infrastructure you are building on. That material can be hard to follow, and it can be tricky to know what to gather and what constitutes enough. One caveat to keep in mind: under the cloud shared responsibility model, the provider's reports cover the provider's controls, not how you have configured your own accounts, identities and workloads; that part of the evidence has to come from you.
The good news is that the major cloud providers know this is a requirement, so they now put this information front and center for customers. That was not the case a few years ago.
Key considerations for third-party partners and security
For the business working with a partner (or merging with a larger company), it is key to take the time to answer these questions:
- What data will I be sending to, and receiving from, this third-party solution, and how sensitive is it?
- Which solutions am I using within my own company that form part of the service I deliver to my customers?
- What am I putting into my customer's network (for example, agents, connectors or credentials)?
- What stays inside my own application?
Next, figure out how to take advantage of the security services already available from these cloud providers, especially the big three: Google Cloud Platform (GCP), AWS and Microsoft Azure. They already provide a large number of security controls for SMB customers (identity and access management, logging, encryption, network segmentation), but most SMBs either leave them unused or configure them incorrectly.
On the third-party risk management side, however, there is a movement among large companies to shift as much risk as they can onto their supply chain. Startups and SMBs can end up with onerous contractual obligations under which, if anything goes wrong, the smaller company is on the hook for it.
Startups need to watch out for having all of the onus placed on them when they partner with a larger party. As the smaller, newer company, you need to be ready at a moment's notice to provide proof of your security posture or to let the larger company audit you. This process should be close to seamless, and you should show them only what they really need to examine, nothing extraneous that might give a false impression. Many companies fail to reach even a basic level of preparedness, and that invites further investigation by the partner.
Take advantage of the services your cloud provider offers for security and for application hosting resilience. When integrating third-party services into your own application, do not concentrate resources and investment on the go-to-market side alone; budget for the technical integration side too. What many companies do instead is buy a few extra services from the large vendor, as in, "Can I just buy X hours of support services to manage the integration project?"
Treat your partner integration project like any other IT project, with defined milestones, deliverables and dependencies accounted for in the project scope. Decide whether you need an integration outsourcing partner to improve the odds of a successful joint development effort. Set aside 10% to 20% of the cost of the partnership for integration services. That way you get prioritized help; if you rely only on your platform partner, you may not.
Understand the fine print
This may be obvious, but it still gets overlooked: read the fine print of your partner agreement. Whatever data flows through the partner's API, and however it is handled in each direction, assume that if anything ever goes wrong, and it can, you will likely get the blame.
That is why due diligence matters so much. Examine every API integration with a third-party service, large or small, and treat each one as a path an attacker could exploit.
If there is a vulnerability, you are the one who gets the short end of the stick: you will be on the hook for accounting for it and explaining it, and in some cases it can destroy your business, your business model or the quality of your solution. So understand what you are signing up for, understand how committed your company must be to that integration, and treat integrations seriously.
Built-in due diligence
At a fundamental level, every business must control its third parties and the risks they present to its information security requirements. Compliance and security are therefore key factors when onboarding new technology integration partners. Apply the practices above when engaging with a partner, and use them to build third-party due diligence into your security program.
About the author
Ray Kruck is founder and CEO of Tugboat Logic, Inc. He has a 24+ year enterprise security career with executive leadership roles in corporate development, marketing and sales at several leading firms, including Check Point Software, Proofpoint, Websense and Voltage Security. In 2011, Ray co-founded Nexgate with a breakthrough platform to help brands discover, monitor and secure their social presence. Nexgate was acquired by Proofpoint (NASDAQ: PFPT) in 2014 as its largest acquisition to date. After Nexgate, Ray co-founded Pointgrey Partners, an early-stage venture investment firm focused on deep technology plays that drive competitive disruption in the enterprise and life science markets. Ray enjoys mentoring other startup ventures through his participation as an Associate in Canada's leading technology venture mentorship program, Creative Destruction Lab. In 2017, Ray founded and became CEO of Tugboat Logic Inc., a security assurance platform that leverages advanced technology and embedded guidance to automate and simplify security management. Tugboat Logic helps clients prove compliance and transact more effectively. To date, the company has raised over $15M in venture capital and leads its market with more than 400 enterprise clients and over 20 strategic audit and solution partners worldwide.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.