Your past experiences with vendors and service providers might have painfully pointed out the importance of securing your organization’s supply chain for physical goods and services. But what about your digital supply chain?
When you think of cloud service providers as part of the digital supply chain, you can apply lessons learned to help ensure the resiliency of business processes that depend on cloud services. Cloud services present unique risks that must be evaluated on top of the risk attributes you may have already considered in third-party risk assessments of legacy vendors and service providers.
This means that you can’t stop at accrediting cloud service providers’ core cybersecurity control capabilities, commercial insurances (especially cyber liability coverage) and ongoing financial viability, as you’ve been doing for all vendors/service providers. Your cloud service provider review scope must expand to consider cloud-specific cybersecurity requirements. It must also place an even greater emphasis on cloud service providers’ business continuity and disaster recovery capabilities in concert with your organization’s own plans for supplementing (or replacing) cloud services when they unexpectedly become unavailable or constrained.
Any risk review should strive to assure you that implementing services won’t unacceptably raise your risk profile. If it could, then you need to map and implement additional controls required to reduce related risks to tolerable levels prior to the go-live date. Performing a risk review of cloud service providers is no different; make sure to benchmark their risk profiles against your own.
Finally, to ensure the confidentiality and integrity of the information being shared in the cloud, and to ensure the reliable ongoing availability of dependent business processes, make sure you also review cloud-specific risk attributes. These include data segmentation and partitioning, virtualization security, data sovereignty, and secure coding practices, among others. Take extra care when confirming the viability of associated recovery plans.
Next steps
- Classify the cloud service: Is it Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS)? Moving from SaaS to PaaS to IaaS is called moving “down the stack,” and the further down the stack your subscribed cloud service lies, the more responsibility you must take for the design, implementation and effectiveness of the associated cybersecurity controls. With SaaS the provider operates nearly everything below your data and user access; with IaaS you own the operating system, patching and everything built on top of it.
- Identify all essential service provider and user entity controls: Review the cloud provider’s assurance reports (for example, a SOC 2 report) to identify the controls the provider operates, and separately note the complementary user entity controls those reports say must exist on your side. The provider’s controls are only designed to be effective when you implement yours, so both sets are needed to protect the information you share into the cloud.
- Establish and benchmark the cloud service provider’s risk profile: Use your knowledge of the service provider and user entity controls to estimate the level of cybersecurity risk that information shared into the cloud will be exposed to. Measure this in the context of the information’s sensitivity and the strength of the controls, and benchmark it against the same information’s risk profile when it resides on your internal network.
- Emphasize continuity/recovery plan viability: Deep-dive both the service provider’s business continuity and technology disaster recovery plans, as well as your own. Any gaps or insufficiencies you accept will create weakness in your digital supply chain.