The move to cloud dramatically increases dependency on third-party software and cloud services. This introduces new and significant security, regulatory, and operational risks. Unfortunately, many organizations lack the tools and visibility to know whether third-party SaaS, cloud services, and microservices expose them to data loss, compliance failures, or other business liabilities. And with only two percent [1] of organizations identifying and monitoring all of their subcontractors, it comes as little surprise that 80 percent [2] of organizations have suffered a data breach originating in their vendor ecosystems.


Third-Party Software Saturation

Organizations increasingly rely on an expanding ecosystem of third-party software to broaden their capabilities and expand their reach. A recent study found that a typical organization has more than 1,900 unique cloud services [3] in use. Yet 90 percent of third-party code [4] is out of compliance with the OWASP Top 10. Even businesses that follow security and risk blueprints often don't know whether their third-party software, and the dependencies that software pulls in, follow suit. And when organizations merge third-party cloud stacks with their own or share data with external resources, exposure to security, regulatory, and operational risk is practically unavoidable.

But whatever the challenges, third-party software risk has to be managed.


The Three Keys to Managing Third-Party Software Risk in Cloud

These are the three primary keys to getting the risks of third-party cloud software under control:

  • Extend comprehensive defense-in-depth cloud policies to third-party SaaS and cloud resources, not only to first-party infrastructure.
  • Assess third-party SaaS and cloud software continuously at runtime, so that risk introduced by configuration drift, cyberattack, vendor updates, and human error is caught between scheduled reviews rather than discovered at the next audit.
  • Prove third-party compliance with a system of record: a verifiable, auditable database from which third-party risk can be reported as it stood at any point in time.


Manage Third-Party Software Risk with Concourse Labs

With Concourse Labs, third-party software risk management is finally a reality. Now, organizations can establish policies as code and test third-party systems for compliance with those policies instead of relying on contracts, questionnaires, and unstructured data. They can perform third-party assessments continuously instead of periodically and simultaneously create an immutable historical record of third-party software risk posture for auditors and the Board. Governance is thus transformed from a trust-and-sometimes-verify model to never trust and always verify.
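The three mechanisms described above (policies as code, continuous assessment that surfaces drift, and an immutable historical record) can be illustrated in a few dozen lines. The following is an added example written for this page, not Concourse Labs code or any product's API: it encodes four constructed policy rules as executable predicates, evaluates two constructed snapshots of a hypothetical vendor's configuration, reports which rules changed state between them, and appends each result to a hash-chained ledger that fails verification if any past entry is altered. The policy IDs, field names, vendor name and timestamps are all invented for illustration.

```python
"""Policy-as-code assessment of a third-party service with drift detection
and a hash-chained audit record. Added illustrative example; all identifiers,
field names and snapshots are constructed, not taken from any real vendor."""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Policy:
    policy_id: str                   # constructed ID, not a real control number
    description: str
    check: Callable[[dict], bool]    # returns True when the snapshot complies


def _tls_version(cfg: dict) -> Tuple[int, ...]:
    # "1.2" -> (1, 2); a missing value parses as (0,), which fails the check
    return tuple(int(x) for x in str(cfg.get("tls_min_version", "0")).split("."))


# Policies as code: each rule is a predicate over the vendor configuration
# snapshot, so compliance is tested rather than attested in a questionnaire.
POLICIES = [
    Policy("TP-ENC-01", "Customer data encrypted at rest",
           lambda c: c.get("encryption_at_rest") is True),
    Policy("TP-TLS-01", "TLS 1.2 or newer required",
           lambda c: _tls_version(c) >= (1, 2)),
    Policy("TP-IAM-01", "MFA enforced for vendor-side administrators",
           lambda c: c.get("mfa_enforced") is True),
    Policy("TP-NET-01", "No publicly readable storage",
           lambda c: not c.get("public_buckets")),
]


def evaluate(snapshot: dict) -> Dict[str, bool]:
    """Return {policy_id: compliant} for one snapshot of a third-party service."""
    return {p.policy_id: bool(p.check(snapshot)) for p in POLICIES}


def drift(previous: Dict[str, bool], current: Dict[str, bool]) -> Dict[str, tuple]:
    """Policies whose compliance state changed between two assessments."""
    return {pid: (previous.get(pid), current.get(pid))
            for pid in current if previous.get(pid) != current.get(pid)}


class AssessmentLedger:
    """Append-only record of assessments. Each entry's hash covers the previous
    entry's hash, so editing or deleting any historical result breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, vendor: str, timestamp: str, results: Dict[str, bool]) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"vendor": vendor, "timestamp": timestamp,
                "results": dict(results), "prev": prev}
        digest = self._digest(body)
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


# Constructed snapshots of one hypothetical vendor service at two points in time.
SNAPSHOT_T0 = {"encryption_at_rest": True, "tls_min_version": "1.2",
               "mfa_enforced": True, "public_buckets": []}
# A later vendor-side change relaxed TLS and exposed a bucket: drift.
SNAPSHOT_T1 = {"encryption_at_rest": True, "tls_min_version": "1.0",
               "mfa_enforced": True, "public_buckets": ["vendor-exports"]}


def run_assessments() -> Tuple[AssessmentLedger, Dict[str, tuple]]:
    """Assess both snapshots, record them, and report what drifted."""
    ledger = AssessmentLedger()
    r0 = evaluate(SNAPSHOT_T0)
    ledger.append("example-vendor", "2024-01-01T00:00:00Z", r0)
    r1 = evaluate(SNAPSHOT_T1)
    ledger.append("example-vendor", "2024-01-02T00:00:00Z", r1)
    return ledger, drift(r0, r1)


if __name__ == "__main__":
    ledger, changed = run_assessments()
    print("drift since last assessment:", changed)
    print("ledger intact:", ledger.verify())
```

The point of the ledger is not cryptographic sophistication but that a reported risk posture "as of" a given date can be reproduced and checked later; in practice the chain head would be anchored somewhere the assessing system cannot rewrite (a write-once store, a signed release, or an external notary), which this example omits.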

Learn more about Concourse Labs and how we help organizations manage cloud risk, including the inevitable risks of relying on third-party cloud software.


[1] https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-EERM%20Report%20INTERACTIVE.pdf

[2] https://www.prnewswire.com/news-releases/bluevoyant-research-reveals-four-in-five-firms-have-suffered-a-cybersecurity-breach-caused-by-a-third-party-vendor-301136072.html

[3] https://www.mcafee.com/enterprise/en-us/assets/skyhigh/white-papers/cloud-adoption-risk-report-2019.pdf

[4] https://www.veracode.com/security/what-is-third-party-software-security