In the tech industry, collaborations, integrations, and interconnectivity are standard practice. It would be great if your app could be everyone’s one-stop solution, but that would be resource-intensive and inefficient. You’d also be missing out on many great advantages and features of other fantastic platforms. Partnerships help companies fill in gaps, speed time to market, and often provide the best experience to their customers within a more efficient timeframe and budget.
However, one notable caveat is that partnerships and integrations also increase the security risk you have to manage. By integrating more platforms to enhance your core technology base, you potentially compromise the security of your own platform—and really should expand your security program accordingly.
Recent posts in our 3-part blog series on Risk Management covered supplier risk management and how subcontractors contribute to your digital supply chain’s complexity. In this final installment, we’re turning the spotlight to platform partners and their security risks. Learn how to leverage supplementary technology without jeopardizing your system’s integrity.
What’s a platform partner?
Platform partners provide you with various solutions to support your product development and customer experience needs. Examples include cloud computing providers, code repositories, API providers, data exchanges, and SaaS partners.
These partnerships serve various purposes, such as extending functionality, tapping submarkets, avoiding single vendor lock-in, growing the customer base, and building market share.
As growth-oriented as these goals may be, platforms leave many security elements outside the control of customers and partners—or even able to evaluate directly. Platform providers are responsible for ensuring their physical data center security, network security, and compute-level security.
Whether you’re a software partner or customer of one, pay close attention to your platform partners’ security practices, additional security controls, and auditing procedures. As we see it, it’s the best course of action to ensure that your security program remains as robust as possible—even when you don’t have direct access to your partners’ security controls protecting underlying technologies.
Security vs. compliance: Their significance in platform partnerships
In our previous installments, we discussed how security and compliance sometimes overlap. But while both protect your platform integrity, they’re not the same entirely.
Security refers to the safeguards that prevent unauthorized users from accessing your company’s assets, whether through a breach, leak, or cyberattack. Strengthening security is often a shared responsibility between you and your tech partner.
Many platform providers publish guides explaining how responsibilities are divided under a “shared responsibility model.” To cover your lane, ensure you fully grasp your product security posture end-to-end, including integrations. Data sharing requires additional security measures as well.
The shared responsibility model is nuanced and specific to each solution. Maintaining organizational accountability while platform partners fulfill their key responsibilities requires transparency, collaboration, and vigilance. Responsibilities also differ based on the type of service delivered. Case in point: cloud security is different from data center security.
Compliance, on the other hand, involves meeting standards mandated by third-party regulatory bodies. Standards are often established according to best practices and legal requirements. By creating guidelines and frameworks, third-party institutions protect various data types and consumers’ rights.
Expect a reputable platform provider to have a comprehensive set of compliance reports available upon request. Compliance reports usually cover the platform providers’ responsibilities and any use of sub-service providers or integrations.
Seek these compliance reports periodically. Most providers furnish their credentials online, but access to reports may require a non-disclosure agreement or some other type of customer relationship. You can start your due diligence as soon as you have them in hand.
Using the NIST Cybersecurity Framework to secure your system
Aside from fulfilling your end of the bargain by upholding the shared responsibility model, you can layer your platform’s protection using security frameworks.
Aquiva Labs uses this process, particularly the NIST Cybersecurity Framework, to determine what our platform provider’s assurances cover and where we need to strengthen our internal controls. Seventy percent of IT and security organizations consider it a best practice.
From our perspective, NIST IR 8374 offers an excellent and practical tool for assessing an organization’s end-to-end security readiness. You can evaluate your organization’s preparedness for ransomware attacks and overall security posture. While ransomware is only one type of attack, NIST IR 8374 details the right areas to focus on for many organizations, laying a solid foundation.
For instance, NIST IR 8374 provides specific controls for each NIST Framework’s function. For each of these cases, it’s essential to understand what the platform partner covers and what the subscriber is responsible for:
1. Identify
Understanding your organization’s vulnerability and security posture is essential to reducing corporate risk. As such, it’s logical to start there. It’s presumably safe to rely on your partners’ internal controls to inventory and safeguard physical assets, but it’s prudent to inventory and protect the platforms and applications you configure.
2. Protect
This function helps you defend against cyber threats proactively. Under Protect, the platform provider’s data centers monitor and control security, but you’re still responsible for remote access and management.
3. Detect
The Detect function enables the timely discovery of cybersecurity events. It allows you to allocate the right technology, processes, and personnel to deal with security incidents. Your platform partners will provide excellent tools and alerts, but you need a team (or third-party partners) to receive, process, and respond to those alerts.
4. Respond
The Respond function involves proactively developing plans, such as an Incident Response Plan, to mitigate the impact of a potential cybersecurity incident. It also includes regular checks on the plan’s effectiveness.
5. Recover
The Recover function assists in restoring normal operations following a security incident, but the process depends on the type of attack.
The implementation of this framework requires continuous learning. We encourage organizations to apply lessons learned and iterative updates to all five functional areas as they test their controls and their systems evolve.
Build stronger platform partnerships
Platform partnerships play a crucial role in strengthening your digital supply chain, but they can impact your security posture, create risk, and potentially harm your brand if not carefully vetted. Ensure there are no weak links by adhering to security and regulatory requirements, implementing cybersecurity frameworks, and sharing responsibility for data protection.
Is it time to re-evaluate your security risk management strategy?
What steps can you take to protect your business better? Let’s talk. We can guide you through our security risk management assessment framework—or teach you how to design and implement your own.