Keeping your Third-Party Service Provider in Line
Apr 8, 2011 5:00 AM PT
It seems that every time we turn around, another major security breach has occurred.
The latest was the data breach at Epsilon, which manages customer databases and provides third-party email marketing services to 2,500 corporate clients, including some of America's biggest firms.
That breach has led to the loss of client data at more than 50 major companies, including the Hilton hotel chain, Victoria's Secret and Verizon.
It could endanger millions of consumers, who can now be targeted directly by hackers using spearphishing techniques such as the one that successfully cracked the defenses of IT security giant RSA.
The potential fallout for Epsilon clients is huge. They could not only lose money, but also may suffer from bad publicity, lawsuits filed by angry consumers, and the scrutiny of authorities.
What can corporations outsourcing various services to third-party providers do to protect themselves -- or at least try to ensure that the best security tools available are being used to safeguard their customers?
The Epsilon Caper
It's not yet known how Epsilon's systems were breached; neither the company nor its parent, Alliance Data, is disclosing any details.
Epsilon posted a notification on its website April 1, stating that it had detected a breach of its email systems March 30, and that only email addresses and customer names were stolen.
On Wednesday, Alliance Data confirmed on its website that only customer names and email addresses were stolen from Epsilon's systems.
About 2 percent of Epsilon's total client base was impacted, Alliance Data said. Epsilon has about 2,500 clients.
Epsilon spokesperson Jessica Simon declined to comment further to TechNewsWorld on the issue.
Questions Raised by the Breach
Given that many corporations are outsourcing various services to cut costs, the breach at Epsilon gives rise to many questions, David Meizlik, director of product and marketing communications at Websense, told TechNewsWorld.
These include what controls Epsilon had put in place to protect its data, what controls it was contractually obligated to have in place, what data it had that it shouldn't have had, how the breach occurred, and how it was detected, according to Meizlik.
"These questions and many more will likely be the basis of many chief security officer discussions in the years to come," he remarked.
"Third parties like Epsilon don't ensure adequate protection," Ulf Mattsson, chief technology officer of Protegrity, told TechNewsWorld. "That became apparent when Epsilon declined to answer why the email addresses were not encrypted."
Wouldn't it have been prudent on Epsilon's part to have encrypted email addresses and client names on the off chance that its systems could have been breached? After all, the conventional wisdom among IT security professionals now is that it's not a question of if your systems will be breached, but when.
Perhaps Epsilon, like other third-party service providers, is doing just what's needed under the law, and it's the laws that need revision.
"The states here in the U.S. currently have data breach notification laws in place and do establish the need for encryption, but they fail to specify what type of encryption or other security measures are adequate," Mattsson pointed out.
That leaves things open to interpretation, with possibly disastrous results.
"An organization may believe that its security solution complies with various laws and regulations, only to find out after a security breach that this is not the case," Mattsson said.
Dealing With Service Providers
Companies outsourcing functions to third-party service providers should have service level agreements that ensure the data being shared is being protected by the strongest measures appropriate to the level of sensitivity of that data, Meizlik suggested.
Specific criteria for what that protection includes should also be defined as part of the agreement. Some service providers and cloud platforms let clients restrict access to their data, he said.
However, companies must first have controls in place in-house to ensure that only the right data is being exported, Meizlik warned. Further, they should conduct audits periodically and oversee security to ensure it's current.
Looking to the Payment Card Industry
Businesses could look to the Payment Card Industry Data Security Standard, or PCI DSS, for guidance, Protegrity's Mattsson stated.
Administered by the PCI Security Standards Council, PCI DSS adopts technologies such as tokenization, modern encryption approaches such as formatted encryption, and models for point-to-point encryption, Mattsson noted.
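The in-house export control Meizlik describes (make sure only the right data leaves for the vendor) and the tokenization Mattsson points to can be combined in one small gate. The following is an added illustration, not code from the article or from any of the companies it quotes: the record fields, the vendor allow-list, the consent flag and the tokenization key are all constructed for the example, and keyed HMAC is used as a stand-in for whatever token scheme a real provider would use.

```python
import hmac
import hashlib
import json

# Constructed sample of internal customer records (not real data).
INTERNAL_RECORDS = [
    {"account_id": "ACCT-000123", "name": "Jane Doe", "email": "jane@example.com",
     "card_last4": "4242", "balance": 1530.25, "marketing_opt_in": True},
    {"account_id": "ACCT-000456", "name": "John Roe", "email": "john@example.com",
     "card_last4": "1111", "balance": 20.00, "marketing_opt_in": False},
]

# Fields the hypothetical contract with the email vendor permits us to share.
VENDOR_ALLOWED_FIELDS = frozenset({"name", "email"})

# Fields that must never leave the organisation, whatever a contract says.
NEVER_EXPORT = frozenset({"account_id", "card_last4", "balance", "ssn"})

# Placeholder key for the example; in production it lives in a KMS/HSM, never beside the data.
TOKEN_KEY = b"placeholder-tokenization-key"


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, one-way token for an internal identifier.

    The vendor can use the token to report bounces and unsubscribes back to us,
    but cannot recover the account number without the key, which stays in-house.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def build_export(records, allowed=VENDOR_ALLOWED_FIELDS):
    """Return (exported_rows, rejected) for a vendor feed.

    Only allow-listed fields are copied, consent is checked per record, and the
    internal account id is replaced by a token.
    """
    # Contract review: catch a policy error before any data moves.
    forbidden = set(allowed) & NEVER_EXPORT
    if forbidden:
        raise ValueError(
            f"contract allows fields that must never be exported: {sorted(forbidden)}")

    exported, rejected = [], []
    for rec in records:
        if not rec.get("marketing_opt_in"):
            rejected.append((rec["account_id"], "no marketing consent"))
            continue
        row = {k: rec[k] for k in sorted(allowed) if k in rec}
        row["ref"] = tokenize(rec["account_id"])
        exported.append(row)
    return exported, rejected


def check_payload(payload: str, allowed=VENDOR_ALLOWED_FIELDS):
    """Egress check on the serialized payload just before it is sent.

    Returns the set of keys that are not permitted; an empty set means clean.
    """
    rows = json.loads(payload)
    permitted = set(allowed) | {"ref"}
    return {k for row in rows for k in row} - permitted


if __name__ == "__main__":
    rows, rejected = build_export(INTERNAL_RECORDS)
    payload = json.dumps(rows)
    print(payload)
    print("rejected:", rejected)
    print("violations:", check_payload(payload))
```

Two points of design: the allow-list check runs before any record is touched, so a contract that mistakenly names a forbidden field fails loudly rather than leaking, and the separate `check_payload` step sits on the serialized output so it also catches fields added by a later code change that bypassed `build_export`. The email address itself still leaves, because the vendor needs it to do its job; what the control removes is everything the vendor does not need.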
The PCI DSS standards "represent a good best practice set of criteria for industries where data protection is critical," Julian Lovelock, senior director of product marketing at ActivIdentity, told TechNewsWorld.
The PCI Security Standards Council has certified Quality Security Assessors to audit companies against PCI DSS guidelines.
Managing the User
Further, corporations should ensure that both they and their third-party service providers work to enforce security and help staff understand it better.
"Organizations trust internal people, but trust should not be a policy," warned Protegrity's Mattsson.
In addition to enforcing security rules, corporations should invest in training staff on security.
"Continuous, periodic training is the only way to bring down users' vulnerability and keep them at an acceptable level," Rohyt Belani, CEO at PhishMe, told TechNewsWorld.
That has to be combined with the technology to identify advanced malware and the ability to respond quickly to breaches, Belani added.