Cybersecurity is a broad topic, and there are many facets a company must understand to properly implement it in its business. This article is the second part in a series that will cover how to properly manage your risks in the cloud. Read part one.
Movement to third-party hosted solutions
As businesses have continued to focus on their core products and services, many organizations have found that the development of internal proprietary applications no longer aligns with their long-term strategic goals or objectives. Several organizations began to transition on-site data centers to co-location facilities so that the organization could offload the day-to-day management of physical IT assets. Next, organizations chose to outsource the technical staff managing the day-to-day operations to contractors or third-party service providers. Now the final transition away from internal IT services is underway as more organizations adopt third-party hosted solutions such as Microsoft Office 365 or Salesforce.
This transition to third-party hosted solutions has left many organizations with minimal internal IT services. The IT services that remain are usually centered on managing end-user computers, providing stable in-office network connectivity and managing user access to third-party hosted solutions. Costs have shifted from internal headcount to ongoing service contracts, as many organizations no longer have internal application development teams. However, while resources and costs have shifted, many of the risks remain.
Security risks and end-user responsibilities
While an organization can outsource its IT services, the organization still retains many of the risks related to those services.
Availability and disaster recovery
Organizations that outsource their IT operations to a co-location data center may believe they no longer need to be concerned about the availability or management of basic services such as network connectivity or power supply; however, the organization should perform a due diligence effort before accepting that those risks have been appropriately managed. The organization should review the co-location’s disaster recovery capabilities, including the use of redundant internet suppliers, the use of a power generator and the use of uninterruptible power supplies (UPS), to ensure risks to the availability of data center infrastructure have been mitigated. Additionally, the organization should review the co-location’s processes to manage physical access to its facility to reduce the risk of accidental actions that may cause a loss of power and network connectivity.

