What should data security look like with third party vendors?
Third party software vendors: what should data security look like?
Reports of data breaches have become more and more common in recent news. Data breaches are hardly unique to the higher education industry, but when they occur they understandably cause uncertainty among higher education providers.
Events such as the recent Canvas breach might lead anyone to ask: ‘Which third parties do we trust with our data?’
For us at ResearchMaster, this is an opportunity to open a conversation about data security.
Industry insiders will know that data security is always part of a series of trade-offs against data access. There’s a reason for that: the vast majority of breaches occur through the exploitation of human access points to technology systems, rather than through the technology systems themselves. When people enjoy privileged access to systems, they bring with them the potential for exploitation — often through social engineering tactics that take advantage of our feelings of anxiety or compassion. This is why carefully controlling who has legitimate access to which systems and educating personnel are always among the most vital pillars of cybersecurity best practice.
However, it does remain important that technology providers do their part and take their role as data custodians seriously. Generally, when looking at third party vendors, it’s worth considering whether they’re offering a secure solution that can help you avert cyber incidents.
Certifications
Externally assessed and audited security certifications are a good option to start with: organisations that have attained ISO27001 or the Payment Card Industry Data Security Standard (PCI-DSS) will usually tell prospective buyers up-front.
As these standards are externally assessed, you can rest assured that the basis upon which certification is issued is genuine, and you can expect a range of security benefits — for example, while the PCI-DSS applies primarily to payment processing, it also demands that certificate-holders adhere to standards for physical access to systems, data architecture and processing that will help assure the security of a wider range of data.
Essential Eight
Beyond appropriate certifications, there are other elements to consider. The Australian Signals Directorate offers its “Essential Eight” strategies for mitigating cybersecurity threats, which cover regular patching, identity and access control, application control and hardening, regular backups, and restricting the use of MS Office macros to those which are reasonably necessary (and approved) for processes within the organisation.
Data backups
To protect against accidental data loss, find out how often, how, and where your third party provider plans to back up your data. As much as unauthorised access is the topic of the day, data loss is also a critical matter and any third party software vendor should have a plan for safeguarding your information against it.
For example, to prevent loss through catastrophe, ask if your vendors are backing up your data in geographically diverse locations. And to safeguard the security of those backups, they should be stored in certified facilities and appropriately protected and encrypted.
Identity and access management
Today, multi-factor authentication (MFA) should be a basic requirement for any software vendor under consideration. Multi-factor authentication requires more than one type of credential, each of which should be held only by the legitimate account holder. It has the benefit of usually being widely accepted by users once implemented.
Strategies such as Zero Trust Architecture, Just Enough Administration (JEA) and Just-in-Time (JIT) administration can help ensure that personnel receive only the access needed to perform their required functions, and only at the time when they need it.
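As an added illustration of the “only the access needed” principle above (example configuration written for this page, not ResearchMaster’s or the vendor’s own), the following PowerShell builds a Just Enough Administration endpoint that lets one group restart and inspect a single named service and nothing else; the group name, module path and transcript folder are assumed placeholders, and the script must be run elevated on the target host.

```powershell
# Added example (not from the original post): a minimal JEA endpoint that exposes
# two cmdlets, each locked to the Spooler service, to one helpdesk group.
# Group name, module path and transcript folder are placeholders.

$ModuleName   = 'ExampleJEA'
$ModulePath   = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleCapDir   = Join-Path $ModulePath 'RoleCapabilities'
$RoleCapFile  = Join-Path $RoleCapDir 'ServiceOperator.psrc'
$SessionFile  = Join-Path $env:TEMP 'ServiceOperator.pssc'
$Transcripts  = 'C:\JEATranscripts'
$AllowedGroup = 'EXAMPLE\Helpdesk'      # placeholder AD group

# 1. Role capability: the allow-list of what the role may do.
#    Role capability files must live in a RoleCapabilities folder of a valid module.
#    Restart-Service and Get-Service are visible only with -Name Spooler; any other
#    service name is rejected by the endpoint before the cmdlet runs.
New-Item -ItemType Directory -Path $RoleCapDir, $Transcripts -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")
New-PSRoleCapabilityFile -Path $RoleCapFile `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )

# 2. Session configuration: who receives the role, and under what constraints.
#    RestrictedRemoteServer hides everything not explicitly exposed above;
#    RunAsVirtualAccount means the operator never holds a standing admin credential;
#    TranscriptDirectory records every command issued for later review.
New-PSSessionConfigurationFile -Path $SessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $Transcripts `
    -RoleDefinitions @{ $AllowedGroup = @{ RoleCapabilities = 'ServiceOperator' } }

# Validate before registering: a malformed file should fail here, not at first use.
if (-not (Test-PSSessionConfigurationFile -Path $SessionFile)) {
    throw "Session configuration file failed validation: $SessionFile"
}

# 3. Register the constrained endpoint. Operators connect with
#    Enter-PSSession -ComputerName <host> -ConfigurationName 'JEA-ServiceOperator'
#    and see only the two cmdlets above, plus a handful of JEA defaults.
Register-PSSessionConfiguration -Name 'JEA-ServiceOperator' -Path $SessionFile -Force | Out-Null
```

The transcript directory is the piece to review when assessing a vendor’s claim of “just enough” access: it shows exactly which constrained commands were run, by whom, and when.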
Encryption and anonymisation
Protected information is common in research settings, ranging from sensitive research proposals to personally identifiable information. Your third party software vendor should be able to facilitate the use and manipulation of records that include such information through anonymisation, data masking, or the provision of appropriately secure data clean rooms.
Network segregation and segmentation
A third party vendor should be able to describe to you the ways in which they plan to partition and isolate networks. These tactics are used to minimise the potential impact of any unauthorised access that does occur.
Data governance
More widely, any third party software vendor should be willing to operate within your organisation’s existing data governance policies. The vendor’s platform needs to permit the university to define and enforce granular data access policies, monitor data usage, and report on activities within its systems.
Robust support
Any third party vendor should be willing and able to assist you with deploying the requisite cybersecurity processes in your organisation by offering robust support. This might include resources to assist with the technology itself, but it is also very likely to extend to training and education of non-technical but key personnel.
ResearchMaster uses secure technology to empower research across Australia and New Zealand.