When it comes to digital security, using third party firms to supply your IT solutions is generally a risky option. A third party firm is anyone you pay to supply IT services and who has access to your data. You may rely on a company to store certain documents, for example. The risk is that your data is exposed to their system administrators to view, share and, should they choose to, sell. This potentially valuable data could find its way into the hands of your competitors and cause irreparable damage.
The problem with third party IT support companies offering services such as cloud storage is that, although they may have the capability to supply them, they will almost certainly not have the depth of security skill necessary to keep them protected. In many ways it is like asking a GP to perform brain surgery simply because they are a qualified doctor. In reality you need a specialist surgeon, someone who understands the brain and gives you the better chance of a positive outcome. Where your security is concerned, choosing this specialist is vital.
When working with third party firms it is important to remember that what you actually have is a Service Level Agreement, with little to no mention of data security and certainly no guarantee that you will remain protected. The agreement will state that responsibility continues to lie with the data owner, taking all accountability away from the third party and ultimately basing your relationship with them on nothing more than the hope that they will adequately protect your data.
A third party firm is likely to work for multiple companies too, meaning your data may sit on a shared service alongside unknown others. Should there be any problems, there is a distinct possibility that these other companies will be able to view and access your data. As well as worrying about who else might have access to the data, you will also have little information as to where your data is backed up. Some data cannot leave the country, and even if it does go to a third party as a backup, is the data protected? Often it is not, leaving you exposed to another party that you have not agreed to, or do not even know about.
The cost of third party services is yet another issue. Often reasonable in general terms, the price can become excessive when specialist areas such as security and security changes are required. An example would be a firewall rule change, something a third party will take a long time to implement and often does not get right. Each change has to be scheduled within an agreed maintenance window, so they can’t react quickly. We have seen costs of £1000’s per rule change, which can mean 10 changes per month.
For small companies, what is needed is a combination of third party firms. For a cloud solution requirement, for example, use one company to store the data and provide the infrastructure to access it, but use another company to provide the encryption. This means the cloud company has access to the data but can’t read it. Should they back it up to another cloud service, the data is still protected because it is encrypted and the key is not stored with it.
The encryption service provider, for its part, may hold the encryption key, but it has no access rights to the data. The only entity with both the access rights and the encryption key is the data owner. This separation of duty is the best model to have when considering a third party route. It puts the power of control and audit back into the data owner’s hands and gives third party companies nowhere to hide on poor service.
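The separation of duty described above, as an added example that is not part of the original article: the storage provider holds only ciphertext, the key provider holds only keys, and the data owner is the sole party that combines the two. The three parties and the document are constructed stand-ins; because the Python standard library ships no AES, the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for what would be AES-GCM in production.

```python
import hmac, hashlib, secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 as a PRF; stand-in for AES-CTR
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]           # independent keys for cipher and MAC
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time check before decrypting
        raise ValueError("ciphertext altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class StorageProvider:
    """Constructed cloud storage party: sees ciphertext only, never a key."""
    def __init__(self): self.blobs = {}
    def put(self, doc_id, blob): self.blobs[doc_id] = blob
    def get(self, doc_id): return self.blobs[doc_id]
    def backup_to(self, other): other.blobs.update(self.blobs)  # copies ciphertext only

class KeyProvider:
    """Constructed encryption service party: holds keys, has no access to documents."""
    def __init__(self): self.keys = {}
    def put(self, doc_id, key): self.keys[doc_id] = key
    def get(self, doc_id): return self.keys[doc_id]

class DataOwner:
    """The only party holding credentials to both providers."""
    def __init__(self, storage, keysvc): self.storage, self.keysvc = storage, keysvc
    def store(self, doc_id, plaintext):
        key = secrets.token_bytes(64)               # 32 bytes cipher key + 32 bytes MAC key
        self.keysvc.put(doc_id, key)                # key goes to the key provider only
        self.storage.put(doc_id, encrypt(key, plaintext))  # ciphertext to storage only
    def retrieve(self, doc_id):
        return decrypt(self.keysvc.get(doc_id), self.storage.get(doc_id))
```

Inspecting `StorageProvider.blobs` after a `store` shows that the document, and any backup copied from it, is unreadable without the key held elsewhere, while a modified blob is rejected on retrieval.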