VSA and Evaluating the Security of Third-Party Providers

For efficiency and expertise, businesses are more reliant on third-party services than ever. As this reliance grows, so does the likelihood that these trusted third parties will have access to business-critical network segments, equipment and data. Vendor evaluation can be a drawn-out process – with interviews, forms, certificates, even audits – that often involves several stakeholders. It is understandable that vendors’ security protocols can be under-investigated in this process. In the end, businesses are seeking a partner that they can trust but compromised vendor systems are among the most frequent culprits in cyber-security breaches.

Recently, nine leading-edge tech companies announced a not-for-profit alliance to improve options for evaluating the security of third-party service providers.  The newly-formed Vendor Security Alliance (VSA) brings together infosec and compliance experts from Airbnb, Atlassian, Docker, Dropbox, GoDaddy, Palantir, Square, Twitter, and Uber in an effort to streamline compliance and create a set of standards for evaluating vendors’ security practices.

VSA Board Member George Totev, Head of Risk and Compliance at Atlassian, writes that “having an independent entity manage this process for all its members will provide an efficient, common, and credible way of evaluating the vendors we all use. Each cloud company will be evaluated, audited, and scored based on a set of common criteria that measures cybersecurity risk, policies, procedures, privacy, vulnerability management, and data security.”

Each year, the VSA will release a questionnaire that companies can use to qualify vendors and identify controls that need to be put in place. The first questionnaire was released in October 2016 and is available from the Vendor Security Alliance website.

At Netop, we are glad to see these companies banding together to tackle the challenge of evaluating vendor security. We know – and have written about – how third-party access can create a significant vulnerability if it is not correctly managed or conducted with insufficiently secure remote tools. Enterprises and managed service providers in the financial, retail and manufacturing spheres turn to Netop because of their mutual understanding of the need to use enterprise remote control tools with the security options necessary to protect themselves and their customers.