Closing the loop on third-party vendor data exposure incidents

Proper handling and use of proprietary or personal data has become the subject of significant scrutiny in light of recent privacy scandals involving large, multinational tech companies. Individuals have good cause to be concerned about how companies are using their data; however, enterprises also should be concerned about how third-party vendors use their data.

In some situations, as with SaaS applications, it’s clear that enterprise data will live within a third-party environment. However, for products that reside within enterprise data centres or cloud infrastructures, it is not clear exactly how much data those vendors phone home (also known as data exfiltration) to their own environment for analysis or other purposes, or how that data will be handled. While phoning data home is a common practice that can be used for legitimate and useful reasons, when customers are unaware of this data exfiltration from a vendor, sensitive data can be exposed in violation of increasingly strict privacy regulations. Also, when you consider the various devices that employees may connect to the network without the IT department’s knowledge, it becomes more difficult to know the details surrounding third-party vendors’ use of your company’s data. Unfortunately, the practice of phoning home data is a lot more common than many realise.

In our work, we have encountered many of these types of data leakage situations, such as an unauthorised, network-connected security camera sending user traffic to an IP address known to be associated with malware downloads, domain controllers sending SSL traffic to multiple public cloud endpoints controlled by a security vendor, and a medical device management company phoning home highly sensitive data subject to HIPAA regulations. In each instance, learning that their data was being exfiltrated without their knowledge was a wake-up call for the organisation, and one that could have had massive regulatory consequences. It’s a challenge to truly understand what’s happening with data, and Singaporean businesses are as vulnerable as any other company to this type of exposure.

To minimise the risks associated with a third-party vendor phoning data home, companies should consider taking the following steps:

1. Monitor for unexpected vendor activity on your company’s network, whether it comes from a vendor’s products that are currently in use, discontinued, or no longer in use after an evaluation.

2. Be aware of all traffic leaving the network, especially from sensitive assets such as domain controllers. When egress traffic is detected, always match it to approved applications and services.

3. While a product is under evaluation, track deployments of its software agents and their communications back to the vendor.

4. Understand and be informed about the regulatory and compliance implications of data crossing political and geographic boundaries.

5. Understand and track whether data is used in compliance with vendor contract agreements.
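As an added example, not code from the original article, the following shows the kind of egress review step 2 describes: constructed flow records are matched against an allowlist of approved destinations, and any unmatched egress is flagged, escalated when the source is a sensitive asset such as a domain controller. All hostnames, IP ranges and allowlist entries are assumed placeholders.

```python
# Added example (not from the original article): flag egress flows from the
# network that are not matched to an approved application or service.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample inventory: hostnames and networks are placeholders.
SENSITIVE_ASSETS = {"dc01", "dc02"}          # e.g. domain controllers
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Approved egress: (destination IP, port) -> the application/service it is matched to.
APPROVED_EGRESS = {
    ("203.0.113.10", 443): "saas-crm (contract PLACEHOLDER)",
    ("198.51.100.5", 443): "os-update-mirror",
}

# Constructed flow records: src_host,src_ip,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
dc01,10.0.1.5,203.0.113.10,443,tcp,1200
dc01,10.0.1.5,198.51.100.77,443,tcp,48210
camera-07,192.168.4.20,192.0.2.45,80,tcp,9100
ws-22,10.0.5.9,10.0.0.3,445,tcp,300
ws-22,10.0.5.9,198.51.100.5,443,tcp,2200
"""

@dataclass
class Finding:
    src_host: str
    dst: str
    severity: str

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def review_egress(flow_text: str) -> list[Finding]:
    """Return unapproved egress flows; escalate when the source is a sensitive asset."""
    findings = []
    for line in flow_text.strip().splitlines():
        src_host, _src_ip, dst_ip, dst_port, _proto, _nbytes = line.split(",")
        if is_internal(dst_ip):
            continue  # internal (east-west) traffic is out of scope here
        if (dst_ip, int(dst_port)) in APPROVED_EGRESS:
            continue  # matched to an approved application/service
        severity = "high" if src_host in SENSITIVE_ASSETS else "medium"
        findings.append(Finding(src_host, f"{dst_ip}:{dst_port}", severity))
    return findings

if __name__ == "__main__":
    for f in review_egress(SAMPLE_FLOWS):
        print(f"[{f.severity}] unapproved egress from {f.src_host} to {f.dst}")
```

On the constructed flows, the domain controller's connection to an unlisted public endpoint is reported as high severity and the camera's as medium, while approved and internal flows are ignored.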

Companies should also ask their vendors questions to understand how their data is being used, where it is going and the vendors’ protocols. These actions will hold vendors more accountable and help to limit the exposure of sensitive enterprise data.