CCAK


Third Party Risk Assessment for Cloud Hosted Applications.

  • 1.  Third Party Risk Assessment for Cloud Hosted Applications.

    Posted Jun 11, 2021 08:07:00 PM
    Hello experts:
    I have been assigned to a TPRM project. The scenarios are as below:

    Scenario 1: We have outsourced our application hosting to a third party. The TP will host the application on their cloud. The application is managed by us, but the OS, database and infra are managed by the TP.
    Query:
    1. As a TPRM assessor, what high-level points do I need to focus on? And how will this be different from an on-prem hosted application?
    2. Can we consider this PaaS?
    Scenario 2: We have completely outsourced the application hosting as SaaS to the TP. This means the app, OS, database and infra are managed by the TP.
    Query:
    1. As a TPRM assessor, what high-level points do I need to focus on? How will my TPRM approach differ here from Scenario 1?
    2. What special considerations do I need to take into account for data, assuming it is GDPR-scoped data?
    Scenario 3: Assume we are only opting for IaaS to host our app. This means only the infra is managed by the TP, and the app, DB and OS are managed by us.
    Query:
    1. As a TPRM assessor, what high-level points do I need to focus on?


    ** Assume that the TP is a vendor who may use any cloud, e.g. Azure / AWS …..

    ------------------------------
    Kaustubh Ponkshe
    Associate Security Consultant
    Tech Mahindra
    ------------------------------


  • 2.  RE: Third Party Risk Assessment for Cloud Hosted Applications.

    Posted Jun 14, 2021 05:17:00 PM
    Hello Kaustubh,
    I would suggest the following steps for your consideration:
    1. Scenario 1 (PaaS)
      1. Check the contract between your organization and the TP (Third Party). The contract should specify the services provided by the 3rd party, the SLA to be met, the regulations and legislation to be complied with, the conditions for the SLAs to be met, and the right to audit the areas under your responsibility and independent 3rd-party reports for the areas under their responsibility.
      2. Then you can assess the risks related to your applications (which are under your responsibility). There will be interfaces from your applications to the PaaS services provided by the cloud provider. This should have been specified in the contract. For this area, the cloud provider should provide an independent 3rd-party report showing the cloud provider's controls that ensure only your application is communicating with the PaaS and unauthorized parties are blocked.
    2. Scenario 2 (SaaS)
      1. Check the contract between your organization and the TP (Third Party). The contract should specify the services provided by the 3rd party, the SLA to be met, the regulations and legislation to be complied with, the conditions for the SLAs to be met, and the right to audit the areas under your responsibility and independent 3rd-party reports for the areas under their responsibility.
      2. In this scenario, the assessment is related to who can access your application functions and the data processed through this application. The rest is the responsibility of the TP. The TP should provide reports like SOC 1 and SOC 2 reports. Use the reports to assess the risks. In addition, you may also use the CSA STAR registry, where the service provider has reports. These are generic.
    Brgds
    Ram

    ------------------------------
    Ram Marappan
    Trainer and consultant
    Self employed
    ------------------------------