April 11, 2019

Last Updated on January 13, 2024

Recently I came across this blog post, which raises concerns that Amazon Web Services (AWS), a major player in many government cloud contracts worldwide—including the US Department of Defense—may be outsourcing security services to a company run by Russian mobsters. I’m not saying this speculation is necessarily credible, but it raises a critical point that I don’t hear much about in either cloud security or third-party risk management (TPRM) circles: Do you really know who is handling the security services in whatever public cloud(s) your business is using?
If you didn’t do proper due diligence before you signed a contract, chances are you don’t.

Do Your Cloud Vendors Outsource Your Services to “Fourth-Parties”?

All the major public cloud vendors (Amazon, Microsoft, Google, IBM, etc.) outsource various components of their services, both in North America and worldwide. For example, many SaaS vendors, such as Box or Zendesk, run their services on third-party infrastructure, such as AWS or Microsoft Azure. Similarly, public cloud infrastructure providers also outsource services, including backups, security, AI, analytics, etc. Even entire datacenters may be run by business partners.

Fourth Parties

For you, as a cloud consumer, these “fourth-parties” increase risk. They can make security practices non-transparent and difficult to audit, as well as complicate contracts and legal issues. All in all, that means extra due diligence is required.

How to Limit Your Risk

As part of your evaluations, be sure to ask each cloud vendor to specify what services they outsource, and to identify the fourth-parties involved. Then ensure/contractually mandate that these vendors comply with the same security policies and procedures as the cloud vendor you’re contracting with directly. You might also want your contract to specify that you be notified if/when these fourth-party vendors change.


To further limit risk, if possible you might want your contract to state that the main vendor provides all services and that no subcontractors are involved at all. Another way to address third and fourth-party risk in the cloud is to ensure that your business continuity plan anticipates the failure of these services.

Define Your Requirements

It’s always good practice as a cloud consumer to define your cloud security requirements before you shop for cloud providers. This will help you prioritize your needs and educate you about various public cloud security models.

Roles and Responsibilities

Further, it’s a best practice to develop a “roles and responsibilities matrix” for your cloud security. This is a good idea even if you’re not looking to specifically address fourth-party risk. Every cloud vendor has different terms, conditions and service levels around security.

Gain a Comprehensive Understanding

Don’t take a “checkbox approach” to cloud security. You need to dive deep into the details to comprehensively understand who is responsible for what aspects of security—even at the level of the individual services.
Especially for firms in regulated industries like healthcare and financial services, this extra due diligence will not only protect you contractually but also enable you to answer questions like:

  • Where on the planet is our data stored?
  • What vendor is ultimately responsible for protecting our stored data?
  • Who has physical access to our data?
  • Who has virtual access to our data?
  • What are the physical and virtual security controls protecting our data?
  • Under what circumstances is our data encrypted, and how are the encryption keys managed and secured?
  • What security certifications do these vendors hold?

Are You Managing Your Cloud Security Risk?

As companies move more and more applications and data to the cloud, cloud security—which by definition includes third-party risk, managed or not—is becoming increasingly critical. Yet cloud security is a new realm even for many organizations that have mature on-premises security practices.
If you have questions or concerns about managing cloud security risk, from where to begin to how to evaluate vendors to how to provably demonstrate your cloud-based data is safe, contact Pivot Point Security.
