Third Party Outsourcing Issues

A third party is a resource provider between the organization and its customers. Cloud services make up today's third-party outsourcing solutions, and there is a strong business case for their use. Organizations benefit from reduced equipment and personnel costs, more flexibility in the customizable services offered, predictable cash flows, and increased security. Virtualized redundant services are scalable on demand and resilient to hardware component outages.

Some problematic issues for government customers are unpredictable data location, shared services, and cloud provider certification. More generally, since processing, storage and administration are not location-specific, jurisdictional legal issues are common.

The Federal Risk and Authorization Management Program (FedRAMP) significantly mitigates risk while containing costs for federal agencies by arranging for commercial cloud providers who compete in the federal marketplace. Authorized cloud providers must offer a strictly standardized set of security controls and binding memoranda of agreement (MOA). Secure private, public and hybrid cloud options are available through tailoring.

Third-party outsourcing, using FedRAMP or non-FedRAMP providers, reduces security requirements, but the organization is still responsible for any residual risk. Just as with in-sourced IT, organizations should contain risk in their dynamic environments by implementing continuous monitoring, auditing controls, and user training.

Check Your Knowledge

Choose the best answer to each question:

Question 1
Which of the following is a disadvantage of third-party (cloud) outsourcing to organizations?
Cloud costs cannot be controlled.
Data storage location is too unpredictable.
Data storage location is too predictable.
By definition, data cloud storage is shared among cloud users.

Question 2
Risks in third-party outsourcing (cloud use) include _______.
potential data integrity loss in public clouds
third-party administrators may not be adequately cleared
cloud providers keep their security policies private
all of these choices

Question 3
The Federal Risk and Authorization Management Program (FedRAMP) significantly mitigates risk for federal agencies using cloud services, while containing costs, by producing authorized commercial cloud providers who compete in the federal marketplace.
True
False

Question 4
Authorized cloud providers must offer a strictly standardized set of security controls but do not have to be bound by a memorandum of agreement (MOA).
True
False

Question 5
A third party is a resource provider between the organization and its customers.
True
False