
From Chaos to Control: Edwin Kwan’s Roadmap for Third-Party Risk in the Cloud

Finance Sector's Edwin Kwan addresses third-party risk in the cloud, covering a structured classification system, robust assessments, strong contractual agreements, continuous monitoring, and a push toward standardisation to address the complexities of vendor security and supply chain vulnerabilities.

 

As organisations increasingly rely on multiple cloud vendors, managing third-party risks has become a complex yet critical part of securing their operations. Edwin Kwan shares his perspective on the challenges and strategies involved in navigating this intricate landscape.

 

With so many organisations now relying on multiple cloud vendors, how do you decide which third-party providers are worth the risk?

Having a classification of third-party providers and determining the risk appetite for each classification level helps. The classification is based on the sensitivity of the workloads managed by the third party and the criticality of their services to our organisation. Security assessments are done on all third parties, with the level of detail and depth of those assessments being dependent on their classification level. It could be as simple as requesting and reviewing security certifications, such as ISO27001 or SOC2 Type II, to requesting independent pen-testing of their in-scope services. Should there be any identified findings from the assessment, the risks will be reviewed to determine if there are any compensating controls and if they are within appetite.

 

What’s been the biggest surprise—or challenge—you’ve faced when managing third-party risks in the cloud?

The biggest challenge is just how hard it is to assess a third party. Some organisations send out a questionnaire for their assessment and some rely on certifications like ISO27001. However, those approaches don't always paint a full picture and don't tell you about the effectiveness of their security controls. I've also experienced the approach of using third-party assessment tools which scan the third party's public footprint to provide an overview of their security posture, such as them having servers running on outdated and vulnerable apache/nginx servers. However, I've found those tools also have their limitations. The assessments are also point-in-time assessments, and we don't always know if and when the third party's security controls change. And lastly, unless you are a big organisation spending lots on the third party, most of the time the third party wouldn't entertain your request for further information. If you're lucky, they would just refer you to their Trust Center.

 

How do you make sure your third-party vendors stay accountable for security once the contract is signed?

This is a hard one, as per the previous question. The approach which I have taken, which has worked well for me, is to have good contractual clauses. This includes establishing clear SLAs and including the right to perform an audit. However, as previously mentioned, your mileage would vary here as some third parties wouldn't entertain them. I also use a third-party assessment tool to do continuous monitoring of the third party. They provide a scorecard for the third party and would trigger an alert if the score drops below a threshold or if a data breach impacting the third party was made public.
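The two answers above describe a workflow: classify each vendor by workload sensitivity and service criticality, scale the assessment evidence to the tier, review findings against the tier's risk appetite after allowing for compensating controls, and then keep watching a scorecard for drops below a threshold or a public breach. The Python below is an added illustration of that workflow and is not code from the interview or from any assessment tool Edwin mentions; the tier rule (higher of the two drivers wins), the evidence lists, the appetite per tier and the score floors are all assumed values chosen for the example.

```python
"""Vendor tiering, assessment scoping, appetite review and monitoring alerts.

Constructed example: every mapping below is an assumed policy, not a standard.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def classify(workload_sensitivity: Level, service_criticality: Level) -> int:
    """Tier 1..3. Assumed rule: the higher of the two drivers sets the tier."""
    return int(max(workload_sensitivity, service_criticality))


# Assessment depth scales with tier (assumed mapping, mirroring the interview's
# range from "review a certification" up to "independent pen-test").
REQUIRED_EVIDENCE = {
    1: ["ISO27001 or SOC2 Type II report"],
    2: ["ISO27001 or SOC2 Type II report", "completed security questionnaire"],
    3: ["ISO27001 or SOC2 Type II report", "completed security questionnaire",
        "independent pen-test of in-scope services"],
}

# Highest residual finding severity accepted per tier (assumed appetite).
RISK_APPETITE = {1: Level.HIGH, 2: Level.MEDIUM, 3: Level.LOW}


@dataclass
class Finding:
    title: str
    severity: Level
    compensating_control: Optional[str] = None

    def residual(self) -> Level:
        # Assumed rule: a documented compensating control steps severity down one level.
        if self.compensating_control and self.severity > Level.LOW:
            return Level(self.severity - 1)
        return self.severity


def review_findings(tier: int, findings: List[Finding]) -> Tuple[bool, List[str]]:
    """Return (within_appetite, reasons) for findings that exceed the tier's appetite."""
    reasons = []
    for f in findings:
        if f.residual() > RISK_APPETITE[tier]:
            reasons.append(
                f"{f.title}: residual {f.residual().name} exceeds tier {tier} appetite"
            )
    return (not reasons, reasons)


# Continuous monitoring: scorecard floor per tier (assumed thresholds).
SCORE_FLOOR = {1: 60, 2: 70, 3: 80}


def monitoring_alerts(tier: int, previous_score: int, current_score: int,
                      public_breach: bool) -> List[str]:
    """Alert once when the score crosses below the floor, and on any public breach."""
    alerts = []
    floor = SCORE_FLOOR[tier]
    if current_score < floor <= previous_score:
        alerts.append(f"score fell below floor {floor}: {previous_score} -> {current_score}")
    if public_breach:
        alerts.append("public breach reported: trigger re-assessment")
    return alerts


if __name__ == "__main__":
    # Constructed vendor: handles customer PII (HIGH) but the service is not critical (LOW).
    tier = classify(Level.HIGH, Level.LOW)
    print("tier", tier, "evidence:", REQUIRED_EVIDENCE[tier])
    findings = [
        Finding("weak TLS configuration", Level.MEDIUM, "edge proxy enforces TLS 1.2+"),
        Finding("no MFA on admin portal", Level.HIGH),
    ]
    print(review_findings(tier, findings))
    print(monitoring_alerts(tier, previous_score=85, current_score=72, public_breach=False))
```

The score alert fires only on the crossing from above to below the floor, so a vendor that stays below the floor does not page the team every day; a public breach always alerts because, as the answer notes, it is often the only external signal that a third party's controls have changed since the point-in-time assessment.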

 

How do you tackle risks that go beyond your direct third-party vendors, like fourth- or fifth-party suppliers in the chain?

This is also a hard one to manage; there have been lots of vendor breaches in the last year, and many of them were attributed to their supplier being compromised. Most of the time you would have no visibility of the fourth- or nth-level supplier. I'm sure for many of the organisations which used third parties that suffered supply chain attacks, reading about it in the news is probably the first time they discovered that their third party had outsourced to that affected company. Strong contract clauses would be my approach for managing downstream suppliers, along with a review of the third parties' own third-party risk management practices.

 

If you could change one thing about how organisations manage third-party supply chains in the cloud, what would it be?

I wish there was a single gold standard for third-party security assessments, rather than having organisations define their own third-party assessment processes. Similar to the health star rating on the back of grocery items. As a consumer, we don't know how the food producer manages the ingredients from their suppliers; we just know that if it's a 5-star health rating, it's a healthier choice than a similar product with fewer stars. If only managing third-party supply chains were that simple.

 

As the cloud landscape continues to evolve, it’s clear that managing third-party risks will require organisations to adopt innovative strategies and maintain vigilance. By combining robust assessment frameworks, strong contractual agreements, and continuous monitoring, organisations can navigate the complexities of third-party risk management and safeguard their operations against an increasingly sophisticated threat environment.

 


Edwin will be speaking at CISO Sydney 2025 and Cloud Security Sydney on the 12th of February. 


Join him and you will take away some practical tips on how to approach cyber security and cloud security, and learn to devise a roadmap for implementing some quick wins in your organisation. To find out more about his session, check out the agenda and register to attend; simply click the links above!

Photo by Growtika on Unsplash