How many third parties does your product rely on? A 2020 study from SlashData reveals that 69% of developers use third-party APIs in their projects. Third-party integrations allow companies to provide value to their customers while saving development time and money. For instance, FinTech companies would rather rely on open banking APIs than build their own banking features from scratch. This is the classic “build vs. buy” debate, but for features rather than full software suites.
Although beneficial, the use of third parties is risky if you’re sharing personal or sensitive data. You have little control over the data protection practices of your third-party partners, which may result in lower security standards. If any of these partners suffers a data breach, the data you have shared may be exposed. That’s why monitoring data sharing with third parties is a basic requirement of most information security frameworks (NIST, ISO 27001, CIS) and data regulations (GDPR, CCPA, PCI-DSS, HIPAA).
Discover and catalog third parties
The first step is to set up a clear procurement process to evaluate all new providers—including third-party APIs—and ensure their security and privacy standards fit your data protection policy. Make sure to catalog new providers as part of the process, and that your engineering and product teams have enough training to follow your guidelines. If you are a company with fewer than 100 employees, spreadsheets and a manual process should work.
Once you’ve outgrown the manual approach, look to automation to ensure your inventory of third-party providers remains complete and up-to-date. Third-party risk management platforms streamline this process for the Software-as-a-Service (SaaS) products you buy. When it comes to third-party dependencies within their own code, however, mature technology companies often lack visibility because of their large and complex engineering organizations.
Here’s a list of the most common approaches to discover and catalog your third-party APIs automatically:
- Outbound proxies and API marketplaces: all outgoing API calls go through an outbound proxy, and third parties are cataloged along the way.
- Log analysis: you look at your application’s logs in real time to detect API calls to third parties.
- Live monitoring: you inspect all API requests as they happen through an in-app agent or an API gateway.
- Code scanning: you look for third-party dependencies by scanning the codebase.
See our article about Shadow APIs for more information about the pros and cons of each approach.
Map data flows to third parties
Once you discover a new third-party API within your codebase, you will have to assess its risks against your data security and privacy policies. Make sure to document:
- The applications that integrate with the third-party API.
- The business owner.
- The engineering owner.
- The purpose of the integration.
- The hosting location of the provider.
- The data shared with the provider: data subject, data type (e.g., email, social security number), data category, data sensitivity level.
- The security standards of the provider: security measures, security certifications (e.g., SOC 2 or ISO 27001).
- The privacy standards of the provider: lawful basis for data sharing, data retention policy, privacy notice.
- Legal documentation such as the Data Protection Agreement (DPA). Under GDPR, a DPA is necessary between your organization and any third-party that processes personal data on your behalf.
You can send a survey to the business and engineering owners to collect the information listed above, then assess the risks of each third party using your company’s risk scoring methodology. Make sure to reassess security and privacy risks on a regular basis (for example, every quarter), especially for third parties processing sensitive data such as personal, health or cardholder data.
The trickiest part of this process is mapping data flows accurately over time. Most parameters of your risk assessment framework (such as security standards) won’t change abruptly. Data flows, however, can evolve significantly without you noticing right away. For instance, a new feature may send a new kind of sensitive data to an existing third party. Such changes happen all the time in fast-growing tech companies and can go unnoticed for months. Automating data detection and classification across your products allows you to detect these changes proactively.
See our article How to discover sensitive data across your products for more details.
Monitor data flows to third parties continuously
Monitor applications processing sensitive data regularly.
Once you identify which engineering services process your most sensitive data, focus your attention there. This matters even more in a microservices architecture with dozens or even hundreds of engineering components. Start by mapping data flows between these applications and third parties, and check that you have signed a DPA and that the data sharing complies with it. Do this proactively once every quarter to ensure your business is not at risk.
Monitor new third parties proactively.
Look out for new third parties. Whenever you detect a new third party, you should document the data sharing, audit its security controls and sign a DPA if it processes personal data. Set up a monitoring system that alerts you automatically; otherwise new third parties and new data sharing can go unnoticed for weeks.
Monitor new data processing proactively.
Look out for new data processing in your applications. First, set up a process to classify new data processing. If an application processes a new type of data that you categorize as high-risk, audit the third parties connected to the application to see whether that data is shared with them and whether the DPA you signed authorizes you to do so.
Monitor data flows to third parties in real time.
Lastly, you can monitor data flows between your applications and third parties in real time. You’ll need to rely on solutions that are intrusive and complex to deploy, like proxies and agents. But because you watch the traffic as it happens, you can set up your own alerting rules to detect whenever a new or unauthorized data flow occurs. Powerful but costly.
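As an added illustration (example code, not Bearer’s product or any code from the original article), the script below combines the log-analysis discovery approach with the alerting rules described in this section: it parses constructed outbound-request log lines, builds an inventory of third-party hosts per calling service, classifies the fields sent into data categories, and flags two conditions, a host that is not in the approved inventory and an approved host receiving a data category its DPA does not cover. The log format, the field-to-category rules and the approved-provider table are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from a real system), one outbound request each.
LOG_LINES = [
    "svc=checkout host=api.payments.example path=/v1/charge fields=card_number,email",
    "svc=crm-sync host=api.crm.example path=/contacts fields=email,phone",
    "svc=crm-sync host=api.crm.example path=/contacts fields=email,card_number",
    "svc=analytics host=events.newvendor.example path=/track fields=email,ssn",
]

# Assumed inventory: the data categories each approved provider's DPA covers.
APPROVED = {
    "api.payments.example": {"cardholder", "contact"},
    "api.crm.example": {"contact"},
}

# Assumed classification rules mapping request fields to data categories.
FIELD_CATEGORY = {"email": "contact", "phone": "contact",
                  "card_number": "cardholder", "ssn": "government_id"}

LINE_RE = re.compile(r"svc=(\S+) host=(\S+) path=(\S+) fields=(\S*)")


def parse_line(line):
    """Return a record for a well-formed log line, or None for noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    svc, host, path, fields = m.groups()
    cats = {FIELD_CATEGORY[f] for f in fields.split(",") if f in FIELD_CATEGORY}
    return {"svc": svc, "host": host, "path": path, "categories": cats}


def catalog(lines):
    """Discovery step: map each third-party host to the services calling it."""
    inventory = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        inventory[rec["host"]].add(rec["svc"])
    return dict(inventory)


def find_violations(lines, approved):
    """Alerting rules: unknown third parties, and data a DPA does not cover."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        allowed = approved.get(rec["host"])
        if allowed is None:
            findings.append(("unknown_third_party", rec["host"], rec["svc"], rec["categories"]))
        elif rec["categories"] - allowed:
            findings.append(("uncovered_data", rec["host"], rec["svc"], rec["categories"] - allowed))
    return findings
```

Running `find_violations(LOG_LINES, APPROVED)` surfaces both the CRM integration that started sending card numbers and the unknown analytics vendor, while `catalog(LOG_LINES)` gives the inventory to reconcile against your procurement records.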
Get visibility, reduce third-party risks
Back to our original question: do you know all the third parties you integrate with? Many companies don’t, and even fewer know which data they share with them. You’re not alone. Third-party risk management is one of the cornerstones of data security. That’s why Bearer brings its users clarity over their third parties, so they can prevent unauthorized data sharing easily.