How can you ensure cloud services meet the security and compliance requirements of your organization?
As part of your vendor risk management (VRM) or third party risk management (TPRM) program, you’re performing vendor risk assessments to understand and manage the inherent risk that a cloud provider could bring to your organization.
Taking this a step further, our ThirdPartyTrust TPRM automation tool has integrated Netskope capabilities that will allow you to identify all cloud services and websites being used, assess enterprise readiness of SaaS and IaaS, and mitigate risk to your organization.
As a security leader, it’s critical that you know the enterprise readiness of your most important third party cloud services. Your enterprise will benefit from having Netskope evaluate your cloud services based on an objective yardstick, as well as identify security and compliance gaps.
Customers use TPRM by ThirdPartyTrust to manage their end-to-end vendor lifecycle, from due diligence and risk assessments to continuous monitoring and reassessments. Our tool improves visibility over third party vendors across the extended supply chain, and reduces the time spent on requesting and reviewing security documents through process automation, document storage, and workflow management capabilities.
In order to make your vendor management program more comprehensive, ThirdPartyTrust integrates and brings together objective data from several sources, including BitSight, the standard in security ratings; and Netskope, developer of cloud security solutions.
A few months ago, we launched the first phase of our ThirdPartyTrust and Netskope integration, designed to improve visibility over the vendor network by automatically detecting Shadow IT cloud applications, and adding them to the monitored vendor inventory.
Today, we’re announcing the integration of Netskope CCI and CCL indicators, designed to help you comprehend the impact of using a cloud app and its inherent risk in relation to your security standards.
CCI stands for Cloud Confidence Index, a database of more than 49,000 cloud apps that Netskope has evaluated based on 30+ objective criteria adapted from the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM).
The CCI score is a quantitative measure that indicates the enterprise readiness of a cloud app, taking into consideration its security, auditability, and business continuity.
Each app is assigned a CCI score of 0-100, and based on that score, is placed into one of five Cloud Confidence Levels (CCL):
The CCI is a numeric score, while the CCL is the risk category to which it belongs. The higher the CCI score, the higher its CCL level will be.
The ultimate goal of the Netskope CCI is to help you assess cloud service enterprise readiness, which is a core function of your TPRM program.
In essence, the CCI score is another tool you can use to make a decision about a potential third party vendor, as part of your risk assessment and monitoring. You can also use it to set policies based on the levels above. For example, you can decide whether to let users share content in cloud storage apps rated Medium or below.
As a result of this new feature, for any given vendor (say, Google), ThirdPartyTrust will show customers a new section titled “Cloud Security Stack”.
Each cloud service has its own CCI score and CCL category displayed. With a Netskope subscription, customers will see additional data elements to assist them in making informed decisions about their vendors, namely: the number of users who are connected to it, the amount of uploaded and downloaded corporate data, and the connections.
Whether your IT team is aware of it or not, most employees use several cloud services daily, including collaboration, file-sharing, backup, messaging, or email apps. With the shift to cloud computing and the accelerated digital transformation after the pandemic, cloud services have penetrated enterprise ecosystems in nearly every area: from measuring employee performance, to automating marketing or tracking sales, to managing software development.
Keeping track of thousands of cloud apps is not a simple task, especially when 32% of employees admit to using cloud apps that were not approved by IT, and 58% affirm they’re not comfortable with their technology stack.
We’ve written extensively about the Shadow IT issue and how the solution does not lie in eliminating cloud services, but rather in gaining a deep understanding of their usage. Organizations can, and should, be open to cloud services without fear of the contents that are exchanged between the enterprise and the cloud.
Our solution to achieving that deep understanding is integrating Netskope’s CCI and CCL into our end-to-end vendor risk management platform. We’re confident this will help you comprehend the impact of using a cloud app on your company’s overall goal of security and data integrity.