On January 29th we released our Hacker Intelligence Initiative Report (HII) which covered the Yahoo hack via third party code that was compromised via a cloud partnership. In the HII we raised the problem that organizations have when they include third party alliance software or service within their own offering.
The cloud opens opportunities for businesses to grow using third party platforms, and embedding their services within their own platforms saving time, money and stepping up their offering.
Yesterday, In a Blog post by Zendesk they disclose the fact that they have been compromised and that the data of their customers may have leaked. Some of their customers are Tumblr, Twitter, Pinterest as revealed by Darkreading. This means that if you are a user of these companies, your data might have been compromised.
What should companies do ?
When a company builds its security model it usually does not take into account elements that are not in their control, which creates the security hole.
- Implement policies both on the legal and technical aspects to control data access and data usage.
- Require third party applications to accept your security policies and put proper controls in place
We are not saying that you should avoid third parties. These services are pure business enablers and help your organization drive revenue with less cost to it. But when you do that, wear your security hat on!