When using cloud services, it's important to know what happens to your personal data. Your cloud service provider (CSP) may use subcontractors or sub-processors to handle some of the data processing on their behalf. The CSP needs to have processes in place to ensure any sub-processors protect your data to the same standards.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix here. The matrix provides a comprehensive set of security controls that CSPs and cloud customers should consider implementing to protect data in the cloud.

Who should care?

This is relevant for:

• Chief Privacy Officers looking to ensure compliant handling of personal data
• Compliance managers needing to meet data protection regulations
• Procurement staff responsible for cloud vendor due diligence and contracting
• Developers and operations teams integrating cloud services that process personal data

What is the risk?

The main risk is unauthorized access to or misuse of personal data by the CSP's sub-processors. This could lead to:

• Data breaches exposing sensitive personal information
• Compliance violations and regulatory fines
• Reputational damage and loss of customer trust

Having the right contractual terms and oversight of sub-processors significantly reduces these risks. However, the CSP is ultimately liable for protecting the data, even when using sub-processors.

What's the care factor?

For organizations subject to data protection laws like GDPR, CCPA, or HIPAA, this is a critical issue. Non-compliance can result in major fines and reputational harm. Even if not legally required, customers expect their CSP to handle personal data responsibly through the supply chain.

All CSPs processing personal data and their enterprise customers should prioritize having the proper controls around sub-processors. Smaller businesses with limited sensitive data may have a lower care factor.

When is it relevant?

This control applies whenever:

• The CSP is processing personal data on behalf of the customer
• The CSP is using subcontractors or sub-processors for any part of the data processing
• The customer data is subject to data protection regulations

It may not be relevant if:

• The CSP does everything in-house and does not use sub-processors
• The CSP does not process any personal data for the customer
• The data is not subject to any particular laws or compliance standards

What are the trade-offs?

Proper sub-processor controls require:

• Upfront effort to define requirements and update contracts
• Ongoing work to assess sub-processors and respond to changes
• Potential switching costs if a sub-processor can't comply
• Limited pool of sub-processors willing to accept flow-down terms

However, this is a necessary cost of doing business and protecting customer data. It's negligent to ignore this issue for the sake of convenience or short-term savings.

How to make it happen?

1. Map the supply chain to identify all sub-processors that touch personal data
2. Define minimum security and privacy requirements that sub-processors must meet
3. Update contracts with sub-processors to mandate your requirements
4. Establish a process for sub-processors to notify you of any relevant changes
5. Set up periodic sub-processor assessments and audits
6. Implement processes to notify customers and obtain approvals for sub-processor changes
7. Put technical measures in place to limit sub-processor access to only necessary data
8. Continuously monitor sub-processors and have an action plan for issues

AWS provides tools to discover resources shared with 3rd parties and set up notifications:

• AWS Config rules to detect public access and external resource shares
• AWS Cloudtrail to log API activity related to resource sharing

What are some gotchas?

• Legacy sub-processor contracts may not have adequate data protection terms
• Sub-processors often resist stringent requirements and customer audit rights
• Complex, global supply chains make sub-processor tracking difficult
• Customers may insist on case-by-case approvals for sub-processor changes
• Modifying notification and approval processes can disrupt dev workflows

Getting this right requires coordination between legal, compliance, security and development teams. Be sure to get executive sponsorship.

Required IAM permissions vary based on services but often include:

ram:GetResourceShares
ram:UpdateResourceShare  
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
config:DescribeConfigRules
config:PutConfigRule

Refer to the AWS IAM documentation for more details.

What are the alternatives?

In addition to the centralized control approach, you could:

• Require sub-processors to undergo independent security certifications like SOC 2
• Provide a standard Data Protection Agreement for sub-processors to sign
• Leverage Open Processor Agreements like the one from TrustArc
• Use a data protection as a service solution to encrypt data before it goes to sub-processors

However, these options don't eliminate the need for oversight. They can supplement but not replace the controls described earlier.

Explore Further

• Download the CSA CCM for implementation details on this control
• Review the related CIS Control 12 on Boundary Defense and Control 15 on Service Provider Management
• See the EU GDPR text on processor requirements
• Learn more about protecting data shared with AWS sub-processors here

Hopefully this helps explain the importance of having proper controls and oversight any time you share personal data with sub-processors. Let me know if you have any other questions!