How Many Vendors does your Vendor Have?

If you asked me for a list of ways to run a secure software or IT department, number one on that list would be to reduce the surface area.

Reducing the surface area all boils down to this: if there are fewer places to attack you, you will get attacked less, and it's easier to defend what's left.

That's not to say that things like encryption, intrusion detection, and RBAC aren't valuable; I'm saying that the most pragmatic thing to do is to limit your vulnerabilities in the first place. Realistically, no one is going to break encryption, but someone might discover a key in a really old commit in a public repo or some credentials accidentally pasted into a public Slack used for customer support - in these cases, the breach will almost certainly look like legitimate access in which your encryption doesn't matter and at best your IDS will be a forensic log.

One thing that matters a lot in these cases is where the compromised service lives. Is it a public multi-tenant SaaS app? Ope, that sucks. How about a cloud vendor? Dang, sucks to suck. If instead the compromised key belongs to an internal application running inside of a private network without a public entrypoint? Nice bullet dodge. (still tho, clean up your keys).

Keeping the surface area small is a core part of infrastructure architecture - put a load balancer on the public internet and have it control traffic to services inside of a private network. Large companies recognize it as part of how you responsibly run a business, which is why we have concepts like federated identity. Which brings us back to the topic at hand...

How many vendors do you have?

The SaaS era birthed so many domain-specific tools that most folks probably don't know off the top of their head how many tools it takes to run their team or business. There are your big ones like email, documents, storage, and hosting. There are your team's specific needs like sales tools and CRMs. There are the quiet ones that run in the background like data exfiltration detection. There are boring company-wide vendors helping do things like HR and payroll. Have contractors? They probably have their own stack of tools too.

Now ask yourself, how many vendors does a given vendor have? Don't know? Check out a company's privacy policy; most companies are nice enough to list the major vendors that act as "data subprocessors" (that is, the vendors that they send your data to). Most at least. Here's what OpenAI says:

To assist us in meeting business operations needs and to perform certain services and functions, we disclose Personal Data to vendors and service providers, including providers of hosting services, customer service vendors, cloud services, content delivery services, support and safety services, email communication software, web analytics services, payment and transaction processors, search and shopping providers, and information technology providers.

If you actually want to know who those vendors are, you need to head on over to their trust center and fire off some requests for documents. So this is where the trouble begins - if OpenAI is a major, critical vendor for your company, your surface area is pretty vague, at least until they respond to your requests (get the SOC2 Type 2 report at a minimum).

Companies selling agents tend to use a lot of vendors for delivering their services; most are a little nicer than OpenAI and will tell you in plain language where your data gets shipped off to. Take a peek at Genspark's policy: https://www.genspark.ai/privacy. You get Azure, Stripe, Google Workspace and then inference providers: Anthropic, xAI, Google again, ElevenLabs, and our old friends OpenAI. So if Genspark is a vendor, that means OpenAI is a 3rd party, and now their vendors are 4th parties to you. It's conceivable that the prompts you slam into the app are now stored not only on OpenAI but on a telemetry vendor too, and all of a sudden a data breach at any of three different companies could result in sensitive info getting leaked. This is the real surface area you are dealing with.
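
To make that count concrete, here is an added example (not from the original post) that walks a vendor-to-subprocessor map and labels every company by party level, using the post's numbering. The OpenAI entry and the ExampleTelemetry name are hypothetical placeholders; a vendor with no entry is treated as not having disclosed its subprocessors.

```python
from collections import deque

# Constructed inventory. Genspark's list uses the names quoted above from its
# privacy policy. "ExampleTelemetry" is a hypothetical placeholder. A vendor
# with no key here has not published its subprocessors (ask its trust center).
DISCLOSED = {
    "Genspark": ["Azure", "Stripe", "Google Workspace", "Anthropic", "xAI",
                 "Google", "ElevenLabs", "OpenAI"],
    "OpenAI": ["ExampleTelemetry"],  # hypothetical: filled in after a document request
    "ExampleTelemetry": [],          # hypothetical: confirmed no further subprocessors
}

def surface_area(direct_vendors, disclosed):
    """Breadth-first walk of the vendor graph.

    Returns (party, undisclosed). party maps each company to its level in the
    post's numbering: direct vendor = 2, its vendor = 3 (3rd party), and so on.
    undisclosed lists companies whose own vendor list is unknown.
    """
    party = {v: 2 for v in direct_vendors}
    queue = deque(direct_vendors)
    undisclosed = []
    while queue:
        vendor = queue.popleft()
        subs = disclosed.get(vendor)
        if subs is None:                # no published list: the graph is blind here
            undisclosed.append(vendor)
            continue
        for sub in subs:
            if sub not in party:        # shortest path wins; also stops cycles
                party[sub] = party[vendor] + 1
                queue.append(sub)
    return party, sorted(undisclosed)

def report(direct_vendors, disclosed):
    """Summarise how many companies can hold your data, grouped by party level."""
    party, undisclosed = surface_area(direct_vendors, disclosed)
    by_level = {}
    for name, level in party.items():
        by_level.setdefault(level, []).append(name)
    return {"companies_holding_data": len(party),
            "by_party": {k: sorted(v) for k, v in sorted(by_level.items())},
            "undisclosed": undisclosed}

if __name__ == "__main__":
    for key, value in report(["Genspark"], DISCLOSED).items():
        print(key, value)
```

The undisclosed list is the part to act on: each name there is a document request you still need to send before the count means anything.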

How do you reduce the surface area?

There are two obvious paths here, both have traditionally been expensive - roll your own or self host.

"Roll your own" refers to building out your own solution to a problem. The SaaS era was predicated on an app solving a class of problems and then spreading the cost of it out among as many customers as possible. Building internal software projects means there is only one company to absorb the cost of the project; that was a problem once upon a time, but now coding agents have made this cheap and fast.

"Self host" refers to taking off-the-shelf software (open or closed source) and running it on your own hardware or cloud. Even if the software is open source, you will spend engineering time deploying and maintaining it. This approach is probably the most familiar to anyone who has worked on a team or sold software to a company in a regulated industry or one that deals with sensitive data. Most of the time, you see companies that run infra via a cloud vendor, or a hybrid with some racks that they own, and access control tends to be locked down, but otherwise it is not a dramatic departure from running infra on a typical public cloud. You will still find that self hosting means maintenance, but when you aren't engineering for a public SaaS platform it makes a lot of decisions much easier - skip Kubernetes, schedule maintenance and don't bother with high availability deployments if you don't have to. Sometimes you can even forget about the whole pets vs cattle thing and just run a VM configured with a few bash scripts - the level of sophistication should match the need, but don't overdo it.

Either approach (or both at the same time) gives you the ability to limit access by design, which is rather nice! Put things in private networks, only build for a specific identity provider, design for single tenancy - all the things that make your life easier and the surface area smaller. The key takeaway is that this is a pragmatic choice; reducing the surface area can and should simplify your stack at the same time it makes you more secure.