Securing the supply chain: why it’s time for a zero trust approach

Vaibhav Malik, Head of Cybersecurity Advisory Practice, Integrity360, looks at the increasing risks to an organisation's supply chain and how to mitigate these threats with zero trust.

The past 18 months have pushed IT departments to the limit, with companies forced to develop the infrastructure and protocols to support remote, flexible and hybrid working models at lightspeed to survive. Almost a year and a half on, this transition has served to inspire the wider uptake of transformative cloud-based technologies and models, further expanding organizational reliance on the IT environment.

The pressure on businesses and their IT teams has been exacerbated by the evolving cyberthreat landscape. As early as April 2020, the FBI reported that the number of complaints about cyberattacks had risen as much as 400% compared to pre-pandemic levels. Yet it is not just the volume of attacks that has spiked. Equally, threat actors are targeting companies in more complex ways.

One major technique that has made headlines in recent times is supply chain attacks, SolarWinds being a prime example. SolarWinds is a leading US-based information technology infrastructure and solutions provider, one of its primary products being its network management Orion software, previously used by thousands of companies globally.

In March 2020, hackers broke into SolarWinds’ network, elevated their privileges, and gained access to its development environment. Here they injected malicious code into the Orion build pipeline, compromising the systems and servers of more than 18,000 companies, including 425 of the Fortune 500 firms and key US government agencies, during a routine software update.

Supply chain attacks in a changing landscape

By definition, a supply chain attack (also known as a value-chain or third-party attack) is one in which a network is infiltrated through an outside partner that has access to a company’s systems or data. In the case of SolarWinds, the adversaries hid malicious code within trusted software, a relatively typical supply chain attack technique.

Why are these such a challenge in the modern day? They are simply the result of an increasingly expanding and connected digital ecosystem.

In the last couple of years, largely due to the pandemic, small- and medium-sized businesses have increased their reliance on public cloud and other critical services from third-party providers.

Where we previously had the on-premise infrastructure, we now have the cloud: a massive ecosystem of services, microservices and applications used by companies to optimize their offerings and drive their businesses forward. For many of these services to work, however, they require access to critical data.

This is a major challenge from a security perspective, and with significantly greater dependencies on third parties, the risk is equally dramatically increased.

It’s important to understand that when we use a specific cloud service or application, various branches of that service will be outsourced to external vendors, creating a string of many possible targets that are inextricably linked. It could be a hardware provider, a source code provider, a physical asset provider, or another kind of supplier altogether.

Given this complicated, interconnected mesh of services, it is little surprise that the Ponemon Institute recently revealed that more than half of all organizations have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information.

Thousands of software inputs reside in complicated network environments, and understanding the extent of third parties involved isn’t entirely feasible. 

It’s a significant challenge, yet companies can take preventive measures and better protect themselves against supply chain-based threats.

In 2018 the UK’s National Cyber Security Centre (NCSC) released a cybersecurity framework built on 12 principles designed to help companies establish more effective oversight and control of their supply chains.

Of course, every company is different. How much infrastructure is on the cloud versus on-premises? How much software development is occurring in-house versus outsourced? Other similar supply chain-related factors will change the level of risk, and organizations will need to do their due diligence to understand how these guidelines can be incorporated in line with their specific models. However, steps that align with these principles can be highly effective in curbing supply chain threats if adhered to properly and comprehensively.

The importance of zero trust

Zero trust is one example of a sound security practice that can help to deal with modern security threats.

Zero Trust is a security model that works on the premise that threats are omnipresent in different parts of the application and infrastructure stack. It relies on continuous verification via information from disparate sources to ensure that users and services are indeed who they claim to be and have the right privileges to access relevant resources. In a zero-trust environment, the source users and devices will be challenged to present the verification data about their identity, authentication, authorization, integrity and session.

In the context of reducing third-party risk, this could mean:

  • Adopt a third-party risk-management framework.
  • Apply micro-segmentation for critical services, apply role-based access controls to applications, databases, and infrastructures, remove single-user accounts on highly privileged systems.
  • Enforce appropriate risk-based multifactor authentication (MFA) for all privileged role-based access.
  • Create incident guides for third-party supply-chain attack scenarios, and conduct tabletop exercises with key software vendors.
  • Mandate security training and certifications, service-level agreements (SLAs), and escalation protocols in third-party contracts.
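To make the model above concrete, here is an added illustration (not code from the article or from Integrity360) of a per-request access decision that checks each of the five dimensions named earlier, with risk-based MFA for privileged roles and critical resources as in the second and third bullets. The directory, role table, resource names and session limit are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample directory and role table (not from the article): which roles may
# reach which resource, which roles are privileged, and which resources are critical.
DIRECTORY = {"alice": "analyst", "bob": "dba", "acme-support": "vendor-support"}
ROLE_ACCESS = {
    "analyst": {"reporting-db"},
    "dba": {"reporting-db", "customer-db"},
    "vendor-support": {"ticketing"},          # third party gets only what its role needs
}
PRIVILEGED_ROLES = {"dba"}
CRITICAL_RESOURCES = {"customer-db"}          # access here is always rated high risk
MAX_SESSION_AGE = 8 * 3600                    # seconds before a session must re-verify


@dataclass
class AccessRequest:
    user: str
    resource: str
    mfa_passed: bool         # did this session complete a second factor?
    device_attested: bool    # result of the endpoint integrity / posture check
    session_age: int         # seconds since the session was last verified


def evaluate(req: AccessRequest) -> tuple:
    """Zero-trust style decision: every request is checked on identity, authorization,
    authentication strength, device integrity and session freshness, regardless of
    whether it arrives from 'inside' or 'outside' the network. Returns (allowed, reasons)."""
    failures = []
    role = DIRECTORY.get(req.user)
    if role is None:
        return False, ["identity: unknown user"]      # nothing else can be evaluated
    if req.resource not in ROLE_ACCESS.get(role, set()):
        failures.append(f"authorization: role {role} may not access {req.resource}")
    # Risk-based MFA: required whenever the role or the target resource is sensitive.
    high_risk = role in PRIVILEGED_ROLES or req.resource in CRITICAL_RESOURCES
    if high_risk and not req.mfa_passed:
        failures.append("authentication: MFA required for privileged/critical access")
    if not req.device_attested:
        failures.append("integrity: device failed posture check")
    if req.session_age > MAX_SESSION_AGE:
        failures.append("session: re-verification required")
    return not failures, failures
```

Every failed dimension is reported rather than just the first, which is what an access log needs for later investigation.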

Zero trust doesn’t mean there’s no trust. It simply means trust begins from zero rather than 100.

Traditional information security was built on the network perimeter – a concept that assumes all internal entities within a network are trusted while external parties are not trusted. The focus, therefore, was on hardening the security perimeter and keeping threats out.

Today, however, our systems are integrated with so many external entities via cloud services, microservices and applications that support and optimize the functioning of our business. As a result, there is no longer an easily defined, easily defensible perimeter. It is for this reason that zero trust is important.

Instead of trusting data and transactions after they have cleared your security perimeter, you must now verify every piece of data and operation outside and inside your system.

It’s not a case of distrusting people. Instead, it’s a policy of perpetual verification driven by automation to ensure your critical assets are more secure against modern threats such as supply chain attacks.

Stemming supply chain threats with appropriate policy implementation

So, how can a company achieve zero trust?

First, identify your users. Who has access to your data? Who are the people who look after your crown jewels? What kind of devices and software are they using? Second, understand how data flows in the organization. Who has privileged access, and what are the protocols and workflows that have been designed within the network?

Once you know the people, the assets, the workflows, you can begin to draft a policy that controls these environments. Finally, once various tools have been implemented and combined to create a zero trust framework, the next stage must be scalability.

We must understand that zero trust is not a product; it’s a set of principles, driven by various solutions and enabled by a Zero Trust Strategy.

No one tool will fully enable a zero trust environment. Instead, it is achieved through several different steps. While SASE, network segmentation and IDAM all help contribute towards zero trust, they do not enable it in themselves. Rather, they are just part of the zero trust puzzle.

It’s not a case of implementation equals complete. There will be a series of additional smaller steps that organizations can take to ensure the maintenance and enhancement of zero trust frameworks. For example, have you run an incident response exercise to understand what might happen in the event of a breach? Are third-party agencies who have access to your critical systems also subject to zero trust? Third parties become an extension of your business, so zero trust and other necessary security steps need to extend to them.

Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech
