Vaibhav Malik, Head of Cybersecurity Advisory Practice, Integrity360, looks at the increasing risks to an organization’s supply chain and how to mitigate these threats with zero trust.
The past 18 months have pushed IT departments to the limit, with companies forced to develop the infrastructure and protocols to support remote, flexible and hybrid working models at lightspeed to survive. Almost a year and a half on, this transition has served to inspire the wider uptake of transformative cloud-based technologies and models, further expanding organizational reliance on the IT environment.
The pressure on businesses and their IT teams has been exacerbated by the evolving cyberthreat landscape. As early as April 2020, the FBI reported that the number of complaints about cyberattacks had risen as much as 400% compared to pre-pandemic levels. Yet it is not just the volume of attacks that has spiked. Equally, threat actors are targeting companies in more complex ways.
One major technique that has made headlines in recent times is supply chain attacks, SolarWinds being a prime example. SolarWinds is a leading US-based information technology infrastructure and solutions provider, one of its primary products being its network management Orion software, previously used by thousands of companies globally.
In March 2020, hackers broke into SolarWinds’ network, elevated their privileges, and gained access to its development environment. Here they injected malicious code in the Orion build pipeline, compromising the systems and servers of more than 18,000 companies, including 425 of the Fortune 500 firms and key US government agencies, during a routine software update.
Supply chain attacks in a changing landscape
By definition, a supply chain attack (also known as a value-chain or third-party attack) sees a network infiltrated through an outside partner that has access to a company’s systems or data. In the case of SolarWinds, the adversaries hid malicious code within trusted software – a relatively typical technique in supply chain attacks.
Why are these such a challenge in the modern day? They are simply the result of an increasingly expanding and connected digital ecosystem.
In the last couple of years, largely due to the pandemic, small- and medium-sized businesses have increased their reliance on public cloud and other critical services from third-party providers.
Where we previously had the on-premise infrastructure, we now have the cloud: a massive ecosystem of services, microservices and applications used by companies to optimize their offerings and drive their businesses forward. For many of these services to work, however, they require access to critical data.
This is a major challenge from a security perspective, and with significantly greater dependencies on third parties, the risk is equally dramatically increased.
It’s important to understand that when we use a specific cloud service or application, various branches of that service will be outsourced to external vendors, creating a string of many possible targets that are inextricably linked. It could be a hardware provider, a source code provider, a physical asset provider, or another kind of supplier.
Reflecting this complicated, interconnected mesh of services, the Ponemon Institute recently revealed that more than half of all organizations have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information.
Thousands of software inputs reside in complicated network environments, and understanding the extent of third parties involved isn’t entirely feasible.
It’s a significant challenge, yet companies can take preventive measures and better protect themselves against supply chain-based threats.
In 2018 the UK’s National Cyber Security Centre (NCSC) released a cybersecurity framework built on 12 principles designed to help companies establish more effective oversight and control of their supply chains.
Of course, every company is different. How much infrastructure is on the cloud versus on-premises? How much software development is occurring in-house or outsourced? Other similar supply chain-related factors will change the level of risk, and organizations will need to do their due diligence to understand how these guidelines can be incorporated in line with their specific models. However, steps that align with these principles can be highly effective in curbing supply chain threats when adhered to properly and comprehensively.
The importance of zero trust
Zero trust is one example of a sound security practice that can help to deal with modern security threats.
Zero trust is a security model that works on the premise that threats are omnipresent in different parts of the application and infrastructure stack. It relies on continuous verification via information from disparate sources to ensure that users and services are indeed who they claim to be and have the right privileges to access relevant resources. In a zero-trust environment, the requesting users and devices will be challenged to present verification data about their identity, authentication, authorization, integrity and session.
In the context of reducing third-party risk, this could mean:
- Adopt a third-party risk-management framework.
- Apply micro-segmentation for critical services, apply role-based access controls to applications, databases, and infrastructures, remove single-user accounts on highly privileged systems.
- Enforce appropriate risk-based multifactor authentication (MFA) for all privileged role-based access.
- Create incident guides for third-party supply-chain attack scenarios, and conduct tabletop exercises with key software vendors.
- Mandate security training and certifications, service-level agreements (SLAs), and escalation protocols in third-party contracts.
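The verification inputs listed above (identity, authentication, authorization, integrity, session) and the risk-based MFA rule for privileged roles can be expressed as a single default-deny policy decision. The following is an added example, not code from the article or from Integrity360; the role names, resource names, device-posture signals and session limit are hypothetical.

```python
"""Added example: a minimal zero-trust policy decision point. Every request is
checked against all five verification inputs the article names, regardless of
whether it originates inside or outside the network perimeter. Names are assumed."""
from dataclasses import dataclass, field
import time

# Hypothetical inventory of known subjects (article: "identify your users").
KNOWN_SUBJECTS = {"alice", "vendor-support-svc"}
# Assumed privileged roles that always require MFA step-up.
PRIVILEGED_ROLES = {"db-admin", "build-admin"}
# Hypothetical RBAC mapping; third-party vendors only get narrow roles.
ROLE_GRANTS = {
    "db-admin": {"orders-db"},
    "build-admin": {"ci-pipeline"},
    "vendor-support": {"ticket-api"},
}
# Assumed device integrity signals a request must attest to.
REQUIRED_POSTURE = {"disk_encrypted", "edr_running", "os_patched"}
SESSION_MAX_AGE = 3600  # seconds before the session must be re-verified


@dataclass
class Request:
    subject: str
    role: str
    resource: str
    authenticated: bool          # credential verified by the identity provider
    mfa_passed: bool             # second factor completed in this session
    device_posture: set = field(default_factory=set)
    session_started: float = 0.0
    third_party: bool = False    # subject belongs to an external vendor
    now: float = field(default_factory=time.time)


def decide(req: Request) -> tuple:
    """Return (allowed, reason). Trust starts at zero: any failed check denies."""
    if req.subject not in KNOWN_SUBJECTS:
        return False, "identity: unknown subject"
    if not req.authenticated:
        return False, "authentication: no verified credential"
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        return False, "authorization: role does not grant resource"
    missing = REQUIRED_POSTURE - req.device_posture
    if missing:
        return False, "integrity: device missing " + ",".join(sorted(missing))
    if req.now - req.session_started > SESSION_MAX_AGE:
        return False, "session: expired, re-verify"
    # Risk-based MFA: privileged roles and all third-party access must step up.
    if (req.role in PRIVILEGED_ROLES or req.third_party) and not req.mfa_passed:
        return False, "mfa: step-up required for privileged or third-party access"
    return True, "allow"
```

The same check runs for an internal administrator and for a vendor service account; the vendor is denied on the MFA rule even when its role, device and session are in order, which is the "extend zero trust to third parties" point the article makes.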
Zero trust doesn’t mean there’s no trust. It simply means trust begins from zero rather than 100.
Traditional information security was built on the network perimeter – a concept that assumes all internal entities within a network are trusted while external parties are not trusted. The focus, therefore, was on hardening the security perimeter and keeping threats out.
Today, however, our systems are integrated with so many external entities via cloud services, microservices and applications that support and optimize the functioning of our business. As a result, there is no longer an easily defined, easily defensible perimeter. It is for this reason that zero trust is important.
Instead of trusting data and transactions after they have cleared your security perimeter, you must now verify every piece of data and operation outside and inside your system.
It’s not a case of distrusting people. Instead, it’s a policy of perpetual verification driven by automation to ensure your critical assets are more secure against modern threats such as supply chain attacks.
Stemming supply chain threats with appropriate policy implementation
So, how can a company achieve zero trust?
First, identify your users. Who has access to your data? Who are the people who look after your crown jewels? What kind of devices and software are they using? Second, understand how data flows in the organization. Who has privileged access, and what are the protocols and workflows that have been designed within the network?
Once you know the people, the assets, the workflows, you can begin to draft a policy that controls these environments. Finally, once various tools have been implemented and combined to create a zero trust framework, the next stage must be scalability.
We must understand that zero trust is not a product; it’s a set of principles, driven by various solutions and enabled by a Zero Trust Strategy.
No one tool will fully enable a zero trust environment. Instead, it is achieved through several different steps. While SASE, network segmentation and IDAM all help contribute towards zero trust, they do not enable it in themselves. Rather, they are just part of the zero trust puzzle.
Implementation does not mean the job is complete. There will be a series of additional smaller steps that organizations can take to ensure the maintenance and enhancement of zero trust frameworks. For example, have you run an incident response exercise to understand what might happen in the event of a breach? Are third-party agencies who have access to your critical systems also subject to zero trust? Third parties become an extension of your business, so zero trust and other necessary security steps need to extend to them.