Securing the supply chain: why it’s time for a zero trust approach

Vaibhav Malik, Head of Cybersecurity Advisory Practice, Integrity360, looks at the increasing risks to an organisation's supply chain and how to mitigate these threats with zero trust.
Vaibhav Malik, Head of Cybersecurity Advisory Practice, Integrity360, looks at the increasing risks to an organization’s supply chain and mitigate these threats with zero trust.

The past 18 months have pushed IT departments to the limit, with companies forced to develop the infrastructure and protocols to support remote, flexible and hybrid working models at lightspeed to survive. Almost a year and a half on, this transition has served to inspire the wider uptake of transformative cloud-based technologies and models, further expanding organizational reliance on the IT environment.

The pressure on businesses and their IT teams have been exacerbated by the evolving cyberthreat landscape. As early as April 2020, the FBI reported that the number of complaints about cyberattacks had risen as much as 400% compared to pre-pandemic levels. Yet it is not just the volume of attacks that has spiked. Equally, threat actors are targeting companies in more complex ways.

One major technique that has made headlines in recent times is supply chain attacks, SolarWinds being a prime example. SolarWinds is a leading US-based information technology infrastructure and solutions provider, one of its primary products being its network management Orion software, previously used by thousands of companies globally.

In March 2020, hackers broke into SolarWinds’ network, elevated their privileges, and gained access to its development environment. Here they injected malicious code in the Orion build pipeline, compromising the systems and servers of more than 18,000 companies, including 425 of the Fortune 500 firms and key US government agencies, during a routine software update.

Supply chain attacks in a changing landscape

By definition, a supply chain attack (also known as a value-chain or third-party attack) will see a network become infiltrated through an outside partner that has access to a company’s systems or data. In the case of SolarWinds, the adversaries hid malicious code within a trusted software – a relatively typical technique of supply chain attacks.

Why are these such a challenge in the modern day? They are simply the result of an increasingly expanding and connected digital ecosystem.

In the last couple of years, largely due to the pandemic, small- and medium-sized businesses have increased their reliance on public cloud and other critical services from third-party providers.

Where we previously had the on-premise infrastructure, we now have the cloud: a massive ecosystem of services, microservices and applications used by companies to optimize their offerings and drive their businesses forward. For many of these services to work, however, they require access to critical data.

This is a major challenge from a security perspective, and with significantly greater dependencies on third parties, the risk is equally dramatically increased.

It’s important to understand that when we use a specific cloud service or application, there will be various branches of those services outsourced to an external vendor, creating a string of many possible targets that are inexplicably linked. It could be a hardware provider, a source code provider, a physical asset provider, or other.

Because of this complicated, interconnected mesh of services, the Ponemon Institute recently revealed that more than half of all organizations have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information.

Thousands of software inputs reside in complicated network environments, and understanding the extent of third parties involved isn’t entirely feasible. 

It’s a significant challenge, yet companies can take preventive measures and better protect themselves against supply chain-based threats.

In 2018 the UK’s National Cyber Security Centre (NCSC) released a cybersecurity framework built on 12 principles designed to help companies establish more effective oversight and control of their supply chains.

Of course, every company is different. How much infrastructure is on the cloud versus on-premises? How much software development is occurring in-house or outsources? Other similar supply chain-related factors will change the level of risk, and organizations will need to do their due diligence to understand how these guidelines can be incorporated in line with their specific models. However, steps that align with these principles can be highly effective in curbing supply chain threats adhered to properly and comprehensively.

The importance of zero trust

Zero trust is one example of a sound security practice that can help to deal with modern security threats.

Zero Trust is a security model that works on the premise that threats are omnipresent in different parts of the application and infrastructure stack. It relies on continuous verification via information from disparate sources to ensure that users and services are indeed who they claim to be and have the right privileges to access relevant resources. In a zero-trust environment, the source users and devices will be challenged to present the verification data about their identity, authentication, authorization, integrity and session.

In the context of reducing third party risk, this could mean:

  • Adopt a third-party risk-management framework.
  • Apply micro-segmentation for critical services, apply role-based access controls to applications, databases, and infrastructures, remove single-user accounts on highly privileged systems.
  • Enforce appropriate risk-based multifactor authentication (MFA) for all privileged role-based access.
  • Create incident guides for third-party supply-chain attack scenarios, and conduct tabletop exercises with key software vendors.
  • Mandate security training and certifications, service-level agreements (SLAs), and escalation protocols in third-party contracts.

Zero trust doesn’t mean there’s no trust. It simply means trust begins from zero rather than 100.

Traditional information security was built on the network perimeter – a concept that assumes all internal entities within a network are trusted while external parties are not trusted. The focus, therefore, was on hardening the security perimeter and keeping threats out.

Today, however, our systems are integrated with so many external entities via cloud services, microservices and applications that support and optimize the functioning of our business. As a result, there is no longer an easily defined, easily defensible perimeter. It is for this reason that zero trust is important.

Instead of trusting data and transactions after they have cleared your security perimeter, you must now verify every piece of data and operation outside and inside your system.

It’s not a case of distrusting people. Instead, it’s a policy of perpetual verification driven by automation to ensure your critical assets are more secure against modern threats such as supply chain attacks.

Stemming supply chain threats with appropriate policy implementation

So, how can a company achieve zero trust?

First, identify your users. Who has access to your data? Who are the people who look after your crown jewels? What kind of devices and software are they using? Second, understand how data flows in the organization. Who has privileged access, and what are the protocols and workflows that have been designed within the network?

Once you know the people, the assets, the workflows, you can begin to draft a policy that controls these environments. Finally, once various tools have been implemented and combined to create a zero trust framework, the next stage must be scalability.

We must understand that zero trust is not a product; it’s a set of principles, driven by various solutions and enabled by a Zero Trust Strategy.

No one tool will fully enable a zero trust environment. Instead, it is achieved through several different steps. While SASE, network segmentation, IDAM all help contribute towards zero trust, they do not enable it in themselves. Rather, they are just part of the zero trust puzzle.

READ MORE:

It’s not a case of implementation equals complete. There will be a series of additional smaller steps that organizations can take to ensure the maintenance and enhancement of zero trust frameworks. For example, have you run an incident response exercise to understand what might happen in the event of a breach? Are third party agencies who have access to your critical systems also subject to zero trust? Third parties become an extension of your business, so zero trust and other necessary security steps need to extend to them.

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

An image of Zero Trust, Security & Data, Securing the supply chain: why it’s time for a zero trust approach

Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech

AI alignment: teaching tech human language

Daniel Langkilde • 05th February 2024

However, Embodied AI refers to robots, virtual assistants or other intelligent systems that can interact with and learn from a physical environment. In order to do this, they’re built with sensors that can gather data from their surroundings, with this they also have AI systems that help them analyse data they collect, and ultimately learn...

CARMA announces acquisition of mmi Analytics

Jason Weekes • 01st February 2024

CARMA announces acquisition of mmi Analytics, expanding expertise in Beauty, Fashion, and Lifestyle sectors The combined organisation is set to redefine the landscape of media intelligence, providing unparalleled expertise and comprehensive insights for PR professional and marketers in the exciting world of beauty, fashion and lifestyle.

Managing Private Content Exposure Risk in 2024

Tim Freestone • 31st January 2024

Managing the privacy and compliance of sensitive content communications is getting more and more difficult for businesses. Cybercriminals continue to evolve their approaches, making it harder than ever to identify, stop, and mitigate the damages of malicious attacks. But, what are the key issues for IT admins to look out for in 2024?

Revolutionizing Ground Warfare Environment with Software-Enabled Armored Vehicles

Wind River • 31st January 2024

Armoured vehicles which are purpose-built for mission-critical operations are reliant on control systems that provide deterministic behaviour to meet hard real-time requirements, deliver extreme reliability, and meet rigorous security requirements against evolving threats. Wind River® has the partners and the expertise, a proven real-time operating system (RTOS), software lifecycle management techniques, and an extensive track...

The need to prove environmental accountability

Matt Tormollen • 31st January 2024

We are currently in the midst of one of the most consequential energy transitions since records began. The increasing availability of clean electrons has motivated businesses in the UK and beyond to think green. And for good reason. Being environmentally conscious attracts customers, appeases regulators, retains staff, and can even gain handouts from government. The...

Fuelling Innovation in Aftermarket

Jim Monaghan • 31st January 2024

One section of the motor trade is benefitting from the cost-of-living crisis: with consumers keeping their cars for longer, independent repairers are in huge demand. But they are also under pressure. Older cars need more repairs. They require more replacement parts, tyres and fluids. With car owners looking for value and a fast turn-around, independents...

The return of the five-day office week

Virgin Media • 25th January 2024

Virgin Media O2 Business has today published its inaugural Annual Movers Index, revealing four in ten companies are back to the office full time, despite widespread travel delays and disruptions With 2023 cementing the cost-of-living crisis, second hand shopping and public transport use surged as Brits sought to save money Using aggregated and anonymised UK...