Not long ago, the traditional enterprise would have its own servers on-site, and would buy physical licenses so that it could offer software to its employees. Security in this environment meant legacy solutions like hardware firewalls and antivirus services, and it was the responsibility of the organization to protect itself. Modern enterprises no longer centralize their most critical and defining business flows within a brick and mortar headquarters, but rather spread them out between cloud resources, hosted on servers owned by third party vendors and stitched together with APIs to create a working digital supply chain. Using this model often means that vendors have or exchange sensitive information about their customers and even their customers’ customers, so even though more companies share responsibility for their collective data privacy, hackers can pick from a variety of targets to hit and make off with the same amount of loot. The exploitation or hacking of a third party vendor to get at its customers is called a supply chain attack. When the vendor is popular and successful enough to have equally enormous customers – such as governments and other industry multinational companies – the damage that can stem from a single supply chain attack is astounding. But if you’re a modern enterprise using a multi-cloud strategy, how can you reduce your exposure to your suppliers?
The world saw the impact of a big supply chain attack when SolarWinds was breached in mid-December of 2020. SolarWinds’ Orion software, which includes on its list of customers Fortune 500 companies, the US military, US Treasury Department and Department of Homeland Security. Undetected for months, hackers used a backdoor in Orion to spy on SolarWinds’ more than 33,000 customers, and the damage is literally impossible to tally. It’s true that the revelation of government and military data is worrisome, but less spotlight is cast on the smaller firms which relied on Orion to help with their IT management. The Shared Responsibility Model for data security is important to think of in light of events like these, as it acts like a Terms and Conditions for assessing post-breach accountability. Orion’s breach led to a domino effect in which even trusted security firms like FireEye were exposed with no recourse, but that’s the rub when network perimeters no longer exist. If this is what companies are up against, is there any solution?
The ability for an internal IT team to protect against supply chain attacks is actually greater than one might think, but it doesn’t involve the integration of new tools or implementation of new models, all it requires is transparency. Most of the responsibility for ensuring supply chain strength will fall on the upper ranks of security management, like the CTO or CISO, who will need to do an audit of the company’s software vendors. A good first step is to only trust vendors who will have access to your data if they are compliant with some of the strictest measures of data security, like SOC 2 or ISO 27001/2. Experts agree that a company can reduce the majority of its exposure to supply chain attacks just by ensuring the correct compliance among vendors, but this doesn’t mean they’re immune. It seems banal, but always patching on time is crucial, and is a way to reduce exposure to known vulnerabilities while also watching out for unknown supply chain cracks by requiring visibility in core components. Vendors will in the best cases have a “bills of materials” that they use in their work, which should include details on where hardware and other core components were sourced from.
Due to supply chain attacks gaining prominence – and multiplying in occurrence by over 78% in 2019 – more vendors offer information that can prove their security, and it’s easy to imagine that soon there will be an international standard for producing supply chain data that vendors must follow. Until then, there’s another way to reinforce your supply chain without pestering vendors about their own transparency. Some vendors are busy building their own custom, self-managed cloud solutions, and are therefore easily able to produce the degree of supply chain transparency that smart customers require. Others are helping boost supply chain confidence by hiring outside penetration testing services, and making the reports available to potential customers. At the end of the day, it’s possible to be almost sure of the integrity of your vendors with enough effort, but SolarWinds proved that getting to 100% certainty isn’t in the cards. Thankfully, things are changing quickly, and security professionals today are far from helpless in the battle for supply chain security.