Preventing supply chain attacks with zero trust


COVID-19 has created one of the most trying periods in modern history, testing the resolve of even the most resilient communities and economies in every imaginable way. Within the adversity, however, several silver linings have emerged.

Consider how things might have been different if the pandemic had happened 20 years earlier.

Not only has healthcare innovation come on in leaps and bounds in the past two decades, spurring on effective COVID-19 treatment and vaccination efforts, but societies and companies have equally been able to stay extremely well connected during the past 18 months thanks to the brilliance of modern technology.

Owing to the implementation of national lockdowns, organisations were forced to adapt almost overnight, adopting technologies capable of supporting remote working models at an extremely heightened pace – uptake that isn’t showing signs of slowing any time soon.

According to Gartner, worldwide end-user spending on public cloud services is forecast to grow 18.4% in 2021 to $304.9 billion, and almost 70% of organisations using cloud services today plan to increase their cloud spending in the wake of the disruption caused by COVID-19.

Yet such connectivity does not come without its challenges. As the global digital landscape continues to expand at a rapid rate, cybercriminals have begun to leverage highly sophisticated techniques to capitalise on growing opportunities, supply chain attacks being a prime example.

Recently described by IT industry stakeholders as a new-wave ‘cyber pandemic’, supply chain attacks are repeatedly catching organisations and security professionals off guard by compromising trusted vendors that have access to a company’s systems or data.

The SolarWinds attack is an infamous case in point. In March 2020, threat actors infiltrated the company’s network, elevated their privileges and accessed the firm’s software development environment. They then injected malicious code into its Orion software – used by 18,000 client organisations, including US government agencies and 425 Fortune 500 companies, for network management purposes.

When Orion’s next routine software update was released, it infected the networks of SolarWinds’ clients, and the incident remained completely undetected until December 2020.

Indeed, the SolarWinds attack is a prime example of the security-centric challenge that comes with increasing connectivity, particularly in relation to third party vulnerabilities.

The risk stems from the supply chain. When a service or application from a third-party provider is used, there are branches to that service where the third party themselves may have outsourced development. It could be that they have sought external assistance with a specific part of their software development, hardware development, source code development or other aspect, creating a string of connected entities that are inextricably linked.

A recent study from Ponemon Institute reveals that 51% of organisations have experienced a data breach caused by a third party, in large part because of poor supply chain security practices.

Indeed, it is likely that there are hundreds or thousands of various third-party inputs residing in a company’s network environment, yet neither mapping nor monitoring this intricate web is all that feasible.

That said, there are steps enterprises can take to better prepare themselves against supply chain attacks.

The Ponemon Institute study also states that 74% of companies that had experienced breaches in the past 12 months revealed that it was the result of giving too much privileged access to third parties, a statistic that highlights the vital importance of adopting zero trust as a security policy.

Zero trust is the idea that organisations should not automatically trust anything (third parties, users, data or otherwise). Rather, they should verify anything and everything.

It is somewhat ill-defined: rather than meaning there is no trust at all, it advocates that trust should begin from zero as opposed to 100 percent.

In an increasingly connected world, where the network perimeter has been displaced by cloud-based structures, traditional approaches to security are no longer suitable. But how can an organisation transition its security policies effectively and efficiently to achieve zero trust?

Understanding who has access to your data and how this flows throughout the organisation is the first step. Once understood, a company may begin to draft a policy that helps to control these environments.

In 2018 the UK’s National Cyber Security Centre (NCSC) released a cybersecurity framework built on 12 principles, designed to help enterprises establish greater control of their supply chains. It is advisable that any approach should align with these guidelines to be as effective as possible.

That said, there are no shortcuts to achieving zero trust.

It’s not a product – it is a principle that is driven by the combination of various relevant solutions. SASE, network segmentation and IDAM won’t singlehandedly enable zero trust themselves. Rather, they will help paint the overall picture.

Once you have a framework in place this needs to be scalable, not just internally but equally for external entities. Third parties are an extension of your business, often with access to critical data and systems. For this reason, zero trust and other necessary security steps must extend to them.
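The steps above (map who has access, write a default-deny policy, extend it to third parties) can be made concrete in code. The following is an added illustration, not code from the article or any vendor it mentions: a minimal policy check in which a third party is allowed to act only on an explicit, time-boxed grant after its identity and device have been verified, plus a review that flags grants carrying permissions the supplier never actually uses. All party names, resources and grants are constructed for the example.

```python
"""Added example: default-deny access evaluation for third-party suppliers.
All identities, resources and grants below are constructed, not real."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Grant:
    party: str          # third-party identity (constructed)
    resource: str       # data set or system the grant covers
    actions: frozenset  # explicitly permitted actions, nothing implied
    expires: datetime   # every grant is time-boxed and must be renewed


@dataclass(frozen=True)
class Request:
    party: str
    resource: str
    action: str
    mfa_verified: bool   # identity re-verified for this request
    device_trusted: bool # device posture checked for this request
    now: datetime


def evaluate(request, grants):
    """Return (allowed, reason). Trust starts at zero: every condition must hold."""
    if not request.mfa_verified:
        return False, "identity not verified"
    if not request.device_trusted:
        return False, "device posture unknown"
    for g in grants:
        if (g.party == request.party and g.resource == request.resource
                and request.action in g.actions):
            if request.now >= g.expires:
                return False, "grant expired"
            return True, "explicit grant"
    return False, "no explicit grant"


def over_privileged(grants, observed):
    """Flag grants whose actions never appear in observed (party, resource, action)
    usage; this is the 'too much privileged access' review described above."""
    used = set(observed)
    findings = []
    for g in grants:
        unused = {a for a in g.actions if (g.party, g.resource, a) not in used}
        if unused:
            findings.append((g.party, g.resource, sorted(unused)))
    return findings


# Constructed sample data: a monitoring supplier with read-only telemetry access
# and a billing supplier granted far more on the customer database than it uses.
EXPIRY = datetime(2030, 1, 1, tzinfo=timezone.utc)
GRANTS = [
    Grant("vendor-monitoring", "network-telemetry", frozenset({"read"}), EXPIRY),
    Grant("vendor-billing", "customer-db", frozenset({"read", "write", "export"}), EXPIRY),
]
OBSERVED = [("vendor-billing", "customer-db", "read"),
            ("vendor-monitoring", "network-telemetry", "read")]


def demo():
    """Run the constructed scenario and return the outcomes for inspection."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    return {
        "ok": evaluate(Request("vendor-monitoring", "network-telemetry", "read", True, True, now), GRANTS),
        "wrong_action": evaluate(Request("vendor-monitoring", "network-telemetry", "write", True, True, now), GRANTS),
        "no_mfa": evaluate(Request("vendor-monitoring", "network-telemetry", "read", False, True, now), GRANTS),
        "review": over_privileged(GRANTS, OBSERVED),
    }
```

In the constructed data the review reports the billing supplier's unused `write` and `export` permissions, which is exactly the kind of excess access a zero trust policy should remove before it is abused.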