Any business that has vendors, partners and/or customers, has a supply chain, and its most sensitive data flows along the entire length of that supply chain. Every link in the supply chain represents a potential vulnerability for a cyber attack. In other words, it's no longer good enough to secure yourself from your enemies, you also have to secure yourself from your friends.
Complicating security today is the fact that all or a portion of the supply chain of any given company resides in the cloud, often the public cloud, meaning the data from that organization must pass through the cloud. Particularly when you consider that XaaS (anything-as-a-service) is becoming the most common way to deliver networked services, it's a sure bet that suppliers and vendors are sending and receiving corporate data to and from the cloud. Deploying services in the cloud exposes those services to a whole new set of security risks associated with cloud delivery, changing the probability of success for a threat source and increasing the impact of an attack.
Unauthorized Use, Insecure Interfaces and Insufficient Access Management
XaaS providers typically have on-demand, self-service arrangements. They do little to no vetting of their customers. That makes them, and by consequence an organization’s entire supply chain, vulnerable to malicious and unauthorized use of their service. This is especially true if their service has inadequate cyber protection.
Nearly everything in the supply chain is automated today, requiring very little human intervention. Where feasible, companies try communicating machine-to-machine using an application program interface (API). APIs are exposed to the open Internet and are extremely difficult to make 100% attack proof. It only takes one vulnerable API along the entire length of a supply chain to put a company at risk.
Access management are the controls used to manage authorized access to a system or application, like XaaS. Often this involves a password chosen by an end user. It only takes one poorly-chosen or compromised password, anywhere along a company’s supply chain, to put the company at risk.
Multi-Tenancy and Cloud Service Provider Compromise
Companies that deploy their services in the cloud share those cloud resources (e.g. servers, databases) with other companies. It's analogous to tenants in different apartments sharing an apartment building. While cloud service providers (CSP) do their best to install stringent tenant-to-tenant security measures, this can still be a point of weakness - one that puts an entire supply chain at risk. CSPs themselves have a supply chain and any vulnerability in that supply chain gets passed on to the CSP, and by proxy, to its customers. Complicating matters, in an effort to protect their business, CSPs rarely report a data breach. So not only are customer’s supply chains at risk, but they are also in the dark about it.
A Viable Solution
Deploying a service in the cloud increases the attack surface of that service. This translates to an increased attack surface for the entire supply chain, and therefore, an increased risk to the company. It is extremely difficult to assess supply chain risk because it is not feasible to vet every individual vendor, partner and customer. And even if it were possible to vet their policies and processes, there would be no way to know for certain if they were actually enforced. The bottom line is that no company will ever be able to fully trust its supply chain. Instead, the safest course of action is to assume the supply chain is vulnerable and act accordingly. The data moving back and forth between an organization and its supply chain must be protected, and the supply chain cannot be counted on to provide that protection - it must come from the organization itself.
Companies must insist that the entities within their supply chain communicate with them securely and lock down their endpoints. Secure communication links can be established between all parties within a supply chain by requiring the implementation and use of a highly secure solution to encrypt data, filter Internet and data traffic and deny unsolicited data requests. For the solution to be practical for most supply chains, it must also be affordable and deployable via public cloud, private cloud and on premises, without requiring an update to legacy equipment.
Attila’s GoSilent is a NIAP-listed solution that provides CNSA Top Secret (TS) level security for protecting data over any network. GoSilent will lock-down an entire supply chain by upgrading the organization’s network-security footprint, without compromising daily business operations. GoSilent is also affordable and is flexible enough to layer in with legacy systems. Learn more about Attila’s products and next-generation edge security. Sometimes the best solution to a complex problem, like supply chain security in the cloud, is the simplest.