With Third-Party Providers, Trust is in Short Supply

There is little cause to expect the rate of growth in supply chain complexity to diminish. Third-party offerings – whether they are SaaS productivity suites, hyperscale storage and compute provision, or physical devices – are now an essential tool for increasing agility and finding efficiencies. Few organizations can afford to reinvent the wheel for each tool they need to do their work. Innovation, therefore, increasingly necessitates outsourcing.

This raises an important question: where should you draw the line on trust in an enterprise network? Should you automatically trust that a mobile device connected to your office block’s Wi-Fi is not malicious? How about a laptop which, because it is connected via Ethernet, is at least definitely inside the building? Are the VoIP desk phones which you purchased from a vendor trustworthy? Or the hard drives in an on-premises server? Or the building’s networked CCTV cameras?

For a long time, the question of trust in cybersecurity has only been at play in certain cases. With end-user devices such as laptops and mobile phones, trust has been initially conferred on the basis of proof of identity – logging in to networks and services with a password or similar – and bolstered by tools such as two-factor authentication and ongoing virus detection. Once that initial check is passed, the device is assumed to be trustworthy until the next identity check is triggered; in this ‘castle and moat’ model, a one-off breach can be all that is needed to cause significant damage.

In other cases, though, the question of trust often never comes under serious review. A business might, for instance, buy a wireless networking solution and assume that the vendor has ensured that the solution is robustly secure, while the vendor itself will have purchased hardware from manufacturers on a similar assumption, and those manufacturers will have acquired off-the-shelf parts to build the hardware from other manufacturers, and so on.

This problem also pertains to software and services: as technology grows more advanced and complex, supply chains grow longer and more difficult to thoroughly vet.

The supply chain security outlook
Supply chain security will be a growing part of cybersecurity discussions in coming years, for two major reasons. First: fundamental infrastructure, even in its simplest form, is now joining end-user devices in the list of network endpoints, with everything from lighting to heavy manufacturing equipment being connected to the network in the interest of automation, efficiency, and oversight.

Second: attackers are getting to grips with the array of potential entry-points that these connected devices represent and using them as a vector for intrusion.

A few months ago, the French aircraft maker Airbus reportedly suffered just such an attack – in this case, the vector was software-based, with the attacker apparently compromising the virtual private networks of the company’s key suppliers and using them as a stepping stone to steal information from Airbus’s network itself.

That this is a growing threat is also borne out in the most recent round of research from the Neustar International Security Council. In an in-depth survey of cybersecurity professionals, nine out of ten stated that they are worried about the potential for compromised third party suppliers to affect them, while just 24% suggested that they are confident in the efficacy of the barriers they have in place against this kind of attack.

Questioning trust
‘Zero trust’ will not be an unfamiliar term for cybersecurity professionals; it was first coined in in the late 2000s, with Google going on to release a whitepaper on its internal implementation of zero trust principles a few years later.

However, in a context where network attack surfaces are rapidly growing bigger, more diverse, and more unpredictable, there is a sense that zero trust is now coming of age.

As opposed to a model in which everything within a given logical perimeter is granted a green tick and so is trusted to interact with the network, zero trust security starts from a position in which every device and service has, by default, no such privileges.

By actively choosing to trust certain behaviors rather than trying to pre-empt potential attacks by disallowing behaviors, zero trust promotes a stance in which errors are less likely to leave the network open to attack.

Making trust an active choice can also lead to a more flexible security strategy, as rather than constructing a static overall security architecture, access for new devices and services must be provisioned on a case-by-case basis. This flexibility will be vital as the number of third-party relationships a business has blooms and security teams can no longer enjoy the luxury of one-size-fits-all policy design.

The challenge, as ever for cybersecurity teams, is thorough risk assessment and auditing, gaining a clear understanding of the extent of the network, and validating the security of third-party devices and services.

Checklists and frameworks, such as the Cybersecurity Maturity Model from the US Department of Defence, will be important tools to aid this process. This year, it might be time to move your thinking from ‘trust, but verify’ to ‘verify and verify’.

What’s Hot on Infosecurity Magazine?