Supply chain examination: Planning for vulnerabilities you can’t control
Seemingly, there are numerous occurrences when the customer’s personally identifiable information stored by an organization’s third-party provider is set loose by malicious intentioned actors. Threats take on many different shapes and sizes and aren’t someone else’s problem or responsibility to control or mitigate.
Data breaches are not only caused by elusive thugs outside of the firewalled perimeter, but also from well-intended professionals inside the system. These individuals may not be security consultants but they’re a key part of the supply chain attack – a breach of information caused in a stand-alone moment that ripples through the rest of the supply chain unintentionally.
The supply chain starts with a request for service and ends with a fulfillment that includes all the moments of data-at-rest, data-in-transit and intersystem communication vital for service fulfillment. Every person and every asset have a responsibility to secure these multiple stages of the supply chain.
On an international scale, a larger conversation is taking place about how to secure data at all levels within the organization. Securing the supply chain is a pivotal process in understanding the complete threat landscape. Here are some common-sense ventures to evaluate and discern the varying degrees of supply chain security.
Supply chain examination
When providing services to your organization, it’s valuable to reach an understanding about what various partners are doing. There is the concept in some cybersecurity spaces of technological roll down. This means that whatever standard the primary company has the partner companies should also adhere to. There are legal and liability reasons why it is suggested to come to an agreement with your partners about how they treat your companies’ applications and data if not hosted internally, or even if it is hosted internally but administered by a vendor.
In one case study of how important it is to vet the vendor, an actor gained access to internally vulnerable systems through a non-mission critical ingress. Companies outsource things like telephone network administration or air conditioning monitoring or printer maintenance. You have probably seen these situations and can probably think of some examples where a trusted, industry recognized partner did not perform the same kind of hardening your company demands, leaving an ingress open to attack.
The first way you can combat this kind of vulnerability is to simply ask, in writing, how they plan to handle any concerns your organization has. The government supply chain, for example, includes an inquiry and design review process that must be followed regardless of whether it is a prime or subprime supplier. From a liability standpoint, this places the risk more on the partner than the consuming organization of the service but doesn’t absolve the customer of all risk.
Own all your data
Another strong way of eliminating risk in your enterprise is to own control of all your data. This can take many forms and does not necessarily mean that your organization needs to go back to the data center to build, administer and maintain infrastructure. It could mean building a hardened platform with built in controls that consider the big questions, including the following:
- What happens if someone breaks into the cloud provider and steals your logical volumes from the host OS?
- What happens if the cloud provider has a misconfiguration and an actor comes in through the defined ingress point to attempt to access your data?
- What happens when a true disaster happens?
Each question can be answered relatively easily if you take these issues into consideration when building a platform, application or enterprise. Having a quality three-tier PKI solution and hardened identity and access management platform are two ways to help gain control of your data, even in the cloud. The use of hardened ingress points in conjunction with a quality IAM solution, that includes a two-factor authorization option, can eliminate unwanted egress of data by restricting where the data can flow to, or even be requested from. Going through a methodical process of encrypting valuable data at rest, in transit and at the application layer, can help ensure confidentiality.
Even in the unlikely event that your environment is comprised, the data is useless without the proper encryption keys.
The last part of this equation is to ensure whatever you do to protect your data can be quantified, measured and audited on a regular basis to allow for your customer and intellectual property to be both safe guarded safe from unwanted access.
Proper encryption
The overall goal of encryption is to protect data. The first step in the encryption process is knowing the types data that must be protected. While there are regulatory and compliance requirements mandating what type of encryption should be used, it is always good practice to protect any type of personally identifiable data, system inventory and any payment card, health care or government related data. By understanding the types of data a company needs to protect, security professionals can better identify the regulatory requirements that will be placed on the data in scope for encryption.
An effective approach to encryption is to apply it wherever sensitive data is being processed, stored or viewed. For example, in the cloud the user must access the cloud over the internet. It is the responsibility of the service provider to provide the end user with a secure platform to access data. Here, good encryption practice would entail encrypting the first initial connection as well the session and post session activity as well. By taking the approach of applying encryption at all levels of the supply chain, an organization is reducing its attack surface.
While it is the service provider’s job to provide the platform, it is the end-user’s responsibility to understand how their data is being kept and accessed. Encryption dos and don’ts are simple: Apply the principle of least privilege and restrict access to the encryption keys to individuals or on specialized hardware such as a Hardware Security Module. By not properly securing the Master encryption keys, an organization inadvertently open the door to human error and increased risk surface. This can easily be reinforced by instituting a centralized management service and keeping your keys in a separate environment from your data. By separating the keys from the data an organization can better guarantee the security of the environment.
Yet encryption is only as strong as the policies and procedures in place to support it. Working with operations teams enforce encryption standards and key management is a two-sided struggle. Take the time to educate your employees and conduct good end-user training to ensure that users know and understand their role in the data security process.
These steps help secure an organization’s data and provide a level of guarantee the provider is doing everything in their power to keep up with industry trends and security. This action then harnesses trust between the provider and users in a way to help drive business goals while meeting industry standards.
A supply chain that’s secure
By securing the supply chain and educating end-users, security organizations can increase security while also driving operational efficiency. By vetting the supply chain, organization’s gain a competitive edge by knowing how their data is processed, stored, and its overall usage. This drives efficiency by giving organizations a way to demonstrate their ability to merge security and operations while providing a viable secure solution that fulfills the company’s goals and requirements.
Contributing author: Thomas Smith, Senior Security Consultant in Vulnerability Management, Atos North America.