
    Why software supply chain needs a Zero Trust approach

    By Rahini
    Published on Jan 4, 2023

    For decades, on-premises data centers were the center of network infrastructure and security in organizations. These data centers were owned and run by the organizations themselves and were regarded as highly secure. Over the last two years, employees have been working remotely due to the pandemic, and this has brought about a shift in these traditional practices. With the increasing requirement for SaaS applications, organizations have been rapidly adopting cloud-based services. In fact, it is estimated that 94% of all enterprises use some form of cloud services, and 48% of businesses store their critical data and resources in the cloud.

    These cloud-based platforms and services are provided by third-party vendors. This shift of processes from inside the enterprise perimeter to an external vendor poses a major challenge from a security perspective. As organizations become increasingly dependent on third-party vendors, they also inherit the vendors' exposure to cyberattacks.

    Supply chain attacks: A growing concern

    When an organization is compromised through an attack on one of its external vendors, it is called a supply chain attack (also known as a third-party attack). These attacks commonly plant ransomware or other malicious code at the supply chain vendor and then use the vendor's own distribution channels to spread it to the vendor's customers.

    For instance, if malicious code is inserted into a vendor's software and signed with the vendor's code-signing certificate, it can easily make its way into all the vendor's customers' processes and resources with no additional effort, since the vendor is trusted and granted access by default. Thus, the infiltrated vendor unknowingly distributes the malicious code to all its clients.

    The recent Log4j vulnerability is one example of how a software supply chain can be exploited. In December 2021, a remote code execution vulnerability was disclosed in Log4j, an open-source Java logging library. The vulnerability, known as Log4Shell, allowed unauthenticated attackers to execute arbitrary code on systems running vulnerable versions of Log4j. Since Log4j is embedded in a large share of Java applications and services worldwide, the vulnerability had a substantial impact on supply chain security, with more than 840,000 attack attempts reported shortly after disclosure.

    A report by ENISA estimated that supply chain attacks would quadruple in 2021 compared to the previous year. Supply chain attacks are already one of the major threats to IT service providers. The report "A Crisis in Third-Party Remote Access Security" estimates that 51% of organizations have experienced some form of data breach caused by an external vendor.

    Supply chain vendors are a leading target for cyberattacks because compromising one of them can give attackers access to hundreds or thousands of other companies (essentially the vendor's customers). The supply chain vendor may also outsource certain services that are out of its scope to yet another external vendor. In such cases the attack surface grows: the potential harm an organization faces keeps rising as these third-party vendors become intricately connected to each other, and each additional vendor in the chain of services is one more possible target for cybercrime.

    This complex mesh of interconnected third-party vendors cannot be entirely monitored and managed by each organization. However, it is feasible for organizations to put strict security measures in place as part of their defense against supply chain attacks. Because the vendor's customers are the real target, attackers concentrated on the vendor's code in about 66% of the supply chain attacks ENISA analyzed. Thus, not trusting external vendors by default and validating the vendor's software each time before use can help prevent supply chain attacks. This is exactly the Zero Trust principle of "never trust, always verify."
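    The "validate the vendor's software each time before use" step above can be made concrete with digest pinning: when a vendor release is first vetted, the organization records its SHA-256 digest, and every later install or load of that artifact is checked against the pinned value and rejected on any mismatch or for any release that has not been pinned. The following is an added example, not code from the original article or from any Zoho product. The pin-file format ("name==version sha256:<hex>"), the artifact name "vendor-agent", and the sample artifact bytes are all constructed for illustration; the pinned digest is the SHA-256 of the constructed sample b"abc".

```python
"""Fail-closed verification of third-party artifacts against pinned SHA-256 digests."""
import hashlib
from typing import Dict, Tuple

# Constructed pin file recorded when the vendor release was first vetted.
# Format (hypothetical, not a real lockfile format): name==version sha256:<hex>
# The digest below is SHA-256 of the constructed sample artifact b"abc".
PINS_TEXT = """\
# name==version sha256:<hex digest of the vetted artifact>
vendor-agent==2.4.1 sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""

HEX_CHARS = set("0123456789abcdef")


def parse_pins(text: str) -> Dict[Tuple[str, str], str]:
    """Parse a pin file into {(name, version): sha256 hex}.

    Any malformed, non-SHA-256 or duplicate entry raises ValueError so that a
    corrupted pin file cannot silently weaken verification.
    """
    pins: Dict[Tuple[str, str], str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        try:
            spec, digest = line.split()
            name, version = spec.split("==")
            algo, hexdigest = digest.split(":")
        except ValueError:
            raise ValueError(f"pin file line {lineno}: malformed entry {raw!r}")
        hexdigest = hexdigest.lower()
        if algo != "sha256" or len(hexdigest) != 64 or not set(hexdigest) <= HEX_CHARS:
            raise ValueError(f"pin file line {lineno}: expected sha256:<64 hex chars>")
        key = (name, version)
        if key in pins:
            raise ValueError(f"pin file line {lineno}: duplicate pin for {name}=={version}")
        pins[key] = hexdigest
    return pins


def verify_artifact(name: str, version: str, data: bytes,
                    pins: Dict[Tuple[str, str], str]) -> Tuple[bool, str]:
    """Return (ok, reason) for an artifact about to be installed or loaded.

    Fails closed: an artifact that is not pinned, or whose digest differs from
    the pinned value, is rejected even if it comes from the trusted vendor.
    """
    expected = pins.get((name, version))
    if expected is None:
        return False, f"{name}=={version} is not pinned; refusing an unvetted release"
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected:
        return False, (f"{name}=={version} digest mismatch: "
                       f"expected {expected[:12]}..., got {actual[:12]}...")
    return True, f"{name}=={version} matches its pinned digest"


if __name__ == "__main__":
    pins = parse_pins(PINS_TEXT)
    # Constructed downloads: the vetted release, a tampered copy and an unpinned newer version.
    for name, version, data in [
        ("vendor-agent", "2.4.1", b"abc"),
        ("vendor-agent", "2.4.1", b"abc\x00backdoor"),
        ("vendor-agent", "2.5.0", b"abc"),
    ]:
        ok, reason = verify_artifact(name, version, data, pins)
        print("ALLOW" if ok else "DENY ", reason)
```

In this scheme the vendor's signature on a release is not enough by itself: a release that was signed after the vendor was compromised still fails the check, because its digest was never vetted and pinned by the customer. Updating the pin file is the deliberate act of extending trust to a new release, and it should only happen after the release has been reviewed.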

    Zero Trust is a cybersecurity model that eliminates the idea of implicit trust. It ensures authentication and authorization are carried out before the beginning of each session, according to a unified organizational security policy. When an organization adopts the Zero Trust approach, every user identity, device and network connection is monitored and logged. Internal and external networks are treated the same, and no entity is trusted by default. This helps identify and monitor potential supply chain threats and paves the way for a quick action plan and resolution. Even in the case of a breach, Zero Trust limits how far a supply chain attack can spread and thereby reduces the chance of sensitive data being lost.

    Deploying the Zero Trust approach

    The best way to implement Zero Trust as a defense against supply chain attacks is to deploy it on the client side of the relationship. Service providers are often slow to adopt changes. Rather than leaving the organization's security to the vendor's pace, the client can deploy Zero Trust controls that verify and continuously monitor every session established between the client and the vendor.

    With so many processes and so much data flowing through third-party vendors, organizations place a great deal of trust in them. Since external vendors are the primary entry point in supply chain attacks, they should be regularly audited for their level of cybersecurity awareness and the quality of their deployed security measures. Before opting for a vendor's services, the customer must verify that the vendor complies with the customer's own cybersecurity policy. Service-level agreements should also be put in place stating that the vendor is liable in case of a security incident.

    Zero Trust underpins newer comprehensive security frameworks such as SASE. With employees continuing to work remotely and organizations more distributed than ever, Zero Trust is the right foundation for defending against supply chain attacks. But deploying an organization-wide, holistic Zero Trust environment is not a one-step process. It can only be achieved through a series of measures that are applied continuously, on both the client side and the vendor side.


    2020 Zoho Corporation Pvt. Ltd. All rights reserved.