How zero-trust architectures can prevent supply chain attacks

Over the last few decades, global supply chains have become increasingly interconnected and complex. Organizations today depend on third parties to streamline operations, reduce costs and more. Although, third parties also leave organizations vulnerable to supply chain attacks.

Many attacks originate from compromised software or hardware. By adding malicious code to a target vendor’s trusted software, threat actors can attack all the vendor’s client organizations simultaneously. The risk of such attacks also increases from data leaks at the vendor’s end, their use of internet-connected devices, and reliance on the cloud to store data.

A preventive measure organizations can lean on to mitigate supply chain attacks is to assume that no user or third party can be trusted. That means adopting zero-trust security into one’s supply chain security environment.

Supply chain vulnerabilities   

Supply chain attacks happen when one of your trusted vendors is compromised, and access to your environment is gained either directly or from a service, they provide. Maintaining security includes practices ranging from restricting access to sensitive data to assessing the risk associated with third-party software. 

There are several types of supply chain attacks and response measures differ depending on whether the attack is performed through hardware, software or firmware. In most cases, third-party suppliers gain access to a company’s processes, data and “secret sauce,” creating risks for the success of the company they supply. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently released guides for developers and suppliers to make organizations aware of the importance of maintaining the security of supply chain software and the underlying infrastructure. CISA also warned that hackers and criminals could target government and industry through contractors, subcontractors and suppliers at all supply chain tiers. Such risks are manifold, and cyber risk is no less critical than operational risk or business risk, as a cyber event can trigger a whole cascade of consequences. 

Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, says that cyberattackers tend to be opportunistic. It’s usually much easier to exploit a smaller link in the supply chain than to directly attack a larger company up the chain. 

“Often smaller companies, particularly companies whose business or services are not primarily technical, tend to have fewer resources focused on cybersecurity,” Janssen-Anessi told VentureBeat. 

“In some cases, the vulnerabilities are there because resources are focused on normal business operations and continuity [as opposed to] cyberdefense, which includes timely patching or mitigation. Therefore, continuously monitoring yourself and your supply chain for vulnerabilities is critical to move towards a preventative and proactive cybersecurity posture,” she said. 

Janssen-Anessi said that as the supply chain cybersecurity risk management space is still evolving, a recommended measure is to complement it with zero-trust architectures. These provide organizations with an additional layer of security when there is a compromised component. 

“Every single internal or external engagement from or to your organization is a vulnerability. By implementing a zero trust-based supply chain architecture, one can acknowledge this and ensure that the organization is continuously proactive against cyberthreats,” said Janssen-Anessi.

Importance of zero trust for supply chain environments

Zero trust leverages the principle of least privilege (PoLP), where every user or device is given only the bare minimum access permissions needed to perform their intended function. By controlling the access level and type, PoLP reduces the cyberattack surface and prevents supply chain attacks.

Previously, supply chain organizations followed a legacy approach for protection, i.e., a simple VPN connection to the organization. An issue with legacy protection approaches such as VPNs was the lack of a clear way to specifically limit users to particular systems or aspects of the internal network without extensive customization. A VPN user would usually have full access to the internal network infrastructure and internal systems in that same network space. 

“As zero trust inherently requires validation at every stage, the possibility of a single system getting compromised, and the attacker pivoting to other systems, is significantly decreased,” said Delbert Cope, chief technology officer at FourKites. “With zero-trust architecture, a user has access only to specific systems that are assigned to them, which gives a user only what they need for a specific period.”

Zero trust also strengthens enterprise security through microsegmentation. Creating smaller segments around IT assets helps reduce the attack surface and supports implementing granular policy controls to protect the organization from breaches and restrict the lateral movement of attackers.

“Global supply chains are the most disconnected they will ever be from this point forward, and involving more parties in the supply chain increases insider threats,” Sean Smith, cybersecurity and logistics expert at Denim, told VentureBeat. “Zero trust requires all parties only to have the access they need for the time they need it. This includes physical segregation with biometrics and access cards and virtual security like virtual private networks, VLANs and network segmentation. Zero trust can not only help eliminate supply chain attacks, but also reduce the impact of those attacks and contain the damage.”

In supply chain attacks, the initial attack vector is rarely the attacker’s final objective. Instead, attackers are always looking to access other parts of the victim organization’s network by moving laterally across it.

Sometimes, their goal is to corrupt targeted systems or steal data. The Target and SolarWinds attacks are both examples of supply chain attacks aimed at facilitating lateral movement across the victim’s network. Implementing zero trust can prevent attackers from moving laterally through the network and causing more damage.

A zero-trust architecture considers trust a vulnerability or weakness. To eliminate this weakness, it continually identifies and authenticates every user, identity and device before granting them access. It also cloaks the organization’s network to limit its visibility and prevent threat actors from moving laterally across it. With zero trust, organizations can protect their networks from remote service session hijacks, restrict threat actors’ ability to access resources and prevent them from installing malware.

Key considerations for zero trust-based supply chain security

The term “zero trust” applies to supply chain security architectures in two ways: to companies that provide the architecture, and to the products and services themselves. Component producers and service providers should have robust security programs — i.e., zero-trust architectures — that protect the products’ integrity. Component suppliers and service providers must work together to ensure that their products fit comprehensively into customers’ zero-trust strategies. 

Daragh Mahon, EVP and chief information officer at Werner Enterprises, said that security experts need to look for viable AI and SaaS-based solutions already on the market to build a fundamental base for zero trust-based supply chains. 

“Building a zero-trust architecture with [software-as-a-service] SaaS removes the need for constant updates and patching, freeing [IT teams] up for other tasks and projects,” Mahon told VentureBeat. “Organizations must also understand that transitioning from a brick-and-mortar tech stack will take some time, and they won’t see change overnight. During such a transition, IT teams must ensure that all day-to-day business functions can continue as the new system is launched, which often means a brief period where both legacy and zero-trust systems are in play.”

Mahon also said that implementing SaaS-based zero-trust solutions is less time-intensive and more sustainable than maintaining legacy brick-and-mortar counterparts.

“With zero-trust architectures, leveraging AI/ML for resource access/data access/network access and implementing robust trust policies is the key to success. Especially for high-risk data or processes where the trust policies are analyzed and reviewed, audited and fine-tuned,” said Muralidharan Palanisamy, chief solutions officer at AppViewX.

According to Janssen-Anessi, before implementing zero trust-based supply chains, organizations should consider doing the following:

• Consider additional cyber-risk factors related to network/endpoint resource utilization, user install base, and popularity among user groups with privileged access, such as human resources, legal, IT and finance.
• Continuously monitor the extended vendor ecosystem, using contextual analysis to prioritize zero tolerance and critical findings mitigation. Relying on questionnaires or point-in-time scans is insufficient to reduce risk and prevent compromise or lost production time.
• Finally, employ platforms or solutions that proactively track how critical vendors address externally visible misconfigurations, and that will work with the vendors directly to reduce risk across their exposed attack surface.

Challenges, and a future of opportunities

Moty Jacob, CEO and cofounder of Surf Security, believes that the main challenge today is defining the maturity level of organizations’ supply chain management, and that organizations should consider taking security more seriously.

“Process improvement needs to occur around two major aspects. Supply chain management must mature to the level of being collaborative and dynamic and the risk management framework needs to be proactive and flexible,” he said. “Zero trust is critical to use if organizations have any remote workforce, especially if their apps are in the cloud.”

Likewise, Kyle Black, security strategist at Symantec by Broadcom Software, said that currently, the most significant challenge is that zero trust forces already overburdened groups to work together to plan their governance structure before implementing tools. 

“In the future, a challenge will be the ever-evolving needs of the business, which is why planning and governance upfront is critical,” Black told VentureBeat. “Without a strong governance structure, each new technology will need to be reconsidered with [respect to] how it fits into an organization’s zero-trust model. Instead, that should be part of the decision-making process and not an afterthought.”  

Black added that automation would be key for supply chain risk management in the future. It will be the only way to scale. 

“Being able to analyze your data services and applications continuously against your organizationally accepted zero-trust architecture will help identify new threats quickly and understand the priority in which those should be addressed,” he said. “It will also drive better outcomes for security operations and engineering by ensuring they know at all times why they are doing what they are doing.”