Can a 'Zero Trust' Approach Work in the Supply Chain?Experts From Cisco, Microsoft Discuss Third-Party Security
For years, enterprises have struggled with securing their supply chains, trying to reduce the pervasive risks in an increasingly interconnected world. Now, it's time to try a "zero trust" approach, specialists from Cisco and Microsoft told Information Security Media Group in an interview at the RSA 2020 conference in San Francisco.
Edna Conway, vice president of global security, risk and compliance at Microsoft Azure, and Wendy Nather, the head of advisory CISOs at Cisco, said enterprises should start redefining how they apply the concept of "trust" to their third-party suppliers.
Over the years, the platform economy, exemplified by companies such as Amazon, Airbnb, Uber and others, has taken hold across the globe. As a result, companies are not always sure who they are dealing with and the amount of opacity within the supply chain has increased, Conway says.
These developments, Conway says, are one reason why the dialogue around supply chain security should be changing and why different approaches are needed. "For those of us that make things, whether they are tangible goods or services, we have an end-to-end 'value chain.' ... We're still talking about supply chain security as if it's something new that hasn't been tackled," Conway says.
Conway says that security teams should be considering what methods of building trust across the full spectrum of the third-party ecosystem will prove most effective, while acknowledging that it's not possible to know everyone or trust everyone within the ecosystem.
Reducing threats to U.S. supply chains has been listed as one of the top priorities for 2020 by the National Counterintelligence and Security Center, the agency that leads counterintelligence efforts for the U.S. Protecting the supply chain includes identifying high-risk software vendors and other firms selling technology services to American firms and government agencies, the center states (see: US Counterintelligence Outlines 5 Key Priorities)
'Zero Trust' and Supply Chain
Companies now have to clarify the basis on which they are going to trust third-party providers and agree on the right people and technologies to trust, according to Conway.
While it's not possible to know everything about all the firms that make up the value chain, Nather says that companies have determine whether their security is good enough. And while Nather would prefer a different term, the concept of zero trust can help businesses better consider their approach third-party risk.
"If you have a user with a device, you can say: 'Look, I don't care what you do with your device until you come to access our resources, and then we care a whole lot and we're going to set up requirements that you have to meet. But until then, we don't need to know the rest of what you are doing.'"
Enterprises used to be able to control more of the supply chain process, but now there are more third-party and even fourth-party vendors taking control of bits and pieces of the supply chain from the earliest stages, Nather says.
"Now we have this economy where people are taking over control of slices and you cannot see things underneath anymore, she says. "So you have to trust - and that means you have to decide on what basis you're going to trust."
The basis for trust needs to be defined more explicitly, whether it's through a questionnaire with probing questions or by conducting additional verification at the point of execution for a transaction.