Are Supplier Ecosystems Your Weakest Link?
Every organization should have cybersecurity practices in place to help mitigate risks.
By Scott Murphy, VP Strategic Business Development,
Data Perceptions Inc.
Published January 20, 2021
There’s a new spotlight in the cybersecurity world due to the recent SolarWinds/Orion compromise. For those unfamiliar, SolarWinds, a provider of IT management software, recently fell victim to a cyber attack within its Orion platform. The hack itself is nothing new, but the impact and publicity are more significant than ever before. At the very base level, the hack approach is simple and divided into three parts:
Hack a software provider that has lots of customers.
Insert some malicious code inside the software provider's application.
Let the software provider send out the malicious code in the next update to all of their customers.
The hacker piggybacks on the solution provider's trusted customer relationships to infiltrate many thousands of systems. This trick isn’t new either. Hackers have been doing this for decades. The hack's timeline and scale have changed with software automatic updates and global use of many applications.
This hack has spotlighted how organizations need to secure their supplier ecosystems, not just their own systems. It also highlights solution providers, including software-as-a-service (SaaS) providers, and how they secure their software development lifecycle (SSDLC) to prevent malicious code from being hidden in their software.
Secure Supplier Ecosystems
Businesses are more interconnected than ever before, and that connectedness is increasing at a blinding pace. Supplier and customer ecosystems connect with software, online services, and application programming interfaces (APIs). Data and other information are flowing back and forth in near real-time. Software updates and patches are happening automatically, and we’re trusting our ecosystem in more ways than ever before. For the most part, this is fantastic! Businesses run better, processes are automated, and things are happening faster.
The challenge is to put some checks and balances into the process to mitigate an ecosystem compromise risk. Most security frameworks, e.g., ISO 27002 and SOC2/SSAE 18, have controls to reduce these risks to your supplier ecosystem. The mitigation process starts with the supplier onboarding process, where part of the screening process includes a security questionnaire. You must confirm that your supplier has cybersecurity practices and systems in place to mitigate risks to your company.
Some of these questionnaires include almost 1000 cybersecurity and operations questions. A common source of relevant questions is the Standardized Information Gathering (SIG) questionnaire. Many suppliers, like Google and Microsoft, publish their answers to the SIG and cybersecurity certifications online.
Answering the questionnaires is certainly onerous on suppliers and the purchaser since they have to evaluate the answers. There has been a trend for many suppliers to address this challenge by becoming cybersecurity certified (see Should Your Organization Get Certified in CyberSecurity?). The certification route can also simplify the customer's process, as they can rely on a third-party audit of the supplier.
Whether it is the questionnaire or the certifications, the questions or controls should include the SSDLC of the supplier organization.
Secure Software Development
One of the world's largest software developers is also the focus of most cybersecurity attacks. Love them or hate them, Microsoft has defended their applications very well. Microsoft's secure software development lifecycle is one of the most mature in the world. The good news is that they have published their best practices publicly so that other software development organizations can learn from their years of securing and defending their solutions. Their framework can be used as a reference to establish the critical SSDLC practices that can work for the organization - Microsoft Security Development Lifecycle Practices.
Following is a high-level summary:
Define security requirements
Define metric and compliance reporting
Perform threat modeling
Establish design requirements
Define and use cryptography standards
Manage the security risk of using third-party components
Use approved tools
Perform static analysis security testing (SAST)
Perform dynamic analysis security testing (DAST)
Perform penetration testing
Establish a standard incident response process
Putting an SSDLC in place takes time and effort. The effort is worthwhile. I know of several companies that no longer exist; they didn’t survive the customer relations nightmare of their code getting hacked. Having a mature SSDLC benefits the entire business ecosystem.
Beyond the SSDLC
And Knowing is Half the Battle
Suppliers should also have mature cybersecurity operations. That’s especially important for SaaS providers, as they are responsible for hosting their code and critical customer data. Make sure that secure communications are in place. Ensure that data is encrypted in transit and at rest.
The customer or user of the SaaS or software solution also has the responsibility to take advantage of the solution's security configuration options. Most importantly, make sure you configure strong authentication for the application, ideally using Single Sign-On (SSO) with multi-factor authentication (MFA). Know where your data and logs are stored. Ensure that your data and logs are being backed up and know where the backup is stored.
Every organization should know its business ecosystem and have cybersecurity practices that will mitigate risks to the organization. Annually refresh this knowledge and log the information in your asset register. Make your life easier by selecting business partners with cybersecurity certifications like SOC2, ISO 27001, CIS, or NIST.
If you’re looking for assistance in completing your supplier ecosystem's security assessment, please reach out to Data Perceptions.
If you want to read more on the SolarWinds hack, here are a couple of links: