Most organizations have historically focused their information risk and security efforts on what they can control and often ignore their IT supply chains, which they can only influence. Organizations are highly dependent on IT supply chains for their business operations and strategic success, but only recently have gained awareness of how fragile they can become if they are compromised. In many cases, organizations either fail to consider their IT supply chains in security risk assessments or rank the risk associated with them low enough so that such risk is not effectively or actively monitored and mitigated. Adversaries have become keenly aware of this and are shifting their focus from direct attacks on their intended targets to indirect ones through the vendors, services and capabilities on which organizations rely.
Securing the IT supply chain requires organizations to expand and mature their information risk and security methods and tactics beyond their own borders. This requires closer partnerships with suppliers and expanded governance and oversight. The successful implementation of IT supply chain security requires multiple layers of capabilities and activities that need to be consistently applied and constantly matured.
The following are five key considerations that organizations should account for when attempting to enhance the security of their IT supply chains:
- You cannot protect what you do not know. Develop and maintain an inventory of suppliers and the capabilities they provide—Many organizations lack a comprehensive and up-to-date inventory of products, capabilities and services that third-party IT providers supply to them. In the age of cloud services, open-source software and multitiered service providers, it is easy for organizations to lose track of with whom they are working and what services those vendors provide. It is important to identify the business processes and capabilities that rely on third-party technologies and capabilities to ensure transparency into potential business impact should the third party be compromised. These may include applications, services, solutions, infrastructure and data with which they interact. These data should then be populated into an inventory that includes a risk classification for the vendors and their associated capabilities based on their relative value and importance to the organization.
A configuration management database (CMDB) is often the ideal repository for the storage of technical details of all third-party IT capabilities operating within an organization’s environment. Information risk and security personnel can use the database to identify if and where an organization is vulnerable to an exposure once third-party vulnerabilities are made evident. The CMDB should also include dependency data on the business processes that the capabilities support or interact with. This will assist the organization in making risk-based decisions about protective and remedial actions it must take to manage and mitigate the risk posed by identified vulnerabilities.
- Require disclosure of open-source software components—The use of open-source code is important to the success of many applications and vendors because it helps them keep pace with innovations that their customers and constituents expect. Much of the hardware and software componentry in modern IT systems used in organizations includes open-source software. High-profile and impacting vulnerabilities found in open-source code libraries such as Apache Log4j and Heartbleed have removed the idealistic notions surrounding open-source software. There has long been a belief promoted by open-source developers that they are consistently evaluating and/or enhancing the security of open-source code and software. Unfortunately, this has proven to be untrue in many cases. The current licensing models for open-source code and software come with no expectations that they are secure or will be secured in the future if security vulnerabilities are discovered.
To identify and mitigate the risk associated with open-source software and/or code, it is important to contractually require IT supply chain suppliers to disclose an inventory of all open-source components included in the products and services they provide. This inventory is known as a software bill of materials (SBOM). The SBOM should include the software version number, license details and the acquisition source of the open-source components that are used in the provided products and services.
If a vendor pushes back on the disclosure of open-source details included in their products and services due to the concern of disclosing trade secrets or proprietary information, an organization can use what is called the Coca-Cola rebuttal. The ingredients listed on every container of Coca-Cola soft drink include open-source ingredients in addition to proprietary ingredients that are listed as natural flavors. The same principle can be applied in the release of the SBOM: a third-party supplier can list the open-source components of their software individually and then identify proprietary code as a unique category. This approach allows the vendor to disclose the entire inventory of their software without having to disclose any trade secrets or proprietary information.
- Conduct a threat and vulnerability analysis of key third parties for your business—A threat and vulnerability analysis using a scenario-based structured methodology allows an organization to identify the possibilities of and plan for the probabilities of threats and vulnerabilities associated with its IT supply chain. The focus of the analysis should be identifying high-probability scenarios that, if realized, could cause material impacts to the organization and its ability to operate effectively, including security incidents. Once an organization identifies and rationalizes the threats and vulnerabilities included in its IT supply chain, it can identify and categorize the risk. With this information it can then develop risk-based control frameworks, control requirements, governance approaches and response plans to treat and mitigate the risk appropriately.
- Create a technical and organizational measures contract addendum for supply chain contracts—A technical and organizational measures (TOMS) addendum provides IT supply chain guidance concerning the security expectations and requirements necessary for the third party to do business with the organization in question. The TOMS addendum should detail procedural and technical control expectations and requirements for services during which the third party will interact with an organization’s applications, infrastructure and/or data. It should also explain the expectations and requirements for communication and notification of security incidents (e.g., a 48-hour notification period) and proposed methods and tactics for risk management and remediation. It is important that organizations clearly communicate the methods and practices they expect their IT supply chain to use for notifications and the level of detail that is expected.
In the case of supplied software, the TOMS addendum should include expectations for application security testing, including, but not limited to, the use of static testing, dynamic testing and software composition analysis that will support the creation and maintenance of the SBOM. The addendum should also include software maintenance and accountability requirements. It is important for the organization to ensure that security deficiencies will be remediated at the supplier’s cost and within reasonable timeframes. The covered maintenance period for the applications should also be clearly defined and reasonable in terms of their expected useful life period.
- Trust, but verify. Conduct evidence-based reviews of key third parties—It is important to deploy assurance capabilities to ensure that the expectations and requirements that have been created for key third parties are governed and monitored appropriately on an ongoing basis. These capabilities can be deployed in a risk-based approach wherein the basic assessment can begin with a questionnaire. Questionnaires should include comprehensive security-related questions and require that the answers provided be supported with objective evidence where possible and applicable. The contents of the expected evidence should be defined by the organization to ensure that there is no ambiguity or misinterpretation by the supply chain provider of what evidence is expected.
When developing questionnaires, organizations should include components that adequately assess the people, processes, procedures and technologies associated with the products and services that are being provided by the supply chain providers. For key providers, questionnaires should be followed up with interviews with supplier personnel to ensure that questions and evidence are accurate. Additional details and questions can be asked based on the answers provided to ensure that there is no doubt of the accuracy of the evaluation of the provider’s capabilities.
These assessments are intended to identify deficiencies that the organization believes should be addressed; corrective action plans should be developed with the provider to ensure that remediations occur within reasonable timeframes. It is important to establish a consequence management framework that will ensure that the supplier understands they are being held accountable for remediation activities. A clear understanding that negative outcomes will occur if they perform poorly or do not adequately complete the plans to an organization’s satisfaction will often lead to successful outcomes and stronger partnerships.
Most important is to establish an ongoing channel of communication and a relationship with the security personnel of key suppliers in an organization’s IT supply chain. A partnership ensures bidirectional intelligence and information sharing to allow an organization to make informal inquiries of its suppliers on an as-needed basis instead of only during formal audit and review periods. Peer relationships with suppliers allow an organization’s risk and security personnel to have an ongoing dialogue during which information can be shared without the fear of negative impacts.
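The inventory and SBOM considerations above describe a risk-classified supplier inventory, with business-process dependencies and disclosed open-source components, that security personnel query once a third-party vulnerability becomes evident. The following is an added illustration, not code from the article or from IP Architects; every supplier, component, version, license, source and process name in it is constructed, and the advisory matching rule (component name plus a half-open affected version range) is an assumption for the example.

```python
"""Added example: supplier inventory with SBOM details and process dependencies, queried against an advisory."""
from dataclasses import dataclass

@dataclass
class Component:
    name: str       # open-source component name from the supplier's SBOM
    version: str    # version number disclosed in the SBOM
    license: str    # license details disclosed in the SBOM
    source: str     # acquisition source (registry, mirror, vendor)

@dataclass
class Supplier:
    name: str
    risk_class: int           # 1 = highest business importance, 3 = lowest
    processes: list[str]      # business processes that depend on this supplier
    sbom: list[Component]     # disclosed components; proprietary code is one entry

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def is_affected(c: Component, advisory: dict) -> bool:
    """Match on name and the half-open affected range [affected_from, fixed_in)."""
    if c.name != advisory["component"]:
        return False
    v = parse_version(c.version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])

def exposure_report(inventory: list[Supplier], advisory: dict) -> list[dict]:
    """List exposed suppliers, highest business risk first, with the processes at stake."""
    report = []
    for s in inventory:
        hits = [c for c in s.sbom if is_affected(c, advisory)]
        if hits:
            report.append({"supplier": s.name, "risk_class": s.risk_class,
                           "versions": [c.version for c in hits],
                           "processes": list(s.processes)})
    return sorted(report, key=lambda r: r["risk_class"])

# Constructed inventory and advisory; every name and number is illustrative only.
INVENTORY = [
    Supplier("PayGateway Inc", 1, ["card payments"], [
        Component("acme-logging", "2.14.1", "Apache-2.0", "registry.example"),
        Component("proprietary", "n/a", "commercial", "vendor")]),
    Supplier("HR Portal Co", 3, ["timesheets"], [
        Component("acme-logging", "2.17.0", "Apache-2.0", "registry.example")]),
    Supplier("Analytics Ltd", 2, ["reporting", "forecasting"], [
        Component("acme-logging", "2.0.9", "Apache-2.0", "mirror.example")]),
]
ADVISORY = {"component": "acme-logging", "affected_from": "2.0.0", "fixed_in": "2.17.0"}
```

Running `exposure_report(INVENTORY, ADVISORY)` returns the two exposed suppliers ordered by risk class, each with the affected versions and the dependent business processes, which is the input a risk-based remediation decision needs.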
Developing a continuous understanding
Effective IT supply chain security requires an organization to have a continuous understanding of how and in what areas it leverages third-party service and application providers. Following a trust, but verify approach to securing an organization’s IT supply chain provides both visibility and checks and balances to ensure that appropriate measures can be implemented to apply a risk-based approach. If an organization waits for security audits to be performed to identify supply chain security risk, it will likely be too late to effectively remediate it. Therefore, it is important for risk and security professionals to cultivate and maintain strong relationships to allow for the free flow of intelligence between partner organizations to support each other’s information risk management goals and objectives and strengthen the overall security of the IT supply chain.
John P. Pironti, CISA, CRISC, CISM, CGEIT, CDPSE, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.