Understand Your IT Supply Chain Risks to Protect Your Digital Assets
By Bill DeLong, Senior Compliance Engineer, DataBank
Security Is Only as Strong as the Weakest Link
The Scottish philosopher Thomas Reid once said, “A chain is only as strong as its weakest link.” So too is your ecosystem of vendors.
Every company faces many IT risks and challenges when sharing digital assets and integrating systems with third parties. If vendors let their guard down when exchanging data with your IT systems or providing software and hardware devices, cybercriminals could very well find their way into your IT infrastructure. The hackers can breach one of your vendor’s digital assets first, traverse their connection to your organization, and then hide in your network.
A good example of supply chain risk is SolarWinds, which provided an IT security tool called Orion used by 33,000 customers, including the U.S. Government. In December 2020, Russian hackers compromised the Orion infrastructure, which resulted in numerous IT organizations and security service providers suddenly questioning the toolsets on which they were relying. This highlights the importance of understanding supply chain IT security.
Multiple Levels to Secure
The make-up of your IT supply chain will vary depending on your industry and your business model. In essence, the chain includes any vendor that provides you with data, an IT asset, or online services. This includes data exchanges and application interfaces as well as the hardware components in your servers, desktops, tablets, smartphones, and other devices.
They all present opportunities for cybercriminals to breach a system, which, in turn, may allow those with ill intent to attack one of your systems. It is, thus, critical to ensure every entity in your downward supply chain meets your security requirements.
Validating each of their security postures and their compliance with pertinent regulations is crucial; not all vendors have sufficient budget and resources to secure every IT asset properly. Each vendor also has its own set of downstream suppliers, representing your fourth-party and fifth-party supply chain. They can all potentially have weak links that threaten your IT infrastructure.
For example, a SaaS company engages a managed services or colocation data center provider (third party) to host enterprise applications provisioned to customers. The data center provider also relies on a vendor (fourth party) from which they buy server hardware to run the applications. That server vendor depends on another vendor (fifth party) to provide antivirus software. If there’s a security weakness at any point in this supply chain, it can threaten the infrastructure of every other company across the supply chain.
Validate Vendors Though Independent Auditors
As you work with your vendors to verify their security posture, be sure to carefully construct your SLAs so vendors know what you require for a security posture, how security should be maintained, and that you need to verify the posture on a recurring basis. Also, check if your vendors follow a security framework such as NIST, ISO, or CSA STAR (See acronym glossary below). If not, that’s a red flag their security capabilities will require close examination. Therefore, ensure they can prove compliance to one of these standards via a third-party audit and that you can gain access to that report.
Following a framework like NIST tells you a vendor has good cyber hygiene. Another burgeoning, robust framework is CMMC, which is also based on NIST standards. It’s a third-party risk management framework with which the federal government requires all Department of Defense (DoD) contractors to comply. Like NIST, CMMC can also be leveraged by the private sector.
To validate a vendor’s security posture, determine if an independent auditor has attested to the correct design and deployment of the controls. Going one step further, some organizations provide an extra layer of assurance by validating auditors.
For example, SSAE auditors are monitored by AICPA while A2LA verifies FedRAMP and CMMC auditors, also known as 3PAOs (third-party assessment organizations). Reports generated by either of these groups give you additional peace of mind—you know the auditor is an experienced professional who is not just rubber-stamping what they heard from the vendor.
Maintaining a Strong Link Within Our Customer Supply Chains
At DataBank, we base our security methodology on NIST 800-53. Following this framework, we apply 325 security controls across all our colocation and managed services data centers. Many of those controls also roll down to our supply chain partners, depending on the type of service or hardware they provide. The controls can include any of the eighteen NIST categories such as access control, physical and environmental security, security awareness and training, and the application of other specified security controls.
We validate our vendors by examining their SSAE auditor reports. We also make our SSAE and CSA STAR audit reports available to our customers, as well as proof of compliance with PCI-DSS and HIPAA. These audit reports make it easy for customers to evaluate our security posture within their supply chains.
Getting Supply Chain Ecosystems to Work Together
Third-party risk can be tricky because many parties want to blame someone else when risk is exposed. Eventually, supply chain partners need to realize they are part of a complex ecosystem that needs to get on the same page to protect each other.
Such teamwork is vital because we all face a constant cat-and-mouse game with cybercriminals, defending against the many known and unknown vulnerabilities that keep emerging. The good guys will keep battling the bad guys, and to keep up, we need to rely on frameworks and multiple tactics to ensure our downstream and upstream digital assets stay secure.
Glossary of Acronyms
Security/Compliance Organizations, Regulations, and Government Agencies
About the Author:
An active member of ISC2, ASIS International, COMPTIA, CSA, and ISACA, Bill DeLong joined DataBank in May of 2021 as a Senior Compliance Engineer and is responsible for maintaining the company’s security compliance programs. Bill has more than 25 years of extensive information security and technology experience in a wide range of industries and institutions. He also holds a master’s degree in Business/Organization Management from Webster University and an MBA in Information Security Management from Saint Leo University. In addition, Bill has earned many security and technical certifications and qualifications (CISSP, CISA, CDPSE, GSEC, CySA+, CCSK, DoD IAT Level III, IAM Level III, IASAE Level II, CSSP Analyst, CSSP Infrastructure Support, CSSP Incident Responder, CSSP Auditor) and is an expert in interpreting FedRAMP, HIPAA and PCI-DSS compliance requirements.