As networks grow in size to a global scale, we have to take a moment to think about the reality that we are exposing our flank.
The security of the digital supply chain is an issue that has arisen due to the interconnected nature of companies and their suppliers online. Last week I delivered a talk on this subject at RSA Asia 2014, which was held in the Marina Bay Sands in Singapore. I have lived through many supply chain related stories and I have come to realize that this is a subject that has not been receiving the proper amount of discussion.
When I was a kid, I would listen to my grandfather share tales of his time in the navy and the work that his ship did to help protect supply routes in the North Atlantic against U-Boat attacks. I would also hear tales about my other grandfather, who served as a captain in the merchant marine. As a result of these stories I inadvertently developed a fascination with supply chain security issues.
Over the past couple of decades I have watched as networks have grown from the antiquated castle and moat approach into globally diverse and intricate designs. With the added complexity come exposures along the way. As networks have expanded, so too has the reliance on outsourcing IT functions such as help desk and code development, and the expansion of partner networks.
Think about it for a moment. Do you have an outsourced help desk function? How often are the details of an incident or the configurations for a router or switch recorded in a ticket? At one organization that I worked for I went trawling through the tickets for passwords, configs and SNMP strings. What I found was very troubling. The worrisome aspect was that all of this information was stored in the databases of a third party that was located overseas. The transport was over HTTP and I had no idea as to the state of the database or whether any record contained within it was encrypted. In short order we had it remedied, but this was a problem that had been in place for some time before I had a look at it. How much internal data had been leaked in the interim? The move by the CIO to get this project up and running quickly had failed to take into account any security. I wonder how often this scenario plays out in organizations around the world every day.
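The control that would have caught the ticket problem above is a check on what goes into the ticketing system and how it gets there. The following is an added example, not code from the original post or from any ticketing product: it scans constructed sample tickets for the three kinds of data mentioned (plaintext passwords, SNMP community strings and raw router/switch configuration lines) and flags a ticketing endpoint that is not served over HTTPS. The regular expressions and the sample ticket text are assumptions for illustration, not an exhaustive secret-detection rule set.

```python
"""
Scan help-desk ticket text for data that should never be stored in a
third party's ticketing database, and check the transport used to reach
that ticketing system. Sample tickets below are constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Detection patterns (assumed for this example) for the data types the post
# describes: plaintext passwords, SNMP community strings, and device config.
PATTERNS = {
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "snmp_community": re.compile(r"(?i)\bsnmp(?:-server)?\s+community\s+(\S+)"),
    "device_config": re.compile(
        r"(?im)^\s*(?:enable\s+secret|username\s+\S+\s+(?:password|secret)|interface\s+\S+)\b"
    ),
}


@dataclass
class Finding:
    ticket_id: str
    kind: str
    excerpt: str  # masked, so the finding itself does not leak the secret


def mask(value: str) -> str:
    """Keep the first two characters and replace the rest with asterisks."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_ticket(ticket_id: str, text: str) -> list:
    """Return one Finding per pattern match in a single ticket body."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            # Patterns with a capture group isolate the secret value; the
            # config pattern has none, so the whole matched line fragment is used.
            secret = match.group(1) if match.groups() else match.group(0)
            findings.append(Finding(ticket_id, kind, mask(secret)))
    return findings


def scan_all(tickets: dict) -> dict:
    """Scan a mapping of ticket id -> body and return ticket id -> findings."""
    return {tid: scan_ticket(tid, body) for tid, body in tickets.items()}


def transport_is_encrypted(ticketing_url: str) -> bool:
    """True only if the ticketing endpoint is reached over HTTPS."""
    return urlparse(ticketing_url).scheme.lower() == "https"


# Constructed sample tickets: one with a reset password, one with a pasted
# switch configuration, and one with nothing sensitive.
SAMPLE_TICKETS = {
    "INC-1001": "User locked out. Reset done, password=Summer2014! sent via email.",
    "INC-1002": (
        "Core switch config attached:\n"
        "enable secret 5 $1$abcd$xyz\n"
        "snmp-server community public RO\n"
        "interface GigabitEthernet0/1"
    ),
    "INC-1003": "Printer on floor 3 is jammed again.",
}

if __name__ == "__main__":
    for tid, findings in scan_all(SAMPLE_TICKETS).items():
        for f in findings:
            print(f"{f.ticket_id}: {f.kind} -> {f.excerpt}")
    print("HTTPS:", transport_is_encrypted("http://helpdesk.example.invalid/api"))
```

Run as a pre-submission hook or a nightly sweep over the ticket store, the scan produces masked findings that can be reviewed without re-exposing the secrets, and the transport check belongs in the vendor onboarding checklist so that an HTTP-only endpoint is rejected before any ticket is ever sent.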
Gartner mentioned in one of their publications that “By 2017, IT supply chain integrity will be identified as a top three security-related concern by Global 2000 IT leaders.” I’d offer that they were right, to a point. This is a problem that is here now. Organizations need to adjust their thinking about security as it applies to their IT infrastructure in their digital supply chain. Complexities in networks are ever increasing and the refrain “we have a firewall” is now dated.
Another perspective is that of outsourcing code development. These development centers can be a huge financial savings for an organization. They are able to get good code for a much cheaper price, but what is the hidden cost? What does an organization surrender in a situation like this code development scenario? In one organization that I know of they were developing a product set with encryption in their code. Not a big deal until you take into account that this was a US based firm that was using outsourced developers in Russia. In a rush to get the infrastructure in place the support teams did not put the requisite security controls around the code and the Russian developers had access to the encryption portion. This was a problem as there was no export license in place to cover this access.
IT shops all have time to market issues. This I fully understand. But if you rush headlong into setting up remote access for developers, or fail to put proper controls around your outsourced help desk, you run the risk of fines or worse depending on the legislation that your firm has to operate under. Don’t forsake security in an effort to make a deadline. The cost could be higher in the long run.