About the Author
Ruchir Kumar is our Senior Director, Architecture and Protection. He is a globally–respected cyber leader with over 15 years of experience successfully delivering advisory and implementation engagements across North America, Europe and Asia. He brings a unique blend of consulting and industry experience, with successes spanning across diverse industry sectors (e.g., Crown/federal government, private equity, banking and financial services, and utilities). Ruchir has grown and mentored high performance teams in an inclusive, empathetic way and provided thought leadership on cyber risks at leading security community speaking engagements. Ruchir has a proven track record in assisting organizations with cyber risk, digital transformation, assurance, and governance services that enhance their business resilience and security posture.
Supply Chains and the Expanding Attack Surface
Enterprises rely on third parties to expand their capabilities to be competitive and remain agile. However, embracing SaaS and expanding to multi-cloud environments creates a much broader attack surface than in the traditional IT world. In my years of experience in the cyber field, I’ve seen the difficulties that security teams can have in this area. The changing landscape can make it challenging to maintain visibility into their networks and fully grasp the scope of the risk they have assumed by bringing in third parties and suppliers. The protection of sensitive data is now a shared responsibility between security teams and providers, which means that security professionals have additional considerations and challenges to address. A significantly different and deeper level of planning, control, and visibility is required.
The Risks are Real
A supply-chain attack can occur when a threat actor exploits a vulnerability at third party to gain unauthorized access to that organization’s systems or infrastructure. The attackers then might exploit trusted access granted to the third party to gain unauthorized access to their customers, or they could inject malware onto the organization’s systems and infrastructure which is then inherited by the third party’s customers. In effect, this approach allows the threat actor to hack once, and exploit many times.
There is a long list of successful cyber attacks exploiting supply chains through third parties – among the highest profile victims in recent years have been SolarWinds, MOVEit, Snowflake, (which affected companies like Ticketmaster and Spanish financial institution Santander), and the recent attack on CDK Global that disrupted auto dealerships across North America. All of these incidents have ripple effects that affect thousands of victims. And make no mistake – these are not isolated cases: Gartner predicts that nearly half of organizations worldwide will have experienced attacks on their software supply chains by 2025.
The View from the Front Lines
Despite the importance of having an effective third-party cyber risk program, we at ISA Cybersecurity see organizations struggle to address this area. The difficulty arises from the need to collaborate across multiple internal and external stakeholders with an effective process that is scalable without being onerous.
Here are some of the recurring themes we’ve seen when conducting supply chain risk assessments:
- Shadow IT: Cloud services can be easy to access, but not as easy to secure. We found that business units were frequently tempted to adopt SaaS applications out of expedience, without going through formal corporate due diligence, approval cycles, and – crucially – secure configuration, implementation, and management processes.
- Weak Credentials: Residing outside a security control structure, we found many cloud services often featured weak, reused or compromised passwords.
- Security Shortcuts: We found that some employees access federated SaaS apps directly, bypassing SSO and multi-factor authentication (MFA). Further, we found that cloud services were spun up using default credentials or incomplete security configurations.
- Poor Identity Management: Incomplete offboarding of app identities with access to sensitive data were discovered, a finding that has wide-ranging implications for regulatory compliance requirements. Former employees that should have been offboarded still had access to SaaS apps containing sensitive company information, while numerous shadow identities existed across the organization due to third-party software.
Keys to Supply Chain Resilience
There are ways to mitigate these risks. These are some of the key recommendations we have for customers that need to strengthen the resilience of their supply chains and third-party relationships:
- Conduct thorough risk assessments to identify control gaps that could introduce vulnerabilities within their supply chain.
- Assess the SaaS vendor based on the Cloud Control Matrix from the Cloud Security. Alliance (CSA), informed by their own specialized corporate and industry security standards and requirements. Thoroughly vet all business partners to ensure they adhere to (at a minimum) their cyber standards and practices. This can include reviewing their software and hardware design processes, security awareness training programs, vulnerability management, incident response capabilities, and track record of previous incidents.
- Ensure that contracts and agreements for all third-party vendors and service providers include requirements like maintaining appropriate security standards, provisions for prompt incident reporting, formal notification process, and right to audit.
- Gather software bills of materials (SBOMs) for third-party software applications to understand the exposure should external components or resources be compromised.
- Implement robust email authentication protocols such as DMARC, SPF, and DKIM to prevent email spoofing and phishing attacks, should the third party be breached.
- Update their security awareness training programs to make staff aware of new relationships and expectations. Similarly, update their incident response, crisis communication, and business continuity plans to reflect the new relationship. Put simply, they need to know what to do if their partner is breached.
- Take a risk-based approach to reviewing security architecture with strong foundation of zero-trust principles. Despite everyone’s best efforts, assume a breach will happen: focus on minimizing the impact of an incident by limiting access to individual enterprise resources through dynamic, continuously verified, per-session, as-needed basis. Authenticate every device, user, and network flow. User and entity behavior analytics (UEBA) are valuable here, too – understand when, how, and from where are third parties expected to request access to their resources, and be prepared to respond quickly to anomalous behaviour.
- Adopt a risk-based approach to monitor each SaaS vendor’s security posture, access to enterprise data, DLP rules, etc. Assign risk and maturity ratings to the vendor and monitor them accordingly. Document all new access points granted to the new partner, so they can be managed appropriately.
- Establish continuous monitoring practices for third-party vendors, XaaS partners, and other service providers.
- Ensure that comprehensive offboarding procedures are documented, followed carefully, and audited regularly.
Act Today and Manage Your Risk
Cloud-based third-party services offer flexibility, scalability, and efficiency, making them an invaluable asset for modern businesses. However, with these advantages come significant cybersecurity risks that must be understood and managed carefully. By conducting thorough risk assessments, implementing robust security measures, and fostering a culture of cybersecurity awareness, I am confident you can harness the full potential of cloud services without sacrificing the confidentiality, integrity, and availability of your critical data and systems. This isn’t just a “best practice” – it’s a necessity in today’s interconnected digital landscape.
ISA Cybersecurity has extensive experience in securing cloud services – contact us today to learn how we can help you too.
