
Zero Trust: This Is The Way

  • Writer: Michael Friedrich
  • Apr 6, 2023

Updated: Apr 13, 2023

We've all seen the trends, and with each wave comes many companies pitching how their product can solve our problem(s). The result? A tangled mess of buying cycles, installations (some more successful than others), and complications relating to support, integration, and upgrades (otherwise known as technical debt). Then came along terms like Service Oriented Architecture (SOA) to try and bring some organization to the chaos. But, unfortunately, none of this solved the growing issues at hand.


What did they all have in common? They trusted. That is not the way.


Until a few years ago, the idea that we would move away from castle-and-moat security was almost unheard of. The notion that all individuals inside the castle (typically accessing via outdated VPN connections from external sources or from inside users on trusted VLAN networks where everyone had unrestricted access) would be deemed trustworthy seemed just as foreign. The results of those outdated processes gave rise to spear phishing, sometimes called social engineering campaigns, aimed at gaining access. Some served political ends, others illegal ones. But, no matter the reason, the pain and loss that simple access created were real.


Then, a new idea formed. A new way. A belief that no person, device, or service should be trusted. This belief is known as Zero Trust.


Zero Trust is a security model that requires organizations to verify and authenticate every user, device, and network request, irrespective of their location relative to the network perimeter. When the architecture model was first released, it focused on reducing the risk of cyberattacks and protecting sensitive data by assuming all traffic was malicious until proven otherwise.

However, as the architecture evolved, it shifted focus to a broader range of factors that affect Zero Trust goals. Among them (and ignored until recently) is an often-overlooked component: the supply chain.


The supply chain is the network of suppliers (in this case, software and hardware vendors) that work together to deliver a product or service to customers. It's a critical component of any cybersecurity environment and a key vulnerability. Several high-profile attacks have targeted the supply chain in recent years, such as the SolarWinds attack, where attackers compromised SolarWinds' software update system to access their customers' networks.


So, why is the supply chain important to Zero Trust? The answer is simple: because it is an extension of the organization's network. A supply chain attack can grant a malicious actor direct access to an organization's network, bypassing security measures. Therefore, ensuring that all suppliers and partners follow Zero Trust principles is crucial.

Here are some ways to incorporate the supply chain into a Zero Trust model:

  1. Verify and authenticate all suppliers and partners: Before doing business with anyone, verifying their identity and authenticating their access to your network is essential. This includes verifying their certificates, digital signatures, and other security measures.

  2. Use encryption: Encrypt all communication between your organization, suppliers, and partners. This will help prevent any unauthorized access to your network.

  3. Monitor your supply chain: Monitor your suppliers and partners for suspicious behavior or activity. This includes looking for unauthorized access to your network or changes to the software or hardware they provide.

  4. Have a response plan: In case of a supply chain attack, have a response plan in place. This plan should include steps to contain the attack, mitigate damage, and restore normal operations as quickly as possible.
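As an added illustration of steps 1 and 3 (not part of the original post), the sketch below audits a supplier delivery against SHA-256 digests pinned when the release was approved, flagging files that changed, went missing, or were never declared. The file names, directory layout, and manifest format are assumptions constructed for this example; digest pinning detects change and complements, rather than replaces, checking the vendor's digital signature.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large vendor packages are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_delivery(delivery_dir: Path, pinned: dict[str, str]) -> dict[str, list[str]]:
    """Compare a supplier delivery against digests pinned at approval time."""
    report = {"ok": [], "changed": [], "missing": [], "unexpected": []}
    seen = set()
    for path in sorted(p for p in delivery_dir.rglob("*") if p.is_file()):
        name = path.relative_to(delivery_dir).as_posix()
        seen.add(name)
        if name not in pinned:
            report["unexpected"].append(name)  # file the supplier never declared
        elif hmac.compare_digest(sha256_file(path), pinned[name]):
            report["ok"].append(name)
        else:
            report["changed"].append(name)  # content differs from the approved build
    report["missing"] = sorted(set(pinned) - seen)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample: one intact file, one altered, one dropped, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "agent.bin").write_bytes(b"approved build 1.0")
        (root / "update.cfg").write_bytes(b"server=updates.example.com")
        pinned = {n: sha256_file(root / n) for n in ("agent.bin", "update.cfg")}
        pinned["LICENSE"] = hashlib.sha256(b"license text").hexdigest()
        # Simulate a delivery that drifted after approval.
        (root / "update.cfg").write_bytes(b"server=updates.example.net")
        (root / "extra.dll").write_bytes(b"not in manifest")
        return audit_delivery(root, pinned)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:10} {names}")
```

Anything reported as changed, missing, or unexpected is a trigger for the response plan in step 4, not something to approve automatically.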


In conclusion, the supply chain is critical to any organization's cybersecurity strategy. Incorporating it into a Zero Trust model can help reduce the risk of cyberattacks and protect sensitive data. Organizations can ensure that their supply chain is secure and aligned with their Zero Trust principles by verifying and authenticating all suppliers and partners, using encryption, monitoring the supply chain, and having a response plan. This is the way!






 
 