Vulnerable supply chains
In the past 12 months, supply chain attacks such as Kaseya and SolarWinds have compromised thousands of businesses, costing us tens of millions of dollars. Those are just a couple of the high profile attacks – keep in mind many companies don’t disclose all their breaches, especially if they paid a ransomware fee to recover their data. For example, supply chain specialist Sonatype estimated that there were over 400% more supply chain attacks in the past year than in the previous four years combined.
Secure supply chain is now business critical
These aren’t just breaches which cost us money. These are breaches which are stopping businesses, and disrupting our supply chains. This is a drastic difference from even a few years ago, in which a breach would be costly, but would usually not stop our businesses, disrupt our supply chains, or even extinguish our business (60% of small and medium-sized enterprises are put out of business by cyberattacks, according to this Verizon study).
Secure supply chain is incredibly difficult
There are a few main problems which lead to these multi-million dollar supply chain attacks:
Problem #1: firewalls are full of holes
This is an actual diagram from a well known firewall/SD-WAN/VPN vendor. I removed only the labels which identify their company name. The name is not relevant because the reality is this is the (obsolete) architecture of every firewall/SD-WAN/VPN vendor.
If you treated this diagram as a maze, and tried to find a path from the Internet to the “Internal Network” then would you find one? Yes! And that means there are paths for malware, ransomware and other nasty data flows to get to our data. The firewalls etc. are like Swiss cheese – riddled with open inbound ports and configured ‘exceptions’. And this is touted as a secure architecture! Talk about a false sense of security and a massive problem in trying to secure our supply chains.
Because today’s bolted-on infrastructure approach is full of holes, we end up trying to police the data flows which get through the holes at the networking layers after the data is already flowing. This is like trying to control fans at a World Cup finals match by first letting everyone into the stadium, without checking for tickets, and then trying to find and eject anyone who entered the stadium who didn’t actually have a valid ticket, or had someone else’s ticket. Yeah, good luck with that. In our case, it is even worse: the stadium (our network) can hold near infinite people (software, e.g. malware), and those people can easily hide anywhere. Ouch. This bolted-on, perimeter-based, reactive approach makes it almost impossible to secure our supply chains.
Problem #2: wide open networks
So, due to leaky firewalls and a lack of upfront identification, authentication and authorization, we end up with a bunch of people (or viruses, malware and ransomware) crashing our party. And it gets worse. Our LANs and WANs are basically wide open – they were built on the assumption that only people we invited to the party could get into the network. Well, due to the leaky firewalls and lack of upfront authorization problems described above, we end up with lots of party crashers. And, since our networks are wide open, those party crashers (e.g. ransomware) can quickly infiltrate lots of party rooms. And fly through our connected supply chains. But these party crashers didn’t come to party – they infiltrated our wide open network and supply chain, so that their owners (cyberattackers) could party, with your money, and at the expense of your customers and your supply chain partners.
Problem #3: I have a business to run
Most of us are not in the cybersecurity business. Our jobs revolve around delivering excellent products and services to our customers. Other than large enterprises, many businesses are fortunate if they have more than 1-5 people focused on cybersecurity. Large enterprises may have more people and tools, but also usually have to deal with more cyberattacks (they are often juicier targets), and often across a larger surface area (more apps, devices and users). So we end up with relatively small internal security teams fighting against thousands of very motivated cyberattackers with increasingly sophisticated tools, while most of us are focused on delivering excellence to our customers.
Due to that dynamic of focusing on our businesses and our customers, we often turn to our MSPs and MSSPs for solutions. However, it takes time for MSPs and MSSPs to build solutions, and they are often at the mercy of their existing suppliers (primarily the firewall, VPN and SD-WAN vendors which are now scrambling to rebrand their solution, steer their massive ships to adjust to the new landscape or integrate the acquisitions they just made in this area). However, we can’t wait – the cyberattackers certainly are not waiting – we have customers, businesses and supply chains to protect, now.
We can strengthen supply chain security
Let me be clear: there is no magic bullet. We can’t completely solve the problems described above overnight. We won’t have completely secure connected supply chains, but we can strengthen our security by taking a new approach. We can build towards a stronger, systems-level architecture, guided by a set of principles which are designed for today’s businesses and today’s application security challenges, and can immediately help:
Decrease the risk
Make our supply chains into smaller and more difficult to find targets. Limit the attack surface. This includes reducing targets as well – reducing our development and delivery of vulnerable software (and hidden vulnerabilities within the software, e.g. from third-party libraries) – although our attitude needs to be that there will always be vulnerable software, and therefore our job is to limit the attack surface by which attackers can get to the vulnerability.
Limit the damage of any successful attacks
Stop a specific application breach, preventing it from spreading across our entire supply chain. Limit the blast radius. Again, there will always be vulnerabilities to attack. Quarantining that attack however is much different than enabling that attack to spread.
Make the business case much worse for cyberattackers
The more money the attacks cost the attackers, especially unsuccessful attacks, the fewer attacks there will be. Decrease the number of attacks.
Zero Trust is the approach which is most often cited as key to strengthening our overall cybersecurity, and Zero Trust certainly has applicability in strengthening our supply chain security. For example, here in the US, President Biden put a spotlight on Zero Trust’s importance in these areas with this May 2021 “Executive Order on Improving the Nation’s Cybersecurity”. The Executive Order states “The Federal Government must adopt security best practices; advance toward Zero Trust Architecture…and within 60 days of the date of this order, the head of each agency shall develop a plan to implement Zero Trust Architecture.”
So, what is Zero Trust and how does Zero Trust help address the problems described above? How can businesses with security teams leverage Zero Trust to improve supply chain security? How can MSPs and MSSPs use Zero Trust to better protect businesses, and their supply chains? Let’s dive in.
Let’s define Zero Trust
First of all, we need to cut through all the marketing fluff, and look at Zero Trust in a vendor neutral manner. Let’s look holistically at what Zero Trust is and isn’t. Nobody wants Zero Trust itself, or any technology – we want solutions to our problems such as strengthening our supply chain security.
What isn’t Zero Trust?
There is so much noise in the market that it is helpful to start by focusing the conversation. If a “Zero Trust” solution has any of these characteristics, then it is not Zero Trust at a systems level, which means it will not actually solve our problems:
Firewalls with open inbound ports (holes) for ‘web’ (ports 80 and 443) traffic are not Zero Trust. Do you trust the Internet? Then why does your firewall trust it, and how is your system Zero Trust when you trust the whole planet?
SD-WAN or MPLS WAN architectures which identify, authenticate and authorize data flows after they are on the network. These architectures inherently trust flows based on where they came from (e.g. “inside the network”). Does that sound like Zero Trust to you?
IPsec or GRE based VPNs which open up entire networks between point A and point B (even if point B is a “security cloud”). Again, you are trusting the endpoints just because they are on your network, and you are trusting the security cloud, and then you are trusting the connection between the security cloud and wherever your app is actually going. Hmmm.
In summary, all three of those bolted-on infrastructure solutions are part of architectures which are inherently not secure, regardless of whether we relabel them as Zero Trust. In today’s world of massively distributed apps and hyperconnected supply chains, anything bolted-on is going to fall short (and be very expensive). In fact, what is bolted-on often adds complexity and is itself vulnerable (e.g. almost all of the most impactful security breaches during the first year of COVID-19 were successful attacks on bolted-on infrastructure such as firewalls). In a world of connected supply chains, one vulnerable piece of bolted-on infrastructure can then be used to cascade viruses, malware or ransomware throughout the supply chain. The negative impact of the vulnerable bolted-on infrastructure is multiplied by the number of parties in that supply chain.
What is Zero Trust?
Zero Trust is an approach by which we try to make things secure by design. With that principle as our North Star, the architectural aspects become rather simple, and in fact are widely used in other areas of cybersecurity:
Identify, authenticate and authorize before data flows are permitted.
All doors (e.g. firewalls) are closed to all other flows, or even invisible to other flows, even if those flows are considered “inside” or “internal” (this concept is where the Zero Trust label is derived from…don’t trust networks, firewalls, etc.). This is particularly important in a supply chain because any vulnerability, anywhere in the supply chain, can cascade throughout the chain if we don’t take this approach.
Even for properly authorized data flows, only grant least privileged access.
This can be at the level of an individual application, or at the granularity of a specific service within an application. This helps isolate or contain any damage (we should assume that any architecture can and will be breached). This is again incredibly important in a supply chain. Most vendors or business partners in a supply chain do not need access to entire VPNs or networks. Restricting this access by definition restricts the ability of any infections (ransomware etc.) to spread.
Prioritize visibility, controls and policies.
This includes eliminating infrastructure and configurations which block our visibility, as well as processes and org cultures such as DevOps, SecOps, DevSecOps and NetOps which put security into the heart of our development and delivery lifecycle (the ultimate degree of secure by design).
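To make the three principles concrete, here is a small added example (my own illustration, not NetFoundry code) that evaluates the same sample flows under a perimeter policy and under a Zero Trust policy; the firewall rules, the vendor identity, its credential and the flows are all constructed for the example.

```python
"""Toy policy engine (added example, not NetFoundry code): the perimeter model
(location is trust; 80/443 and 'exceptions' open inbound) beside the principles
above: authenticate and authorize first, deny the rest, least privilege."""
from dataclasses import dataclass, field
# Constructed perimeter ruleset: the 'maze' with paths from Internet to inside.
PERIMETER_RULES = [
    {"direction": "inbound", "port": 443, "action": "allow"},
    {"direction": "inbound", "port": 80, "action": "allow"},
    {"direction": "inbound", "port": 3389, "action": "allow"},  # vendor RDP 'exception'
    {"direction": "inbound", "port": "*", "action": "deny"},
]

def inbound_holes(rules):
    """The post's litmus test: every inbound allow rule is a hole."""
    return [r for r in rules if r["direction"] == "inbound" and r["action"] == "allow"]

def perimeter_permits(flow):
    """Perimeter model: 'inside' is waved through; outside is matched
    against the inbound rules in order (first match wins)."""
    if flow["source_network"] == "internal":
        return True
    for rule in PERIMETER_RULES:
        if rule["port"] in (flow["port"], "*"):
            return rule["action"] == "allow"
    return False

@dataclass
class ZeroTrustPolicy:
    """Default deny: a flow exists only for an authenticated identity with an
    explicit grant to one (application, service) pair; location is ignored."""
    credentials: dict = field(default_factory=dict)  # identity -> expected secret
    grants: dict = field(default_factory=dict)       # identity -> {(app, service)}

    def permits(self, flow):
        ident = flow.get("identity")
        if ident not in self.credentials:
            return False                             # unidentified: no flow at all
        if self.credentials[ident] != flow.get("credential"):
            return False                             # authentication failed
        return (flow["app"], flow["service"]) in self.grants.get(ident, set())

# Constructed sample: one vendor identity holding a single least-privilege grant.
POLICY = ZeroTrustPolicy(credentials={"vendor-rmm": "sample-secret"},
                         grants={"vendor-rmm": {("erp", "reports")}})
VENDOR = {"identity": "vendor-rmm", "credential": "sample-secret",
          "source_network": "internet", "port": 443}
SAMPLE_FLOWS = {  # lateral: ransomware already 'inside' with no identity at all
    "lateral": {"source_network": "internal", "port": 445, "app": "files", "service": "smb"},
    "scanner": {"source_network": "internet", "port": 443, "app": "erp", "service": "reports"},
    "vendor_ok": {**VENDOR, "app": "erp", "service": "reports"},
    "vendor_overreach": {**VENDOR, "app": "erp", "service": "admin"},  # authenticated, not authorized
}

def compare(flows=SAMPLE_FLOWS, policy=POLICY):
    """Return {name: (perimeter_decision, zero_trust_decision)} for each flow."""
    return {n: (perimeter_permits(f), policy.permits(f)) for n, f in flows.items()}
```

The perimeter model waves through the lateral and scanner flows and the vendor's overreach; the Zero Trust policy permits only the one flow that is identified, authenticated and explicitly granted.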
One beautiful aspect of Zero Trust, if done correctly, is it often also resolves the age-old tug of war between security and business velocity (I am using velocity as an umbrella term to include innovation, agility, extensibility and automation). This is because both security and velocity have a common enemy: bolted-on infrastructure. Zero Trust architectures can replace bolted-on infrastructure with built-in security (built-in security, as code, orchestrated from the cloud). In a supply chain context, the chain can often only be as fast as the slowest link. This type of business velocity helps lift the entire supply chain.
How Zero Trust helps secure our supply chains
Third party vendor access – across the ICT supply chain – is one of the main culprits for the recent ransomware attacks. For example, both the Kaseya and SolarWinds supply chain attacks leveraged third party vendor access to spread ransomware across the victims’ networks. Now that we have defined Zero Trust, let’s circle back to the problems we discussed at the top – the problems which have been endangering our supply chains:
Problem #1: firewalls are full of holes
When Zero Trust is done correctly, at a systems level, you will close your firewalls to all inbound traffic. No more holes. You can leave your firewalls there as an extra layer of defense, but you close all their holes and strip away all their complexity – the hundreds of thousands of ACLs and firewall rules which define the holes.
Vendor implementations vary, but fortunately you can eliminate 95% of them by seeing whether or not they close all the inbound firewall ports. SDP/SPA approaches often result in closing these ports, so they are worth looking at, and there are a few vendors in that category. In the case of NetFoundry, we take two additional steps to close down all the inbound ports:
Identity. We embed identity into the applications and endpoints, as SaaS with pre-integrated CAs (so customers are not managing PKI infrastructures, although we can chain to any existing CAs if a customer wishes). We believe Zero Trust starts with identity, so we build it right into the solution.
Data plane security. We use our global Zero Trust Fabric as the data plane such that customer endpoints can open outbound-only sessions to their private Fabric overlay routers, and can only open these sessions in an ephemeral manner, after proper identification, authentication and authorization.
Problem #2: wide open networks
The more segmentation, the better. Air gaps, at an extreme, when viable. Most businesses have historically done segmentation with network layer constructs, such as VLANs. In today’s world, those segments are often still too inclusive and open – hence the supply chain attacks. Most Zero Trust vendors will provide a better form of segmentation. The result should be that attacks can’t spread beyond their initial hit. This can be critical for mitigating attacks like ransomware which need the ability to ‘call home’ and spread in order to do real damage.
NetFoundry takes this to the extreme of providing application level microsegmentation – essentially ephemeral networks of one for each application session. For example, if you are an MSP, MSSP or ISV, and you need access to your customer’s assets for specific apps or services (e.g. RDP, SSH), then you can actually embed NetFoundry’s Zero Trust into that app or service, so that you can close down all the open VPNs and firewall ports, which dramatically decreases the chances that you will become the next Kaseya ISV or one of Kaseya’s MSP/MSSP partners (even if you do have a vulnerability in your software, it makes it much more difficult for the attacker to land in the first place).
Problem #3: I have a business to run
There is not an easy answer here. As we have been in Zero Trust for longer than anyone, we have seen some recipes that work better than most:
A commitment to an overall security culture.
Even if your ‘security team’ is 1 or 2 people, security can be infused into your development and delivery lifecycles, and your overall corporate culture (remember that attacks like ransomware are often using ‘human engineering’ to infiltrate). This is a proactive step which will prevent the pain of reacting to a breach in the future.
Incorporate DevOps, NetOps and DevSecOps best practices.
Again, this is a mix of people, skills, cultures, processes and tools. Not easy but it starts with the commitment and we have watched some of our customers make incredible progress in this area. This is also a step towards proactive supply chain security and leading DevOps, NetOps and DevSecOps teams will often be the first to adopt Zero Trust tools.
Avoid Zero Trust “point solutions”
(Unless they are your only answer to a massive headache). The world will change again, and again it will be unpredictable. The best way we can prepare is by taking a platform approach to problems like security. In the case of NetFoundry, we take this to the extreme, providing an open source based, cloud native, API first platform, with turnkey SaaS services to enable businesses to address immediate headaches. Even if our approach is not for you, we recommend looking at platform-based solutions ahead of point solutions.
MSPs and MSSPs
The most capable MSPs and MSSPs can be extremely helpful. Look for the ones which have proven they can move fast to protect you from modern supply chain threats. For example, MSPs and MSSPs who offer their services to you in a Zero Trust manner (MSPs and MSSPs are a critical part of your supply chain security, so often their first step is to secure their part of the supply chain – their connection to you). NetFoundry often helps businesses secure their supply chains via MSPs and MSSPs, and those MSPs and MSSPs often use many other security solutions as well, and add a tremendous amount of value in implementation, integration and support.
Those items can help multiply the effectiveness of any teams – even small teams – as proactive security, including Zero Trust, is ultimately much less time consuming than today’s model of reactive damage control.
Supply Chain Security is a Journey
There is a reason why our supply chains are being victimized. It is difficult to secure them. NetFoundry, as the first Zero Trust provider, has learned a lot about what it takes to secure a supply chain (which goes beyond Zero Trust), and so we wanted to pass on some of those learnings to you. We do want to be clear that this is a journey and there is no silver bullet. Zero Trust is very helpful in that supply chain security journey, because it helps shift our security stance from reactive to proactive. Zero Trust can help embed security into our DNA as a company, and into our application development and delivery lifecycles. All of that takes time – hence the journey – but Zero Trust can solve immediate pain points as well – enable you to close leaky firewalls, eliminate VPN vulnerabilities, contain the damage of any successful attacks, and essentially multiply the impact which small security teams, MSPs and MSSPs can have on improving supply chain security.