Securing supply chains is becoming a more crucial aspect of information risk management. But the definition of the supply chain is evolving.
The supply chain, from an IT security perspective, often is perceived as the hardware and software an organization acquires from vendors as well as online offerings furnished by service providers.
Here's one example of a supply-chain threat: using hardware produced by two Chinese manufacturers, Huawei and ZTE. Some members of Congress contend the Chinese government could use the hardware to pilfer intellectual property or top-secret plans from corporate and government computers [see House Panel: 2 Chinese Firms Pose IT Security Risks].
But Hugh Thompson, chief security strategist at People Security, an enterprise security education provider, and chairman of the program committee at the RSA security conference, sees a new component of the supply chain, what he calls "the shadow supplier." By this, he means providers of consumer technologies, such as easily accessible cloud computing services or employee-owned 4G mobile devices, that are used on the job.
Take a look at the latest catalogue of security controls from the National Institute of Standards and Technology regarding the supply chain, NIST Special Publication 800-53 Revision 4, and the shadow supplier doesn't quite fit.
Supply Chain Protection
According to control SA-12: Supply Chain Protection, organizations use acquisition and procurement processes to require supply chain entities to implement necessary security safeguards, both to reduce the likelihood of unauthorized modifications at each stage in the supply chain and to protect information systems and their components before the organization takes delivery of those systems and components.
But that's not quite how it works with shadow suppliers. Those running IT and IT security at government agencies and businesses don't always know that a system or component has been acquired. That's because the technology was not acquired through the normal procurement process.
Here's how Thompson sees organizations acquiring a service such as Dropbox, which allows individuals to easily share documents through a public-cloud service: Colleagues sitting around a conference table want to share a document, but the document owner, after five attempts, can't access Microsoft SharePoint, a document management system that operates on the internal corporate network. Frustrated, the document owner uploads the document to Dropbox, where his colleagues can easily access it.
"Suddenly, Dropbox is a supplier, and the business or government agency doesn't even know it," Thompson says. "This is a huge area of the supply chain that now exists that is completely shadowed."
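Because a shadow supplier never passes through procurement, the first place an organization can learn of it is its own egress traffic. The following is an added example, not code from the article or from People Security: it inventories consumer cloud-service use from web-proxy logs so that security staff can see which unsanctioned services, such as Dropbox, are already in use and how much data flows to them. The log format (timestamp, user, destination host, bytes sent), the hostname-to-service map and the list of sanctioned services are all constructed for the example; in practice the service map would come from a proxy category feed or CASB.

```python
"""Surface "shadow suppliers" from web-proxy logs.

Added example (not from the article). Assumptions: each log line is
    <ISO timestamp> <user> <destination host> <bytes sent>
and CONSUMER_SERVICES is a hand-curated hostname-suffix -> service map.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample log lines (not real traffic). One line is deliberately
# malformed to show that the parser skips it instead of aborting the report.
SAMPLE_LOG = """\
2013-05-01T09:12:03Z alice sharepoint.corp.example 1024
2013-05-01T09:15:40Z alice www.dropbox.com 5242880
2013-05-01T09:16:02Z bob dl.dropboxusercontent.com 3145728
2013-05-01T10:01:11Z carol mail.corp.example 2048
2013-05-01T10:07:55Z dave www.google.com 512
2013-05-01T11:20:19Z erin drive.google.com 4194304
this line is malformed and should be skipped
2013-05-01T12:00:00Z bob www.dropbox.com 1048576
"""

# Hostname suffix -> consumer service name (assumed, curated list).
CONSUMER_SERVICES = {
    "dropbox.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "drive.google.com": "Google Drive",
}

# Hosts the organization actually procured (constructed).
SANCTIONED = {"sharepoint.corp.example", "mail.corp.example"}


@dataclass
class ServiceUsage:
    """Aggregate usage of one consumer service."""
    users: Set[str] = field(default_factory=set)
    bytes_sent: int = 0
    requests: int = 0


def classify_host(host: str) -> Optional[str]:
    """Map a destination host to a consumer service by exact or suffix match."""
    host = host.lower()
    for suffix, name in CONSUMER_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def find_shadow_suppliers(log_text: str,
                          sanctioned: Set[str] = SANCTIONED) -> Dict[str, ServiceUsage]:
    """Return per-service usage for consumer services not in the sanctioned set."""
    usage: Dict[str, ServiceUsage] = defaultdict(ServiceUsage)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # malformed line: skip rather than crash the report
        _ts, user, host, nbytes = parts
        if host in sanctioned:
            continue
        service = classify_host(host)
        if service is None:
            continue
        entry = usage[service]
        entry.users.add(user)
        entry.bytes_sent += int(nbytes)
        entry.requests += 1
    return dict(usage)


def report(usage: Dict[str, ServiceUsage]) -> List[str]:
    """Human-readable summary lines, largest data volume first."""
    lines = []
    for name, u in sorted(usage.items(), key=lambda kv: kv[1].bytes_sent, reverse=True):
        lines.append(f"{name}: {len(u.users)} users, {u.requests} requests, "
                     f"{u.bytes_sent / 1048576:.1f} MiB sent")
    return lines


if __name__ == "__main__":
    for line in report(find_shadow_suppliers(SAMPLE_LOG)):
        print(line)
```

Run against the constructed log, the report lists Dropbox (two users, three requests, 9.0 MiB) ahead of Google Drive (one user, 4.0 MiB); the sanctioned SharePoint and mail hosts are ignored, and `www.google.com` does not match the `drive.google.com` suffix, so plain search traffic is not counted as file sharing. Output like this is the inventory that lets a security team decide whether to sanction, encrypt, or block a service it did not know it had acquired.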
Not Being Rebellious
Of course, NIST offers other controls to deal with cloud services, such as requiring that information stored on the cloud be encrypted for added security. And many organizations have implemented controls to limit or ban the use of employee-owned devices and cloud services, such as Dropbox.
But Thompson says that as long as employees can find better technology than their employers offer, they will find ways to use it. "Even if there is a policy against doing it, people are naturally doing it anyway, not to be rebellious but just to be more productive," he says.
And, Thompson says, organizations must be more agile in developing policies and adopting controls because there are too many choices in the marketplace. Years ago, organizations provided their employees with the best technology; not so today.
"Today, the technology provided by the business is usually the worst technology you have; you have a worse experience at work than you do at home," Thompson says. "There are so many great consumer services and devices, all of that rich technology experience. I bring that up because it has created a big dilemma for business and government agencies because the natural human push is that they want the same experience at work as they do at home. ... People are just going to go for whatever is the coolest, easiest solution instead of following legitimate company policy."
The shadow supplier may be a new way to think of the evolving threat consumer technologies pose to organizations. But it's a reminder that organizations must think broadly as they secure the supply chain.