Suppliers, vendors, and service providers may at times require connectivity to - or gear plugged into - your network in order to provide better service to you and yours.
Making life easy for both parties is a great benefit, but there can be a dark side to these types of arrangements. Allowing third parties access to company resources can open up serious cybersecurity holes; some industry estimates attribute as many as 80% of breaches to the supply chain, and because a trusted partner is involved, such incidents are often classed as a form of insider threat. As scary as that sounds, allowing third-party access to your high-value IP and sensitive data does not have to end badly. Following a few best practices can help you lock down third-party access to your network and ensure that their cybersecurity woes do not become your own.
All good cybersecurity controls have solid policies backing them. If you routinely permit access to partner or vendor organizations in your supply chain, you need to define the parameters within which such access is granted. Once you have these policies in place, along with accompanying standards, they should not be negotiable. You know your organization and its various IT environments, and therefore you must be in charge of your cybersecurity. These procedural controls provide the foundation for secure transactions between your organization and those in your supply chain.
If a vendor or service provider tells you that they need access to your environment via virtual private network (VPN), on-site appliance, or any other means, they need to comply with your organizational standards. Does your organization need to control both ends of the VPN tunnel? Do you need to place a third-party system into an enclave where it cannot reach or be reached by any other resources? Do you want to test all third-party equipment and software for vulnerabilities regularly? Then make those requirements known. If a provider is not willing to accept your rules, there are generally other companies out there who will. Don’t believe that you need to bend over backwards to prevent your supply chain from breaking.
Once a supplier has agreed to your terms, get exact specifications for the required solution. Scope creep can affect the implementation of a solution, causing teams to cut corners in order to meet dates, and the end result is rarely optimal. You need to know what the third party absolutely requires to run their solution. Appropriate documentation, including network diagrams, should be provided for your networking and security engineers, and every required network flow should be written down as source, destination, protocol and port, so that it can be implemented as an explicit firewall rule and audited later. Of course, any requirement that does not meet your standard for cybersecurity must be revised. At the end of the day, you should not be caught off guard when a supplier asks for extra resources or network flows, and do NOT accept “permit any” as a requirement from anyone in your supply chain; do not compromise on cybersecurity, lest your assets or data be compromised.
Once you have exchanged requirements and agreed upon a solution architecture for third-party access from your supply chain, you need to maintain oversight of the implementation. Your security team should always be monitoring for threats, your network and infrastructure operations teams should be keeping an eye on any new gear added to the environment, and your management team should be up to speed on overall progress. If you’re going to spend the time creating requirements, policies, and standards, and then go through the pain of ensuring that your suppliers adhere to them, it doesn’t make much sense to forgo oversight of the project. You are the client, and you have the final say; use that power for good.
Feel free to blur the lines between what is yours and what isn’t, at least when it comes to monitoring. If you have workstations in your network that belong to a third party, you will need to ensure that they have appropriate endpoint protection. If you are already using an agent-based endpoint monitoring solution on your own workstations, ensure that it is deployed on their systems as well. If your supplier has a server or other appliance on your network, have them send syslog to your SIEM or data analytics platform. If a third party connects through a VPN, monitor both endpoints. Use your policies, standards, and architecture to determine which security monitoring policies are required, then configure your sensors to watch for any deviation from the solution agreed upon by customer and vendor, as well as other breaches of security best practices.
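To make that last point concrete, here is an added example (not from the original article or any vendor's tooling) of the kind of check a sensor or SIEM rule can perform: it takes the agreed flow specification from the requirements exchange, refuses any "permit any" entry, and then compares firewall log lines for the vendor enclave against the specification, reporting allowed flows that were never agreed, agreed flows the firewall is wrongly denying, and blocked attempts to leave the enclave. The vendor enclave range (10.200.0.0/24), the agreed flows and the key=value log lines are all constructed for this illustration.

```python
"""Audit observed third-party enclave flows against the agreed specification.

Constructed example: enclave range, agreed flows and log lines are invented,
and the key=value log format is a simplified firewall export, not any
particular product's syslog format.
"""
import ipaddress

# Hypothetical enclave holding the vendor's appliance (assumption).
ENCLAVE = ipaddress.ip_network("10.200.0.0/24")

# Agreed flows from the vendor's specification (constructed). Each entry is
# one explicit source/destination/protocol/port tuple; nothing is "any".
AGREED_FLOWS = [
    {"src": "10.200.0.0/24", "dst": "10.10.5.20/32", "proto": "tcp", "dport": 443},   # vendor -> API host
    {"src": "10.200.0.0/24", "dst": "10.10.1.53/32", "proto": "udp", "dport": 53},    # DNS resolver
    {"src": "10.200.0.0/24", "dst": "10.10.9.100/32", "proto": "udp", "dport": 514},  # syslog to SIEM
]

# Constructed firewall log lines, one flow per line.
SAMPLE_LOGS = """\
action=allow src=10.200.0.15 dst=10.10.5.20 proto=tcp dport=443
action=allow src=10.200.0.15 dst=10.10.1.53 proto=udp dport=53
action=allow src=10.200.0.15 dst=10.10.9.100 proto=udp dport=514
action=allow src=10.200.0.22 dst=10.10.5.20 proto=tcp dport=22
action=allow src=10.200.0.22 dst=10.10.7.8 proto=tcp dport=445
action=deny src=10.200.0.15 dst=10.10.7.8 proto=tcp dport=3389
action=allow src=10.10.7.8 dst=10.200.0.15 proto=tcp dport=8443
action=allow src=192.168.1.5 dst=10.10.5.20 proto=tcp dport=443
"""


def validate_spec(spec):
    """Reject a specification containing a 'permit any' entry (wildcard
    network, protocol or port). Returns True when every entry is explicit."""
    for i, f in enumerate(spec):
        if f["proto"] == "any" or f["dport"] == "any":
            raise ValueError(f"flow {i}: wildcard protocol or port is not accepted")
        for key in ("src", "dst"):
            if ipaddress.ip_network(f[key]).prefixlen == 0:
                raise ValueError(f"flow {i}: {key} 0.0.0.0/0 is not accepted")
    return True


def spec_is_acceptable(spec):
    """Boolean wrapper around validate_spec for callers that do not want exceptions."""
    try:
        return validate_spec(spec)
    except ValueError:
        return False


def parse_log_line(line):
    """Parse one 'key=value key=value ...' log line into typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "action": fields["action"],
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields["proto"].lower(),
        "dport": int(fields["dport"]),
    }


def flow_is_agreed(flow, spec):
    """True if the observed flow matches some entry in the agreed specification."""
    return any(
        flow["src"] in ipaddress.ip_network(f["src"])
        and flow["dst"] in ipaddress.ip_network(f["dst"])
        and flow["proto"] == f["proto"]
        and flow["dport"] == f["dport"]
        for f in spec
    )


def audit_flows(log_text, spec, enclave=ENCLAVE):
    """Classify every flow touching the enclave. Flows that neither enter nor
    leave the enclave are out of scope for this check and are skipped."""
    validate_spec(spec)
    report = {"ok": 0, "deviations": [], "not_implemented": [], "blocked": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_log_line(line)
        if flow["src"] not in enclave and flow["dst"] not in enclave:
            continue
        agreed = flow_is_agreed(flow, spec)
        if agreed and flow["action"] == "allow":
            report["ok"] += 1                      # exactly what was agreed
        elif agreed:
            report["not_implemented"].append(line) # agreed, but the rule base denies it
        elif flow["action"] == "allow":
            report["deviations"].append(line)      # permitted, but never agreed: alert
        else:
            report["blocked"].append(line)         # rule base held, but someone tried
    return report


if __name__ == "__main__":
    result = audit_flows(SAMPLE_LOGS, AGREED_FLOWS)
    print(f"agreed flows seen: {result['ok']}")
    for category in ("deviations", "not_implemented", "blocked"):
        for line in result[category]:
            print(f"{category}: {line}")
```

Note that inbound traffic to the enclave from elsewhere on the network (the 8443 line) is flagged as a deviation even though it was allowed, because the agreed specification only describes flows originating in the enclave; that is the "cannot reach or be reached" requirement being checked rather than assumed.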
The key take-away here is that you need to treat any systems installed in, or connected to, your environment by a third party as if they are your own. Don’t let your supply chain dictate how you run your network or security practice. From the get-go, you should provide all policies and standards, solution requirements, architecture guidance, and implementation oversight. Don’t be afraid to make the supplier bow to your will before you let them into your environment. The last thing you want is to get famous the way so many big organizations have these days: by getting breached through your supply chain.