
Reducing supply-chain security risks by controlling vendor sprawl
IT administrators have long had to find the right balance between two strategies. On one hand, the convenience and simplicity of concentrating security and other functions with a single vendor is compelling.
On the other, the resilience and flexibility of an infrastructure built from best-of-breed point solutions for each IT security function also promise benefits. Using multiple vendors means there’s no single point of failure for the entire security infrastructure.
How you strike that balance for your organization will depend on many factors. And some of those factors are subject to change.
One important ongoing change is the growth of software supply-chain attacks. This attack strategy relies on compromising systems and networks higher up in the vendor supply chain and using them to distribute that compromise widely and launch attacks against downstream organizations like yours.
A recent example was the massive January 2022 Illuminate data breach, which exposed data from school districts across the country that used the compromised service. For more about this and other supply-chain attacks — along with technical strategies to minimize risk with robust security — see this July 2022 blog post.
Large attack surfaces, complex risk
Software supply chains can be very complex. Say you’re using a SaaS ERP solution. That vendor might have outsourced different parts of its product development to multiple subcontractors.
Each of those subcontractors has development teams that use lots of existing functional code and calls to external libraries or utilities to assemble their code. Many of these are called or downloaded only as the app is run, making malicious changes hard to detect. And each of these links in the supply chain — dozens or hundreds — is a potential point of compromise.
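One defensive answer to dependencies that are fetched or loaded only at run time is to record a hash of every third-party artifact when it is reviewed, and to re-verify the on-disk artifacts before the application starts. The following Python script is an added example, not code from this post or from Barracuda; the vendor directory, the file names and the "lockfile" format are all constructed for illustration. It pins the artifacts, then simulates a post-review change (one file modified, one added, one removed) and reports what no longer matches.

```python
"""Pin and re-verify run-time-loaded dependencies against hashes recorded at review time."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large artifacts do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_lockfile(vendor_dir: Path) -> dict[str, str]:
    """Record the hash of every artifact present when the dependencies were reviewed."""
    return {p.name: sha256_of(p) for p in sorted(vendor_dir.iterdir()) if p.is_file()}


def verify_dependencies(vendor_dir: Path, lockfile: dict[str, str]) -> dict[str, list[str]]:
    """Compare what is on disk now against the pinned hashes.

    Returns three sorted lists:
      modified   - pinned artifact whose content hash changed
      missing    - pinned artifact that is no longer present
      unexpected - artifact present on disk that was never pinned
    """
    on_disk = {p.name: sha256_of(p) for p in vendor_dir.iterdir() if p.is_file()}
    report: dict[str, list[str]] = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in lockfile.items():
        actual = on_disk.get(name)
        if actual is None:
            report["missing"].append(name)
        elif actual != expected:
            report["modified"].append(name)
    report["modified"].sort()
    report["missing"].sort()
    report["unexpected"] = sorted(set(on_disk) - set(lockfile))
    return report


def demo() -> dict[str, list[str]]:
    """Build a constructed vendor directory, pin it, change it, and re-verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "vendor"
        vendor.mkdir()
        # Constructed sample artifacts standing in for third-party libraries.
        (vendor / "libauth-1.4.2.js").write_text("export function login(u, p) { /* reviewed */ }\n")
        (vendor / "libreport-2.0.0.js").write_text("export function render(d) { /* reviewed */ }\n")
        lockfile = build_lockfile(vendor)

        # Simulate what an upstream change after review looks like on disk:
        # one pinned file changes, one unpinned file appears, one pinned file vanishes.
        (vendor / "libauth-1.4.2.js").write_text("export function login(u, p) { /* changed after review */ }\n")
        (vendor / "libextra-0.1.0.js").write_text("export function extra() {}\n")
        (vendor / "libreport-2.0.0.js").unlink()

        return verify_dependencies(vendor, lockfile)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the lockfile would be committed alongside the application and the verification step would run in CI and at service start-up, failing closed on any non-empty list; the "unexpected" list is what catches a dependency that was silently added somewhere along the subcontractor chain.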
Strategies to minimize risk
Growing supply-chain risks argue for a greater concentration of functions and capabilities among fewer vendors. Reducing the number of software suppliers can dramatically reduce your supply-chain attack surface.
It’s also important to optimize your security, incorporating advanced email security and inbox protection, Zero Trust Access, and other advanced capabilities. In today’s complex threat landscape, a single-vendor, platform-based security infrastructure can provide more robust, comprehensive protection thanks to integrated capabilities, system-wide threat-intelligence sharing, and single-point visibility and control.
Barracuda is leading the way in the trend toward platform-based, comprehensive security delivered via the cloud:
- Barracuda Email Protection protects your Microsoft 365 deployment with advanced security, incident response, awareness training, and more.
- Barracuda Cloud Application Protection is our Web Application and API Protection (WAAP) package, built around the robust, proven, easy-to-use Barracuda WAF-as-a-Service.
- Barracuda Network Protection combines SD-WAN and firewall capabilities with Zero Trust Access and other features to help you build a complete Secure Service Edge (SSE) architecture.
Managing up-chain risk
In addition to technical solutions, you need to enhance procurement practices to ensure that security considerations are built into every contract and partnership agreement. This means you need to develop a dependable system for rating the reliability and security of potential partners and suppliers.
The U.S. National Institute of Standards and Technology (NIST) publication “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations” provides an excellent discussion of best practices and specific, actionable recommendations. As Gartner says in announcing the release of “Top Trends in Cybersecurity 2022”:
“Digital supply chain risks demand new mitigation approaches that involve more deliberate risk-based vendor/partner segmentation and scoring, requests for evidence of security controls and secure best practices, a shift to resilience-based thinking and efforts to get ahead of forthcoming regulations.”
Finally, it’s critical to build security into every aspect of application development, even if this means sacrificing some DevOps speed.
Because software supply-chain threats are so diffuse, and the attack surface so large and complex, there is no silver bullet that can protect you. But by limiting vendor sprawl; implementing comprehensive, platform-based security; and adopting more security-aware business processes, you can keep risks to a minimum.
