Strengthening Supply Chain Security with Zero Trust Architecture

in DevOps , Kubernetes , DevSecOps , Cloud Computing , Configuration Management

Zero Trust Architecture

- The Risk of Supply chain Attacks.

- What is Zero Trust?

- How Zero Trust Works?

- How Zero Trust Can Prevent Supply chain Attacks?

    This Article was Originally Published at Magalix

    The December 2020 “supply chain attack” against SolarWinds® is considered a landmark event in cybersecurity circles. This attack, resulting from security gaps in SolarWinds’ Orion software, allowed hackers to compromise the systems of hundreds of companies worldwide.

    Earlier, in 2017, hackers perpetrated the “NotPetya” supply chain attack. By planting a “backdoor” in widely-used accounting software, they were able to infect the systems of and steal data from hundreds of companies. Over the years, hackers have launched supply chain attacks by attacking PDF editor applications, third-party data aggregators, and even HVAC service vendors (the infamous Target attack of 2014).

    To protect themselves from such attacks, organizations must look past the traditional, risky “trust but verify” approach of network security. Instead, they must adopt a more robust and reliable “never trust, always verify” security approach. And this is what Zero Trust is all about.

    The Risk of Supply Chain Attacks

    Over the past few decades, global supply chains have become increasingly interconnected and complex. Today’s organizations depend on other third parties to streamline operations, save costs, and achieve economies of scale. These benefits notwithstanding, these third parties also leave organizations vulnerable to supply chain attacks.

    Many such attacks, such as SolarWinds, stem from compromised software or hardware. By adding malicious code into a vendor’s trusted software; threat actors can simultaneously attack all the vendor’s client organizations. The risk of such attacks also increases due to data leaks at the vendor’s end, their use of Internet-connected devices, and their reliance on the cloud to store data.

    To prevent such attacks, organizations should take supply chain security more seriously. They must also assume that no user or third party can be trusted, and adopt Zero Trust security.

    What is Zero Trust?

    Traditional IT security is rarely considered “insiders”, including third-party vendors, as potential cyber threats. Between 2018 and 2020, the number of insider incidents increased by 47%, showing that this thinking is not only erroneous but also dangerous. It’s critical to acknowledge that insider threats exist and to take steps to mitigate them. Here’s where Zero Trust comes in.

    Zero Trust means that organizations should not automatically trust anything or anyone trying to access their network, systems, applications or data. This principle of never trust, alwaysverify is one of the cornerstones of Zero Trust. It suggests that every user and device should be treated as a potential threat, and their identity and access level should always be verified before they’re allowed access.

    How Zero Trust Works

    Zero Trust relies on a few key principles to boost enterprise network security. One, it assumes that a threat can come from anywhere, both inside and outside. In addition, Zero Trust leverages the “Principle of Least Privilege” (PoLP), where every user or device is only given the bare minimum access permissions needed to perform its intended function. By controlling the access level and type, PoLP reduces the cyber attack surface and prevents supply chain attacks.

    Zero Trust also strengthens enterprise security through micro-segmentation. This method of creating smaller segments around IT assets also helps reduce the attack surface. It also supports the implementation of granular policy controls to protect the organization from breaches and restrict the lateral movement of attackers.

    How Zero Trust Can Prevent Supply Chain Attacks

    A report by the European Union Agency for Cybersecurity (ENISA) predicts that there will be four times more software supply chain attacks in 2021 compared to 2020. This is why ENISA suggests that organizations must implement “new protective methods that incorporate suppliers”. Zero Trust is one such effective method. It can prevent supply chain attacks in 4 key ways:

    1- Securing The Provider

    Software supply chain attacks take advantage of third-party providers with poor security practices. If the provider implements Zero Trust, the probability that an attacker might gain access to their network or move laterally through it – which is what happened with the SolarWinds attack – is greatly reduced.

    Ideally, providers should implement robust Zero Trust by combining multiple tools and technologies, such as multi-factor authentication (MFA), identity and access management (IAM), identity protection, endpoint security, data encryption, and email security. Customer organizations should further strengthen their own networks with micro-segmentation, least privilege controls, and endpoint security.

    2- Limiting Vendor Permissions

    By implementing Zero Trust and limiting third-party users’ access to their network, organizations can minimize cybersecurity risk, and prevent supply chain attacks. For this, they must apply advanced security controls such as MFA and credential vaulting. Credential vaulting allows vendors to login to customer systems, while protecting credentials, maintaining internal network security, and preventing inadvertent or malicious customer network intrusions from the vendor’s end.

    It’s also important to implement Vendor Least Privileged Access Management (VPAM) technology. VPAM gives vendors the granular least privilege that Zero Trust embodies, and ensures that they can access only the applications they need to function.

    3- Monitoring External Software

    Software supply chain attacks usually target the vendor software’s source code, update mechanisms, or build processes. The SolarWinds’ Orion attack is one such example. In some cases, they take advantage of zero-day vulnerabilities, i.e. vulnerabilities that the software vendor knows about, but has not yet developed a patch to fix the flaws. This is what happened with the supply chain attack on the Accellion File Transfer Appliance (FTA). In February 2021, nearly 100 organizations worldwide experienced data breaches due to 4 zero-day vulnerabilities in Accelion’s FTA. Ironically, such third-party software is commonly overlooked as a potential source of third-party risk. This is a dangerous mistake, as the victims of both attacks realized later.

    Before onboarding any software vendor, organizations must conduct a thorough assessment of the vendor’s security processes during the software development lifecycle. It’s vital to implement strong controls to prevent threat actors from introducing malicious code into this software.

    Every organization that uses third-party software assets must continuously monitor and control its access. They should implement MFA, granular controls, and Zero Trust policies that specify the criteria for authorized users, and which software resources they can access. All these actions can limit the impact of compromise via external software.

    4- Preventing Lateral Movement

    In supply chain attacks, the initial attack vector is rarely the attacker’s final objective. Almost always, attackers are looking to gain access to other parts of the victim organization’s network by moving laterally across it. Sometimes, their goal is to corrupt targeted systems, or steal data. The Target and SolarWinds attacks are both examples of supply chain attacks aimed to facilitate lateral movement across the victim’s network. Implementing Zero Trust can prevent attackers from moving laterally through the network and causing more damage.

    Zero Trust considers trust as a vulnerability or weakness. To eliminate this weakness, it focuses on continually identifying and authenticating every user, identity, and device before granting them access. It also cloaks the organization’s network to limit its visibility and prevent threat actors from moving laterally across it. With Zero Trust, organizations can also protect their networks from remote service session hijacks, limit the ability of threat actors to access resources, and prevent them from installing malware.


    In addition to Zero Trust, Security-as-Code is a reliable way to secure cloud supply chains. With Magalix Security-as-Code, organizations can strengthen their cloud infrastructure with customizable policies, clear governance, and contextual visibility. They can codify cloud security, enforce it at every step, and continuously monitor their security posture to stay ahead of supply chain attackers.

    Get similar stories in your inbox weekly, for free

    Share this story:

    Magalix is a cloud security enabler, leveraging security-as-code and compliance-as-code, to embed security at every stage of the software development lifecycle.

    Latest stories

    How ManageEngine Applications Manager Can Help Overcome Challenges In Kubernetes Monitoring

    We tested ManageEngine Applications Manager to monitor different Kubernetes clusters. This post shares our review …

    AIOps with Site24x7: Maximizing Efficiency at an Affordable Cost

    In this post we'll dive deep into integrating AIOps in your business suing Site24x7 to …

    A Review of Zoho ManageEngine

    Zoho Corp., formerly known as AdventNet Inc., has established itself as a major player in …

    Should I learn Java in 2023? A Practical Guide

    Java is one of the most widely used programming languages in the world. It has …

    The fastest way to ramp up on DevOps

    You probably have been thinking of moving to DevOps or learning DevOps as a beginner. …

    Why You Need a Blockchain Node Provider

    In this article, we briefly cover the concept of blockchain nodes provider and explain why …

    Top 5 Virtual desktop Provides in 2022

    Here are the top 5 virtual desktop providers who offer a range of benefits such …

    Why Your Business Should Connect Directly To Your Cloud

    Today, companies make the most use of cloud technology regardless of their size and sector. …

    7 Must-Watch DevSecOps Videos

    Security is a crucial part of application development and DevSecOps makes it easy and continuous.The …