3 min read, Wed Sep 22 2021
The impact of your supply chain on your digital footprint
My last posts talked about your company's digital footprint and the different items composing it. But the impact of your supply chain is often left out of that picture.
Often, the assets that compose your digital footprint, like the server on which your website runs or your email infrastructure, are not hosted on your premises but somewhere in the cloud. This can mean that the management of that system is outside your zone of control. If you find any weaknesses in such a system, you should trigger an internal process that starts communication and remediation with that supplier. The same goes for the web application running on top of that system. Chances are it was not developed internally but by an external party, and probably a different supplier than the cloud company. You'll need to start a second process to communicate with that party as well.
Let's think this scenario through. We've performed a scan of our company's digital footprint. We found a number of exposed assets, among them a web application that is developed by an external supplier and hosted on a system managed by yet another external supplier. We need to understand that while our digital footprint is attributed to us, our company, it is actually composed of different bits and pieces spread over different suppliers and even different geographic locations.
Hence, if we want a full view of the exposure our digital footprint brings to our company, we need to take into account not only the exposure of our own systems and applications, which are firmly under our direct control, but also that of the systems and applications located outside our direct zone of control, lying with different suppliers.
The next question we need to ask is: how far does this exposure go? Is our web application located in a single-tenant or a multi-tenant environment? If the acquisition of the system and the contract negotiation went through the normal approved processes, chances are you already have this information. But what if another department went ahead and ordered the web application and hosting outside of the normal processes? Also, was the supplier chosen from a list of pre-approved suppliers, or did they (randomly) pick their own? If so, how can we make sure that this supplier practices sound security principles: secure coding, regular security tests on their code and systems, secure handling of our company's data, a business continuity plan in case the availability of your asset is impacted, and so on?
Measuring the exposure and the risks of assets in our zone of control is fairly simple. We can run active vulnerability scans, execute penetration tests, check the configuration, etc. It is not as simple with external suppliers. Are you allowed to run a vulnerability scan against their systems, or to require them to perform a penetration test? Do you know how they are organised internally concerning secure coding and other security and risk management practices?
In my post next week I'll delve deeper into how to check and maintain a view on the security and risk exposure of your digital footprint, and your suppliers'. Don't hesitate to send me a PM or mail if you have a remark or a question, happy to help you out!
Jimmy is the founder, CEO and CTO of Ceeyu. Prior to founding Ceeyu, Jimmy was responsible for cybersecurity programs at large financial institutions and consulting company EY. Jimmy started his career as a security engineer. His duties included installing and managing firewalls, scanning infrastructure for vulnerabilities, and performing pen testing and ethical hacking.