“Is access control for supply chain ok?”
With the rapid expansion of remote work around the world in recent years, environments that were previously protected at the perimeter can now be accessed from anywhere. In addition, with recent globalization, companies are interacting with more companies both domestically and internationally. There appear to be more cases of accessing information at data centers located in Japan and overseas, and of using SaaS services.
The days when a company only needs to protect its internal network are over and it has become necessary to take security measures across the landscape, including the supply chain.
In “10 Major Security Threats 2021” (For Organizations), “increasing attacks that exploit weaknesses in the supply chain” is ranked 4th, and it seems that organizations continue to pay attention to the security of supply chains.
Now, how can we utilize security measures for the supply chain? In this article, we will explain best practices of supply chain management, particularly focusing on access management.
What is Supply Chain?
What is the supply chain in the first place?
Information-technology Promotion Agency, Japan (IPA) defines it as “a form in which business related to IT systems and services is outsourced to affiliated companies and business partners, and the outsourcing is chained”. In IT fields, the supply chain can be said to refer to the series of flows, from design, procurement, development and sales to the operation of the software and hardware that make up the system.
The following are examples:
- Supply chain of affiliated companies
Systems for a large company and its group companies are developed by outsourced companies, including multiple subcontractors under the outsourced company
- Domestic and international supply chain
A domestic data center is accessed from an overseas outsourced development base
- Software/Hardware supply chain
Operations are carried out using software/hardware developed and sold by other companies
Figure 1: Supply Chain Examples
Threats for Supply Chain
What are the threats to these supply chains?
The following are possible threats related to access control for supply chain:
- Unauthorized access from the outside
- Internal fraud
Usually, companies act against these threats individually, but what about the entire supply chain that involves multiple companies?
Verifying security measures in every detail of a widespread supply chain can be a daunting task, since most companies have so many diverse business partners involved.
Let’s sort out the threats in the three examples of supply chain scope.
Case 1: Unauthorized access of group/affiliated companies of target company
Where development and operation are outsourced in the “supply chain of affiliated companies”, some common systems are used, and the networks are connected to each other.
In this case, there is a possibility that a company with insufficient security measures is breached, the target company is illegally accessed via a legitimate route, and confidential/personal information is tampered with and obtained.
Case 2: Internal fraud in domestic and international supply chain
This is a case of accessing a domestic data center from an overseas development base such as offshore development.
If there is a user whose ID is assigned higher privileges than the business requires, that user can access and browse confidential information that is unnecessary for the business, which can lead to leakage of confidential/personal information.
Case 3: Internal fraud in software/hardware supply chain
In the “software/hardware supply chain”, unauthorized access to the software developer working for the target company is possible, and malware and/or backdoors can be inserted into the source code.
In this case, if the user of the software/hardware applies an update without knowing that it has been tampered with, the malware/backdoor contained in the source code will be implanted in the user environment, and the attacker will exploit the vulnerabilities to attack the company.
Figure 2: Threats for Supply Chain
Best Practices of Access Management
How should we deal with these threats in access control?
The following three measures are considered, especially for access control of the supply chain:
Countermeasure 1: Appropriate access management
The information most targeted in an attack on the supply chain is the user IDs (privileged IDs) and passwords that can directly access systems and/or databases and that hold administrator privileges, root privileges, etc.
By properly controlling access to privileged IDs, unauthorized access to important systems and lateral movement (horizontal deployment) can be prevented.
It is recommended to verify that the user accessing each system is the person who is expected to have access. Examine whether the privileges assigned to each user ID are appropriate for the business, and whether access is anticipated from internal or external sources.
Countermeasure 2: Appropriate acquisition and management of logs
Next, it is necessary to acquire and store access logs appropriately.
By acquiring and storing access logs of privileged IDs that have administrator rights, it is possible to identify specific operations in terms of “who”, “where”, and “what” if an incident occurs.
Proper management of logs helps determine the appropriate range of impact during incident response. In addition, notifying users that logs are being acquired also helps deter internal fraud, so proper management of logs is very important.
On the other hand, caution is required if an ID is shared within the organization. Even if the logs are managed, it is difficult to identify “who” performed the operation, so sharing IDs is not recommended.
Countermeasure 3: Periodic audit
Finally, it is important to conduct audits periodically.
Internal fraud and unauthorized access can be prevented and detected by regularly checking whether access to the system was approved by access management, and whether the operation was necessary for business.
By implementing the above three measures, it is possible to prevent unauthorized access and internal fraud in access management of a supply chain, and detect unauthorized operations by log audit.
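The audit described in the three countermeasures can be sketched as a reconciliation of privileged-access logs against approved requests. This is an added example, not part of the original article or of any product; the record fields, account names and shared-ID list are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: approved requests (who, where, approved period).
APPROVALS = [
    {"user": "b-corp.sato", "target": "db01",
     "start": "2021-06-01T09:00:00", "end": "2021-06-01T12:00:00"},
    {"user": "c-corp.lee", "target": "app02",
     "start": "2021-06-01T13:00:00", "end": "2021-06-01T15:00:00"},
]

# Constructed sample privileged-access log: "who", "where", "what".
ACCESS_LOG = [
    {"time": "2021-06-01T09:30:00", "user": "b-corp.sato", "target": "db01", "op": "schema change"},
    {"time": "2021-06-01T18:45:00", "user": "b-corp.sato", "target": "db01", "op": "table export"},
    {"time": "2021-06-01T13:20:00", "user": "c-corp.lee", "target": "db01", "op": "login"},
    {"time": "2021-06-01T14:00:00", "user": "root", "target": "app02", "op": "config edit"},
    {"time": "2021-06-01T14:10:00", "user": "c-corp.lee", "target": "app02", "op": "deploy"},
]

SHARED_IDS = {"root", "administrator"}  # assumed list of shared accounts


def audit(log, approvals, shared_ids=SHARED_IDS):
    """Return (finding, record) pairs for access that no approval covers."""
    findings = []
    for rec in log:
        when = datetime.fromisoformat(rec["time"])
        if rec["user"] in shared_ids:
            # A shared ID cannot be tied to a person, so "who" is unknown.
            findings.append(("SHARED_ID", rec))
            continue
        granted = [a for a in approvals
                   if a["user"] == rec["user"] and a["target"] == rec["target"]]
        if not granted:
            # No approval for this user on this server at all.
            findings.append(("UNAPPROVED", rec))
        elif not any(datetime.fromisoformat(a["start"]) <= when
                     <= datetime.fromisoformat(a["end"]) for a in granted):
            # Approved user and server, but outside the approved period.
            findings.append(("OUT_OF_WINDOW", rec))
    return findings


if __name__ == "__main__":
    for finding, rec in audit(ACCESS_LOG, APPROVALS):
        print(finding, rec["time"], rec["user"], rec["target"], rec["op"])
```
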
Products and Solutions for Access Management
So far, we have explained security measures for access management of supply chain.
It turns out that the most important point is how to protect the user ID (privileged ID) and password information associated with administrator rights and root privileges, which is what attackers target most in the supply chain.
By now, some of you may have noticed, and be concerned, that operating these three measures manually can be costly and burdensome, even though it is understandable that all the measures should be applied to each relevant supply chain.
If so, we recommend installing a privileged ID management product or solution that covers these measures.
For example, in Fig. 3 “Project/Solution for Access Management”, privileged ID management products placed between company A and affiliated companies B/C achieve access control from the contractors to the data center, log acquisition, and audit.
This makes it possible to control access to the data center by users who are not approved, and also to control the range of servers that can be accessed. Even if a malicious user of company A, or an attacker who has infiltrated an affiliated company with poor security, tries to access the data center of company A, unauthorized access can be controlled and mitigated.
Figure 3: Project/Solution for Access Management
We are entering an era in which security measures are taken not only for our own company, but also across the supply chain of contractors.
Even if you strengthen your company’s security, serious incidents such as information leakage and ransomware infection may still occur through unauthorized access that pretends to be legitimate access, because the security of the supply chain is weak.
Privileged identity management solutions are useful to “make it harder” for malicious internal users to commit a crime, by restricting access to the appropriate user, for an appropriate purpose, during the approved period only.
In addition, acquiring operation logs for privileged IDs works toward “increasing the risk of being caught”. By implementing this not only as rules but as a mechanism, it can be achieved together with standardization and labor savings.
NRI Secure provides “SecureCube Access Check”, a privileged ID management solution that enables access control, log monitoring, and request/approval/trail management with quick deployment at low cost. As a company specializing in information security, we have been actively expanding its functions for more than 15 years.
If you would like to learn more details on a privileged ID management solution, please feel free to contact us.
<Features of SecureCube Access Check>