Breaking the Chain of Trust : Implementing zero trust into cyber supply chain environments
Open access
This publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.
Abstract
Cyber supply chains have become a common avenue for cyberattacks targeting global organisations. Threat actors use attacks ranging from low-level phishing to sophisticated zero-day attacks, driven by motives ranging from criminal theft to corporate espionage or harming critical infrastructure. The connected and complex nature of cyber supply chains makes them hard to control, which makes vulnerability management a difficult task. Furthermore, the consequences of successful attacks on cyber supply chains can cascade to multiple organisations and cause varying damage to the supply chain partners. Traditional perimeter-based security models often fail to overcome the complex challenges of cyber supply chains, prompting interest in zero trust, a potential approach to mitigating the risks arising from the cyber supply chain through continuous verification, strict least-privilege access policies, and proactive processes.
The purpose of this paper is to study how zero trust principles can improve cybersecurity in cyber supply chain environments. To that end, a literature review is conducted to identify the key issues of cyber supply chains and how the characteristics of zero trust could, in theory, solve them. These results are then verified through an empirical study that examines which zero trust controls have been implemented across Finnish organisations.
This study takes a socio-technical approach, using a people, process, and architecture framework to gain a holistic picture of how organisations approach mitigating the risks arising from cyber supply chains. The large size of cyber supply chains and their complexity, which is caused by the number and heterogeneity of the machine and human components in them, call for a holistic solution, which makes the socio-technical approach suitable for this study.
In this paper, a qualitative multiple-case study was used to study Finnish organisations across different sectors and sizes. The empirical data was gathered through semi-structured interviews with the people responsible for cybersecurity. The results were analysed using the Eisenhardt method by building case profiles of the organisations, dividing them into groups based on their size and zero trust maturity, and conducting within-group and cross-group comparisons. These results provide empirical evidence of how zero trust controls are implemented across Finnish organisations.
This study found that, in the threat landscape surrounding cyber supply chains, phishing was the most critical threat due to its volume, but more sophisticated attacks such as malware were also mentioned, which is consistent with the existing literature. To mitigate the risks of cyberattacks on cyber supply chains, the literature presents multiple foundational zero trust controls, such as MFA, micro-segmentation, and background checks, which are suitable for protecting such large and complex environments. The empirical results of this study show that Finnish organisations have implemented zero trust controls to secure their cyber supply chains against threats, although the variance between organisations was high. The controls were found to be implemented in all three domains, showing that the implementation was not composed merely of technical controls. The results also showed that controls from the people domain were implemented more in low- and medium-maturity organisations, suggesting that they might be easier or cheaper than process or architecture controls. This study shows that zero trust is a viable solution for mitigating cyber supply chain threats, and that elements of zero trust have been implemented by real-life organisations. To contribute to the existing literature, this study provides empirical evidence of zero trust implementations in cyber supply chain environments.