Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. My guest today is Dr. Phillip Messerschmidt, and together we will dive into a topic that has lots of acronyms, lots of four-letter, five-letter acronyms, but we want to add real life to that and we want to dig into real applications of this principle. We want to talk about Supply Chain Risk Management or Cyber Supply Chain Risk Management, and for looking into this I welcome Phillip. Hi Phillip, good to have you.
Matthias, nice to be here today and to talk about that interesting topic with you.
Right. Usually I ask my guests about the definitions. This time I do it myself. So Supply Chain Risk Management, at least as a starting point, that is the risk that we assign to everything that does not originate within our own organization. So it's the process of identifying, assessing and mitigating risks that we inherit from the Supply Chain, from services that are provided by third parties, and we want to make sure that everything that comes in from the outside, and that can be anything, that could be digital services, that can be physical services, goods, or just information, that this is well maintained. So we want to make sure that Cyber Supply Chain Risk Management minimizes disruptions. And is there a reason to do that? Yes, of course, but is there a reason that is imposed on us? Yes. And it's really getting bigger because many of the newer regulations, think of DORA in finance, think of NIS-2 in anything critical, they demand Cyber Supply Chain Risk Management. They want you to look at the Supply Chain. When we translate that into Cyber Supply Chain Risk Management, it's of course everything that we inherit, that we receive digitally from third parties, and that can be anything again, from information, from services that are provided through cloud providers, and even software that we incorporate within our own products. And we need to watch the Supply Chain and not only a single step, but multiple steps. So the Supply Chain for the Supply Chain for the Supply Chain for us. But in the end, is this really a threat, Phillip? Why is this important?
So it is really a threat. If I remember correctly, a very high percentage of threats comes from the Supply Chain. So we have seen that in the past year with the SolarWinds incident. And we have seen the result of that incident and how many organizations were part of that incident. And I think it's more important that we face this challenge because in the end, if one fails, one organization fails, one software fails, we all fail like little dominoes. And the effect is on a very large scale, so that a lot of companies are part of this incident in the end. So there is a large threat, especially due to the highly digital landscape that we have. Any company, every company is part of this Supply Chain in the end. So we are connected to all of our suppliers, and they are connected to their suppliers, and so on. So in the end, if one fails, potentially all fail until we reach somebody that blocks this incident for a reason. We have seen that with SolarWinds. This was just one organization, one thing that failed, and hundreds of organizations were a victim of that threat in the end.
Right, and if we look at this demand that can come from our own security departments that says, make sure that you take care of your Supply Chain. And as I said, there are external drivers that make us take care of that. How can we do that? So this looks like a very high goal, but in the end, we need to provide a proper foundation to look into actually operationalizing this Cyber Supply Chain Risk Management. What can I do? What are typical key components that organizations need to deploy to make sure that they comply with this request?
So there are a lot of components out there that you can apply to mitigate that risk. So examples would be risk identification, so that you are able to understand your own Supply Chain and the risks that emerge from that. The supplier risk management, so not just the identification, but also evaluation of your supplier and the risks and threats that come with the supplier. Then you can react. Threat detection and monitoring. So if you see that, you need to be conscious of that threat and react to that threat in the end with mitigation strategies. So that means if you find a threat by monitoring or by detection, you need to know what to do in the end. And this is also part of the business continuity or resilience, so that you are always aware. If something happens, what do I need to do? And that you do that regularly as an exercise so that everyone knows what is the next step. What you can do is also to follow certain compliance and certain standards, certain regulations out there. So you mentioned that already. And yeah, these are just some components that you can have in place. But there are certainly more than that and they are much more detailed than what we can cover right.
I like the idea of bringing together two other episodes of this podcast that I just did. I did an episode with Alexei, our colleague, and he talked about the more modern, the more AI, even the dark web monitoring aspect of cyber threat intelligence, which is really this proactive looking at threats. And that is part of the Cyber Supply Chain Risk Management as well. So understanding the constantly changing threats that are out there, even involving your suppliers in the end. So that is the more technological, the more forward-looking AI style and technology thingy. On the other hand, I did an episode with Christopher around cyber hygiene, which is in the end just making things right, even on a manual basis, on a day-to-day basis. And I think for Cyber Supply Chain Risk Management, both come together. We need to understand the risk. We need to understand the attack surface. On the other hand, we want to make sure that we do things right in all relevant areas. And saying all relevant areas, we both are advisors, analysts in the area of Identity and Access Management. So now we've come full circle. The question is, if we want to do Cyber Supply Chain Risk Management or just Supply Chain Risk Management properly and on a daily basis, that of course also has some influence on the way we do IAM, and especially when we look at Identity Management for specific identities, saying partners, business partners, the Supply Chain. So now that I've talked that long, how can IAM support Cyber Supply Chain Risk Management?
So when we think about IAM, we can split it up in Identity Management and Access Management. And in each of the areas, there are multiple possibilities to support Cyber Supply Chain Risk Management. So that means, for example, third party Identity verification. In general, the onboarding and offboarding of identities, especially the external identities or the B2B identities. Then a centralized Identity Management is always a good thing, not just for B2B identities, but in general. And an important thing is also how you handle federated identities. So your Federated Identity Management is also an important thing when you think about the Supply Chain. On the other end, we have the Access Management part. And there, it's all about authentication and authorization. So when you think about that, properly authenticating identities, and doing the authorization part properly, mentioning RBAC, ABAC, PBAC, but in general, the vendor and third party access controls. I really want to know who is accessing my data, my information, and when and where and so on. So that is really important. That does not end with the access controls and the access governance, but also more around the topic of auditability and compliance and risk. And on top of that, when we think forward and about the trends that we see in the market, we can also think about zero trust implementation. So this is something where you raise the minimum requirements for access a lot, especially for the B2B identities. That is important with respect to reactive controls. Incident response and recovery is also one of the components of IAM that becomes much more important when it comes to handling the identities themselves and their access.
Right, and if we look at, if we go back to the Identity part, so really understanding who somebody is before we even assign access to that, why is that at all a topic when it comes to B2B IAM? Usually we take care of our own lifecycle processes. Of course, we have a proper, well-designed, well-functioning, highly automated Identity and Access Management that takes care of our own identities. What changes when we federate identities, when we inherit identities from somebody else? Where are the threats in that scenario?
So when we think about Identity Federation, I think the main challenge is that we rely on somebody else's processes and controls. So basically we give that part away to somebody else. And the idea that we have is, okay, he will do the job and I believe that he does a good job there. So the processes are in place, they are at least on the same level as my processes are. The trust level of that Identity and then the information of that Identity are at least on the level where I need them to be. And I think that's a little bit the gamble that we have here when we think about Identity Federation. So a lot of companies rely on that Identity Federation without checking that. So they just say, OK, whoever is coming, I federate that person based on Microsoft technology, for example. And I don't check what the company is doing. I don't really control the processes behind that. So if that person has a weak password or has received a token in a very insecure process, or received a second factor very easily within that organization, that is usually not checked. And if we think about the zero trust approach to say, I frequently check the access or the authentication or whatever, for example, every five minutes, that does not really help if the person has a very weak password or very weak second factor due to a very weak process. So that is, in my personal opinion, a real challenge.
Right, and I think in the end we end up with the concept of trust, which might be and can be a very weak principle unless it is well founded in processes and well managed when it comes to dealing with trust. And that's maybe also some reason, highly interesting reading, although it is not really a thriller. You might want to look at NIST SP 800-63, which comes with three concepts, the Identity Assurance Level, the Authentication Assurance Level, and third important, the Federation Assurance Level. How much can you trust a federation on a technological level? On the other hand, also on a trust level. And this is something that you need to make sure that you properly understand when you federate with a third party, with a Supply Chain member downstream in your Supply Chain, that you really understand, are these processes all that you just described? Are they well managed? Are they really well understood? And do you understand as the consuming organization what changes actually mean within that? And as I said before, we were on the Identity layer; if we move to the access layer, the same holds true for everything else. If you assign access based on attributes from an Identity that is federated, you have to rely on these attributes. If this guy is no longer or this lady is no longer within that position, they should not have proper access to some of your systems. You rely on the proper management of that. And I think if we translate that from Identity and Access Management to anything else in Supply Chain, think of consuming software libraries. You rely on that, that they are properly tested, that the software provider applies proper testing according to established standards. And they assure you with that. So you rely on that. It's trust in the end. Going back to zero trust, and never trust, always verify. The question is, how can we verify? How can we deal with that? So in the end, Cyber Supply Chain Risk Management is getting more and more important. Question mark.
Yeah, absolutely. When we think about the example of the libraries, the big question would be, did you check that? Did you ask the right question? And if you ask the right question and you stumble upon this information that there are libraries used that are no longer supported and therefore pose a threat, what would you do about that? So would you as a person or would you as an organization accept that risk?
True, and that is important because all of us, we scroll through all these terms and conditions and in the end say yes, just to access a service. And if you're in a hurry and in a rush and you consume a library that provides all this fine functionality that you really need for your software, you either neglect that or you check it. There are mechanisms in place. And now going back to a more serious tone again, it's really something that they are working on. We are working on that from an IAM perspective to ensure that there's proper B2B Identity and Access Management for partners, for large customers, which come with their own Identity life cycles. This is something that we need to do and that every larger organization needs to do. If we look at software, there's this software bill of materials as a technological proof that proper regression testing and everything has taken place. And that is all packed into a single BOM that is digitally signed and trustworthy. And that is exactly these types of measures and controls mitigating the cyber Supply Chain risk. So in the end, sometimes you have to rely on somebody else's way of doing things, on their control, and then it's trust, and then maybe it's just a contract that is behind that. But it's much better when you can, again, verify. So put the proper controls in place, have the processes in place, maybe even going a step further. What else could you do when it comes to checking that? Really trying to break systems?
I'm not sure about the breaking part, to be honest. But the question is, if you identify something that you don't agree with, how would you react? So would you say, I accept that risk? Or would you say, I don't use that software? And what we often see is that companies react with a risk exception. And when we think about that risk, isn't that really a good move? When we think about one individual that might be OK, but we see a lot of companies doing that. So what would that mean if all of the companies would accept that risk? That would basically mean that this vendor is not forced to improve that risk. And at a certain point, that risk will kick in. This is just a question, a matter of time until an attacker will find that vulnerability and will probably compromise that software. So if we as an organization or an individual, it doesn't matter, don't have the confidence to say, I don't install that software, please vendor, improve or update your software. Unless we are doing that, they will not change it. So if every company, every organization accepts that risk, we are not able to change it. We will have these vulnerabilities in the software that we use. And this is definitely a challenge.
Right, and now we've come the second time full circle because the term is Cyber Supply Chain Risk Management. And this is everything that it's about. We need to understand the risk that it poses and we need to assess the risk and really identify and decide what actually we are doing. Are we restrictive? And that is what I meant with breaking the system. If the risk is too high, don't do it. That could mean that you break a service, that you do not fully deliver on what your promises were towards your customers, towards your Supply Chain, but you make sure that you provide a system that is compliant to this principle of Cyber Supply Chain Risk Management by being restrictive. Or you do this risk acceptance that you said, so really making sure that you say, okay, I get the risk, it's not that high, I can accept it temporarily, and I maybe add some additional mitigating measures. But that would be something that needs to be done on purpose. I think this is what we should focus on. Risk management means understanding risk in the first place and then identifying the right controls. Often we need to, in my opinion, make sure that we just don't do it unless it is really fixed. And the more components we integrate, and if you look at cloud native software development companies, there's not only a single source of software, a single source of threat information, of digital services that they consume, cloud service providers providing infrastructure services. There are so many digital services that they consume. Cyber Supply Chain Risk Management is a real task in these environments. But in your opinion, having worked with lots of highly regulated industries, is this yet fully understood, and are organizations as restrictive as necessary?
I think so. Most of the companies I'm working with, they have this not on their radar. You can see that especially when you think about the Federated Identity challenge that we just talked about, but also on the other hand, when you think about every external Identity that is coming to an organization that is not federated. So basically onboarding and offboarding of B2B identities or external identities. When we think about that, the number that is coming in and going out, which is just an estimation, is around 50% of the actual identities this organization has. So that would mean if you have an organization or a company with 100 employees, you would have a yearly fluctuation of around 50 external employees over the year. That means you have one new external Identity coming in every week. And for that Identity, you have basically no idea about its access and how long it would stay within your company. That could be an hour. It could be a minute. It could be a week. You simply don't know if you don't check it, if you don't assess that. So the question around that and the real challenge is, if your company is around 100 employees, and you check every new Identity, one every week, is that economically feasible? And I think the question must be, you have to check this Identity. So you need to ensure that this person that is coming in is really the person it should be, it says it would be, and that you control all access that this person has. Otherwise, and this is important, these identities usually have even privileged access to your systems. So you would have an Identity in your systems that you are not aware of, but that has privileged access. And you don't know if that person is in your system right now, is not in your system right now, or if that person is somebody else. So yes, people should be aware of Cyber Supply Chain Risk Management or Supply Chain Risk Management.
And Identity proofing or at least Federated Identity Management should be the first part that IAM can deliver to that security measure. But usually organizations are not aware. So with the weak onboarding process for externals, this is a real threat to all organizations in that Supply Chain, not just the organization itself.
Right, and weak onboarding is just the starting point. A weak lifecycle in the end, with onboarding being an important part of that, just continues that story. So I think we did a great job in giving our audience a bad conscience. That's good. So really make sure that you really look into your own systems. And if you want to take one suggestion, maybe that from us, from practical experience. Everybody loves working together with your Supply Chain or with your partners or with us as analysts via Teams. And then you quickly onboard guests into a system and give access to SharePoint folders, with most of the mechanisms that you are used to in your highly automated, well-designed IAM in general. These mechanisms are missing when it comes to guest accounts, to make sure that there's an offboarding, there's an end date, there's a date where these just expire. If you think you can improve there, then this is your homework for today. That you really look into your guest management processes, that might help you in improving your own Cyber Supply Chain Risk Management in the first place. This is something that we see in practice. We would never talk about our own customers, but this is a challenge. Guest accounts, right?
Absolutely, especially with the zero trust coming up and the perimeter fading away. I'm allowed to say that this way. In general, the exchange of identities and internal external identities, guest accounts, that is becoming much more frequent. And we require a much higher time to market for most of the processes. So guest accounts are just one example. We have contingent workers out there. Sometimes these challenges are resolved with shared accounts, which is potentially the worst possible way to do that. But these are the challenges. And I'm not sure if every organization is ready for that perimeter to fade away, to be honest, when I see how people or how organizations handle the onboarding and offboarding processes.
Yeah, I would fully agree, but it's improving. We are working together with organizations. Many of the consulting companies are working towards improving that and many organizations are working, but we're not yet there. And really fulfilling all these requirements that I've mentioned earlier, DORA, NIS-2, TISAX, whatever you have, they all come with this Supply Chain Risk Management with continuous risk monitoring. This is not a simple task. This is really work to do. And I think that's a great starting point for just improving your own cybersecurity posture in general. So we stop with that because, as I said, we did a good job in providing a bad conscience for all those who are listening. If you have questions, if you have suggestions around this topic, if you think we are wrong, please leave your comments in the YouTube section below. So in the comment section, or drop us a mail or leave a comment wherever you are watching or listening to that. We are really interested in your feedback. We are really interested in continuing that discussion. Because this is such a theoretical term and it comes with such really tangible results that you need to implement. It's a topic that will stay with us for the next years and it will not get better unless we get better at that. With that, Phillip, final word?
So Supply Chain Risk Management is a moving term right now. It's something that is happening every day. It's something that is highly up to date right now. So anyone should be aware. And my suggestion for that, don't rely on somebody else's controls. Try to do it yourself. Try to improve your controls and your processes that you have in place. And if you are in doubt, be the bad guy. If you don't get a proper identification or a bad authentication, don't give these people access to your systems. So in doubt, don't do that.
Great summary, no addition from my side. Thank you very much, Phillip, for being my guest today. Looking forward to having you soon again. Thanks.
Thank you, Matthias.
Bye bye.