Importance of a Secure Supply Chain in Selecting IT Vendors

Wednesday, December 07, 2011

Emmett Jorgensen

Article by Nate Cote

So, you are charged with selecting the best IT product to implement into your organization's infrastructure, but which product should you purchase? 

Of course, there are the straightforward items that need to be addressed, such as performance, compatibility, price, and support.

But what about the actual "guts" of the product?

As the incidence of cyber warfare expands, whether it is backed by nation-states, ethically challenged corporations, or hackers, it becomes increasingly important to be able to trust the products we rely on to keep the "bad stuff" out.

There have been numerous reports of rootkits and trojans installed on component-level chips, designed to infiltrate networks from the inside. Government agencies have stepped up their diligence regarding which products are allowed to protect infrastructure at high security levels.

But, commercial businesses and end users do not always have access to the same type of information or resources that government agencies do. 

While it is difficult to really know how well an IT product company secures its supply chain against malfeasance, there are a few reasonable steps that can be taken to at least improve the chances that the product is secure.

The most straightforward is to stick with a company that has a solid reputation and a customer list that includes organizations that take their security seriously (government agencies, financial institutions, etc.).

The thought here is two-fold: 1) the organization has a great deal to lose if it compromises its customers' trust, so there should be adequate supply chain measures in place on its end; 2) you piggyback on the due diligence of peers to help validate your own independent research.

Another step is to ask whether the organization has undergone any independent testing that requires an in-depth analysis of supply chain management, such as Common Criteria.

One of the typical requirements in Common Criteria is to document supply chain integrity from the component level through production, integration, loading, and ultimate delivery via the distribution network to the end user.

The third step is to simply ask the vendor. Depending on what the request is, a vendor may be willing to disclose certain facts about its supply chain and put something in writing as part of a contract negotiation. It never hurts to ask.

Following these steps is a relatively easy way to gain additional insight into the overall security of a product or vendor. A little due diligence can go a long way toward identifying weaknesses within the supply chain and providing you with additional peace of mind.

Nate Cote is the VP of product management at Kanguru Solutions, overseeing security solutions and product development.

Cross-posted from Kanguru Blog – Technology on the Move!
