Getting a Handle on Supply Chain Security Risk

Add Your Comments

WINSTON SAUNDERS<BR/>IntelWINSTON SAUNDERS
Intel

Winston Saunders has worked at Intel for nearly two decades and currently leads server and data center efficiency initiatives. Winston is a graduate of UC Berkeley and the University of Washington. You can find him online at “Winston on Energy” on Twitter

Asset and privacy protection face increased challenges as devices in our homes and workplace become “pervasively connected.” In my own home, the number of connected devices appears to be doubling about every two to three years - with little sign of relenting .

Pervasively Connected in the DC

The same trend is true in the data center. IP-enabled power strips, temperature sensors, humidity sensors and cameras are just a few of the “connected” devices available. Add to that servers, routers and storage devices and other devices feeding software-based intelligence in the data center and you start to get the picture.

More connectivity brings benefits, but also the potential for security vulnerabilities and even malicious code, whether intentional or unintentional.

As an example, consider the recent disclosure that user video-chat data was insecure. I’ll ignore the “Big Brother” overtones and rather focus on the case as a good paradigm for a “supply chain” vulnerability. You select a product based on supplier reputation and capability, perhaps without thought to potential vulnerabilities. And then you use it with confidence, only to discover you are not as private as thought. If users or the supplier had only asked the question, “What is my risk if basic security controls like encryption are not implemented?” Some exposure might have been avoided.

Evaluating Risk

Risk assessments are the heart of improving security and are essentially based on defining the right kinds of questions. Given the complexity of the Information and Communications Technology (ICT) supply chain, NIST has taken a huge step forward in addressing assessing threats and controls in the supply chain by defining an excellent basis of questions that need to be asked. The NIST view is that procurement is an integrated part of overall security posture  (“built in, not bolted on”) and has acted on that by integrating Supply Chain Risk into NIST SP800-53r4 “Security and Privacy Controls for Federal information Systems and Organizations.”

As a testimonial to the robustness of their approach, the U.S military recently announced their convergence to the NIST Framework.

A growing industry practice is to use the framework to review supply chain risks based on the controls assessments in NIST SP800-161. I believe it will continue to grow rapidly in importance.

So it’s worth a look. While the publication is long (almost 300 pages), even the highest level key concepts make solid sense. And from there one can drill in to specific areas of vuletnerability.

At the highest level, the assessment deconstructs in to three tiers:

  • System components
  • Development and Operational Environment
  • Logistics and Transportation.

In the above camera example, un-encrypted camera data is both a system component and potentially a development environment vulnerability depending on perspective. Two questions SP800-161 asks is “What are the vulnerabilities?” and “Was vulnerability testing done?” Depending on where you are in the supply chain, either question may be relevant to ask.

Now turn that into a set of questions about the connected infrastructure in your data center. While the risk framework, at first glance, may seem daunting, I’d strongly encourage someone in your organization to read through it to understand and select a subset of risks. Have your suppliers considered appropriate controls? Understanding your vulnerabilities and getting a handle on what it takes to address them is a good way to stay ahead of the “bad guys.”

Cybersecurity Threats Are Real

As FBI director James Clapper recently updated Congress, it’s true that the security threats of destructive cyber-attack on critical infrastructure is real and growing.

Your data center is your company’s critical infrastructure. If we all embrace risk assessments and insist on good practices throughout our supplier chain, the whole industry will benefit. Your challenge, and the industry’s challenge, is to begin that journey.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.

Add Your Comments

  • (will not be published)