From the outside, organizations look like autonomous entities, each striving to establish its unique presence in the world. That perception does not align with reality: businesses depend on other enterprises to sustain their operations. A grocery store relies on its food suppliers; a tech company depends on manufacturers of semiconductors and hardware. Collaboration is key.

In today’s landscape, the software supply chain links companies from various industries together. Software applications and operating systems rely on different segments of the software supply chain to enhance their functionalities. While this has boosted efficiency and productivity for most organizations, it also means that any vulnerability or glitch in the software could disrupt operations for numerous companies. Even security programs designed to safeguard users from cyberattacks might inadvertently introduce exploitable software or flawed updates, leading to severe consequences such as extensive data breaches, canceled flights, or medical facilities facing closures due to inaccessible patient records.

These failures within the software supply chain not only impact the company involved but also affect millions of individuals. This raises the question: why do software providers have such extensive access to an organization’s system to the extent that a single issue could result in a catastrophic scenario?

The progression of computing

To comprehend the interconnected nature of systems, one must examine the evolution of computing and software applications, as highlighted by Shiv Ramji, the President of Customer Identity at Okta.

“We transitioned from programmers coding on mainframes to adopting a cloud-based and distributed computing model,” Ramji elucidated during a discussion at the Oktane conference.

This shift has enabled companies to deploy applications more swiftly, with the ability to scale them elastically. Cloud-based applications offer enhanced speed, with numerous advantages in architecting applications that are integrated into cloud and network systems.

Nevertheless, Ramji points out that this evolution has led to application stacks becoming more intricate and sophisticated.

“Think about a social media or photo-sharing app,” Ramji elaborated. In the past, relying on a single data center and storage mechanism would hinder scalability and increase costs.

“But today, scalability is rapid due to utilizing storage services like Amazon’s S3, paired with scalable compute resources,” Ramji added. “Therefore, the number of users doesn’t affect our ability to cater to their needs.”

This evolution in computing has led to significantly more complex application stacks with intricate interdependencies. Cloud computing services, security measures, and networking capabilities seamlessly merge into an organization’s infrastructure.


Committing to a vendor

The growing interdependencies are causing organizations to rely heavily on specific vendors and applications to keep operations running smoothly. While this can make integration with third-party partners seamless, it also carries the cost of forgoing better alternatives and heightens the risk that a security flaw in a vendor's code disrupts your systems without warning. A single flawed piece of code from an embedded vendor application can result in irreversible damage.

According to research by Dashdevs, “vendor lock-in often leads to unforeseen costs and technical debt.” Relying on these embedded applications has been shown to heighten risks and expose vulnerabilities specific to vendors.

When issues arise with these embedded applications, such as an exploited vulnerability or misconfigured code, resolving them can be intricate. The fix may look simple, like deleting a problematic file or applying a patch, but what if the issue has taken your systems offline entirely? You need to identify where in your environment the problem originates and how it can be addressed. Will a fix delivered through the cloud update every device automatically, or must each machine be remediated individually? How much communication exists between the vendor and your organization? Did you discover the problem yourself, or were you notified of it, and how promptly and willingly does the vendor take accountability?

Regrettably, these questions do not have straightforward answers. Solutions will be tailored to each scenario—considering the type of vendor, how the application integrates into your network, and the ensuing challenges it presents.

“Certain systems and controls you implement have the potential to either maintain service availability for your customers or cause a catastrophic outage, akin to recent incidents with other vendors,” suggests Charlotte Wylie, Deputy CSO at Okta.

Securing customers: A vendor’s responsibility

Vendors can play a proactive role in safeguarding customers against software failures by acknowledging their role within the customer’s infrastructure. Wylie offers the following suggestions for enhancing security in embedded applications through collaboration between vendors and customers:

  • Enforce least privilege access permissions on both ends
  • Establish protocols and controls to address service degradation
  • Maintain well-managed accounts secured by your organization’s IAM team

“I believe that ensuring least privilege access and implementing proper identity management are crucial,” highlights Wylie. “Regular testing is essential to establish robust enterprise resiliency and ensure your disaster recovery plan is primed for execution—these act as your contingency plans when reliant on a collaboration of vendors.”

Today, every organization heavily relies on software supply chains and applications ingrained in their intricate network structures. Operating a business efficiently in the current landscape necessitates interdependence on third parties who not only have deep access to your system but also extend through the other applications and software you utilize. Failures are inevitable. Having a well-devised recovery plan for worst-case scenarios and strategizing on how to architect networks with third-party vendors to navigate failures will prevent downtimes from spiraling into major incidents.