Value Chain Security: Success in a Digital World Hinges on Mitigating Third-Party Risk
Value chain security is an essential element of success in a connected economy. Ensuring that the right security is in the right place at the right time throughout the value chain—the end-to-end lifecycle for hardware, software, and services—is an imperative.
The eight stages of the value chain are shown in Figure 64
Information technology and operations technology are converging in this digitized world. It is not enough for organizations to focus only on protecting their internal business models, offerings, and infrastructure. Organizations must look at their value chain holistically and consider whether each third-party that is involved in their business model or touching their offerings poses a risk to their security.
The short answer is that they likely do: Research by the SANS Institute found that 80 percent of data breaches originate from third parties.¹⁵ To reduce risk, organizations must foster a value chain where trust is not implicit and security is everyone’s responsibility. As a foundational step toward achieving this goal, organizations should:
- Identify the key players in their third-party ecosystem and understand what those third parties deliver
- Develop a flexible security architecture that can be shared with and deployed across the variety of third parties in that ecosystem
- Assess whether those third parties are operating within the tolerance levels set by the organization’s security architecture
- Be alert to new security risks that the ecosystem may present as digitization increases
Organizations must also think about security before introducing a new business model or an offering that requires involvement by, or that otherwise affects, their third-party ecosystem. Any potential value and productivity gains must be weighed against potential risks, particularly around data security and privacy.
Awareness of the importance of the value chain is growing both globally and in specific industry sectors. Recent U.S. IT procurement legislation mandated a 1-year assessment by the U.S. Department of Defense regarding open technology standards in procurements for information technology and cybersecurity acquisitions.¹⁶ In the highly converged energy sector, the North American Electric Reliability Corporation (NERC) is actively developing new requirements addressing its cyber value chain.¹⁷
Organizations, together with their third parties, need to answer questions such as, “How will data be generated and by whom?” and, “Should the data be digitally mined?” Further clarity requires determining the answers to such questions as, “Who owns the digital assets we are collecting or creating?” and, “With whom must we share that information?” Another critical question to answer: “Who owns what liability and obligation when a breach occurs?”
This value chain-centric approach helps ensure that security considerations are built in at every stage of the solutions lifecycle. The right architecture, combined with adherence to the appropriate security standards, will help to drive pervasive security—and build trust—throughout the entire value chain.Geopolitical Update: Encryption, Trust, and a Call for Transparency
In previous cybersecurity reports, Cisco geopolitical experts examined the uncertainty in the Internet governance landscape, the rights of the individual versus the rights of the state, and the ways that governments and private businesses might navigate the data-protection dilemma. One common topic across these discussions has been encryption. We believe that encryption will continue to permeate, perhaps even dominate, the cybersecurity debate for the foreseeable future.
The proliferation of national and regional data privacy laws has created unease among vendors and users attempting to navigate those laws. In this uncertain environment, issues such as data sovereignty and data localization have come to the fore, helping to fuel growth in cloud computing and localized data storage as businesses seek a creative solution to meeting complex and evolving privacy regulations.¹⁸
At the same time, the escalating number of data breaches and advanced persistent threats, and the publicity around hacks sponsored by nation-states—including those conducted during high-profile events such as the U.S. presidential election—are making users even less confident that their sensitive data and privacy will be protected.
Governments in the post-Snowden era have been increasingly strident in their desire to regulate digital communications and to access data when needed. However, users have been just as ardent in their demand for privacy. Events such as the recent head-butting between Apple and the FBI over an iPhone belonging to a terrorist have done nothing to assuage users’ worries about privacy. If anything, it taught a generation of digital users, especially in the United States, about end-to-end encryption. Many users are now demanding end-to-end encryption from their technology providers, and they want to hold the encryption keys.
This marks a fundamental shift in the cybersecurity landscape as we have known it. Organizations are going to need to architect their environments so they can navigate and respond to competing agendas.
While this shift is taking place, more governments are giving themselves the legal right—often on a broad basis—to bypass or break encryption or technical protection measures, often without the knowledge of the manufacturer, communication provider, or the user. This is creating tension not only between authorities and technology firms but also between governments, who are not necessarily keen to see their citizens’ data accessed by third-country authorities. Many governments collect information about zero-day exploits and vulnerabilities that they discover in vendor software; however, they are not always transparent with vendors about the information they possess, or sharing it in a timely manner.
Hoarding such valuable information prevents vendors from improving security in their products and providing users with better protection from threats. Even though governments may have good reason to hold some of this intelligence close, there is also a need for greater transparency and trust in the global cybersecurity landscape. Governments therefore should conduct a frank assessment of their current policies regarding the hoarding of zero-day exploits. They should start from the default position that sharing information with vendors can only lead to a far more secure digital environment for everyone.High-Speed Encryption: A Scalable Solution to Protecting Data in Transit
As explained in the geopolitical section on page 65, end-to-end encryption will remain a topic of much debate and consternation between governments and industry for the foreseeable future. Regardless of any tension stemming from this issue, however, user demand for end-to-end data encryption with customer-held keys is increasing.
Cisco geopolitical experts anticipate that some streams and pools of data will likely remain encrypted with vendor-managed keys at least for the short term, particularly in ad-driven business models. Elsewhere, however, we should expect to see the use of end-toend encryption with customer-held keys gaining more traction, absent a legal mandate to the contrary.
Meanwhile, look for organizations to also seek more control over how they protect their data while it is in transit, particularly as it moves at high speed from one data center to another. This was once an arduous task for enterprises due to the limitations of legacy technologies and the impact on network performance. However, new approaches are making this process easier.
One solution is application-layer security, where applications are modified to encrypt data. Deploying this type of security can be very resource-intensive, complex to implement, and operationally expensive depending on how many applications an organization uses.
Another approach seeing increased traction is encryption capabilities built in to a network or cloud service to protect data in transit. This is an evolution of the traditional gateway VPN model, a solution that addresses the dynamic nature of networks and the high-speed transmission rates of data center traffic. Enterprises are using the operational and cost efficiencies provided by the new capabilities to protect data coming from any application in that environment as it travels at high speed to another location.
Network-based encryption is only one tool for protecting data, however. To ensure they are doing enough to protect their data while it is in transit or at rest, organizations should look at the challenge holistically. A good place to begin is by asking technology vendors basic but important questions such as:
- How is data protected when it’s in transit?
- How is it protected when it’s at rest?
- Who has access to the data?
- Where is the data stored?
- What is the policy for deleting data, when and if it must be deleted?
Again, these questions are only a starting point for a broader dialogue about data protection that should evolve to include a discussion of topics such as data resiliency and availability.
Network Performance and Adoption Versus Security Maturity: Online Speeds, Traffic, and Preparedness Are Not Growing at the Same Pace
Defenders want to stay ahead of their adversaries. To be behind them is to be in a potentially dangerous place. The worry is that defenders can’t improve their security posture at the same pace that adversaries can gain space and time to operate. Given the pace of growth of fixed and mobile Internet traffic worldwide, defenders are obligated to match this growth with gains in the maturity of their security infrastructure.
The Cisco VNI Forecast examines global IP traffic annually, including mobile and Wi-Fi traffic. The forecasts provide 5-year projections for IP traffic, the number of Internet users, and the number of personal devices and machine-to-machine (M2M) connections that will be supported by IP networks. (Visit here
for more details on the VNI Forecast.) For example, the forecast estimates that by 2020, smartphones will generate 30 percent of total IP traffic.
Cisco has matched the VNI Forecast to data about defender maturity, taken from Cisco’s annual Security Capabilities Benchmark Study (see page 49). In examining maturity growth rates in the 2015, 2016, and 2017 benchmark reports, as seen in Figure 65
, security maturity is underwhelming compared with the growth of Internet traffic. Some countries, such as China and Germany, actually show a slight decline in maturity over this time period. Broadband speeds, in particular, are improving and growing at a significantly greater rate than other networking variables shown in Figure 65
. Faster speeds and more connected devices foster greater traffic growth, but organizations are struggling to bolster their security measures and infrastructures at similar rates.
Certain industries also lag in terms of their security maturity compared with other industries, as seen in Figure 66
. In particular, pharmaceuticals, healthcare, and transportation are behind other industries.
It’s important to note that the dramatic rise in mobile speeds is an outcome of the broad adoption of 4G and LTE networks by telecommunications providers. When large-scale deployments of 5G networks become available toward the end of this decade, mobile speeds are expected to become comparable to fixed network speeds. According to the current Mobile VNI Forecast, global mobile traffic will likely gain a greater share of total IP traffic when 5G is broadly adopted. Global mobile traffic was 5 percent of total IP traffic in 2015, according to the VNI Forecast; it is projected to be 16 percent of total IP traffic by 2020.
It’s clear that security organizations must step up their maturity efforts, and quickly, if they are to match the growth in Internet traffic, which portends growth in the potential attack surface. In addition, organizations must respond to the growth in the use of endpoints that are not fixed or wired to corporate networks. They must also accommodate a more widespread use of personal devices from which workers access corporate data.
Faster speeds are not the only factor driving growth of Internet traffic. The IoT is accelerating the number of devices that are attached to the Internet, not only adding to the growth of traffic but also adding potential pathways for attackers.
For more information about the Cisco VNI Forecast, visit the Cisco website
or read the Cisco blog post on the annual VNI forecast for 2015 to 2020