Yes, the question is “Are you really secure?” Now that I’ve asked a loaded question, let me get to the point.
The term “secure” has a lot of different meanings depending on the context in which it is used. From a corporate security perspective, the options are somewhat limited to physical security, such as video surveillance or physical access, and logical security, such as access to your laptop or your data. But when you ask security professionals whether they are secure, they will almost certainly interpret the question in terms of what they can control, and will most likely answer “yes”.
Well, what about the things you cannot control? You can control which products you buy to provide security, you control how they are installed and configured, and you control the processes and procedures that identify how they are managed and updated. But, can you control how they are manufactured?
In the wake of the recent RSA security attack, companies are now realizing that there is another type of security they need to consider: is the product I’m receiving from my suppliers secure? We know that the integrity of the RSA SecurID is one of the best in the business, but in light of the recent attack, RSA has announced changes to its delivery processes to address the issue. You can read more about it here.
So, what this is really saying is that you not only have to trust the company whose products you are using, you also have to trust that it follows safe practices in manufacturing and distribution, from the chip on the motherboard to the firmware and software running on that device. Just like an operating system or browser, firmware and software can have bugs, back-doors and other less-than-desirable features that may not be found for months or years after the device has been put into place. The concept here is typically referred to as secure supply chain: the way manufacturers control and secure their products by governing everything from the storage of raw materials, through work-in-progress inventory, to finished goods, from point of origin to point of consumption.
I suspect that you are going to hear a lot more about secure supply chain. It’s an area of security that is normally kept behind closed doors, but as you can see from the RSA example, it’s one that impacts not only the companies that manufacture the products but the consumers of those products as well. And it’s not just the enterprise environment; those same products are also in all the clouds. As I said before, this is an area that your security staff cannot control, so trusting your vendors is a must.