The Digital Economy is transforming the way that organizations operate. Deploying a secure, trustworthy infrastructure is no longer enough. Security must be designed into all facets of an enterprise’s network and its third-party ecosystem. At the same time, enterprises of all sizes must shrink the attack surface and foster an open, security-aware culture, both internally and throughout their value chain.
Given Cisco’s commitment to being trustworthy, transparent and accountable, I have been thinking quite a bit lately about the importance of collaboration.
Partnering for improved security
Ensuring that your value chain embraces security wholeheartedly requires a commitment to collaboration. Embracing that commitment can enhance and accelerate security innovation. A true partnership that focuses on security can also create opportunities for previously unexplored operational excellence.
In this environment of advanced threats along every point of the value chain, I’d like to talk about what it means for you, our customers and partners, to have supply chain security throughout the product lifecycle.
I’ve just finished a short video on this topic. I’d love to hear your feedback, insights and suggestions on securing the product supply chain.
I’ve been thinking lately about how collaboration can work for the IT industry as we strive to address security. Cisco’s supply chain security capability focuses on three key exposures: taint, counterfeit and misuse of intellectual property.
Specifically, I’ve been thinking about how we might detect and mitigate against counterfeit ASICs. I have a hunch that, working with the semiconductor industry, we can achieve this goal.
As the focus on securing Information and Communications Technology (ICT) supply chains intensifies, the number of standards and guidelines is increasing at a troubling pace. These well-intended efforts to provide a framework for security may very well be “cooking the global ICT supply chain goose” without moving the security needle. For more on this challenge, see SC Magazine, From the CSO’s Desk: The proliferation of mandates.
On September 19, 2012, a status report was presented from the Supply Chain Security Technical Working Group. The group was formed in March 2012, with the approval of the Common Criteria Development Board, to produce a Common Criteria Supporting Document that technical communities can use and adapt for their protection profiles.
The information and communications technology (ICT) supply chain has become increasingly complex, with logically long and geographically diverse routes, including multiple tiers of outsourcing. This leads to a significant increase in the number of organizations and individuals who “touch” a product, and thus increases the likelihood that a product’s integrity will be compromised. Ensuring that ICT products from commercial software and hardware providers are free from vulnerabilities introduced via the product developer’s supply chain is a growing concern, which has manifested in proposed legislation and draft government regulations, as well as in publicized attacks.
Exacerbating those concerns is the fact that awareness of supply chain risks and potential mitigations is not widely shared within the ICT industry, academia, government regulators, and product acquirers.
The product life cycle, and its corresponding supply chain aspects, extends from design to sourcing, manufacturing, distribution, delivery, installation, support, and end-of-life. Each stage presents potential threats of attack: the introduction of counterfeit products or components; product taint, for example via malware or an integrity breach; disruptions to logistics and delivery; and tampered communications between the product developer and the customer, or between the customer and supplier.
The initial Supply Chain Security Supporting Document will describe several of these threats in more detail, specify additional threats, suggest assurance requirements, and recommend best practices for product manufacturers, evaluators, certifiers and end users.
As communities incorporate targeted material from the Supply Chain Supporting Document into protection profiles, and vendors complete Common Criteria security evaluations against those protection profiles, customers will gain additional assurance of the product developer’s actions to secure their supply chain, and confidence in the manufactured product they are receiving, all under the globally accepted Common Criteria framework.