
From the outside, organizations look like autonomous entities striving to establish their unique presence in the world. However, this perception does not align with reality. Businesses depend on other enterprises to sustain their operations: a grocery store relies on its food suppliers, and a tech company depends on manufacturers of semiconductors and hardware. Collaboration is key.

In today’s landscape, the software supply chain links companies from various industries together. Software applications and operating systems rely on different segments of the software supply chain to enhance their functionalities. While this has boosted efficiency and productivity for most organizations, it also means that any vulnerability or glitch in the software could disrupt operations for numerous companies. Even security programs designed to safeguard users from cyberattacks might inadvertently introduce exploitable software or flawed updates, leading to severe consequences such as extensive data breaches, canceled flights, or medical facilities facing closures due to inaccessible patient records.

These failures within the software supply chain not only impact the company involved but also affect millions of individuals. This raises the question: why do software providers have such extensive access to an organization’s system to the extent that a single issue could result in a catastrophic scenario?

The progression of computing

To comprehend the interconnected nature of systems, one must examine the evolution of computing and software applications, as highlighted by Shiv Ramji, the President of Customer Identity at Okta.

“We transitioned from programmers coding on mainframes to adopting a cloud-based and distributed computing model,” Ramji elucidated during a discussion at the Oktane conference.

This shift has enabled companies to deploy applications more swiftly and to scale them elastically. Cloud-based applications are faster to build and run, and there are numerous advantages to architecting applications that are integrated directly into cloud and network services.

Nevertheless, Ramji points out that this evolution has led to application stacks becoming more intricate and sophisticated.

“Think about a social media or photo-sharing app,” Ramji elaborated. In the past, relying on a single data center and storage mechanism would hinder scalability and increase costs.

“But today, scalability is rapid due to utilizing storage services like Amazon’s S3, paired with scalable compute resources,” Ramji added. “Therefore, the number of users doesn’t affect our ability to cater to their needs.”

This evolution in computing has led to significantly more complex application stacks with intricate interdependencies. Cloud computing services, security measures, and networking capabilities seamlessly merge into an organization’s infrastructure.


Committing to a vendor

The growing interdependencies are causing organizations to overly rely on specific vendors and applications to maintain smooth operations. While this can foster seamless integration with third-party partners, it also incurs additional costs from not exploring better deals and heightens the risk of a security flaw disrupting your system unexpectedly. A single flawed piece of code from an embedded vendor application can result in irreversible damage.

According to research by Dashdevs, “vendor lock-in often leads to unforeseen costs and technical debt.” Relying on these embedded applications has been shown to heighten risks and expose vulnerabilities specific to vendors.

When issues arise with these embedded applications, such as exploited vulnerabilities or misconfigured code, resolving them can be intricate. It may seem simple, like deleting a problematic file or applying a patch, but what if this issue blocks your system entirely? Identifying the source of the problem within your system and understanding how to address it is crucial. Will resolving the issue through the cloud automatically update all devices, or will individual machines require updating? Moreover, what is the extent of communication between the vendor and your organization? Did you discover the problem, or was it brought to your attention, and how promptly and willingly can the vendor take accountability?

Regrettably, these questions do not have straightforward answers. Solutions will be tailored to each scenario—considering the type of vendor, how the application integrates into your network, and the ensuing challenges it presents.

“Certain systems and controls you implement have the potential to either maintain service availability for your customers or cause a catastrophic outage, akin to recent incidents with other vendors,” suggests Charlotte Wylie, Deputy CSO at Okta.

Securing customers: A vendor’s responsibility

Vendors can play a proactive role in safeguarding customers against software failures by acknowledging their role within the customer’s infrastructure. Wylie offers the following suggestions for enhancing security in embedded applications through collaboration between vendors and customers:

  • Enforce least privilege access permissions on both ends
  • Establish protocols and controls to address service degradation
  • Maintain well-managed accounts secured by your organization’s IAM team

“I believe that ensuring least privilege access and implementing proper identity management are crucial,” highlights Wylie. “Regular testing is essential to establish robust enterprise resiliency and ensure your disaster recovery plan is primed for execution—these act as your contingency plans when reliant on a collaboration of vendors.”
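As an added illustration of the least-privilege and account-management points above (this is not code from the article or from Okta), the following Python audit checks the two IAM policy documents attached to the role an embedded vendor application assumes: the permissions policy for wildcard grants and the trust policy for an open principal or a missing external ID. The policy JSON, bucket name, account ID and external ID are constructed samples, not real values.

```python
# Constructed sample policies in AWS IAM JSON form. The account ID and
# external ID are placeholders, not real identifiers.
VENDOR_PERMS_WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
VENDOR_TRUST_WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

VENDOR_PERMS_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-photos-bucket/uploads/*"}]}
VENDOR_TRUST_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise."""
    return value if isinstance(value, list) else [value]


def audit_vendor_role(permissions, trust):
    """Return a list of least-privilege findings for a vendor role.

    permissions: the role's identity policy document.
    trust:       the role's trust (AssumeRole) policy document.
    An empty list means no finding; the caller decides what to block.
    """
    findings = []
    for stmt in _as_list(permissions.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append("wildcard action: vendor gets a whole service or all services")
        if "*" in resources:
            findings.append("wildcard resource: vendor can reach resources it does not need")
    for stmt in _as_list(trust.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("open trust: any AWS account may assume the vendor role")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in conditions:
            findings.append("no sts:ExternalId condition: confused-deputy risk")
    return findings
```

Running the audit on both pairs yields four findings for the weak role and none for the scoped one; the same check can be wired into the review step where your IAM team approves a new vendor integration.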

Today, every organization heavily relies on software supply chains and applications ingrained in their intricate network structures. Operating a business efficiently in the current landscape necessitates interdependence on third parties who not only have deep access to your system but also extend through the other applications and software you utilize. Failures are inevitable. Having a well-devised recovery plan for worst-case scenarios and strategizing on how to architect networks with third-party vendors to navigate failures will prevent downtimes from spiraling into major incidents.