Choose Partners, Data, Protocols carefully. Diversity is important

Recently, the DNS has come under an extensive attack. The so-called “DNSpionage” campaigns have brought to light the myriad methods used to infiltrate networks. These attacks employed phishing, system hopping via key exfiltration, and software zero day exploits, illustrating that many secure networks may not be fully protected.

When organizations and nations set out to build secure global networks, policy makers, technicians and architects often focus on operational aspects, such as performance, network coverage and routing, and technical support procedures. Public and private sector procurements for global public assets may add other requirements. For example, in 2011, the Australian^[1] government banned Chinese telecom vendor Huawei from the country’s $38 billion National Broadband Network (NBN) tender. Huawei has made headlines recently also.

Too often, companies touting secure networks focus on the security of the data at rest, or of the data in transit, and believe that this is the most important thing to secure. Other factors may be even more important to consider. For example, is the data traveling on a network whose integrity is not questionable? Is the data stored on equipment from reputable vendors? Is there the ability to look into your supply chain to determine if the data is on equipment from vendors who are either of questionable heritage, or whose integrity has been doubted.

Our extensive experience building and managing secure global networks shows that focusing primarily on operational parameters may miss several critical aspects in the supply chain, including:

• The security profile and footprint of each vendor and their downstream supply chain;
• The origin and type of hardware and software used by each provider;
• The protocols used to secure data inside a provider’s network;
• Contractual and audit commitments to vet each vendor’s downstream supply chain
• Procurement diversity: How diversified is each component of the infrastructure - including software, hardware, operating systems, and upstream providers; and
• Business Continuity Plans: The reassurance that these organizations have a comprehensive plan which includes business continuity practices to mitigate a catastrophic (zero day) failure. Certifications such as ISO 27001 and 22301 (or equivalent) are useful mitigations.

It is also important to make this an ongoing risk management discussion. Providers make changes to their infrastructures and products that should influence your own assessment of the risk you are managing, and have comprehensive strategies in place to mitigate these risks. It is essential to conduct regular audits of your understanding of what your vendors have and continue to do so.

In short:

• Secure your data internally AND externally (careful how/where you store data).
• Secure your data in transit (encrypt data in transit).
• Choose providers with a security profile equivalent to your own (high integrity providers).
• Build diversity (no single point of failure).
• Practice risk management (audit and enforcement).

Proper consideration of these factors, balanced with recognition of any specific contractual requirements, and you will be on your way to building a secure global network.

[1] Afilias is the technology provider for Australia’s .AU domain, and conforms to relevant requirements.