The growing interconnectedness of digital services and infrastructures creates tight and recursive security interdependencies between their providers, which are challenging to address because cybersecurity operations are fragmented across organizations. Secure and reliable operation of the whole chain requires each provider to improve the security posture of its suppliers. However, existing practice relies largely on human interaction for disclosing vulnerabilities, reporting alerts, and suggesting remediation, which has proven largely ineffective and risky.
Digital Service Chains are more challenging to set up and operate than other forms of supply chains because they usually follow "meshed" operational models instead of more conventional "linear" patterns.
In a meshed model, applications rely on continuous interaction with external devices, services, infrastructures, and data at run-time, which typically yields complex, non-linear, opaque, recursive, and dynamic interdependencies.
The existing fragmentation of cybersecurity operations prevents a common and coherent strategy for the entire chain and leaves many open issues:
- Multi-ownership, which hinders mitigation of and response to attacks originating in other domains when the owner does not collaborate
- Dynamic, partially unknown, and opaque topologies, which hinder a complete and holistic assessment of vulnerabilities, the prediction of the impact of changes, and the localization and tracking of data
- Scarce or no visibility and control over services and infrastructures operated by third parties
- Lateral movement between services, which exploits the weak security controls that existing business relationships leave in place
- Broad attack surface, due to weak links in the chain that lack strong security policies