
The crucial role of digital supply chain sovereignty

As supply chains become increasingly digitized, a company’s ability to maintain sovereignty over the complete distributed network is becoming mission-critical in many industries.


As businesses evolve rapidly to match changes in consumer behaviours and market conditions, so does the way that they are thought about. Once considered monolithic structures encased in bricks and mortar facilities, recent thinking sees businesses characterized more as supply chains.

A good definition of this is supplied by ENISA, the European Union Agency for Cybersecurity. “Supply chain refers to the ecosystem of processes, people, organizations, and distributors involved in the creation and delivery of a final solution or product,” it writes.

Few businesses in the modern era are completely vertically integrated, with the result that most organizations sit at the center of an interconnected network of flows of materials and services that exist between them and other business entities. The word ‘chain’ suggests linearity (which may have been the norm in “traditional” industries), but the reality is that this network more closely represents a mesh or web and is becoming surprisingly complex for even simple end solutions/products.

To illustrate and simplify these concepts, we can use the example of a “traditional” supply chain, in this case the car industry:

 

[Figure: car industry supply chain]

As you can see, there is a pronounced linear structure to the way that cars are produced. Besides the “core” components, reflecting the intellectual property of a company (or any business-critical component) that is usually developed and maintained in-house, other components participate in the production of an end-product. They can be sourced from third-party suppliers and assembled through production/post-production machinery and processes before they reach the distribution network.  

 

From supply chain security to sovereignty

 

The fact that we used a definition as given by a cybersecurity agency shows where our interest lies in this process. As ENISA goes on to state, when it comes to cybersecurity, “the importance of supply chains is attributed to the fact that successful attacks may impact a large number of customers who make use of the affected supplier. Therefore, the cascading effects from a single attack may have a widely propagated impact.”

For digital (and more specifically software) supply chains, this has been exemplified by the infamous SolarWinds hack (2020) and Log4Shell vulnerability (2022), which highlighted the devastating effects supply chain attacks can have on certain industries. Indeed, attacks of this kind were considered worrying enough that they led to President Biden in the US signing an Executive Order in May 2021, specifically referencing the need to strengthen the security of supply chains.

Securing all this is a daunting prospect — and an urgent one, too. A recent report from Gartner estimates that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. Those organizations are being hit harder, too, with an estimated 742% average annual increase in software supply chain attacks over the past three years (source: Sonatype).

For the sake of comprehensiveness, though, the discussion should turn from supply chain security alone to “supply chain sovereignty”: an individual company’s ability to maintain control over its supply chain. Maintaining “business sovereignty” over a supply chain (and even more so over a distributed one) also means reducing the risks of disruptions, protecting intellectual property, improving operational efficiency through traceability, and ensuring greater agility in responding to changing customer demands and market conditions.

Happily, this is a task that VO is very well suited to manage following our pioneering work in the media and video industry space and, as we detail below, elsewhere too. 

Different types of digital supply chains

 

What do premium digital media, 3D printing, and cloud-native software have in common? 

All three activities are undergoing rapid transformation as a result of new technology and such over-arching processes as “softwarization”, “datafication” and cloud migration. This comes together with radical transformations of the supply chains and real risks of disruption.

1. Let’s start with premium digital media – the video streaming business sector where at VO we have developed many of our key technologies and expertise over the years. A simplified representation of the supply chain looks like this:

[Figure: premium digital media supply chain]

What’s interesting is that the media supply chain – more specifically on the downstream part – is already greatly distributed/fragmented (which also often translates into hybrid/multi-cloud deployments). Maintaining business sovereignty over it is no easy task and requires, among other things, that the most demanding security requirements from content owners be addressed with state-of-the-art cryptographic techniques, countermeasures, and robust processes. This notably includes protections against attack vectors at the endpoint (e.g., the consumer premises equipment (CPE)), to counter threats of intellectual property theft and illegal content redistribution.

It is also worth mentioning that maintaining sovereignty on the upstream part of the supply chain is no less challenging, especially as the emergence of generative AI carries a real potential for disruption of legacy players and processes. This raises concrete threats against which VO continues to contribute its decades of experience.

2. Examining another supply chain we enable at VO adds further interesting insights to the notion of business sovereignty. This is the distributed industrial 3D printing supply chain:

[Figure: distributed industrial 3D printing supply chain]

Built to implement the production of “spare parts”, this industrial supply chain allows for on-demand manufacturing of objects (polymer, metal, etc.) on 3D printers in remote and sometimes unconnected locations. This supply chain – which exemplifies the wider distributed Industry 4.0 supply chain – shares with the premium digital media supply chain the criticality of endpoint security (the printer, at the edge), one of the pillars of its business sovereignty.

Besides intellectual property protection (against risks of theft of sensitive design models or manufacturing parameters), manufacturers expect the integrity of their 3D files to be protected throughout the chain – to avoid potentially dangerous and costly hacks. In addition, controlling and tracking the number of pieces produced is a key requirement to enable monetization of parts models. 

In the rest of this blog post, we’ll provide more details on the technology enablers inherited from the premium media supply chain that sit at the core of VO's Secure Manufacturing Platform (SMP), our solution to tackle the sovereignty of digitized industrial supply chains. But for the moment, suffice it to note how the notion of business sovereignty impacts different supply chains in a parallel manner.

3. These considerations can be extended to yet another supply chain, the cloud-native software supply chain, which “powers” the various software solutions VO offers and can schematically be represented as follows: 

[Figure: cloud-native software supply chain]

The critical importance of business sovereignty can also be illustrated across this supply chain, which is also currently undergoing substantial transformations.

Besides the fact that the number of building blocks making up applicative code is increasing (due to the adoption of microservice architectures, the integration of third-party / Open-Source components, etc.), interesting trends can be noted.

On the one hand, state-of-the-art architectures leverage software far beyond the strict applicative scope, historically under the sole control of R&D teams (think of infrastructure-as-code, configuration files, etc.). On the other hand, such architectures are increasingly distributed across physical boundaries (e.g., through the adoption of hybrid / multi-cloud approaches). In this context, consistent secret & credentials management is becoming increasingly complex. 

The “secret sprawl” phenomenon is growing more acute by the day. A measure of this problem is given by GitGuardian in its 2023 State of Secret Sprawl report: between 2020 and 2022, the number of “hardcoded” secrets detected on public GitHub grew by more than three times (from 3 to 10 million). Secret leaks, and sometimes credential harvesting, have resulted in some of the boldest cyber-attacks on software supply chains in recent years, such as Codecov (2021), CircleCI (2023), and more.

 

How VO is enabling business sovereignty across distributed digitized supply chains

In this intense atmosphere of transformation, it is all the more important for organizations to preserve business sovereignty. As already explained and illustrated above, this can be defined as a company’s ability to maintain full ownership and control over business processes and, as can be seen by any examination of the multiple-stakeholder nature of supply chains in the modern era, is not necessarily easy to implement. 

Security is only one aspect of this. Companies need to be confident that they control critical aspects of their supply chains in multiple environments and under differing conditions. Transparency and traceability are also vital components of this. 

This is where our expertise comes in. We have been ensuring supply chain sovereignty for the Pay-TV and streaming video industries for over two decades, providing security that has to operate in a whole host of different environments, cope with extreme challenges, and adapt to constantly changing technologies, user behaviors, and evolving and escalating threat profiles.

As a result, the Key Management System (KMS) we have developed for securing the supply chains we are a part of — the well-established premium digital media and, more recently, the Industry 4.0 and the cloud-native software supply chains — constitutes a vital enabler of business sovereignty. Portable, versatile, and proven resilient in the field, our KMS has been designed with a Zero Trust architecture, which makes it particularly well suited to the constraints of a hybrid cloud or cloud edge.

In summary, it offers users swiftly deployable supply chain security that can adapt to a wide range of circumstances and use cases, dynamically evolve with growing business needs, and provide a spectrum of options that balances costs and security levels, allowing firms of all sizes and business models to secure their chain and guarantee business sovereignty into the future.

The future of distributed digitized supply chains

Supply chains in multiple industries are currently undergoing rapid transformation as a result of major disruptors. 

As key processes become locationally fluid on a global scale, the need for businesses to maintain sovereignty over their supply chains is more important than ever. As supply chains become more complex, unfortunately, so does their attack surface, and with the activities of bad actors constantly on the rise, finding a way to keep the supply chain secure at all the multiple touchpoints along its length will be mission-critical for future business success. 

Stay tuned for some exciting announcements from VO as we continue contributing our assets and expertise to safeguarding supply chain sovereignty across a number of industries! 

Alain Nochimowski

Alain Nochimowski is the Chief Technology Officer at Viaccess-Orca. Alain is responsible for leading VO’s innovative initiatives and, on a broader scope, fostering an innovative mindset across the company. Prior to this position, Alain led business development activities, first at Orca Interactive, and following the merger with Viaccess, at the new entity Viaccess-Orca. Alain was responsible for leading VO’s entry strategy into new markets and ventures, and for creating a supportive industrial ecosystem for VO’s new products and technologies. Before joining Orca Interactive in 2009, Alain held various business development and technical strategy positions successively at Orange, Viaccess, and SanDisk, in New York, Paris, and Tel Aviv. Throughout his career, Alain initiated and successfully led multiple innovation projects that notably resulted in dozens of issued patents and strategic sales to large content service providers. Alain graduated from Ecole des Mines de Paris.