Wed Sep 22 2021

The impact of your supply chain on your digital footprint


My last posts talked about your company's digital footprint and the different items composing it. But often, the impact of your supply chain is omitted from this.

Often, the assets that compose your digital footprint, like the server on which your website runs or your email infrastructure, are not hosted on your premises but somewhere in the cloud. This can mean that the management of that system is outside your zone of control. If you find any weaknesses in this system, you should trigger an internal process to start a communication and remediation process with that supplier. The same goes for the web application running on top of that system. Chances are it's not developed internally but by an external party, and probably a different supplier than the cloud company. You'll need to start a second process to communicate with that party as well.

Let's think this scenario through. We've performed a scan on our company's digital footprint. We found a number of exposed assets, among them a web application that is developed by an external supplier and hosted on a system managed by yet another external supplier. We need to understand that while our digital footprint is attributed to us, our company, it is actually composed of different bits and pieces spread over different suppliers and even geographic locations.

Hence, if we want a full view of the exposure our digital footprint brings to our company, we need to take into account not only the exposure of our own systems and applications, which are under our direct control, but also that of the systems and applications located outside our direct zone of control, with different suppliers.

The next question we need to ask is how far this exposure goes. Is our web application located in a single-tenant or multi-tenant environment? If the acquisition of the system and the contract negotiation went through the normal approved processes, chances are you already have this information. But what if another department went ahead and ordered the web application and hosting outside of the normal processes? Also, was the supplier chosen from a list of pre-approved suppliers, or did they (randomly) pick their own supplier? If so, how can we make sure that this supplier practices sound security principles: secure coding, regular security tests on their code and systems, secure handling of our company's data, a business continuity plan in case the availability of your asset is impacted, etc.?

Measuring the exposure and the risks of assets in our zone of control is pretty simple. We can run active vulnerability scans, execute penetration tests, check the configuration, etc. But it's not as simple with external suppliers. Are you allowed to run a vulnerability scan against their systems, or to require them to perform a penetration test? Do you have an idea of how they are organised internally with respect to secure coding and other security and risk management practices?
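To make the scenario above concrete, here is an added example (not code from the original post or from Ceeyu) that takes the findings of a footprint scan and routes each one to the party that has to fix it: system-level findings to the hosting supplier, application-level findings to the developer, internal findings to ourselves. It also reports which external suppliers are not on the pre-approved list and which assets lie outside our direct zone of control. All hostnames, supplier names and findings are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

INTERNAL = "internal"  # marker for a party under our own direct control


@dataclass
class Asset:
    hostname: str
    hosting_supplier: str  # who manages the system (hypothetical names)
    app_supplier: str      # who develops the application running on it
    multi_tenant: bool = False
    # (layer, description) pairs; layer is "system" or "application"
    findings: list = field(default_factory=list)


def route_findings(assets, approved_suppliers):
    """Return {party: [(hostname, layer, description), ...]} so that each
    external supplier gets its own communication/remediation process, plus
    the set of external suppliers that were not taken from the approved list."""
    work = defaultdict(list)
    unapproved = set()
    for a in assets:
        for layer, desc in a.findings:
            party = a.hosting_supplier if layer == "system" else a.app_supplier
            work[party].append((a.hostname, layer, desc))
        for party in {a.hosting_supplier, a.app_supplier} - {INTERNAL}:
            if party not in approved_suppliers:
                unapproved.add(party)
    return dict(work), unapproved


def outside_control(assets):
    """Hostnames whose system or application lies with an external party."""
    return [a.hostname for a in assets
            if a.hosting_supplier != INTERNAL or a.app_supplier != INTERNAL]


# Constructed inventory: an app split across two approved suppliers, an
# internal mail system, and a portal ordered outside the normal process.
APPROVED = {"HostCo", "WebDevCo"}
ASSETS = [
    Asset("www.example.invalid", "HostCo", "WebDevCo", True,
          [("system", "TLS 1.0 still enabled"),
           ("application", "reflected XSS in search form")]),
    Asset("mail.example.invalid", INTERNAL, INTERNAL, False,
          [("system", "SPF record missing")]),
    Asset("portal.example.invalid", "ShadowHost", INTERNAL, True,
          [("system", "admin panel exposed to the internet")]),
]
```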

In my post next week I'll delve deeper into how to check and maintain a view on the security and risk exposure of your digital footprint, and your suppliers'. Don't hesitate to send me a PM or mail if you have a remark or a question; I'm happy to help you out!


Jimmy Pommerenke

Author

Jimmy is the founder, CEO and CTO of Ceeyu. Prior to founding Ceeyu, Jimmy was responsible for cybersecurity programs at large financial institutions and consulting company EY. Jimmy started his career as a security engineer. His duties included installing and managing firewalls, scanning infrastructure for vulnerabilities, and performing pen testing and ethical hacking.
