Supply chain integrity is the process of managing an organization's internal capabilities, as well as its partners and suppliers, to ensure all elements of an integrated solution are of high assurance. The need for integrity in the IT supply chain is necessary, whether the solution is developed in-house or purchased from a third party, says Gartner.
"IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years," said Neil MacDonald, research vice president and Gartner Fellow. "In the shorter term, the market for information security offerings will fragment along geopolitical lines. In the longer term, the same will happen for OSs and other IT system infrastructure software, reshaping the IT landscape moving forward.”
“Enterprise IT departments must begin to make changes today to protect their systems and information in a world where all IT systems are suspect. These changes in information protection strategies will help enterprises embrace and adopt cloud computing and consumerization, which have strikingly similar issues with untrusted systems,” MacDonald added.
According to Ray Valdes, research vice president at Gartner, IT supply chain integrity issues are expanding from hardware into software and information. They are growing more complex as IT systems are assembled from a large number of geographically diverse providers.
“These issues are not just about defense and intelligence. This has significant implications for businesses, governments and individuals moving forward in a world where the integrity of the IT supply chain is no longer completely trustable, and where all layers of the IT stack will be targeted for supply chain compromise,” said Valdes.
The IT supply chain has become more complex, fine-grained, globally distributed and volatile in the sense that rapid change provides the opportunity to introduce compromises. However, Gartner analysts said most hardware systems included software-based elements (at a minimum, firmware and drivers), with the trend to shift more intelligence out of hardware and into software.
In an information- and software-based economy, IT supply chain integrity must extend to include the following:
Software supply chains — This includes components, frameworks, middleware, language platforms, virtual machines (VMs) and operating systems (OSs), but also the software infrastructure and environment for software distribution and updates (such as DNS, identity, application store packaging and digital certificates).
Ensuring the integrity of software supply chains is a more difficult problem because of the increased use of offshore development, the relative ease of cloning software and the ongoing need to keep software patched and updated via trusted mechanisms.
Information supply chains — Information is now becoming available from a variety of sources — from partners, suppliers and cloud-based services, such as data from Google Maps, Twitter, Facebook and Amazon.
This information can be incorporated into connected applications, information marketplaces and the information integrated from partners in an extended supply chain ecosystem. Critical decisions will be based on information assembled from many other sources, creating a similar supply chain integrity issue to that of hardware and software.