The zero trust supply chain: Managing supply chain risk in the absence of trust

The modern supply chain is characterised by an ill-defined and porous perimeter, allowing entry points for potential adversaries to intercept sensitive information and disrupt operations. Such supply chain attacks are increasing in frequency and their impacts can be costly to an organisation. Trust between supply chain partners is commonly thought to be a risk management tool, where increasing trust results in reduced risk. However, increased trust may actually expose the supply chain to more risk, not less. In this paper, we propose the concept of the zero trust supply chain. Originating in the field of information technology and cybersecurity, a zero trust philosophy assumes that all actors and activity are untrusted. In contrast to perimeter-based security, which attempts to keep adversarial actors out, a zero trust-based security posture assumes that adversaries are already inside the system, and therefore imposes strict access and authentication requirements. In this paper, we map zero trust concepts to the supply chain, and discuss the steps an organisation might take to transition to zero trust. We set forth a research agenda by examining zero trust through the lens of several organisational theories and propose a number of research propositions.

Automated summary

This paper discusses supply chain attacks in the modern supply chain, introduces the application of zero trust concept in the supply chain, and explores the steps for organizations to transition to a zero trust model.