From the desk of Brad Bell, CIO, Infoblox
Supply Chain Management: Evaluating Your Vendors’ Certifications
Evaluating vendor certifications to ensure the integrity of your supply chain is not a simple task. Over the next several weeks I will outline why it matters, what Infoblox is doing to help its customers secure their supply chain, and some best practices. The fact that the task is neither trivial nor impossibly complex is no reason to set it aside.
More than Certification
As a CIO, one of my most significant tasks in many contract negotiations has been to ensure that all our vendors meet stringent regulatory standards and can provide proof of compliance through certifications. If you are in a regulated industry, a government agency (federal, state or local), or a commercial integrator working with government agencies, I am sure you are as concerned about these certifications as I am. When it comes to cybersecurity, these certifications become even more critical, but vendor selection goes beyond certifications: securing the supply chain takes a collective effort. In this four-part blog series, I will suggest some key considerations and practices for selecting your business partners and vendors, so that you can deliver an agile and safe network across your offices, workers and business partners, provide critical social and government services successfully, and meet the needs of your constituents.
More than Availability
All too often, we sideline network security for the sake of functionality: ‘Does it do what I need it to do?’ If the answer is mostly yes, we procure equipment that is easy to purchase, takes little effort to configure or manage, and simply works, like an unmanaged switch. Without careful thought, though, this approach may not satisfy the organization’s security requirements. If we intend to secure the network, we have to consider all three facets of security, ‘Confidentiality, Integrity and Availability’ (CIA). Too often we focus on Availability when making procurement decisions and simply assume that Confidentiality and Integrity will take care of themselves. Take the unmanaged switch: it forwards traffic just like a managed switch, but without management and visibility at the port level (which port a given host was seen on, the ability to mirror or shut down a port) you lose the ability to trace or isolate a host during an incident investigation. Further, many such products do not integrate with the rest of the security ecosystem; they cannot exchange events or telemetry with your other tools, which limits the effectiveness of each.
Now, a switch is rather basic in its functionality, but what about your more critical network components such as firewalls, routers, DNS, DHCP and IP address management (IPAM) servers, SIEMs and so on? Have you evaluated whether these products operate in accordance with your security standards? Have you even defined security standards? Are you in a regulated industry where cybersecurity compliance is audited? Fortunately, several leading standards bodies have published standards and guidelines, notably the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST), from which most other frameworks derive their requirements.
Committed to Standardization
Infoblox has been committed to delivering best-in-class network technologies since its inception, which is why we are the market leader in DNS, DHCP and IPAM (DDI). In that pursuit, we have charged our engineering teams with meeting and exceeding the requirements set forth by these governing bodies, so our clients can be confident that our technologies address not only Availability but also Confidentiality and Integrity. Many of our products have been developed for and evaluated against Common Criteria (the international standard ISO/IEC 15408, administered in the US by NIAP) and NIST’s FIPS 140-2 cryptographic module requirements, and by the Defense Information Systems Agency (DISA) for inclusion on the Approved Products List (APL) for DoD infrastructure. Infoblox has also implemented a Security Technical Implementation Guide (STIG; STIGs are DISA’s configuration standards for DoD Information Assurance (IA) and IA-enabled devices and systems) to verify compliance of other network devices and systems. But we have not stopped at your datacenters; we have also been in the cloud.
Cloud Computing Leadership
For two years, Infoblox’s core DDI products have been available as virtualized appliances in the most secure cloud platforms. The US Government stipulates stringent security requirements for both the Amazon and Microsoft government cloud computing environments: AWS GovCloud and Microsoft Azure Government are both authorized at FedRAMP High, the baseline designated for some of the government’s most sensitive unclassified data. Infoblox’s virtualized DDI appliances have supported clients in the AWS GovCloud marketplace throughout that period, and the same appliances are also available in the Azure Government marketplace. Keep in mind that the platform’s FedRAMP High authorization covers the cloud provider’s infrastructure and services; under the shared responsibility model, the configuration and operation of the appliances you deploy there, and of the rest of your workload, remain your responsibility.
How does this help you? We’ve passed the most stringent of security requirements to offer our clients the reliability they deserve and demand. Our clients should expect that their vendors provide the best in Confidentiality, Integrity AND Availability — because nothing less will do.
Conclusion
No CIO can afford to relax vendor requirements related to cybersecurity when it comes to core networking services such as DDI. Purpose-built cloud offerings can be very useful, provided you ensure that your entire supply chain adheres to the required standards. And when a vendor cites a certification, verify it rather than taking the claim on faith: Common Criteria, FIPS 140-2 and DoD APL listings are issued for a specific product version and configuration, so check the public listing and confirm that the version and mode you intend to deploy are the ones that were evaluated. In future blogs, I will discuss related aspects such as the need for and value of an integrated ecosystem in which partners meet required government certifications, and the ability to demonstrate success through the insights of customer experience and case studies.
For more information about how Infoblox’s products can help your organization protect your infrastructure, secure your data, prevent the spread of malware and ensure that your security infrastructure works cohesively to better detect and remediate threats, select Secure Your Core. And to read more about Infoblox’s government applications, select Infoblox Solutions for Federal Networks or State and Local.