Applying ‘zero trust’ to improve supply chain systems – a Davis College faculty member explains
Trust is often viewed as an asset.
“But, the idea of zero trust flips it all around,” says Zachary Collier, Ph.D., an assistant professor of management in the Davis College of Business and Economics. “So, you take a guilty-until-proven-innocent approach to your partnerships.”
It is an idea, as pessimistic as it may seem, “that is starting to catch on in certain circles,” such as information technology, cybersecurity and telecommunications, to name a few, explains Collier, whose research centers on risk and decision analysis. “So, I wrote this conceptual paper to work through the implications of the ideas.”
The paper, “The zero-trust supply chain: Managing supply chain risk in the absence of trust,” was recently published in the International Journal of Production Research. The paper, co-authored by Joseph Sarkis, a professor in the Foisie Business School at Worcester Polytechnic Institute, maps out “zero-trust concepts” to the global supply chain, which is under consistent attack, the researchers write, and discusses steps an organization could take to transition to zero trust.
“We set forth a research agenda by examining zero trust through the lens of several organizational theories and propose a number of research propositions,” Collier and Sarkis write in the paper’s introduction.
Modern supply chains, Collier explains, are porous systems with vulnerable entries for “potential adversaries to intercept sensitive information and disrupt operations.” Such attacks are growing in numbers and can cost companies millions of dollars.
“Trust between supply chain partners is commonly thought to be a risk management tool, where increasing trust results in reduced risks,” says Collier, whose research supports the NSF-funded Center for Hardware and Embedded Systems Security and Trust (CHEST). “However, increased trust may actually expose the supply chain to more risks, not less.” Implementing a zero-trust strategy involves continual, fine-grained monitoring of the supply chain and granting access to flows of materials, information, and finances on a per-request basis. Access decisions are based on quantifiable, risk-based assurance metrics.
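To make the contrast concrete, the following is an added illustration, not code from the paper or from Collier and Sarkis, of what "per-request" access decisions look like next to the conventional standing-trust model. The paper names no specific metrics, weights or thresholds; every metric (attestation age, open audit findings, anomaly score), every number and the sample partners "Acme" and "Nova" are constructed assumptions chosen only to show the mechanism.

```python
"""Per-request, assurance-based access decisions for supply-chain flows.

Added illustration only. The paper describes the idea conceptually and names no
specific metrics, thresholds or policy; every metric, weight and number below is
a constructed assumption.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Assurance:
    """Constructed assurance metrics a monitoring pipeline might report per partner."""
    attested: bool             # supplier attestation (audit, certification) currently verified
    attestation_age_days: int  # days since that attestation was last re-verified
    open_findings: int         # unresolved audit findings
    anomaly_score: float       # 0.0..1.0 from continuous monitoring of the partner's behaviour


@dataclass(frozen=True)
class Request:
    partner: str
    flow: str     # "materials" | "information" | "finances"
    value: float  # magnitude of the flow, arbitrary units


# Hypothetical policy: residual risk each flow tolerates before a request is refused.
FLOW_RISK_BUDGET = {"materials": 0.5, "information": 0.35, "finances": 0.25}
MAX_ATTESTATION_AGE_DAYS = 30


def risk_score(a: Assurance) -> float:
    """Combine the metrics into a 0..1 risk estimate (weights are assumptions)."""
    score = 0.0
    if not a.attested:
        score += 0.5
    elif a.attestation_age_days > MAX_ATTESTATION_AGE_DAYS:
        score += 0.25  # stale evidence counts against the partner, not for it
    score += min(a.open_findings, 5) * 0.05
    score += 0.4 * max(0.0, min(1.0, a.anomaly_score))
    return min(score, 1.0)


def decide_trust_based(req: Request, trusted_partners: set[str]) -> bool:
    """Conventional model: standing trust; current assurance state is never consulted."""
    return req.partner in trusted_partners


def decide_zero_trust(req: Request, a: Assurance) -> tuple[bool, str]:
    """Zero-trust model: every request is re-evaluated against the current metrics."""
    if req.flow not in FLOW_RISK_BUDGET:
        return False, "unknown flow type"
    if not a.attested:
        return False, "no verified attestation"
    score = risk_score(a)
    # Larger flows get a proportionally smaller risk budget (assumed rule).
    budget = FLOW_RISK_BUDGET[req.flow] / (1 + req.value / 1_000_000)
    if score > budget:
        return False, f"risk {score:.2f} exceeds budget {budget:.2f}"
    return True, f"risk {score:.2f} within budget {budget:.2f}"


def demo() -> dict[str, tuple[bool, bool]]:
    """Constructed scenario: (trust-based decision, zero-trust decision) per partner."""
    trusted = {"Acme"}  # long-standing partner with standing trust
    # Acme's monitoring state has degraded: stale attestation, findings, anomalous behaviour.
    acme_req = Request("Acme", "finances", 500_000)
    acme_state = Assurance(attested=True, attestation_age_days=60, open_findings=2, anomaly_score=0.9)
    # Nova is new and untrusted by history, but its current evidence is clean.
    nova_req = Request("Nova", "information", 10_000)
    nova_state = Assurance(attested=True, attestation_age_days=2, open_findings=0, anomaly_score=0.05)
    return {
        "Acme": (decide_trust_based(acme_req, trusted), decide_zero_trust(acme_req, acme_state)[0]),
        "Nova": (decide_trust_based(nova_req, trusted), decide_zero_trust(nova_req, nova_state)[0]),
    }


if __name__ == "__main__":
    for partner, (trust, zt) in demo().items():
        print(f"{partner}: trust-based={'allow' if trust else 'deny'}, zero-trust={'allow' if zt else 'deny'}")
```

In the constructed scenario the standing-trust model allows the degraded long-standing partner and refuses the clean newcomer, while the per-request model does the opposite: the point of the paragraph above, that standing trust can add risk rather than remove it, is exactly the evidence the trust-based function never looks at.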
In addition to defining and introducing the zero-trust concept, Collier and his co-author propose in the paper a number of research propositions, borrowing “from the zero-trust philosophy in cyber and information technology security,” they write, “and applying it to the supply chain context.”
Collier and Sarkis pinpoint real-life situations in which implementation of a zero-trust supply chain could have “saved lives, the environment, money, or organization reputation and competitiveness.” Cases include a situation in which toys were tainted with lead paint and a supply-chain cyberattack that cost one company $300 million.
A zero-trust policy comes with challenges of its own, Collier says, and “is not a silver bullet that will solve every problem within the supply chain.”
Collier notes that a pure zero-trust model may not be right for every supply chain, and other forms of “trusted” supplier models may be more appropriate, depending on the risks involved.
There are, however, “substantial opportunities for further investigation and development,” Collier says, adding that practitioners can construct “resilient supply chains with a variety of practices,” and researchers may develop “ideas and investigate what may or may not work.”