Supply chain attacks are no longer rare events. They are a systematic, scalable attack strategy — and most organisations are not the primary target. They are the door.
The Supply Chain Attack Playbook
When the Nobelium hacker group launched supply chain attacks against more than 140 resellers and technology providers, the objective was not to breach the resellers themselves. The objective was to use those resellers as a trusted delivery mechanism into thousands of downstream organisations.
This is the defining characteristic of modern supply chain attacks. Attackers identify the weakest link in a chain of trust — a software vendor, a managed service provider, a technology reseller — and use that link’s trusted access to reach every organisation it serves.
The SolarWinds attack followed the same logic. The attackers did not target the 18,000 organisations that installed the compromised update. They targeted SolarWinds, which had trusted access to all of them.
Why Traditional Perimeter Security Cannot Help
The problem with supply chain attacks is that they arrive through trusted channels. A software update from a verified vendor. A patch from your IT management platform. A connector from a service your organisation relies on.
Traditional perimeter security is designed to block untrusted traffic. It has no mechanism to distinguish between a legitimate software update and a compromised one arriving through the same trusted channel. By the time the attack is inside your perimeter, it has already bypassed your defences.
The critical question is not “can we trust this vendor?” It is “what can this vendor’s software access once it is inside our network?” If the answer is “almost everything,” you have a supply chain problem.
Zero Trust as a Supply Chain Control
Zero trust architecture changes the supply chain risk calculus fundamentally. Under a zero trust model, the question is not whether a connection comes from a trusted source. It is whether the specific request — this user, this device, this application — meets the policy requirements for the specific resource being accessed.
This matters for supply chain security because it limits blast radius. Even if a compromised component gains a foothold inside your environment, zero trust controls prevent it from moving laterally to other systems. Microsegmentation ensures that access to one application does not grant access to others.
TAC’s reverse proxy architecture implements this principle structurally. Applications are never directly exposed. Every connection — including those from vendor tools and management platforms — is mediated by TAC’s policy engine before any traffic reaches a protected resource.
What You Can Actually Control
You cannot control whether your software vendors get breached. You cannot audit every line of code in every dependency in your stack. What you can control is what happens if a compromised component ends up inside your environment.
Minimise standing access. Ensure vendor tools and management platforms have the minimum permissions required for their legitimate function. Implement network segmentation that limits what any compromised component can reach. Log everything so that anomalous access patterns are detectable.
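The two ideas above, a per-request, per-resource policy decision that limits blast radius, and logging that makes a vendor component's out-of-scope access attempts visible, can be shown in a few dozen lines. The following is an added example written for this page, not PortSys or TAC code; the identities (svc-patchmgmt, svc-monitoring, alice), resources, device posture labels and the tab-separated access log are all constructed for illustration. It models a default-deny policy in which each vendor service account is granted only the resources its function needs, computes the blast radius of each identity from that policy, and then runs the policy over a log of mediated requests to surface a patch-management agent reaching for systems outside its allowlist.

```python
"""Per-resource access policy for vendor tooling, plus detection over an access log.

Added example for this page; not PortSys/TAC code. All identities, resources,
posture labels and log lines below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Request:
    identity: str      # who is asking, e.g. the service account of a vendor tool
    device: str        # device posture label reported for the requesting host
    application: str   # client application making the request
    resource: str      # protected resource being accessed


@dataclass(frozen=True)
class Rule:
    identity: str
    resource: str
    devices: FrozenSet[str]       # acceptable device postures
    applications: FrozenSet[str]  # acceptable client applications


# Constructed policy. Each rule is one (identity, resource) grant with the device
# and application conditions under which it applies; anything not listed is denied.
POLICY: Tuple[Rule, ...] = (
    # The patch-management agent may reach the update repository only, from managed hosts.
    Rule("svc-patchmgmt", "update-repo", frozenset({"managed"}), frozenset({"patch-agent"})),
    # The monitoring collector may read the metrics API, from managed hosts.
    Rule("svc-monitoring", "metrics-api", frozenset({"managed"}), frozenset({"collector"})),
    # A finance user may reach the finance database from a managed device via the approved client.
    Rule("alice", "finance-db", frozenset({"managed"}), frozenset({"finance-app"})),
)


def evaluate(req: Request, policy: Tuple[Rule, ...] = POLICY) -> bool:
    """Default-deny: grant only if some rule matches every attribute of the request.

    The decision is about this identity, this device, this application and this
    resource, never about whether the source is a 'trusted vendor'."""
    return any(
        r.identity == req.identity
        and r.resource == req.resource
        and req.device in r.devices
        and req.application in r.applications
        for r in policy
    )


def reachable(identity: str, policy: Tuple[Rule, ...] = POLICY) -> FrozenSet[str]:
    """Blast radius of an identity: the set of resources it can reach under any rule."""
    return frozenset(r.resource for r in policy if r.identity == identity)


# Constructed access log: one tab-separated line per mediated request,
# fields identity, device posture, application, resource.
ACCESS_LOG = """\
svc-patchmgmt\tmanaged\tpatch-agent\tupdate-repo
svc-patchmgmt\tmanaged\tpatch-agent\tfinance-db
svc-patchmgmt\tmanaged\tpatch-agent\tdomain-controller
svc-monitoring\tmanaged\tcollector\tmetrics-api
alice\tunmanaged\tfinance-app\tfinance-db
alice\tmanaged\tfinance-app\tfinance-db
"""


def parse_log(text: str) -> List[Request]:
    """Parse the constructed log format into Request records, skipping blank lines."""
    requests: List[Request] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        identity, device, application, resource = line.split("\t")
        requests.append(Request(identity, device, application, resource))
    return requests


def audit(text: str, policy: Tuple[Rule, ...] = POLICY) -> Dict[str, List[str]]:
    """Map each identity to the resources it was denied, in log order.

    A vendor service account that is denied against resources unrelated to its
    function is the anomalous access pattern the text says logging should expose."""
    denied: Dict[str, List[str]] = {}
    for req in parse_log(text):
        if not evaluate(req, policy):
            denied.setdefault(req.identity, []).append(req.resource)
    return denied


if __name__ == "__main__":
    print("svc-patchmgmt can reach:", sorted(reachable("svc-patchmgmt")))
    for identity, resources in audit(ACCESS_LOG).items():
        print(f"DENIED {identity}: {resources}")
```

Run as a script it prints the patch agent's blast radius (only the update repository) and the denied attempts per identity; the two denials for svc-patchmgmt against finance-db and domain-controller are exactly the pattern a compromised update agent would leave, and the denial for alice shows the same policy refusing a legitimate user on an unmanaged device.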
The organisations that emerged from SolarWinds with minimal damage were not those that had perfect perimeter security. They were those that had limited what the compromised component could do once it was inside.
PortSys Total Access Control was built to solve exactly this problem. Learn how TAC addresses this challenge →