Modern supply chains run on trust. In cybersecurity, trust is often our greatest exposure.
The recent Ribbon Communications breach, reportedly the work of a nation-state actor operating undetected for nearly a year, highlights a pattern we’ve seen before with Salt Typhoon: patient, credential-driven infiltration of telecom and infrastructure ecosystems.
These aren’t just data breaches. They reveal how much of our critical infrastructure still runs on implicit trust without continuous verification.
Three reflections for identity and access leaders:
- Vendor ecosystems are identity systems too
Every upstream partner with privileged or operational access extends your attack surface.
Risk management must evolve from contracts and certifications to continuous validation of identity, privilege, and activity.
Modern identity programs should encompass the entire supply chain, not just internal users.
- The network layer remains the soft underbelly of Zero Trust
Most organizations have matured cloud and app IAM programs, yet still rely on static credentials and shared accounts for network infrastructure.
That’s where attackers live quietly, persistently, and often unseen for months.
Bringing identity-first principles and least-privilege enforcement into routers, switches, and network devices is how Zero Trust finally reaches the foundation of our digital infrastructure.
- The UK’s Telecommunications Security Act is more than regulation. It’s a blueprint
The TSA compels operators to prove resilience and control even when vendors fail.
That’s a model the global industry should emulate. Not just for compliance, but because operational resilience depends on it.
A collective takeaway
Whether you’re a telecom operator, a service provider, or a CISO responsible for critical infrastructure, the Ribbon incident reinforces one truth:
Identity and privilege are now the connective tissue of resilience.
Our next challenge as an industry is to extend those principles into the network and infrastructure layer: where identity has historically been weakest and risk has quietly compounded.
(As part of the Identity Defined Security Alliance, we continue exploring how identity-first strategies and network-layer controls can reduce systemic risk across complex ecosystems.)
Where does compliance break without identity-based control? Watch this discussion on how to bring identity to the network layer.
Webinar: Zero Trust Falls Short Without Network Identity: Lessons from Salt Typhoon
Extend your AAA foundation into Network PAM with Kron: where identity follows privilege, compliance evolves into assurance, all under one policy plane. Learn more at networkpam.com.
About the Author: Craig Riddell is Vice President of Technology and Field CISO, Americas at Kron Technologies. A recognized cybersecurity leader with 15+ years of experience in identity and access management (IAM), privileged access security, and Zero Trust, Craig has helped global enterprises secure critical infrastructure and reduce risk. He’s a CISSP and Certified Ethical Hacker, known for bridging technical security and business strategy to help organizations strengthen their security posture and drive growth.
About the Company: Kron Network PAM gives you complete control over privileged access to your network—who can log in, what they can do, and how it’s tracked. Purpose-built for network infrastructure. Simple to deploy. Scales with your environment.
