When Securing Your Software Supply Chain, Don't Forget the Cloud
Cloud security issues can put your software supply chain at risk. Here are strategies for minimizing risk when using the public cloud as part of a software supply chain.
Software supply chains have become a hot topic of late, thanks to major supply chain security fiascos involving names like SolarWinds and Log4j. Chances are that, if you work in IT, you're hearing more and more about the importance of understanding and securing your software supply chain.
Yet it's also likely that cloud computing platforms are not a major part of that conversation. Software supply chains as most folks define them don't include the public cloud, which isn't software as much as it is infrastructure.
That's a mistake. The cloud may not be software per se, but cloud security risks can taint your software supply chain just as seriously as vulnerabilities in applications or platforms.
Defining Software Supply Chains
A software supply chain is the set of resources that businesses use to build out their IT environment.
Supply chains can include open source tools or libraries (like Log4j) that your developers incorporate into applications they build themselves. They may also include software platforms (like SolarWinds) and services from commercial software vendors.
Software supply chains have been around for as long as businesses have been using software, of course. But they have made big headlines over the past year due to major breaches that have exposed thousands of businesses to cybersecurity risks. Pressure from the U.S. federal government for businesses to compile software bills of materials (SBOMs) has also helped to bring software supply chains and software supply chain security into the spotlight.
The Cloud's Role in Software Supply Chain Security
Despite all of the talk (and blogs and webinars) in recent months about supply chain security, the role of cloud computing in supply chains has received little attention.
This may be because the cloud is arguably only part of a software supply chain. Again, most public cloud platforms are basically infrastructure providers, not software providers. In addition, while public cloud security breaches can and do occur, they don't typically give attackers direct access to cloud customers' entire IT environments in the way that breaches like the SolarWind fiasco did. Usually, public cloud security incidents only expose data that customers were storing in the cloud.
On the other hand, you can make a pretty reasonable argument that public clouds are absolutely part of the software supply chain of any business that uses the public cloud, for several reasons:
Clouds are not just infrastructure: Infrastructure as a service (IaaS) may be the main offering of public clouds, but most cloud vendors deliver various software-as-a-service (SaaS) applications in addition to selling infrastructure.
Infrastructure security breaches can be bad, too: Even if you do only use infrastructure services in the cloud, vulnerabilities in the cloud provider's platform could expose your data or applications to attack.
Public clouds can be hacked: Those attacks aren't just theoretical. Public cloud security breaches that expose customer data happen all the time.
If you don't track the risks and breaches that impact the clouds you use, then you can hardly guarantee that the third-party resources that form your IT environment are secure.
Securing the Cloud Component of Your Software Supply Chain
Consider the following strategies to minimize risk when using the public cloud as part of a software supply chain:
Understand your cloud environment
As with software supply chain security in general, the first step in securing a cloud environment is understanding what runs where. This can be difficult, especially at large organizations where dozens or hundreds of people are using the cloud.
Enforcing tagging rules for cloud resources can help on this front by making it easier to keep track of cloud workloads. So can performing regular audits that map your cloud workloads.
Minimize data exposure
The less data you store in the public cloud, the lower your risk of a falling victim to a security issue with the cloud platform. This is one reason to consider using a hybrid cloud architecture that lets you keep sensitive data on-premises.
Use multiple cloud accounts
Along similar lines, spreading your workloads across different cloud accounts may reduce the impact of breaches. In many cases, security incidents on public cloud platforms are limited to specific accounts and configurations.
Track cloud security incidents
When a public cloud that you use experiences a security incident, you'll want to know immediately whether it impacted any of your workloads.
This requires some effort. Unlike vulnerabilities in software applications and libraries, public cloud security incidents aren't systematically tracked in vulnerability databases. You also can't use automated scanning tools to determine whether your cloud services are affected by a security breach in the same way that you can use source composition analysis (SCA) tools to scan application components.
You can, however, read the news or follow the security blog of your cloud provider (like this one from AWS and this from Azure), which is probably your best bet for staying on top of public cloud security issues.
Conclusion: Remember the Cloud When Securing Your Software Supply Chain
The cloud's place within software supply chains may be ambiguous. But the impact of cloud security issues on your business's IT security is not. When you make plans to assess and secure your software supply chain, don't leave the cloud on the sidelines.
About the Author
You May Also Like