Securing Your Cloud Supply Chain

By Matt Chiodi, Chief Security Officer, Public Cloud, Palo Alto Networks
Supply chain security has become a top priority for many executives as incident after incident has uncovered vulnerabilities in the supply chain that pose significant organizational risk. With security challenges like Log4j and SolarStorm, organizations of all sizes have faced risks they probably didn’t even know they had. In a supply chain attack, a vulnerability in one component of a software stack can expose an entire organization to potential exploitation.
Research from Palo Alto Networks Unit 42 has identified a particularly serious type of risk in the cloud supply chain that should be of concern. Our research team found that 63% of third-party code used to build cloud infrastructure is insecure. Security risks include misconfigurations that put organizations at risk, misassigned permissions, and vulnerable code libraries.
What is the cloud supply chain anyway?
Most of the time, when individuals talk about the supply chain, they think of things like physical items and goods being transported from one place to another. What many organizations still don’t understand is that the movement of these physical assets is often enabled by applications running in the cloud. Taking this a step further, if your company builds its own cloud-native applications, then you have a supply chain within a supply chain.
Modern cloud-native applications are built and assembled in three general steps. The first step is the provision of the cloud infrastructure. The second step is a Kubernetes® container orchestration service, the platform on which the applications are deployed. The third step is the deployment of application container images themselves. Each of these three tiers can have misconfigurations or vulnerable code elements.
The SBOM (Software Bill of Materials)
While cloud supply chain security can be complex, it also offers opportunities to make it simpler. Cloud-native applications almost always use containers, which provide an easier way for organizations to actually track what’s in an application.
The concept of a Software Bill of Materials (SBOM) is simplified with containers since they are declarative. A user can look into the container manifest line by line and understand what is in the container.
SBOMs will increasingly be part of the software supply chain, thanks in part to Executive Order 14028, which mandates the use of SBOMs for US government suppliers.
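What reading a container manifest line by line can look like when automated: the following is an added example, not code from the article or from Palo Alto Networks, that walks a constructed Dockerfile, lists the base images and packages it declares, and flags those not pinned to a digest or exact version. The Dockerfile contents, the function names and the choice of apt-get and pip are assumptions for illustration.

```python
import re

# Constructed Dockerfile for illustration; image tags, package versions and the
# all-zero digest are placeholders, not values from the article.
SAMPLE = r"""FROM python:3.12-slim AS build
RUN pip install --no-cache-dir requests==2.31.0 flask

FROM python:3.12-slim@DIGEST
# runtime packages
RUN apt-get update && \
    apt-get install -y --no-install-recommends ca-certificates curl=7.88.1-10
COPY --from=build /usr/local/lib /usr/local/lib
""".replace("DIGEST", "sha256:" + "0" * 64)

# package manager -> (component type, name/version separator)
MANAGERS = {"apt-get": ("deb", "="), "pip": ("pypi", "==")}


def logical_lines(text):
    """Join backslash continuations, then drop blank and comment lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    lines = (line.strip() for line in joined.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def inventory(dockerfile):
    """Return one record per base image or package the manifest declares."""
    stages, items = set(), []
    for line in logical_lines(dockerfile):
        instr, _, rest = line.partition(" ")
        if instr.upper() == "FROM":
            parts = [p for p in rest.split() if not p.startswith("--")]
            image = parts[0]
            is_stage_ref = image.lower() in stages  # e.g. "FROM build"
            if len(parts) >= 3 and parts[1].upper() == "AS":
                stages.add(parts[2].lower())
            if not is_stage_ref and image != "scratch":
                # A tag can be re-pointed; only a digest fixes the content.
                items.append({"type": "base-image", "name": image,
                              "pinned": "@sha256:" in image})
        elif instr.upper() == "RUN":
            for cmd in re.split(r"&&|;", rest):
                words = cmd.split()
                if not words or words[0] not in MANAGERS or "install" not in words:
                    continue
                kind, sep = MANAGERS[words[0]]
                for word in words[words.index("install") + 1:]:
                    if not word.startswith("-"):  # skip option flags
                        name, _, version = word.partition(sep)
                        items.append({"type": kind, "name": name,
                                      "pinned": bool(version)})
    return items


def unpinned(items):
    """Names of components whose exact content the manifest does not fix."""
    return [item["name"] for item in items if not item["pinned"]]
```

A Dockerfile lists only what is declared in it; dependencies pulled in transitively by the base image or the package manager still need an image-level inventory.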
The cloud supply chain can be complex considering all the different tiers, components and sources. Although complex, cloud supply chain security can be managed with a four-step strategic approach:
Step 1: Define the strategy
A critical first step is to outline an overall cloud supply chain strategy, beginning with a shift-left approach. The shift-left concept is about shifting security earlier in the process, sometimes referred to as DevSecOps. The strategy doesn’t need to be outlined in a giant document either. All that is really needed at the beginning is an overview of the vision, roles and responsibilities. From here, iterate over time.
Step 2: Understand where and how software is created
This is where you may need to do a little research to understand where and how software is created in the organization. This is really about going out and documenting how software makes its way from a developer’s laptop to the production cloud environment.
Step 3: Identify and implement safety quality guardrails
In traditional manufacturing processes, quality control has long been part of the operation. However, this has not always been the case with cloud applications. What is needed is to identify where the organization can conduct proactive reviews along the line as software is built. Good security controls must include as much automation as possible to supplement manual code review efforts that don’t scale on their own.
Step 4: Consider certifications
While the first three steps are all about building security into applications that a company develops, the security of the applications and the cloud infrastructure the company uses must also be validated. This is one area where certifications can play a role. The major cloud providers typically have a variety of third-party endorsements and certifications. The most common include SOC2 Type II and ISO 27001, which specify how a vendor implements its own security controls and independently verifies them.
It is important to have these certifications in order to understand how vendors systematically review and assess risks. This is important because when you start scaling cloud usage, the provider is now a direct extension of your business.
Using all of the steps outlined here can help a security leader put their organization on a solid path to not just shift security to the left, but to make security synonymous with development. With organizations increasingly dependent on the cloud and cloud-native applications, now is the time to implement a cloud supply chain security strategy.
About Matt Chiodi:
Matt has nearly two decades of security leadership experience and is currently the Chief Security Officer of Public Cloud at Palo Alto Networks. He works with organizations to develop and implement security strategies for public cloud adoption and maturity. He does this through consulting with clients, frequent blogging, and speaking at industry events like RSA. He currently leads the Unit 42 Cloud Threat Team, an elite group of security researchers focused solely on public cloud issues. Chiodi has served on the boards of various non-profit organizations, including chairman and governor of InfraGard in Philadelphia. He is currently a lecturer at IANS Research.