Working with public cloud providers raises many security challenges for customers, because customers do not control physical access to the cloud vendor's data centers, the cloud architecture, or the agreements between the cloud vendor and its suppliers.
When conducting a supply chain risk assessment in the cloud, we should ask the cloud vendor questions such as:
- Who has access to my data stored in the cloud?
- Which 3rd party suppliers (of the cloud vendor) have access to my data, and is a data processing agreement in place?
- Does the cloud vendor store backups (in any form, from tape to physical hard drives) at 3rd party suppliers' locations?
</grreplace>
<gr_replace lines="7-8" cat="clarify" orig="- Has the cloud vendor performed">
- Has the cloud vendor performed a risk assessment of the 3rd party suppliers it works with in order to provide services to the cloud vendor's customers?
- Has the cloud vendor signed an official contract, including an SLA, with its 3rd party suppliers?
- Do 3rd party suppliers have remote access to my data or to the systems storing or processing my data?
- Has the cloud vendor performed a risk assessment to the 3rd party suppliers they work with, in order to provide services to the cloud vendor’s customers?
- Has the cloud vendor signed an official contract with SLA with 3rd party suppliers?
Risks involving the supply chain include:
- Lack of clarity surrounding the definition and attribution of responsibilities and liabilities between the cloud vendor and 3rd party suppliers
- Achieving accountability across the cloud supply chain
- Lack of transparency surrounding security and risk management
- Difficulties performing internal and external due diligence
- Lack of clarity in Service Level Agreements
- Mismanagement of cloud access
- Inventory theft
- Physical device tampering
- Cross-cloud applications creating hidden dependency
- Poor provider selection
- Lack of supplier redundancy
Here are a few examples of possible damage to customers due to a supply chain failure:
- Damage to company reputation
- Loss of customer trust
- Loss of personally identifiable information (PII)
- Disruption of service delivery
- Regulatory financial penalties, e.g. under GDPR
Examples of supply chain related topics that appear in the CCM document:
- STA-06 – Providers shall review the risk management and governance processes of their partners so that practices are consistent and aligned to account for risks inherited from other members of that partner’s cloud supply chain.
- STA-07 – Policies and procedures shall be implemented to ensure the consistent review of service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream). Reviews shall be performed at least annually and identify non-conformance to established agreements. The reviews should result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships.
- STA-08 – Providers shall assure reasonable information security across their information supply chain by performing an annual review. The review shall include all partners/third-party providers upon which their information supply chain depends.
- STA-09 – Third-party service providers shall demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements.
Solutions for managing supply chain risks in the cloud:
- Review the Cloud Security Alliance Security, Trust, Assurance and Risk (STAR) Registry questionnaires published by cloud vendors: https://cloudsecurityalliance.org/star/registry/
- Ask the cloud vendor for an up-to-date ISO 27001 report: https://www.isms.online/iso-27001/annex-a-15-supplier-relationships/
- Ask the cloud vendor for an up-to-date SOC 2 Type 2 report
- Cloud Security Alliance – Cloud Controls Matrix: https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix/
- ENISA Cloud Computing Risk Assessment
- 7 Supply Chain Security Concerns to Address in 2019: https://supplychainbeyond.com/7-supply-chain-security-concerns-to-address-in-2019/
- NCSC NIS guidance
- Cloud Computing in Supply Chain Management
About the author
Eyal Estrin is a cloud architect working at the Inter-University Computation Center (IUCC) in Israel. He has more than 20 years of experience in infrastructure, information security and public cloud services. He is a public columnist and shares knowledge about cloud services. You can follow him on Twitter at @eyalestrin.