Fundamental Cloud Security Part 12 – Supply Chain in the Cloud

Working with public cloud providers raises many security challenges for customers, due to the fact that they do not control physical access to the cloud vendor’s data centers, the Cloud architecture or agreements between the cloud vendors and their suppliers.

When conducting a risk assessment for supply chain in the cloud, we should ask cloud vendor questions such as:

Who has access to my data stored in the cloud?
What 3^rd party suppliers (of the cloud vendor) have access to my data and is a data processing agreement in place?
Does the cloud vendor store backups (in any form, from tape to physical hard drives) at 3^rd party suppliers’ location?
Do 3^rd party suppliers have remote access to my data or to the systems storing or processing my data?
Has the cloud vendor performed a risk assessment to the 3^rd party suppliers they work with, in order to provide services to the cloud vendor’s customers?
Has the cloud vendor signed an official contract with SLA with 3^rd party suppliers?

Risks involving the supply chain:

Lack of clarity surrounding the definition and attribution of responsibilities and liabilities between the cloud vendor and 3rd party suppliers
Achieving accountability across the cloud supply chain
Lack of transparency surrounding security and risk management
Difficulties performing internal and external due diligence
Lack of clarity in Service Level Agreements
Mismanagement of cloud access
Inventory theft
Physical device tampering
Cross-cloud applications creating hidden dependency
Poor provider selection
Lack of supplier redundancy

Here are a few examples of possible damage to customers due to supply chain failure:

Company reputation
Customer trust
Loss of personal identifiable data (PII)
Service delivery
Regulatory financial penalties e.g. GDPR

The Cloud Security Alliance is trying to address supply chain risks in cloud environments through vendor assessments and external auditing in the questionnaire Cloud Controls Matrix.

Example of topics related to supply chain that appears in the CCM document:

STA-06 – Providers shall review the risk management and governance processes of their partners so that practices are consistent and aligned to account for risks inherited from other members of that partner’s cloud supply chain.
STA-07 – Policies and procedures shall be implemented to ensure the consistent review of service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream). Reviews shall be performed at least annually and identity non-conformance to established agreements. The reviews should result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships.
STA-08 – Providers shall assure reasonable information security across their information supply chain by performing an annual review. The review shall include all partners/third party-providers upon which their information supply chain depends on.
STA-09 – Third-party service providers shall demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements.

Solutions for managing the risks related to supply chain in the cloud

Review Cloud Security Alliance Security Trust Assurance and Risk Registry (STAR) questionnaire published by cloud vendors: https://cloudsecurityalliance.org/star/registry/