Following the headline-grabbing SolarWinds and Kaseya attacks of the past year, supply chain security has once again come under the spotlight. We live in an age where the extended corporate ecosystem of third-party digital and physical providers is larger than ever — driving both competitive advantage and cyber risk. It’s a risk that the UK government recently revealed it’s keen to mitigate, through various “interventions” if necessary.
Hands-on regulation may help to close down cyber risk on the supplier side, by enforcing best practice standards among the cloud and managed service provider (CSP/MSP) community. But it must be remembered that much of the risk from public cloud IaaS environments is borne by the customer.
CSPs are critical suppliers
It should surprise no-one that public cloud spending is forecast to grow 18% this year and then by 19% in 2022, to exceed $362bn globally. The pandemic has accelerated digital transformation in some organizations by several years, enabling them to become agile, meet fast-changing customer demands and streamline business processes. As such, the CSPs that provide your IT infrastructure are increasingly business-critical digital suppliers.
Yet where there are suppliers, there is risk. One report from earlier this year claimed that cloud-based user accounts were hit by over three million attacks over the course of 2020. Beyond this, threat actors are increasingly probing cloud infrastructure for gaps in protection which could give them access to your web applications. Attacks against web apps surged by 800% year-on-year in H1 2020, according to one study. They’re also past masters at compromising data stores of highly regulated customer personally identifiable information (PII), trade secrets and IP.
Risk is multiplied by complexity and opacity—of which there is plenty in the cloud. Some 92% of enterprises have a multi-cloud strategy today and 80% have a hybrid cloud strategy. These stretch in-house security skills to the limit and create an extra management burden which can lead to gaps in protection. In fact, the visibility challenge is exacerbated in some cases by CSPs themselves, according to that government report which said:
“Many respondents argued that they cannot make fully informed procurement decisions because it is increasingly difficult to obtain the necessary cybersecurity assurance from providers who are reluctant to provide information on their cybersecurity measures or standards they adhere to. This poses a number of business and operational challenges for customers who ultimately bear the risk of cyber security incidents.”
Regulation on the way?
Partly for this reason, government intervention is likely. Potential steps include:
- Providing enhanced advice and guidance
- Improving access to a skilled workforce and the right products and services to manage risk
- Working with “influential market actors” to prioritize supply chain risk management across the economy
However, “regulation” was apparently the most popular option cited by industry stakeholders. The government is mooting plans to ensure CSPs comply with best practice frameworks in order to drive up baseline security—although this is not so much of an issue for the top three global players.
Remember shared responsibility
This is certainly a worthwhile aspiration. But it won’t solve all your cloud supply chain security issues. It’s crucial to remember that the shared responsibility model means CSPs are only on the hook for securing their lower-level infrastructure, not what runs on it. That means customers must protect their data, apps, operating systems and so on. As the government noted in its report, there’s still “an incorrect perception among certain customers that, by purchasing cloud or managed services, they can conveniently outsource cybersecurity risk.”
In fact, Gartner has predicted in the past that by 2020, 95% of cloud security incidents would be the customer’s fault.
Cloud misconfigurations are a great example of what can happen when organizations forget their role in the model. An IBM study from last year found that over 85% of 8.5 billion breached records reported in 2019 were due to misconfigured cloud servers and other config errors. This is particularly worrying when threat actors are becoming adept at scanning for and rapidly exploiting exposed systems.
Getting smarter about security
The bottom line is that organizations must be proactive in securing their supply chains, including cloud infrastructure, if they’re serious about minimizing cyber risk. The following steps provide a high-level direction:
- Conduct a rigorous cloud asset discovery exercise
- Classify those assets and data flows according to risk appetite
- Deploy security controls including:
- Cloud security posture management to alert and fix any misconfigurations
- Cloud compatible web application firewalls
- Cloud firewalls
- SD-WAN and VPNs to secure branch-to-cloud traffic
- Consider following Zero Trust principles to further mitigate cloud risk
Your CSPs are among your most critical supply chain partners. But don’t assume they’ll protect everything. Visibility, control and continuous monitoring should be your watchwords on this journey.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.