New opportunities bring new risks
Over the past few years, organizations have migrated their software supply chain operations to the cloud. In doing so, they face cybersecurity risks across various stages of the Software Supply Chain (SSC) lifecycle and are seeking cybersecurity best practices and frameworks.
Cloud-based SSCs bring specific benefits to the table, but they also carry risks. Managing these risks will require a pragmatic approach to end-to-end cybersecurity.
A cloud-based SSC provides many advantages over a traditional supply chain. Cloud computing provides scalability and elasticity, immutability, and API-driven infrastructure as code (IaC). A cloud-based SSC can also help simplify operations, consolidate distribution and transfer significant operations and risks to their cloud providers.
Holistic cybersecurity for a cloud-based software supply chain
Ensuring the cybersecurity and business continuity of SSCs is crucial to businesses, government agencies and individuals around the world. Yet many organizations are unable to fend off today’s sophisticated cybercriminals. It’s a type of risk that can affect organizations of all sizes and verticals, private and public.
Cloud-based SSCs bring specific benefits to the table, but they also carry risks. Managing these risks will require a pragmatic approach to end-to-end cybersecurity.
Moving software development to the cloud can help yield a variety of other benefits, including:
- Pace and adaptability
- Collaboration and integration
- Resilience
- Cost efficiencies
- Increased security visibility
Pace and adaptability
Integrated systems allow third parties and engineers to swiftly access workloads and data, and more flexibly respond to engineering changes.
Collaboration and integration
A cloud-enabled SSC allows to easily move data between workstream and deploy continuous integration/continuous delivery (CI/CD).
Resilience
Cloud computing offers high availability and fault tolerance, easing concerns about local outages that can disrupt software development workstreams.
Cost efficiencies
A cloud-based SSC removes the burden of managing and maintaining physical systems within the supply chain using dynamic cost management platforms.
Increased security visibility
Advanced logging and threat-monitoring capabilities help improve auditability and accountability of actions performed in a cloud environment.
Key vulnerabilities and threat vectors of cloud-enabled SSCs
- Coding and design defects embedded during the engineering lifecycle
- Weak or inconsistent configurations of the operating environments
- Inadequately defined security requirements by an organization that is developing or acquiring the software
- Logistics failures in the secure transport of software from supplier to acquirer
- Poorly executed operational maintenance, such as inadequate patch management
- Lack of controls for secure destruction of information during the disposal phase
Microsoft solutions can help secure your software supply chain security
Microsoft has developed a wide range of guidance and solutions to enable a multi-layered approach that customers can apply to their own architecture. Two Microsoft solutions that PwC may leverage that help to enable monitoring of security across the software supply chain architecture:
Microsoft Defender for Cloud - Helps monitor and protect the workloads across multiple cloud environments and on-premises workloads. It enables auditing to ensure compliance with standards and policies and intervenes when there is a risky misconfiguration or detected threat.
Microsoft Sentinel - Connects with Microsoft Defender for Cloud and integrates with other security systems that have been deployed to help monitor and protect the software supply chain providing the integration across alerting and response holistically.
