Over the past few years, organizations have migrated their software supply chain operations to the cloud. In doing so, they face cybersecurity risks across various stages of the Software Supply Chain (SSC) lifecycle and are seeking cybersecurity best practices and frameworks.
Cloud-based SSCs bring specific benefits to the table, but they also carry risks. Managing these risks will require a pragmatic approach to end-to-end cybersecurity.
A cloud-based SSC provides many advantages over a traditional supply chain. Cloud computing provides scalability and elasticity, immutability, and API-driven infrastructure as code (IaC). A cloud-based SSC can also help simplify operations, consolidate distribution, and transfer significant operations and risks to the cloud provider.
Ensuring the cybersecurity and business continuity of SSCs is crucial to businesses, government agencies and individuals around the world. Yet many organizations are unable to fend off today’s sophisticated cybercriminals. This risk can affect organizations of all sizes and verticals, private and public.
Integrated systems allow third parties and engineers to access workloads and data swiftly, and to respond more flexibly to engineering changes.
A cloud-enabled SSC makes it easy to move data between workstreams and to deploy continuous integration/continuous delivery (CI/CD) pipelines.
Cloud computing offers high availability and fault tolerance, easing concerns about local outages that can disrupt software development workstreams.
A cloud-based SSC, backed by dynamic cost-management platforms, removes the burden of managing and maintaining physical systems within the supply chain.
Advanced logging and threat-monitoring capabilities help improve auditability and accountability of actions performed in a cloud environment.
Microsoft has developed a wide range of guidance and solutions to enable a multi-layered approach that customers can apply to their own architecture. Two Microsoft solutions that PwC may leverage to help monitor security across the software supply chain architecture are:
Microsoft Defender for Cloud - Helps monitor and protect workloads across multiple cloud environments and on-premises. It enables auditing to ensure compliance with standards and policies, and intervenes when there is a risky misconfiguration or a detected threat.
Microsoft Sentinel - Connects with Microsoft Defender for Cloud and integrates with other deployed security systems to help monitor and protect the software supply chain, providing holistic integration across alerting and response.