Supply chain woes have dominated headlines, from raw material and labor shortages, to shipping delays and manufacturing problems. But there's another type of supply chain that's also increasingly at risk: the cloud supply chain.
Cloud supply chain risks have little to do with logistics in the literal sense of the word. Rather, they stem from vulnerabilities in cloud services and processes. Over the last 18 months, 79% of companies have experienced at least one cloud data breach, and 43% have reported 10 or more breaches in that time. And any company, in any industry, is vulnerable.
Though recent breaches have elevated awareness, cloud supply chain attacks are not going away. In fact, because cloud adoption has accelerated due to the COVID-19 pandemic, the threats may increase. So, what's at the root? Risks to the cloud supply chain primarily stem from ecosystem complexity, siloed operations, and lack of insight into software assets, all of which boil down to poor risk management.
But there's good news: gaining a clearer understanding of the supply chain as well as developing a standardized risk management protocol for the entire cloud software development life cycle can reduce the risks and challenges.
Understanding Threats and Attack Types
Recent studies into the supply chain have shown that at least 80% of a typical SaaS application is powered by multiple services and vendors, with each component representing a different level of risk. The complexity of this extended operating environment makes it extremely hard to manage, let alone pinpoint vulnerabilities and insecure configurations.
So, what does it look like when your cloud supply chain is under attack? Some attacks will compromise source code. In last year's PHP attack, an attacker compromised the self-hosted Git server and injected two malicious commits that were not detected by code maintainers. Organizations using the software language unknowingly downloaded the malicious code and used it in their operating environment. Dependency attacks, meanwhile, happen when attackers prey on vulnerable dependencies, also injecting them with malware.
Build pipeline threats are perhaps the most damaging types of attacks, since compromised code is turned into an executable format. During the SolarWinds attack, for example, a cybercriminal compromised the build process to insert corrupt Sunspot malware into update packages. SolarWinds did not detect the malware until much later. Though the nature of these attacks may differ, an overarching strategy can prevent them: a better understanding of what's under the hood of your cloud.
Three Phases of Protection: Assessment, Standardization, and Partnership
Organizations can reduce their cloud supply chain risks by developing a keen understanding of every piece of their cloud ecosystem. Yet today, just one in five organizations assesses their cloud supply chain in real time. The same number conduct weekly evaluations, and a concerning 58% evaluate their posture once a month or less frequently. This leaves the door open for bad actors.
To protect themselves, it's essential for organizations of all sizes to create a software bill of materials (SBOM), an inventory of all components in the tech stack. By doing so, companies can better understand the complexities of their environment and significantly reduce their vulnerability to cloud supply chain attack.
Once the assessment is complete and users are confident in the security of their cloud supply chains, the next step is to develop a strategy that maintains that level of security. The US National Institute of Standards and Technology's (NIST) framework for vetting cloud vendors can serve as a starting point, but companies should tailor the steps that NIST lays out to their development workflows and processes.
The right partner can also play a key role in risk management, especially for smaller businesses. While mega cloud vendors provide a solid foundation for developers to build secure products, alternative cloud providers can offer something additional: a concierge-style partnership that ensures companies aren't on their own when it comes to security.
For example, Akamai partners with the HackerOne bug bounty program, which has thousands of ethical hackers performing penetration testing against their operating environment and products. Additionally, Akamai offers security controls and protection against supply chain risk by scanning our tech stack.
Creating a Culture of Security
As an industry, we are currently in reaction mode. Attacks are on the rise, and organizations aren't taking enough proactive measures to prevent disaster. But as the dependency on cloud continues to grow, no company, big or small, can afford to take this gamble.
Security starts with understanding the stack, assessing the risks associated with each element, and committing to following established best practices. The software supply chain includes multiple departments — purchasing, IT, software engineering, development, release, change management, operations. It really is everyone's job to get it right.
About the Author
As senior director of information security, Joseph Zhou leads the cybersecurity program, architecture, and operations of Akamai's cloud compute operations. Zhou leads a team of security professionals spanning enterprise security architecture, network security, business continuity, security awareness training, and more. He brings a wealth of industry experience to the role, and previously served in CISO roles at Evive and Transworld Systems.