Why businesses can’t leave supply chain security up to their cloud providers

The importance of effective supply chain security was thrust into the spotlight last year when the high-profile SolarWinds and Kaseya attacks took place.

Both businesses and individuals were reminded they live in an age where IT ecosystems are larger than ever and regularly extend to include third-party resources and services. Keeping everything secure at all times is a challenging task.

This supply chain challenge comes at a time when organisations are making use of cloud-based resources at ever-increasing rates. Research firm Gartner estimated that worldwide end-user spending on public cloud resources increased by 18 per cent during 2021. By the end of 2022, annual spending will have reached US$32 billion.

Unfortunately, however, where there are suppliers there is also risk. According to a report compiled by security company McAfee in 2021, cloud-based user accounts were hit by more than three million attacks during 2020 alone.

Beyond this, threat actors are increasingly probing cloud infrastructures for gaps in protection which could give them access to web applications. They’re also becoming much more adept at compromising data stores of highly regulated customer personally identifiable information (PII), trade secrets and IP.

Complexity increases risk

The risks faced by organisations tend to increase alongside the complexity of their IT infrastructures. According to estimates, some 92 per cent of enterprises have a multi-cloud strategy today and 80 per cent have a hybrid-cloud strategy.

These architectures stretch in-house security skills to the limit and create an extra management burden that can lead to gaps in protection. In fact, the visibility challenge is exacerbated in some cases by cloud service providers (CSPs) themselves.

VIEW ALL

Many organisations argue they cannot make fully informed procurement decisions because it is increasingly difficult to obtain the necessary cyber security assurance from providers who are reluctant to provide information on their cyber security measures or standards. This poses a number of business and operational challenges for customers who ultimately bear the risk of cyber security incidents.

Is more regulation the answer?

For these reasons, it’s likely that organisations will see greater levels of government intervention during coming years. Potential steps that could be taken include the provision of enhanced advice and guidance around security measures.

Governments could improve business access to skilled workers through migration policies as well as to the right products and services to manage risk. Governments could also work more closely with leading vendors in the security sector to prioritise supply-chain risk management across the national economy.

Because better regulation is often cited as a need by industry stakeholders, Australian governments are considering plans to ensure CSPs comply with best-practice frameworks in order to drive up baseline security.

Responsibility needs to be shared

While government action would be welcomed by the broader business community, it is unlikely to solve all of the cloud supply chain security issues that exist. It’s crucial to remember that there is a shared responsibility model in which CSPs are responsible for securing their lower-level infrastructure, but not what runs on it.

This means customers must protect their own data, applications and operating systems. For this reason, it is incorrect to think that purchasing cloud or managed services allows businesses to conveniently outsource their cyber security risks.

Cloud misconfigurations are a great example of what can happen when organisations forget their role in this shared responsibility model. Industry research has shown that many data breaches are due to misconfigured cloud servers and other config errors. This is particularly worrying when threat actors are becoming adept at scanning for and rapidly exploiting exposed systems.

Proactivity is key

The bottom line is that all organisations must be proactive in securing their supply chains – including cloud infrastructure – if they’re serious about minimising their overall cyber risk. There are some key steps that should be taken, and these include:

• Identify: Organisations should conduct rigorous cloud asset discovery exercises to determine what resources are being used and by whom.
• Classify: Once identified, the assets and data flows should be classified according to appropriate associated risk appetite.
• Deploy: When risk levels are understood, a range of security controls should be deployed including cloud-compatible web application firewalls, cloud firewalls, and SD-WAN and VPN tools to secure branch-to-cloud traffic. It’s also worth considering the deployment of a zero-trust strategy to further mitigate cloud risk.

For businesses of all sizes, CSPs will remain among the most critical supply-chain partners, however, it is dangerous to assume they will protect everything. It’s up to each organisation to take the steps necessary to ensure their cloud-based applications, network links and data are as secure as they can possibly be at all times.

Mark Lukie is the APAC sales engineer manager at Barracuda.