Supply chain management is a big concern: organizations have invested heavily in recent years to protect their key assets, resources, and intellectual property, and changes to these practices present challenges and complexities.
With the supply chain adjusting to include CSPs, security truly is only as good as the weakest link.
Of late, many sizable and well-renowned entities and bodies have been breached and suffered compromises of security due to the extension and inclusion of new entities within their supply chain.
Given that many of these are published widely (tenders, awards of contracts, case studies, reference sites, and so on), it makes the supply chain a real and widely targeted threat vector in the security landscape.
How does the cloud change this? In truth, change is not the best term here. The question is whether the cloud increases or reduces risk.
This varies for every organization based on their cloud footprint, the length and breadth of cloud use, and the assets and scope of operations.
If you use a single CSP as opposed to multiple vendors, this may well form a reduction in risk (not discounting other factors), whereas the migration of high-value information assets to another provider (with unknown levels of security and assurance) may well constitute an increase in risk and reliance.
Fundamentally, organizations lack clarity, understanding, and awareness of where their suppliers will have dependencies or reliances on third, fourth, or fifth parties.
If your provider relies on a single storage provider whose factory, which manufactures 80 percent of its storage devices, is damaged by floods or a natural disaster, that event may affect your organization and its ability to continue to provide business operations.
This is a single example of how the supply chain presents risks with which the Certified Cloud Security Professional must be prepared to contend.
What Are the Cloud Computing Supply Chain Risks?
When looking at supply chain risk, you should take a BCDR mindset and viewpoint.
- You should obtain regular updates of a clear and concise listing of all dependencies and reliance on third parties, coupled with the key suppliers.
- Where single points of failure exist, these should be challenged and acted upon to reduce outages and disruptions to business processes.
- Organizations need a way to quickly prioritize hundreds or thousands of contracts to determine which of them, and which of their suppliers’ suppliers, pose a potential risk.
Based on these documented third parties, organizations should perform a risk review to identify, categorize, and determine the current exposure or overall risk ratings versus corporate policies and determine how these risks will be acted upon.
Engagement with key suppliers is crucial at this point, as is ensuring that contracts cover such risks or provide a right-to-audit clause to ascertain and measure relevant risks.
As with risk management, you can take several actions to avoid, reduce, transfer, or accept the risk related to cloud computing.
The by-product of such an assessment enables the organization to understand supply chain risks, identify assurances or actions required, and work with vendor management to manage appropriate cloud and supply chain risks.
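One way to operationalize the dependency listing, single-point-of-failure check, and contract prioritization described above (and the fourth- and fifth-party exposure illustrated by the storage factory example), as an added Python example that is not part of this text or of any framework it cites; the supply chain data and supplier names are constructed:

```python
from collections import deque

# Constructed sample supply chain (not a real supplier list). Each node maps a capability
# it needs to the providers that can deliver it; one provider means a SPOF for that node.
SUPPLY_CHAIN = {
    "my_org": {"compute": ["csp_a"], "hr_platform": ["hr_saas"], "email": ["mail_a", "mail_b"]},
    "csp_a": {"storage": ["storage_vendor"], "power": ["util_east", "util_west"]},
    "hr_saas": {"hosting": ["csp_a"]},
    "mail_a": {"hosting": ["csp_a"]},
    "mail_b": {"hosting": ["csp_b"]},
    "storage_vendor": {"disks": ["disk_factory"]},  # a single factory makes the disks
}

def tiers(chain, org):
    """Breadth-first walk from org: tier 1 = third party, 2 = fourth, 3 = fifth."""
    tier, queue = {org: 0}, deque([org])
    while queue:
        node = queue.popleft()
        for providers in chain.get(node, {}).values():
            for p in providers:
                if p not in tier:
                    tier[p] = tier[node] + 1
                    queue.append(p)
    del tier[org]
    return tier

def is_up(chain, node, failed, memo=None):
    """Up = not failed and every needed capability keeps >= 1 working provider."""
    memo = {} if memo is None else memo
    if node in failed:
        return False
    if node not in memo:
        memo[node] = True  # provisional value guards against cyclic dependencies
        memo[node] = all(any(is_up(chain, p, failed, memo) for p in provs)
                         for provs in chain.get(node, {}).values())
    return memo[node]

def blast_radius(chain, org, supplier):
    """Org capabilities lost if this nth-party supplier suffers an outage."""
    return sorted(cap for cap, provs in chain[org].items()
                  if not any(is_up(chain, p, {supplier}) for p in provs))

def single_points_of_failure(chain):
    """Every (node, capability, sole provider) triple in the chain."""
    return sorted((node, cap, provs[0]) for node, caps in chain.items()
                  for cap, provs in caps.items() if len(provs) == 1)

def prioritize(chain, org):
    """Rank contracts: widest blast radius first, then nearest tier, then name."""
    ranked = [(s, t, blast_radius(chain, org, s)) for s, t in tiers(chain, org).items()]
    return sorted(ranked, key=lambda r: (-len(r[2]), r[1], r[0]))
```

In the constructed data the fifth-party disk factory takes down two of the organization's three capabilities, so it ranks immediately behind the CSP itself even though no contract with it exists.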
One resource that the Certified Cloud Security Professional should consider for supply chain risk is NIST SP 800-161.
The “Supply Chain Risk Management Practices for Federal Information Systems and Organizations” document, although not focused on cloud environments per se, can help form a baseline of best practices for the organization.
A useful resource for assisting with supply chain reviews is the CSA CCM.
Note that not all risks may be captured as part of the CCM, dependent on your organization, its focus, and its industry.
The CCM is designed to provide guidance for cloud vendors and to assist cloud customers with assessing the overall security risk of a CSP.
The CSA CCM provides a framework of controls that offers guidance in 13 domains.
It offers a ready reference that incorporates other industry-accepted security regulations, standards, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, NIST, PCI, Jericho Forum, and NERC CIP.
The CSA CCM framework gives organizations the necessary structure relating to information security tailored to the cloud industry.
The ISO 28000:2007 Supply Chain Standard
In line with previous standards and advice to utilize established and measurable frameworks, supply chain standards for the measurement of security and resilience continue to emerge and gain traction.
Of particular focus is ISO 28000:2007 (formerly the Publicly Available Specification (PAS) 28000:2005).
In line with other ISO security-related management systems, it focuses on the use of PDCA as a lifecycle of continual improvement and enhancement.
Other ISO standards that utilize the PDCA model heavily include ISO 27001:2013, ISO 9001, and ISO 14000. in and implementation of controls to protect its people, products, and property (assets).
It can be adopted by organizations both large and small, with a reliance or risk exposure related to supply chains.
In the world of cloud computing and global computing, that means just about every one of us. Because ISO 28000:2007 defines a set of security management requirements, the onus is on the organization to establish a security management system (SMS) that meets the standard’s requirements.
The SMS should then focus on the identification and subsequent risk-reduction techniques associated with the intentional or unintentional disruptions to relevant supply chains.
Organizations can choose to obtain independent certification against ISO 28000:2007 or can conform to the listed requirements.
Supply chain management certification by a third party or recognized certification body requires a review of the following elements:
- Security management policy
- Organizational objectives
- Risk-management programs and practices
- Documented practices and records
- Supplier relationships
- Roles, responsibilities, and relevant authorities
- Use of PDCA
- Organizational procedures and related processes
Given its relatively short lifecycle as an established ISO standard, the uptake in terms of organizations implementing ISO 28000:2007 through to certification has been limited.
With the increased awareness and heightened queries from cloud customers related to key dependencies, ISO 28000:2007 looks to continue to grow in terms of adoption.