Cloud Security Principle 8: Supply chain security

Serviceteam IT Security News

Cloud services often rely upon third party products and services. Consequently, if this principle is not implemented, supply chain compromise can undermine the security of the service and affect the implementation of other security principles.

Goals

You understand and accept:

  • How your information is shared with, or accessible to, third party suppliers and their supply chains.
  • How the service provider’s procurement processes place security requirements on third party suppliers.
  • How the service provider manages security risks from third party suppliers.
  • How the service provider manages the conformance of their suppliers with security requirements.
  • How the service provider verifies that hardware and software used in the service is genuine and has not been tampered with.

Implementation – Supply chain security

Approach

Description

Guidance

Commitments

The service provider reassures you that the security controls which are important to you are transited through their supply chain

In this scenario you will need to carry out your own assessment of whether the controls in place are appropriate.

Assessed through application of appropriate standard

Security controls are implemented in the supply chain through the application of a relevant standard.

A number of security standards with supporting certification mechanisms exist. These include: 
ISO/IEC 27001 
ISO/PAS 28000:2007

It is advisable to check that any certification has been performed by an appropriately independent and recognised party and that the scope of the assessment included the supply chain aspects required.

Additional notes – Layered services

Cloud services are often built on top of third party IaaS or PaaS products. This is a valuable opportunity to reuse trusted components, but it’s important to identify which party is responsible for implementing which security functions.

These layered services may result in a more complex situation when it comes to understanding separation. For example, a community SaaS may separate different users with application software controls. However, it may have been built on top of a public cloud IaaS offering, where the separation controls are implemented in the hypervisor. Thus the actual controls may be different in practice to what they first appear.

If your application or data is particularly sensitive, you will need to consider the entire underlying stack of services as part of any security assessment. It will be difficult to gain a high degree of confidence in the security of any service built on foundations you do notunderstand.

< last principle   next principle >

Source: NCSC

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

/by
You might also like
Serviceteam IT Security News CyberUK 2017: People – The Strongest Link
Serviceteam IT Security News Password Breaches Fueling Booming Credential Stuffing Business
Serviceteam IT Security News Bulk Data: 1-3 What are you protecting?
Serviceteam IT Security News Imgur Confirms 2014 Breach of 1.7 Million User Accounts
Serviceteam IT Security News Users of biggest NFT marketplace warned over phishing after data leak
Serviceteam IT Security News Football Australia data leak exposes players’ contracts, fans’ personal details