Cloud Supply Chain Security Guide Published

Supply chain attacks have increased significantly. The guide now published by the German IT Security Association describes not only Software Bill of Materials (SBOM) but also other protective measures that user companies can take to improve cloud supply chain security.

In IT, the supply chain comprises all the sub-products and deliveries that together make up an IT service or application. For any kind of software, and for cloud services in particular, that chain consists of countless suppliers and products that are used directly or indirectly, or that contribute to building or running its parts, as the German IT Security Association (TeleTrust) writes. In the best case, the producer or supplier checks the components it uses directly for their security properties. The user, however, usually has no way either to determine whether an affected component is in use at all or to push for its vulnerabilities to be fixed, which TeleTrust calls an unacceptable state of affairs.

Provision of SBOM as market standard

The guide's answer to this lack of transparency is the Software Bill of Materials (SBOM): a list of all components contained in a software application. "As new findings emerge about flaws and vulnerabilities in these components, users can quickly determine if they may be affected and if the applications they use are at risk," TeleTrust points out. According to the guide, the provision of SBOMs by suppliers and operators of software and services is expected to become the market standard.
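
The matching step described above, as an added example that is not part of the TeleTrust guide or of this article: a Python script that parses a CycloneDX-style SBOM (a constructed sample, reduced to the fields the check needs) and matches its components against a constructed, simplified OSV-like vulnerability feed. It matches on the package URL (purl) rather than the bare package name, so a same-named package from another ecosystem does not produce a false positive, and it walks the SBOM's dependency graph to show through which direct dependency an affected transitive component is pulled in. The version comparison assumes purely numeric dotted versions; all package names, version numbers and vulnerability IDs are invented for illustration.

```python
"""Match a CycloneDX-style SBOM against vulnerability records.

Added example, not from the TeleTrust guide. The SBOM and the vulnerability
feed below are constructed for illustration; the matching logic assumes
purely numeric dotted versions (no pre-release tags or epochs).
"""
import json
import re

# Constructed CycloneDX-style SBOM (a subset of the real schema: components
# with package URLs, plus the dependency graph keyed by bom-ref).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"bom-ref": "app", "name": "billing-service", "version": "2.3.0",
     "purl": "pkg:generic/billing-service@2.3.0"},
    {"bom-ref": "web", "name": "webframework", "version": "4.1.2",
     "purl": "pkg:pypi/webframework@4.1.2"},
    {"bom-ref": "tpl", "name": "templatelib", "version": "1.9.7",
     "purl": "pkg:pypi/templatelib@1.9.7"},
    {"bom-ref": "yaml", "name": "yamlparser", "version": "5.3.1",
     "purl": "pkg:pypi/yamlparser@5.3.1"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web", "yaml"]},
    {"ref": "web", "dependsOn": ["tpl"]},
    {"ref": "tpl", "dependsOn": []},
    {"ref": "yaml", "dependsOn": []}
  ]
}
"""

# Constructed vulnerability records in a simplified OSV-like shape: a package
# identified by a versionless purl and [introduced, fixed) version ranges.
VULNS = [
    {"id": "EXAMPLE-2024-0001", "purl": "pkg:pypi/templatelib",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.9.8"}]},
    # Already fixed in the version the SBOM lists: must not be reported.
    {"id": "EXAMPLE-2024-0002", "purl": "pkg:pypi/yamlparser",
     "ranges": [{"introduced": "5.0.0", "fixed": "5.3.0"}]},
    # Same package name, different ecosystem: must not match the PyPI one.
    {"id": "EXAMPLE-2024-0003", "purl": "pkg:npm/templatelib",
     "ranges": [{"introduced": "0", "fixed": "99.0.0"}]},
]


def parse_version(version):
    """Numeric dotted version -> tuple for ordering (assumption: no tags)."""
    return tuple(int(part) for part in version.split("."))


def strip_version(purl):
    """'pkg:pypi/foo@1.2.3?arch=x86' -> 'pkg:pypi/foo' (drops version, qualifiers)."""
    return re.split(r"[@?#]", purl, maxsplit=1)[0]


def in_range(version, rng):
    """True if version lies in [introduced, fixed); an open range has no 'fixed'."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    return "fixed" not in rng or v < parse_version(rng["fixed"])


def dependency_paths(sbom, target_ref):
    """All paths root -> ... -> target_ref through the SBOM dependency graph."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depended_on = {child for children in graph.values() for child in children}
    roots = [ref for ref in graph if ref not in depended_on]
    paths = []

    def walk(node, path):
        if node == target_ref:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # guard against cyclic dependency data
                walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return paths


def affected_components(sbom, vulns):
    """Return [(bom-ref, vuln id, dependency paths)] for every matching component."""
    by_purl = {}
    for vuln in vulns:
        by_purl.setdefault(vuln["purl"], []).append(vuln)
    hits = []
    for comp in sbom["components"]:
        purl = comp.get("purl")
        if not purl:
            continue  # no purl: cannot be matched reliably, flag such SBOMs separately
        for vuln in by_purl.get(strip_version(purl), []):
            if any(in_range(comp["version"], r) for r in vuln["ranges"]):
                hits.append((comp["bom-ref"], vuln["id"],
                             dependency_paths(sbom, comp["bom-ref"])))
    return hits


def scan(sbom_json=SBOM_JSON, vulns=VULNS):
    """Parse the SBOM text and report affected components with their paths."""
    return affected_components(json.loads(sbom_json), vulns)


if __name__ == "__main__":
    for ref, vuln_id, paths in scan():
        print(f"{vuln_id}: component {ref} reachable via "
              + ", ".join(" -> ".join(p) for p in paths))
```

Run against the constructed data, the scan reports only the transitive templatelib dependency (reachable via billing-service -> webframework -> templatelib); the yamlparser record is ignored because the listed version is already past the fix, and the npm record never matches a PyPI purl. In practice the inline SBOM comes from the supplier and the feed from a real source such as OSV or the NVD; the two things worth checking before trusting the result are that every component in the SBOM actually carries a purl (components without one are skipped here, so an SBOM of bare names gives false confidence) and that the SBOM version matches the deployed release.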

Oliver Dehning, head of the TeleTrust "Cloud Security" working group: "Up-to-date software bills of materials (SBOMs) are the basis for more transparency in the cloud supply chain and thus for more security in the use of cloud services. Users can make a significant contribution to improving security in their cloud supply chain if they include the provision of SBOMs by providers in their catalog of requirements. Providers, in turn, should make this information available to their users, thus enabling active management of cybersecurity in the cloud as well."

The guide is available for download from TeleTrust.
