Key considerations for software supply chain security in the cloud

A joint report from PwC and Microsoft

New opportunities bring new risks

Over the past few years, organizations have migrated their software supply chain operations to the cloud. In doing so, they face cybersecurity risks across various stages of the Software Supply Chain (SSC) lifecycle and are seeking cybersecurity best practices and frameworks.

Cloud-based SSCs bring specific benefits to the table, but they also carry risks. Managing these risks will require a pragmatic approach to end-to-end cybersecurity.

A cloud-based SSC provides many advantages over a traditional supply chain. Cloud computing offers scalability and elasticity, immutable infrastructure, and API-driven infrastructure as code (IaC). A cloud-based SSC can also simplify operations, consolidate distribution and shift a significant share of operational work and risk to the cloud provider. Under the shared responsibility model, however, the organization still owns the security of its own code, configurations and identities.

Holistic cybersecurity for a cloud-based software supply chain

Ensuring the cybersecurity and business continuity of SSCs is crucial to businesses, government agencies and individuals around the world. Yet many organizations are unable to fend off today’s sophisticated cybercriminals. It’s a type of risk that can affect organizations of all sizes and verticals, private and public.

Moving software development to the cloud can help yield a variety of other benefits, including:

Pace and adaptability

Integrated systems allow third parties and engineers to swiftly access workloads and data, and more flexibly respond to engineering changes.

Collaboration and integration

A cloud-enabled SSC lets data move easily between workstreams and supports continuous integration/continuous delivery (CI/CD) pipelines.

Resilience

Cloud computing offers high availability and fault tolerance, easing concerns about local outages that can disrupt software development workstreams.

Cost efficiencies

A cloud-based SSC removes the burden of managing and maintaining physical systems within the supply chain, and dynamic cost management platforms let spending track actual usage.

Increased security visibility

Advanced logging and threat-monitoring capabilities help improve auditability and accountability of actions performed in a cloud environment.

Key vulnerabilities and threat vectors of cloud-enabled SSCs

  • Coding and design defects embedded during the engineering lifecycle 
  • Weak or inconsistent configurations of the operating environments
  • Inadequately defined security requirements by an organization that is developing or acquiring the software
  • Logistics failures in the secure transport of software from supplier to acquirer
  • Poorly executed operational maintenance, such as inadequate patch management 
  • Lack of controls for secure destruction of information during the disposal phase

Microsoft solutions can help secure your software supply chain

Microsoft has developed a wide range of guidance and solutions that support a multi-layered approach customers can apply to their own architecture. Two Microsoft solutions that PwC may leverage to monitor security across the software supply chain architecture are:

Microsoft Defender for Cloud - Monitors and protects workloads across multiple cloud environments and on-premises. It audits configurations against standards and policies, and raises recommendations and alerts when it finds a risky misconfiguration or detects a threat.

Microsoft Sentinel - Connects to Microsoft Defender for Cloud and integrates with the other security systems already deployed to monitor and protect the software supply chain, so that alerting and response across the environment are handled in one place.

Contact us

Joe Dubbs

Principal, Cybersecurity & Privacy, PwC US

Husam Brohi

Principal, Cybersecurity & Privacy, PwC US

Shirish Munshi

Director, Cybersecurity & Privacy, PwC US