Cloud security principles – Supply Chain Security

In our ongoing series of blog posts looking at the National Cyber Security Centre’s 14 Cloud Security Principles, we will be looking at supply chain security.

The cloud service provider you choose should ensure that its supply chain satisfactorily supports all of the security principles which the service claims to implement.

Cloud services often rely upon third party products and services. Consequently, if this principle is not implemented, supply chain compromise can undermine the security of the service and affect the implementation of other security principles.

For whichever service you choose, you need to understand how:

  • Your information is shared with, or accessible to, third party suppliers and their supply chains.
  • The service provider’s procurement processes place security requirements on third party suppliers.
  • The service provider manages security risks from third party suppliers.
  • The service provider manages the conformance of their suppliers with security requirements.
  • The service provider verifies that hardware and software used in the service is genuine and has not been tampered with.

For supply chain security, there are 3 approaches that need to be considered.

Commitments

With this approach the service provider reassures you that the security controls which are important to you are passed down through their supply chain.

This effectively means that you will need to carry out your own assessment of whether the controls in place are appropriate.

Assessed through application of appropriate standard

Here security controls are implemented in the supply chain through the application of a relevant standard. A number of security standards with supporting certification mechanisms exist. These include: 

You should check that any certification has been performed by an appropriately independent and recognised party, and that the scope of the assessment included the supply chain aspects you require.

To read more about all the Cloud Security Principles – go here

Or, if you would like to talk about your cloud security and how we can help, please contact us.