Everything’s a Supply Chain — Securing the Delivery of Infrastructure in the Cloud
There has been a lot of dialogue concerning “supply chain attacks” recently, especially after the SolarWinds incident thrust them to the forefront. When “supply chains” are discussed, most analysis tends to focus on the software supply chain — build systems, dependencies, libraries, and other components of the software package that can lead to unintended code execution.
In fact, this is believed to have been part of what happened with SolarWinds: an unexpected piece of code was added to the software early enough in the build process that the final binary was still signed by SolarWinds itself.
But in cloud-based software delivery models, the supply chain encompasses not only the delivery of software, but the delivery of the surrounding infrastructure components as well. Consider a modern cloud-based SaaS application. It may have tens or even hundreds of moving pieces, each responsible for delivering part of the complete infrastructure solution: the software build components, shared or imported instance images, infrastructure-as-code templates, storage buckets, and scores of other proprietary cloud services that combine to deliver the application and its underlying infrastructure to end users.
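As an added example (not the author's code), the following Python audits two of the infrastructure components named above: it flags infrastructure-as-code module sources that are not pinned to an immutable reference, and instance image IDs that are not on a reviewed allowlist. The Terraform snippet, hostnames, commit hash and image IDs are all constructed for illustration.

```python
import re

# Constructed Terraform sample (not from the article): one module pinned to a commit,
# one tracking a branch, one on a floating version constraint, and one image reference.
SAMPLE_TF = '''
module "vpc" {
  source = "git::https://example.invalid/infra/vpc.git?ref=9f2c4e1b7a3d5c6e8f0a1b2c3d4e5f6a7b8c9d0e"
}
module "queue" {
  source = "git::https://example.invalid/infra/queue.git?ref=main"
}
module "registry" {
  source  = "example.invalid/org/registry/aws"
  version = "~> 2.0"
}
resource "aws_instance" "web" {
  ami = "ami-0123456789abcdef0"
}
'''

MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\}', re.DOTALL)
SOURCE_RE = re.compile(r'source\s*=\s*"([^"]+)"')
VERSION_RE = re.compile(r'version\s*=\s*"([^"]+)"')
AMI_RE = re.compile(r'\bami\s*=\s*"(ami-[0-9a-f]+)"')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def classify_source(source, version=None):
    """Return 'pinned' only when the module resolves to one immutable artifact."""
    if source.startswith("git::"):
        ref = re.search(r'[?&]ref=([^&]+)', source)
        if ref is None:
            return "floating: no ref, tracks the default branch"
        if SHA_RE.match(ref.group(1)):
            return "pinned"
        return f"floating: ref={ref.group(1)} can be rewritten upstream"
    # Registry-style source: only an exact version selects a single release.
    if version is None:
        return "floating: no version constraint"
    if re.fullmatch(r'\d+\.\d+\.\d+', version):
        return "pinned"
    return f"floating: constraint {version!r} resolves to the newest match"

def audit_modules(hcl):
    """Map each module block to a pinning verdict."""
    findings = {}
    for name, body in MODULE_RE.findall(hcl):
        source, version = SOURCE_RE.search(body), VERSION_RE.search(body)
        findings[name] = ("missing source" if source is None else
                          classify_source(source.group(1), version.group(1) if version else None))
    return findings

def audit_images(hcl, allowlist):
    """Image IDs referenced by the template that are absent from the reviewed allowlist."""
    return [ami for ami in AMI_RE.findall(hcl) if ami not in allowlist]

if __name__ == "__main__":
    for name, verdict in audit_modules(SAMPLE_TF).items():
        print(f"module {name}: {verdict}")
    print("unreviewed images:", audit_images(SAMPLE_TF, {"ami-0fedcba9876543210"}))
```

The same pass fits naturally into a CI step that runs before `terraform plan`, so a template cannot reach deployment while any module or image it pulls in is unpinned or unreviewed.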