How we’re helping to reshape the software supply chain ecosystem securely
As the year comes to an end, disclosures continue to emerge about the attack that compromised SolarWinds and, through its software, several other organizations. Attacks of this kind affect everyone, from governments to industry to private individuals. We work around the clock to deliver secure software to our users and customers. Based on what is known about the SolarWinds incident so far, we are confident that none of our systems were affected: the compromised software and services are used only in a restricted, contained manner, our approach to supply chain risk keeps that use minimal and isolated, and extensive monitoring strengthens those controls.
Our first goal is to continue protecting our customers and the industry. This includes the security best practices we employ and the investments we make to secure software source code, as well as specific initiatives to apply security technology wisely in the design of our products and to build a trusted, secure cloud ecosystem.
To secure the software products and services we offer our cloud customers, we have to minimize possible security threats, however small, to our employees and systems. To that end we have modernized our systems to withstand attacks even at scale. For example, we adopted BeyondCorp, a zero-trust access model that lets our employees work securely from anywhere; hardware security keys have effectively eliminated password phishing attacks against our employees; and Chrome OS was designed from the start to be more robust against malware.
By investing in the education of our staff, we are well equipped to handle emerging threats, including those to the security of our own software supply chain. These topics are among those covered in our book, Building Secure and Reliable Systems.
Reshaping the ecosystem
In the long term, the broader ecosystem must rethink its defenses against supply chain attacks. Software development teams should adopt tamper-evident practices, together with techniques that let third parties verify and discover what was built and from what. We have also published architectural guidance for building a tamper-evident package manager, and for developers the project offers an open-source verifiable log on which such a package manager can be built.
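To make concrete what a verifiable log gives a package manager, here is an added example (my own code, not the project's log implementation and not code from the original post): an append-only Merkle log with RFC 6962 leaf and node hashing, plus the inclusion proof a client checks against a published root. The package names are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Leaf and interior hashes use different prefixes (RFC 6962) so that an interior node can never be passed off as a leaf, or vice versa.
const leafPrefix, nodePrefix byte = 0x00, 0x01

func hashWith(prefix byte, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte{prefix})
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}
func hashLeaf(entry []byte) []byte       { return hashWith(leafPrefix, entry) }
func hashNode(left, right []byte) []byte { return hashWith(nodePrefix, left, right) }

// largestPowerOfTwoBelow returns the largest power of two strictly less than n (n >= 2).
func largestPowerOfTwoBelow(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

func rootOf(leaves [][]byte) []byte {
	if len(leaves) == 0 {
		return sha256.New().Sum(nil) // hash of the empty string
	}
	if len(leaves) == 1 {
		return leaves[0]
	}
	k := largestPowerOfTwoBelow(len(leaves))
	return hashNode(rootOf(leaves[:k]), rootOf(leaves[k:]))
}

// proofOf returns the sibling hashes needed to recompute the root from leaf i.
func proofOf(leaves [][]byte, i int) [][]byte {
	if len(leaves) <= 1 {
		return nil
	}
	k := largestPowerOfTwoBelow(len(leaves))
	if i < k {
		return append(proofOf(leaves[:k], i), rootOf(leaves[k:]))
	}
	return append(proofOf(leaves[k:], i-k), rootOf(leaves[:k]))
}

// Log is append-only: entries are added at the end and never rewritten.
type Log struct{ leaves [][]byte }

// Append records an entry (say, a package digest) and returns its index.
func (l *Log) Append(entry []byte) int {
	l.leaves = append(l.leaves, hashLeaf(entry))
	return len(l.leaves) - 1
}
func (l *Log) Size() int                     { return len(l.leaves) }
func (l *Log) Root() []byte                  { return rootOf(l.leaves) }
func (l *Log) InclusionProof(i int) [][]byte { return proofOf(l.leaves, i) }

// VerifyInclusion is what a client runs with only the entry, its index, the tree
// size, the proof and the root it trusts (algorithm from RFC 9162, section 2.1.3.2).
func VerifyInclusion(entry []byte, index, treeSize int, proof [][]byte, root []byte) bool {
	if index < 0 || index >= treeSize {
		return false
	}
	fn, sn := index, treeSize-1
	r := hashLeaf(entry)
	for _, p := range proof {
		if sn == 0 {
			return false // more proof elements than the tree size allows
		}
		if fn&1 == 1 || fn == sn {
			r = hashNode(p, r) // we are the right child at this level
			for fn&1 == 0 && fn != 0 {
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = hashNode(r, p) // we are the left child at this level
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

func main() {
	tl := &Log{} // constructed entries standing in for package release digests
	for _, e := range []string{"libfoo@1.2.0", "libfoo@1.2.1", "libbar@0.9.0", "libbaz@3.0.0", "libfoo@1.3.0"} {
		tl.Append([]byte(e))
	}
	root, proof := tl.Root(), tl.InclusionProof(3)
	fmt.Println("libbaz@3.0.0 in log:", VerifyInclusion([]byte("libbaz@3.0.0"), 3, tl.Size(), proof, root))
	fmt.Println("libbaz@3.0.1 in log:", VerifyInclusion([]byte("libbaz@3.0.1"), 3, tl.Size(), proof, root))
}
```

The tamper-evidence comes from the root: a client that pins a root it has seen can detect any substituted entry, because the proof for that index no longer recomputes it, and every append changes the root, so an operator cannot quietly rewrite history without publishing a new root that others can compare.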
Another area worth considering is limiting exposure to attacks by using system architectures that isolate potentially compromised software components. There are many examples of application isolation techniques, such as containerization, that can restrict the blast radius of malicious software. If any part of the upstream supply chain is breached, these isolation mechanisms serve as a final line of defense, denying attackers their objectives.
The software supply chain reflects the ties between firms, and the whole is more significant than the sum of its parts. We need to work as an industry to improve how software components are produced.
One illustration of such collaboration is the Open Source Security Foundation (OpenSSF), which Google co-founded in 2020 to address supply chain security problems in open-source software and to promote security awareness and best practices. We also help businesses with supply chain strategies and supply chain risk management. The current software supply chain ecosystem needs a reboot, and that is only possible through industry-wide collaboration.
Pushing the software ecosystem forward
Although software supply chain attacks have been recorded for years, each new attempt presents fresh challenges. The seriousness of the SolarWinds incident is deeply troubling, but it also highlights the opportunity for government, industry, and other stakeholders to collaborate on best practices and to build technology that improves the software development process. We will continue to collaborate with these stakeholders and to apply what we learn to make these improvements.
Our binary authorization whitepaper describes how we verify that software was built and signed in an independent, controlled build environment before it is deployed. The checks range from confirming that the code was properly reviewed to verifying that the required tests were run. Deployment controls are tiered by the sensitivity of the code: a binary is allowed to run only if it satisfies the rules and policies, and passes the checks and tests, required for its tier.
This is a vital control for preventing a malicious insider or an external attacker from planting malicious software on our servers. Binary Authorization is also offered as a Google Cloud service that lets customers define and enforce production deployment policies based on the authenticity and integrity of their code.
Independent verification: every code change is reviewed by at least one person other than its author. Administrative actions are similarly sensitive and require additional human approval. We do this to prevent unexpected changes, whether they are mistakes or malicious tampering.
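As an added example serving both the binary authorization description and the independent-verification rule above (my own code, not the whitepaper's system and not the Google Cloud service): a deployment gate that admits an artifact only when a trusted build key signed an attestation for exactly that artifact's digest, the required tests passed, and the change was approved by someone other than its author. The attestation fields, builder names and policy tiers are hypothetical and the artifact bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Attestation is the statement a build system signs about one artifact. The
// field set is hypothetical; it covers the checks the text describes.
type Attestation struct {
	ArtifactDigest string   `json:"artifact_digest"` // sha256 of the binary or image
	BuilderID      string   `json:"builder_id"`      // build environment that produced it
	Author         string   `json:"author"`          // who wrote the change
	Reviewers      []string `json:"reviewers"`       // who approved it
	TestsPassed    bool     `json:"tests_passed"`
}

// SignedAttestation travels with the artifact to the deployment gate.
type SignedAttestation struct {
	Payload   []byte // JSON-encoded Attestation
	Signature []byte // Ed25519 signature over Payload
	KeyID     string // which builder key signed; looked up in the policy
}

// Policy is the rule set for one deployment tier; production requires review and tests.
type Policy struct {
	trustedBuilders map[string]ed25519.PublicKey
	RequireReview   bool
	MinReviewers    int
	RequireTests    bool
}

func NewPolicy(requireReview bool, minReviewers int, requireTests bool) *Policy {
	return &Policy{map[string]ed25519.PublicKey{}, requireReview, minReviewers, requireTests}
}

// Trust registers the verification key of a build environment.
func (p *Policy) Trust(builderID string, pub ed25519.PublicKey) { p.trustedBuilders[builderID] = pub }

// NewBuilderKey generates a builder signing key pair (in practice kept in an HSM).
func NewBuilderKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// ArtifactDigest is computed by the deployer itself over the bytes it will run.
func ArtifactDigest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Sign runs inside the build system, never on a developer workstation.
func Sign(priv ed25519.PrivateKey, a Attestation) (SignedAttestation, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{payload, ed25519.Sign(priv, payload), a.BuilderID}, nil
}

// Admit is the deployment-time gate: it reports whether the artifact may run
// and, if not, the first rule that blocked it.
func (p *Policy) Admit(artifactDigest string, sa SignedAttestation) (bool, string) {
	pub, ok := p.trustedBuilders[sa.KeyID]
	if !ok || !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return false, "not signed by a trusted builder key"
	}
	var a Attestation
	if err := json.Unmarshal(sa.Payload, &a); err != nil || a.BuilderID != sa.KeyID {
		return false, "malformed attestation or builder id does not match signing key"
	}
	if a.ArtifactDigest != artifactDigest {
		return false, "attestation is for a different artifact"
	}
	if p.RequireTests && !a.TestsPassed {
		return false, "required tests did not pass"
	}
	independent := map[string]bool{} // distinct reviewers other than the author
	for _, r := range a.Reviewers {
		if r != a.Author {
			independent[r] = true
		}
	}
	if p.RequireReview && len(independent) < p.MinReviewers {
		return false, fmt.Sprintf("needs %d reviewer(s) other than the author", p.MinReviewers)
	}
	return true, "all policy checks passed"
}

func main() {
	prod := NewPolicy(true, 1, true) // constructed production-tier policy
	pub, priv := NewBuilderKey()
	prod.Trust("ci-builder", pub)
	digest := ArtifactDigest([]byte("constructed release binary"))
	att := Attestation{digest, "ci-builder", "alice", []string{"bob"}, true}
	signed, _ := Sign(priv, att)
	fmt.Println(prod.Admit(digest, signed))
}
```

The deployer never trusts the attestation's own claims on their own: it recomputes the digest over the bytes it is about to run, resolves the signing key through its own policy rather than through anything in the payload, and refuses a builder name that does not match the key that signed. A less sensitive tier is the same gate with `RequireReview` and `RequireTests` turned off, which is how controls are scaled to the sensitivity of the code.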