Sign up for our newsletter! →

Cloud Services Bill of Materials: An Idea Whose Time Has Come

Written By
Shea Nangle for HanaByte blog on Bill of materials cybersecurity

What Is A CSBOM?

A Cloud Services Bill Of Materials (CSBOM) is a comprehensive listing of each cloud-based asset utilized by a service that you run. For instance, if your company has a SaaS offering, it is very likely that the offering is dependent on a number of services provided by one or more cloud providers. In many cases, a sizable proportion of functionality may be provided by services run by cloud providers. A CSBOM will list each of the instances of a service used by your offering, as well as information beyond that of a basic inventory. The information contained in a CSBOM can include items such as, but not limited to the following:

  • Instance identifier
  • Instance purpose
  • Instance dependencies
  • Instance supplier

The CSBOM concept was inspired by, and borrows from, the great work that has been done with the Software Bill Of Materials (SBOM).

Why Do We Need CSBOMs?

Risk Management

A properly maintained CSBOM can facilitate good risk management practices and decisions in cloud environments. One prominent example of this is that with a CSBOM, you know quickly the impact of an outage in a particular cloud service. This can allow for more objective decisions regarding business continuity planning. In a somewhat similar vein, with an up to date CSBOM, if a vulnerability is discovered in a cloud service that you use, a CSBOM can help to quickly determine the impact on your offering if the vulnerability is exploited.

Cloud Spend

With an up to date CSBOM, there is a clearer picture of what cloud services are in use. Especially in highly complex cloud environments, it can be difficult to keep track of instances of services that are in use and what they are being used for. This can lead to suboptimal spending on cloud services. With a CSBOM, you know all of the instances of cloud services in use as well as what the purpose of each instance is. This allows for easier determination of instances and/or services that may not be needed, and can help to identify if more economical services can be utilized.

Lift And Shift

If you’ve been around for a while like me, you’ll remember that in the early days of cloud adoption, every cloud provider talked about how adoption of the cloud would result in seamless and easy lift and shift (“Want to change cloud providers?  NO PROBLEM, just lift and shift everything from your current cloud provider to us. It’s easy!”). While perceptions regarding migrating cloud environments are now more realistic, the difficulty of moving environments has increased as cloud environments have become more complicated. A well-developed CSBOM can help to reduce the difficulty involved in lifting and shifting an environment (or deploying in a new environment for purposes such as multi-cloud redundancy). With the data from a CSBOM, you more easily identify similar services provided by other cloud providers and use that information to better plan your deployment to a new cloud provider’s environment.

What Do We Need To Do?

At this point, the CSBOM concept is pretty much just that – a concept. Work needs to be done to develop CSBOM standards for items such as what data elements should be included in a CSBOM. Once standards are developed, tools will need to be developed for items such as asset discovery, CSBOM construction and maintenance, and reporting. At this time, the best thing to be done is to organize working groups to begin building out the CSBOM standards. If you would like to participate, please reach out to me!

For those in the Atlanta area, I will be running a Cloud Services Bill of Materials workshop at the  2024 ISACA Atlanta Cybersecurity Conference in October – please join me if you are attending! 

Relevant Blogs

Steven blog art based on Salesforce interface.
Business

From Salesforce Recruitment to Cloud Security: A Business Development Manager’s Journey into AWS

The cloud industry is so fast-paced, with AWS at the forefront of providing scalable and flexible cloud solutions to businesses across various sectors. Although my experience with Salesforce has given me a strong foundation in understanding complex technical environments and client needs, AWS’s extensive service portfolio demands a deep dive into new concepts and capabilities…

Read More →
Landing zones by Jenny Tang
Compliance

What is a Landing Zone?

For most companies shifting to the cloud, the cloud environment and resources needed to set up numerous accounts is complex. The challenge grows when balancing efficiency with security–organizations want complete cloud environments as soon as possible without overlooking key elements such as establishing firewalls or access controls. Addressing this issue begins with a landing zone, a secured and well-architected multi-account cloud environment that acts as a starting point or template allowing organizations to quickly deploy users, accounts, and environments for business needs…

Read More →