
Cloud Services Bill of Materials: An Idea Whose Time Has Come

Written by Shea Nangle for the HanaByte blog

What Is A CSBOM?

A Cloud Services Bill Of Materials (CSBOM) is a comprehensive listing of each cloud-based asset utilized by a service that you run. For instance, if your company has a SaaS offering, it is very likely that the offering depends on a number of services provided by one or more cloud providers. In many cases, a sizable proportion of the offering's functionality may be provided by services run by cloud providers. A CSBOM lists each instance of a service used by your offering, along with information beyond that of a basic inventory. The information contained in a CSBOM can include items such as, but not limited to, the following:

  • Instance identifier
  • Instance purpose
  • Instance dependencies
  • Instance supplier

The CSBOM concept was inspired by, and borrows from, the great work that has been done with the Software Bill Of Materials (SBOM).

Why Do We Need CSBOMs?

Risk Management

A properly maintained CSBOM can facilitate good risk management practices and decisions in cloud environments. One prominent example is that with a CSBOM, you can quickly determine the impact of an outage in a particular cloud service, which allows for more objective decisions regarding business continuity planning. In a similar vein, if a vulnerability is discovered in a cloud service that you use, an up-to-date CSBOM can help you quickly determine the impact on your offering if the vulnerability is exploited.

Cloud Spend

With an up-to-date CSBOM, there is a clearer picture of which cloud services are in use. Especially in highly complex cloud environments, it can be difficult to keep track of the instances of services that are in use and what they are being used for, which can lead to suboptimal spending on cloud services. With a CSBOM, you know every instance of a cloud service in use as well as the purpose of each instance. This makes it easier to identify instances and/or services that may not be needed, and can help to determine whether more economical services could be used instead.
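To make the risk management and cloud spend use cases concrete, here is an added example (not code from the HanaByte post, which describes no tooling) of a minimal CSBOM model built from the four data elements listed above. It constructs a made-up inventory for a small SaaS offering, validates it, walks the dependency graph to find every instance affected if a supplier's service becomes unavailable, and lists instances that nothing depends on as candidates for a spend review. The `customer_facing` field, the `provider:service` supplier naming, and all identifiers are assumptions of this example, not part of any CSBOM standard.

```python
"""Toy CSBOM model with outage-impact and unused-instance analysis (added example)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CsbomEntry:
    """One CSBOM record carrying the four data elements the post lists."""
    instance_id: str               # instance identifier
    purpose: str                   # instance purpose
    supplier: str                  # instance supplier, written "<provider>:<service>" (assumed convention)
    depends_on: tuple = ()         # instance dependencies, by instance identifier
    customer_facing: bool = False  # assumed extra field: instance is exposed directly to customers


# Constructed sample inventory; every identifier and supplier here is made up for illustration.
SAMPLE_CSBOM = (
    CsbomEntry("web-frontend", "public web tier", "aws:ec2", ("api-gateway",), customer_facing=True),
    CsbomEntry("api-gateway", "REST API for the SaaS offering", "aws:apigateway", ("orders-db", "object-store")),
    CsbomEntry("orders-db", "orders database", "aws:rds"),
    CsbomEntry("object-store", "customer report storage", "aws:s3"),
    CsbomEntry("legacy-cache", "cache for a retired feature", "aws:elasticache"),
)


def validate(csbom):
    """Return a list of inventory problems: duplicate identifiers or dependencies on unknown instances.

    A CSBOM with dangling dependencies under-reports impact, so check before analysing.
    """
    problems = []
    ids = [entry.instance_id for entry in csbom]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        problems.append(f"duplicate instance identifier: {dup}")
    known = set(ids)
    for entry in csbom:
        for dep in entry.depends_on:
            if dep not in known:
                problems.append(f"{entry.instance_id} depends on unknown instance {dep}")
    return problems


def reverse_dependencies(csbom):
    """Map each instance identifier to the set of identifiers that depend on it."""
    dependents = {entry.instance_id: set() for entry in csbom}
    for entry in csbom:
        for dep in entry.depends_on:
            dependents[dep].add(entry.instance_id)
    return dependents


def impacted_by_supplier(csbom, supplier):
    """Instances affected, directly or transitively, if every instance from `supplier` is unavailable.

    Starts from the instances that supplier provides and follows reverse dependencies breadth-first,
    so the result is the blast radius of an outage (or an exploited vulnerability) in that service.
    """
    dependents = reverse_dependencies(csbom)
    queue = deque(entry.instance_id for entry in csbom if entry.supplier == supplier)
    impacted = set()
    while queue:
        inst = queue.popleft()
        if inst in impacted:
            continue
        impacted.add(inst)
        queue.extend(dependents[inst])
    return impacted


def unreferenced_instances(csbom):
    """Instances that nothing depends on and that are not customer facing: spend-review candidates."""
    dependents = reverse_dependencies(csbom)
    return sorted(entry.instance_id for entry in csbom
                  if not dependents[entry.instance_id] and not entry.customer_facing)


if __name__ == "__main__":
    assert not validate(SAMPLE_CSBOM), validate(SAMPLE_CSBOM)
    for supplier in sorted({entry.supplier for entry in SAMPLE_CSBOM}):
        print(f"outage of {supplier:16} impacts {sorted(impacted_by_supplier(SAMPLE_CSBOM, supplier))}")
    print("spend-review candidates:", unreferenced_instances(SAMPLE_CSBOM))
```

Running the script shows that an outage of the made-up `aws:rds` instance reaches the customer-facing web tier through the API gateway, while `legacy-cache` is the only instance with no dependents, which is exactly the kind of instance the spend discussion above says is easy to lose track of without an inventory.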

Lift And Shift

If you’ve been around for a while like me, you’ll remember that in the early days of cloud adoption, every cloud provider talked about how adopting the cloud would make lift and shift seamless and easy (“Want to change cloud providers? NO PROBLEM, just lift and shift everything from your current cloud provider to us. It’s easy!”). While perceptions regarding migrating cloud environments are now more realistic, the difficulty of moving environments has increased as cloud environments have become more complicated. A well-developed CSBOM can help to reduce the difficulty involved in lifting and shifting an environment (or deploying in a new environment for purposes such as multi-cloud redundancy). With the data from a CSBOM, you can more easily identify similar services provided by other cloud providers and use that information to better plan your deployment to a new cloud provider’s environment.

What Do We Need To Do?

At this point, the CSBOM concept is pretty much just that – a concept. Work needs to be done to develop CSBOM standards, including which data elements should be included in a CSBOM. Once standards are developed, tools will need to be built for tasks such as asset discovery, CSBOM construction and maintenance, and reporting. At this time, the best thing to be done is to organize working groups to begin building out the CSBOM standards. If you would like to participate, please reach out to me!

For those in the Atlanta area, I will be running a Cloud Services Bill of Materials workshop at the 2024 ISACA Atlanta Cybersecurity Conference in October – please join me if you are attending!
