Great message by US Cybersecurity and Infrastructure Security Agency Director Jen Easterly. In an address to Carnegie Mellon University, she warned that Chinese hackers are too frequently going “unidentified and undeterred,” and that software companies aren’t doing enough to secure their products from cyberattacks.
It’s time to start thinking about security and governance from the beginning.
Guilty as Charged
Most software companies build functionality. Having started an authentication software company from scratch – out of the proverbial living room – I know a little about the “race to functionality”. That is what western IT companies do when building products – push themselves to meet the functional requirements of prospects, investors and analysts.
It’s happening every day in the living rooms, basements, and offices where the next products are being built today.
What’s Lost in The Drive?
Security and governance. I do not mean to imply that software developers do not review their code, run input validation, use tested libraries, use secure encryption algorithms and follow other OWASP best practices.
Most enterprises make the effort to secure their code and meet the industry standards – but there are some key underlying concepts that are missed in their drive to functionality – namely attestation.
What is Attestation?
Attestation is not the act of doing – but the act of acknowledging that an action was taken. A little “why” on the attestation does not hurt either. That is, an attestation that holds both audit and security merit should answer who (who attested), what (what was attested) and why (why was this event/action approved).
And for the process to be repeatable – these attestations should be quantified in terms of existing and dynamic groups, so that the attestation process can scale and survive organizational and personnel changes.
Functionality vs Governance
Governance is the missing piece to most of our functionality products. Whether the functionality is:
- Changing access to a network
- Changing a group membership affecting SASE access
- Adding permission attributes to a user
- Changing the permissions on an application
- Adding users to key resources
- Changing approver for signing and access
- Changing the access to a micro-segmented ZT network
All of these changes are functionalities a hacker would likely use – to penetrate, stay persistent and/or eventually exfiltrate data from an enterprise.
And this is where attestation should be taking place.
In the Real World
Changes are made to these types of controls. Then, for the sake of some compliance measure (SOX, PCI-DSS, CMMC, etc.), the change tickets and logs are searched, along with the associated emails and “approvals”.
All for the sake of “checking the box” for compliance.
This is where the software world has to change.
The concept of “attestation” should be built into all these “functionality” changes. It’s NOT enough to make the functional change – the process itself should have a quantifiable workflow that shows when, why and what changed.
And this would shed some light on the actions of hackers as well as simplify the task of quantifying governance in our enterprises.
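As an added illustration of the who/what/why attestation record and of reviewing the kinds of functional changes listed above against it, here is example code written for this post. It is not YouAttest’s product or API; the data model, the approver groups and the sample change log are constructed assumptions. Each change event is matched to an attestation naming the same subject, and the attestation only counts if it comes from an authorized approver, is not a self-approval, carries a reason, and falls within a time window of the change.

```python
"""Constructed example: check identity/access change events against
who/what/why attestation records and flag any change that was not
properly attested (hypothetical data model, not a vendor API)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Attestation:
    """Who approved what, and why; attested_at supplies the 'when'."""
    attester: str
    subject: str        # "<action>:<target>:<object>", see subject_of()
    reason: str
    attested_at: datetime


@dataclass(frozen=True)
class ChangeEvent:
    """A functional change as it would appear in an IAM audit log (constructed)."""
    event_id: str
    actor: str          # who performed the change
    action: str         # e.g. "group_add", "perm_grant"
    target: str         # the user affected by the change
    obj: str            # the group or application that was changed
    occurred_at: datetime


# Approver groups keyed by the object being changed. Membership is resolved at
# review time, so swapping a person in a group does not invalidate old records.
APPROVER_GROUPS = {
    "group:finance-admins": {"alice", "bob"},
    "app:payroll": {"carol"},
}


def authorized_approvers(obj: str) -> set[str]:
    return APPROVER_GROUPS.get(obj, set())


def subject_of(ev: ChangeEvent) -> str:
    """The 'what' an attestation must name in order to cover this event."""
    return f"{ev.action}:{ev.target}:{ev.obj}"


def find_unattested(events, attestations, window=timedelta(hours=24)):
    """Return [(event, problem)] for every event lacking a valid attestation.

    Valid means: subject matches, the attester is an authorized approver for
    the object, the attester is not the actor (no self-approval), a reason is
    present, and the attestation lies within `window` of the change.
    """
    by_subject: dict[str, list[Attestation]] = {}
    for a in attestations:
        by_subject.setdefault(a.subject, []).append(a)

    findings = []
    for ev in events:
        problem = "no attestation on record"
        covered = False
        for a in by_subject.get(subject_of(ev), []):
            if a.attester == ev.actor:
                problem = "self-attested by the actor"
            elif a.attester not in authorized_approvers(ev.obj):
                problem = f"attester '{a.attester}' is not an approver for {ev.obj}"
            elif not a.reason.strip():
                problem = "attestation has no reason"
            elif abs(ev.occurred_at - a.attested_at) > window:
                problem = "attestation outside the allowed time window"
            else:
                covered = True
                break
        if not covered:
            findings.append((ev, problem))
    return findings


T0 = datetime(2023, 3, 1, 9, 0, tzinfo=UTC)

# Constructed sample log: three changes of the kinds listed in the post.
SAMPLE_EVENTS = [
    ChangeEvent("E1", "alice", "group_add", "dave", "group:finance-admins", T0),
    ChangeEvent("E2", "svc-deploy", "group_add", "svc-backup", "group:finance-admins",
                T0 + timedelta(hours=1)),
    ChangeEvent("E3", "carol", "perm_grant", "erin", "app:payroll", T0 + timedelta(hours=2)),
]

# Constructed attestations: E1 is properly approved by bob; E3 is self-approved.
SAMPLE_ATTESTATIONS = [
    Attestation("bob", "group_add:dave:group:finance-admins", "New finance hire",
                T0 - timedelta(hours=2)),
    Attestation("carol", "perm_grant:erin:app:payroll", "Covering payroll during leave",
                T0 + timedelta(hours=2)),
]


def review_sample() -> dict[str, str]:
    """Map event_id -> problem for the unattested changes in the sample log."""
    return {ev.event_id: problem
            for ev, problem in find_unattested(SAMPLE_EVENTS, SAMPLE_ATTESTATIONS)}


if __name__ == "__main__":
    for event_id, problem in review_sample().items():
        print(f"{event_id}: {problem}")
```

In this sample the group change by the deployment service account (E2) surfaces because nobody attested to it at all, and the payroll grant (E3) surfaces because the approver and the actor are the same person; both are exactly the kind of change an audit would otherwise have to reconstruct from tickets and emails after the fact.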
Ready, Willing and Able
And this is where YouAttest comes in. YouAttest is a cloud-based attestation engine that has quantified the process of attestation. Yes – in production and practice we are attesting to identity changes – and we’ve become damn good at these (1.97M role attestations to date – at the time of this writing).
But we have recently augmented our product with a full set of REST APIs that open up our attestation engine, complete with:
- SSO into the most popular IAMs
- Group level reviews
- Multi-Tier reviews
- Template Messages
- Email and Slack messaging
- Event triggering
This makes the product capable of attesting to changes in any software product or service.
Give us a call – and let’s design attestation into your cybersecurity product from the start.