A milestone action occurred on October 30th in the history of cybersecurity and legislation. The U.S. Securities and Exchange Commission (SEC) moved to prosecute SolarWinds, the software company that was the root cause of major breaches including the infamous 2021 Colonial Pipeline shutdown.
The breakthrough in this case is that the SEC filed charges not only against SolarWinds but also against Timothy Brown, SolarWinds’ top security executive.
The Director of the SEC’s enforcement division said in a statement, “…underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The SEC Charges SolarWinds and Security Lead with Fraud
The complaint states that SolarWinds and its security lead, Tim Brown, allegedly presented misleading and false statements about the company’s cybersecurity risks and practices from October 2018 to “at least” January 12, 2021.
The SEC charged fraud because of statements that SolarWinds made on:
- IPO registration forms
- Security statement posted to the company’s website
- Public 8-K filing
The SEC’s complaint alleges that SolarWinds and Tim Brown fraudulently misrepresented the following security practices:
- Security of its password policies
- Security of its software development process
- Policies for determining who has access to what internal data
What is Involved in “Determining Who has Access to What”?
The concept of access certification is well documented. It is part of the NIST Cybersecurity Framework and of virtually all other guidance. NIST CSF 2.0 spells out the need for access re-certification in PR.AC-6.
- Account activities and access events are audited and monitored to enforce authorized access (formerly PR.AC-1 and PR.AC-3 in NIST CSF 1.1)
These guidelines state that access to sensitive information (data and other resources) should be reviewed on a regular basis, using a quantified and repeatable practice, by business owners and others who can accurately determine whether the user or entity should retain its current privileges.
In the world of governance and compliance, this practice is called a user access review (UAR).
YouAttest has Automated the Access Review Process
Traditionally, the access review process has entailed:
- Dumping the resource entitlements to a spreadsheet
- Having someone determine who each user’s manager is
- Having someone email the spreadsheet to those managers
- Nagging each manager to complete the review
- Collating the responses into a report
YouAttest has eliminated this manual process by automating the entire procedure. YouAttest:
- Connects to the identity store of record
- Enables a risk manager to conduct a review of user groups’ applications
- Auto-delegates to the managers to certify, delegate or revoke each privilege
The process saves even medium-sized enterprises hundreds of hours, and it is repeatable.
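As an added illustration of the review workflow described above (example code written for this page, not YouAttest’s own), the following Python models a minimal access review campaign: each entitlement is routed to the manager recorded in the identity store, every reviewer certifies, delegates or revokes, and the answers are collated into one report. The users, resources, manager mapping and decisions are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data standing in for an entitlement export and the
# manager attribute from the identity store of record (not real records).
ENTITLEMENTS = [  # (user, resource)
    ("alice", "finance-db-admin"),
    ("bob", "finance-db-admin"),
    ("bob", "source-repo-write"),
    ("carol", "source-repo-write"),
    ("dave", "prod-ssh"),  # no manager on record and nobody answers for it
]
MANAGERS = {"alice": "erin", "bob": "erin", "carol": "frank"}  # user -> manager

# Reviewer decisions, keyed by (reviewer, user, resource) -> (action, delegate-to).
DECISIONS = {
    ("erin", "alice", "finance-db-admin"): ("certify", None),
    ("erin", "bob", "finance-db-admin"): ("revoke", None),        # bob left finance
    ("erin", "bob", "source-repo-write"): ("delegate", "frank"),  # frank owns the repo
    ("frank", "bob", "source-repo-write"): ("certify", None),
    ("frank", "carol", "source-repo-write"): ("certify", None),
}

def build_review_queue(entitlements, managers):
    """Route each entitlement to the owner's manager; entitlements with no
    manager go to an UNASSIGNED queue so they are escalated, not dropped."""
    queue = defaultdict(list)
    for user, resource in entitlements:
        queue[managers.get(user, "UNASSIGNED")].append((user, resource))
    return dict(queue)

def resolve(reviewer, item, decisions, max_hops=3):
    """Follow delegations for one (user, resource) item and return the final
    action. Unanswered items and delegation chains that loop or run too deep
    come back as 'pending': access is never certified by default."""
    for _ in range(max_hops + 1):
        action, target = decisions.get((reviewer,) + item, ("pending", None))
        if action != "delegate":
            return action
        reviewer = target
    return "pending"

def run_campaign(entitlements, managers, decisions):
    """Collate all reviewers' answers: {'certify': [...], 'revoke': [...], 'pending': [...]}."""
    report = defaultdict(list)
    for reviewer, items in build_review_queue(entitlements, managers).items():
        for item in items:
            report[resolve(reviewer, item, decisions)].append(item)
    return {action: sorted(items) for action, items in report.items()}

if __name__ == "__main__":
    print(run_campaign(ENTITLEMENTS, MANAGERS, DECISIONS))
```

The 'revoke' list is the input to de-provisioning, and anything left 'pending' (orphaned accounts, unanswered or looping delegations) is what a campaign owner must chase rather than let expire into implicit approval.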
YouAttest uniquely connects directly to the enterprise data stores and then uses the IAM SSO to review entitlements to BOTH IAM resources and siloed (non-IAM-connected) resources.
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO into your existing IAM platform. Contact us to learn how YouAttest can automate your access review process and help your enterprise enact “Due Care” on your identities.