The National Institute of Standards and Technology (NIST) as well as Gartner have identified machine identity management to be a crucial and foundational infrastructure required to secure and support the digital transformation initiatives of modern businesses. As we see a sustained increase in supply chain attacks, machine identity management will continue to gain authority in the security strategies of many organizations.
From SolarWinds to Biden’s Executive Order
In December 2020, FireEye announced the discovery of a global supply chain attack campaign that affected public and private organizations. The attackers leveraged a commercial software application made by SolarWinds to steal data. Due to the seriousness of the SolarWinds attack, and other similar events, in April 2021, the National Institute of Standards and Technology (NIST) published the report “Defending Against Supply Chain Attacks” to provide recommendations for identifying, assessing and mitigating software supply chain risks.
The following month, President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity highlighted the need for the government to improve its efforts to identify, deter, detect, respond and protect against any malicious cyber campaigns that threaten the public and private sectors. The EO notes the important role that the private sector plays in partnering with the government to foster a more secure cyberspace. It focused on the private sector’s obligation to ensure that its products are built securely. The EO set forth standards and requirements in various areas, including the software supply chain.
Section 4, Enhancing Software Supply Chain Security, is an area that the software development industry will want to pay close attention to. It states that the government must act to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software. This action will impact government operations and the software industry. It will result in changes to processes for developing software that meets certain requirements and the government’s acquisition of such software.
Enhancing software supply chain security
The EO states that the Secretary of Commerce, acting through the Director of NIST, will issue guidance identifying practices that enhance the security of the software supply chain. The guidance will include standards, procedures, or criteria regarding actions, such as:
Secure software development environments by using administratively separate build environments. Providing artifacts that demonstrate conformance to processes like auditing trust relationships and establishing multi-factor authentication. Employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code. The EO also states that the Secretary of Commerce will publish a definition of the term critical software for inclusion in the future guidance. The published definition will reflect the following:
- The level of privilege or access required to function
- Integration and dependencies with other software
- Direct access to networking and computing resources
- Performance of a function critical to trust and the potential for harm if compromised
Definition of critical software under the EO
On June 25, 2021, NIST published a definition for critical software, which is referred to as “EO-critical” to differentiate from other potential definitions and meanings of critical software. EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
- It is designed to run with elevated privilege or manage privileges
- It has direct or privileged access to networking or computing resources
- It is designed to control access to data or operational technology
- It performs a function critical to trust
- It operates outside of normal trust boundaries with privileged access
Identity and access management is critical software
NIST provided a preliminary list of software categories characterized as EO-critical. At the top of the list is Identity, Credential and Access Management (ICAM). It is described as “software that centrally identifies, authenticates, manages access rights for, or enforces access decisions for organizational users, systems, and devices.”
It’s no wonder that ICAM is at the top of the list of EO-critical software. This type of software plays a critical role in information technology (IT) modernization and digital transformation efforts now that more machines are performing tasks that were traditionally performed by people, and the associated need to manage machine identities. A few months ago, Gartner identified machine identity management as critical as well as a “high-priority” for all enterprises.
Gartner notes that “Machine identity management aims to establish and manage trust in the identity of a machine (mobile devices and IoT devices and workloads such as applications and containers) interacting with other entities, such as devices, applications, cloud services or gateways.” NIST adds that ICAM platforms are “foundational for ensuring that only authorized users, systems, and devices can obtain access to sensitive information and functions.” According to the Gartner Hype Cycle, an “enterprise-wide machine identity management strategy is needed to support digital transformation in modern IT environments.”
The authoritative list of critical software is scheduled to be released by the Cybersecurity & Infrastructure Security Agency (CISA) on a later date.
The recent EO demonstrates that partnering with the private sector to protect IT systems against malicious cyber actors is a top priority for the Biden administration. This includes bold changes and improvements to secure software development and a phased approach to securing the supply chain of EO-critical software such as ICAM.
As machine identities play an increasingly critical role in the daily operations of public and private sector organizations, ICAM products must align with the requirements of the EO, the NIST definition of critical software, as well as future implementation guidance.
Venafi can help you safeguard the code signing machine identities used in your critical software supply chain with the Venafi CodeSign Protect solution. To learn more about how Venafi can help you protect your machine identities, contact our experts.