GitHub recently made security news by announcing plans to roll out multifactor authentication (MFA) by default across its repositories. The company deserves credit for recognizing its weight in the software ecosystem and acting accordingly, but it should not be alone. We as industry leaders should build on what individual platforms like GitHub do in two critical ways: by requiring our own ecosystems of providers to raise the bar for their security practices, and by creating more interoperable architectures and blueprints that make stronger security postures accessible to the organizations that depend on our critical platforms.
Our interconnected technical stack
Businesses today rely on an entire ecosystem to run their technology stacks. They rely on cloud services for their infrastructure, including Azure, AWS, and Google Cloud. They rely on companies like Okta for their identity solutions, and they rely on a wide range of technologies to help them build or sell products faster, including collaboration and CRM apps, as well as repositories like GitHub.
They also rely on a broad set of third-party providers for services such as customer support or for managing parts of their infrastructure. We know that the long chain of vendors with a hand in the software supply chain has created access nightmares and breaches. The Cybersecurity and Infrastructure Security Agency, along with other international government security organizations, recently issued guidance to managed service providers, and third-party risk is something we at Okta know better than most. In January this year, we experienced the compromise of a provider that ultimately resulted in a threat actor briefly gaining access to an Okta support tool via a thin client. While the threat actor never gained direct access to the Okta service through an Okta account, Okta's own security posture was put at risk because of our interconnected ecosystem.
The way forward
The first step towards a solution is for technology leaders to look inward: to recognize and take stock of our own service supply chain and the third-party providers we trust. In Okta's case, we have looked closely at how Okta provisions access for our providers and at the security expectations we set for third-party providers that have access to customer data. Security personnel understand the need to build systems on least privilege that restrict lateral movement, but it is important to ask whether the same principles are being applied by the third-party providers you trust. Movement in their environment can become movement in yours.
The second area is to look outward toward the customers and partners who trust our platforms. In GitHub's case, the attack surface is massive and the user base is wide. At a time when everyone recognizes the need to implement MFA, adoption is still quite low. Look no further than Microsoft Azure Active Directory, where more than three-quarters (78%) of organizations currently do not use MFA for their user accounts, according to Microsoft's Cyber Signals report.
For something like identity and access control, it is easy to see how wide the attack surface can be. According to Verizon's Data Breach Investigations Report, 89% of web attacks are caused by misuse of credentials. Standards help a lot with access control, but they are not foolproof. Leading identity solutions have largely eliminated the need for per-app configuration through advanced, self-service integrations that rely on standards and protocols such as SAML and OpenID Connect.
However, the ability to ensure secure interoperability can and should go further.
Organizations rely on multiple solutions that exist side by side, providing logs, risk signals, and other valuable insights to each other. We often think of this for security tools, but it should also apply to any platform or service that holds data and sensitive information. This is where we can and should improve to lift all security boats. Our efforts as an industry to work toward open, pre-built integrations and clear architectures will ensure that tentpole technologies, whether in networking, identity management, endpoint detection and response, or security information and event management, work effectively together. This goes beyond preventing misconfigurations: it is about creating better security outcomes.
Our technology world is flatter today than it has ever been, whether through our collective dependence on third-party providers, our interconnected software supply chain, or the interoperability of our tools. In that environment, it is crucial for industry leaders not only to hold their own ecosystems of third-party providers to a high standard of compliance, but also to develop technologies and policies that raise the bar for their users and customers. Part of that comes through steps like the one GitHub is taking: implementing default policies that rely on stronger factors. But in an interconnected world, we must move beyond individual actions to create open and interoperable technologies that let users easily configure and integrate their core technologies in secure ways.