One of the hottest security topics in recent memory is “Zero Trust”. While some may argue that it has reached cliché status, that would only be true if everyone had established zero trust as a standard operating procedure. One area that exhibits a clear gap in zero trust is key protection. When was the last time an auditor checked your key protection controls? How many keys are circulating in your organization that are unknown, the loss of which could compromise the entire cryptographic solution, leaving your vital data effectively shredded and permanently lost?
Since cryptographic keys factor into all areas of an organization and every aspect of digital transformation, from IoT all the way to blockchain technology and quantum computing, the use of a Hardware Security Module (HSM) should be common practice in all organizations. Are you using an HSM to protect your keys? If not, tune into our Talking Trust series to learn how an HSM can protect your security tasks.
I recently spoke with Eddie Glenn, the Senior Product Marketing Manager at Venafi, who offered insights into how an HSM can protect your software supply chain. Many people would think that a discussion about the software supply chain pertains only to a company that writes its own software, but that is not accurate. All software, whether written in-house or purchased “off-the-shelf”, is subject to the rules of supply chain management. Even open-source software is part of this large canvas.
Probably the largest software supply chain attack in recent memory is the SolarWinds attack. The “Sunburst” attack, as it was named, directly attacked the code at the development level, prior to shipment to the customers. It is easy to understand the frustration of a client who installs verified software, only to later discover that it contained malicious code. Considering that SolarWinds’ clients, many of them government entities, carefully source their software, only adds to the aggravation.
Eddie not only lays out four ways that an organization can protect itself from falling victim to a future copycat attack, but also shows how code signing can be implemented at various stages for development teams. If done at critical stages of the development process, malware cannot be easily injected into the software prior to its release.
For customers building DevOps-based CI/CD software pipelines, steps can be taken to maintain a secure and verified copy of the software, ensuring that it is truly safe. For example, if your organization has a process where any new software needs to be checked and approved before it is allowed into the environment, Venafi can help to automate the authorization and approval process. Working in tandem with the Thales Luna HSM, the entire operation can be brought to a new level of assurance and automation across deployments on premises, in the cloud, and anywhere in between.
Tune into our discussion to learn more about the steps your organization can take to achieve better security by using code signing with solid certificate and key management.