This is an ongoing series of guest blogs written by TAG Cyber analysts in conjunction with various members of our SPHERE team. It offers insights from the perspective of professional industry analysts combined with those of a technology company focused on the goal of establishing cyber hygiene. This article comes from a fearless leader, CEO & Founder of TAG Cyber, Edward Amoroso.
Many things have changed in the technology space since the earliest software began to find its way into automation and support for business processes. One of the most obvious changes has been a shift from software applications running on servers located in local data centers to distributed workloads that are hosted across different cloud and on-premises locations.
The implication is that software workloads now consist of packages of different components, often implemented as containers, and their operation is governed by coordination and communication through interfaces. When humans are involved, these are called user interfaces; when two workloads communicate, they do so through application programming interfaces (APIs). If an organization does all of its software development in-house, then user interfaces and APIs can be defined and controlled locally. The problem is that finding an organization that does all of its development in-house is difficult if not impossible. Even organizations as large as the US Department of Defense rely on many different sources for their software.
As a result, technical interoperability has become a major concern in both software design and cybersecurity – and if interoperability is not properly addressed, then gaps can emerge in the security posture and cyber hygiene of an organization. Interoperability for cybersecurity is addressed at two different levels – namely, standards definitions and local interface definitions.
Standards in cybersecurity have not been as prominent as in other aspects of modern technology – such as, for example, networking. Certainly, Requests for Comments (RFCs) exist for many popular security protocols such as Kerberos, and standards cooperatives such as Fast IDentity Online (FIDO) have contributed much to the industry, helping to drive more commonality across systems. But the more consequential work has tended to come from software vendors who use interface definitions on workloads to advertise how they can coordinate, share, and cooperate with other software packages. The degree to which these interfaces are inventoried, documented, and connected to user identities is part of the overall cyber hygiene posture of an organization.
Enterprise teams are encouraged to work with a leading cyber hygiene partner (SPHERE is an oft-cited effective solution provider in this area) to ensure that the posture of their software packages and interfaces is well-defined from an identity perspective. This is an easy-to-miss aspect of the hygiene and posture assessment process, so teams should review their local process to avoid gaps.
As always, we welcome your comments and suggestions in this area. Cyber hygiene is a holistic concept, especially as it relates to identity. Security assessment and posture analysis of APIs might not be at the top of the list for most security teams in the context of hygiene – but as explained above, we think otherwise. Let us know what you think!