Chief Technology Officer
Takeaways of the SolarWinds Hack
When reports started surfacing in December 2020 about a sophisticated hack using the SolarWinds Orion platform, it quickly and increasingly became apparent how a tiny, seemingly insignificant security flaw can snowball into a major problem with profound consequences. While examples of this sort of disaster abound, this one is particularly noteworthy in its depth and scope; over 400 of the Fortune 500 companies, various federal government agencies, and key municipal infrastructure organizations not only had their private data exposed to unauthorized entities, the exploit also potentially altered and/or destroyed data without a trace – a “perfect storm” of hacking that will likely take a very long time to recover from.
A few things, however, stood out to me as remarkable.
Not All Management Systems are the Same
The first was that it was very difficult to determine what damage had been done since the primary tools of forensics analysis and intrusion detection had been bypassed quite handily due to the nature of the tool that was compromised. When researching this issue to see if our own company was at risk, I discovered (happily) that our 100% cloud-based solution was quite well-protected from such attacks simply because we just manage everything through an authenticated Application Programming Interface (API), which is actually a large system of closely related remote calls to various management tools inside the cloud infrastructure.
Trust is Always an Issue (And It Should Be)
Now you might think, “Well, if that API was hacked, anyone using that API would be in the same boat!” And that’s partly true, but there are some important facets that make an API interface considerably more resistant to this sort of attack. For example, the SolarWinds application, when exploited, allowed the installation of malware that essentially bypassed user authentication and audit logs, two key tools in identifying intrusions. The malware is then treated as part of the system, and the system keeps no secrets from itself, nor does it try to protect itself from its own actions. Once set up, these systems are implicitly trusting the application to behave properly.
With an authenticated API, the exact opposite is true: it never trusts any request made to it. Each request must properly pass its authentication and permissions validation mechanism every time, and all actions are logged just in case a bad actor was doing something untoward. It’s a completely different philosophy in systems management and intrinsically more secure. Even if your attacker bypassed authentication somehow, his or her actions are still being logged; and, of course, the inverse is true as well. This same “distrust” is applied not only to the APIs but also to the various services in use, which provides great resistance to the spread of viruses and other malicious actions.
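The per-request posture described above, as an added toy example (not code from the original post or from ERP Maestro's API); the signing secret, permission table and user names are constructed assumptions:

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo values (assumptions for this example, not any real deployment).
API_SECRET = b"demo-signing-secret"
PERMISSIONS = {"alice": {"read:hosts"}, "ops-bot": {"read:hosts", "update:hosts"}}
AUDIT_LOG: list[dict] = []   # every request lands here, successful or not


def issue_token(user: str) -> str:
    """HMAC-bound bearer token of the form 'user.mac'; a toy stand-in for a real issuer."""
    mac = hmac.new(API_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify_token(token: str) -> Optional[str]:
    """Return the user if the token's MAC is valid, else None (no sessions, no caching)."""
    user, _, mac = token.rpartition(".")
    expected = hmac.new(API_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if user and hmac.compare_digest(mac, expected) else None


def api_call(token: str, action: str, target: str) -> dict:
    """Handle one request the way the post describes an authenticated API:
    authenticate, then authorize, on every call, and write an audit record
    whichever branch is taken, so even a bypassed check still leaves a trace."""
    user = verify_token(token)
    entry = {"ts": time.time(), "user": user, "action": action, "target": target}
    if user is None:
        entry["result"] = "denied:auth"
    elif action not in PERMISSIONS.get(user, set()):
        entry["result"] = "denied:permission"
    else:
        entry["result"] = "ok"     # the real work would happen here
    AUDIT_LOG.append(entry)        # logged before anything is returned
    return entry


if __name__ == "__main__":
    print(api_call(issue_token("alice"), "read:hosts", "srv-01"))
    print(api_call(issue_token("alice"), "update:hosts", "srv-01"))
    print(api_call("alice.forged-mac", "update:hosts", "srv-01"))
    print(f"{len(AUDIT_LOG)} audit entries, including both denials")
```

The contrast with the implicitly trusted agent is that there is no login step whose result is remembered: a stolen or forged token is re-checked on each call, and the denial itself becomes evidence in the log.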
System Heterogeneity Has Built-in Risk
The other interesting fact I noticed about this hack was that this vulnerability (and subsequent exploit) was the result of companies needing to manage a large, disparate technology infrastructure with a sizeable quantity of on-site servers and/or datacenters. There’s no question that the larger your organization becomes, the more platforms you need to support, the more cats you need to herd, and the attractiveness of a single tool that can act like Sauron’s One Ring (“…and in the darkness, bind them!” – shout out to my fellow geeks!) becomes apparent. By consolidating on one cloud platform, creating a common policy of service definitions and behaviors, and standardizing on specific technologies to use, our infrastructure is more manageable and the operations load is considerably reduced compared to similarly-sized companies with a less homogeneous makeup.
Now, certainly, such a conformity of platforms is an unrealistic goal for almost all of the companies that are willing to invest in Orion; the more mature a company becomes, the more complex its needs become, and the more services they offer, the more difficult it is to have a standard anything. However, luckily, when you are able to focus on a clear path of expertise and set up properly at the beginning, you have a lot more options. There’s inherent value in never having to worry about managing aging equipment/infrastructure or needing to consider how to properly support a host of third-party applications. Properly architecting solutions for our customers to leverage our infrastructure choices instead of making the infrastructure fit the solution also helps tremendously. Being 100% cloud-based means that if we don’t build it ourselves, we connect to someone else’s cloud-based service to securely get what we need. I wouldn’t exactly call it minimalist, but there is (perhaps counterintuitively) great flexibility to be gained when you keep things simple and only focus on the core business value you wish to provide.
This hack, in my opinion, highlights a growing security concern: increasingly more complex software systems on increasingly diverse hardware, while the ratio of human eyes to machines continues to shrink at breakneck speed. We know of the SolarWinds exploit now. How many similar products may have also been compromised that we don’t know about? How can we be sure SolarWinds won’t be hacked again? I think we’re going to see this as a decision point for many companies, and possibly an acceleration towards infrastructure standardization where it simply wasn’t conceivable before.
The cloud has grown up. As a company that started as a cloud access control solution, ERP Maestro is well-positioned for the next technology challenges. I expect this incident was a wake-up call for a lot of people who could never justify the expense of migrating to a different model, and I hope the public at large has gained a greater appreciation for the value of good security.