New Year, New Certifications
At Acronis SCS, we have kicked off 2021 with some exciting news: our hardened backup software officially earned its Federal Information Processing Standards (FIPS) 140-2 validation. To earn this certification, our backup software for federal government and utilities completed rigorous testing and review by government labs, meeting extensive requirements for military-grade encryption.
The FIPS validation rounds out a trifecta of approvals for Acronis SCS Cyber Backup 12.5 Hardened Edition, which is also certified by Common Criteria under both agent and server profiles and is the only full-disk image backup and disaster recovery point solution available on the Department of Defense Information Network Approved Products List (DoDIN APL).
Building Resilience Beyond Certifications
Successfully completing the years-long certification process is an accomplishment in and of itself – and a must for any software company seeking to demonstrate its commitment to national security and do business with the federal government. Taken together, the meticulous evaluations for FIPS, Common Criteria, and DoDIN APL cover a wide range of cybersecurity specifications, from cryptography and security management to privacy and much more.
Though important, certifications are only the starting point for safeguarding US public sector networks and data, not the be-all and end-all. Rather than simply checking boxes on a compliance to-do list, earning them should represent the start of an enduring public-private partnership, as well as a company’s consistent commitment to help government shore up its digital resilience. Frankly, the stakes are too high to do anything else.
Such partnership and commitment are more critical than ever in the wake of the recent SolarWinds breach, which demonstrated that certifications alone are not always sufficient for guaranteeing the security of software sitting in sensitive government networks, especially when that software relies on connectivity outside of its host network to function.
In the SolarWinds case, nefarious actors exploited a backdoor in the company’s software code. When the company pushed an update to its customers, that malicious backdoor went with it. After customers installed the update in their environments, attackers used the backdoor to make outbound calls disguised as SolarWinds’ own callbacks. Such callbacks are normal for subscription-based software and, thus, did not raise red flags for IT administrators. As a result, the breach went undetected for months, compromising an unknown amount of sensitive information. Unfortunately, such risks run high with any connected software.
Zero-Connectivity = Peace of Mind
Looking beyond certifications, our federal-government-approved backup software was purpose-built to meet the unique security and usability needs of sensitive government and utility air-gapped, ‘no internet’ networks, including government labs, weapons testing sites, and supervisory control and data acquisition (SCADA) systems.
With those sensitive environments in mind, our hardened software never makes outbound connections over the internet back to a home server. This unique zero-connectivity design, in contrast to subscription-based software options, eliminates the risk of exploitation through software supply chain vulnerabilities or backdoors, because no outbound traffic is ever expected: it gives IT administrators an unambiguous, real-time threat indicator.
If an outbound communication attempt does occur, an IT administrator knows immediately that something is amiss. That type of certainty is invaluable when sensitive government information and operations hang in the balance.
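The contrast drawn above (disguised callbacks that blend in with a subscription product’s expected traffic, versus a zero-connectivity product for which any egress is a red flag) can be expressed as an egress-policy check. The following is an added example, not code from Acronis SCS or from the original post; the firewall records, host names, process names and destinations are all constructed, and the policy format is hypothetical.

```python
"""Egress check over constructed firewall records, contrasting a zero-connectivity
backup host with a host running subscription software that is allowed to call home.
All host, process and destination names are made up for this example."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed egress records: "<time> <src host> <process> <dest> <port>".
SAMPLE_EGRESS = [
    "2021-01-04T09:00:01 lab-bak-01 backupagent 10.20.0.5 445",            # internal, fine
    "2021-01-04T09:00:02 lab-bak-01 backupagent updates.example.net 443",  # must never happen
    "2021-01-04T09:00:05 hq-mon-02 monagent telemetry.example.net 443",    # expected callback
    "2021-01-04T09:00:09 hq-mon-02 monagent cdn-status.example.org 443",   # disguised beacon
    "2021-01-04T09:00:12 hq-mon-02 helper.exe 198.51.100.7 8443",          # unexpected process
]

# Hypothetical per-host policy. Subscription software is allowed to call home, and
# because vendor endpoints change, the rule can only say "this process may use 443".
POLICY = {
    "lab-bak-01": {"mode": "zero-connectivity"},
    "hq-mon-02": {"mode": "subscription", "allowed_procs": {"monagent"}, "allowed_ports": {"443"}},
}

@dataclass(frozen=True)
class Verdict:
    host: str
    process: str
    dest: str
    alert: Optional[str]  # None means the record passed policy

def is_internal(dest: str) -> bool:
    # Constructed site convention: the 10.0.0.0/8 range is the internal network.
    return dest.startswith("10.")

def check_egress(lines: List[str]) -> List[Verdict]:
    """Return one Verdict per external egress record (internal traffic is skipped)."""
    verdicts = []
    for line in lines:
        _ts, host, proc, dest, port = line.split()
        if is_internal(dest):
            continue
        pol = POLICY.get(host)
        if pol is None:
            alert = "no egress policy for host"
        elif pol["mode"] == "zero-connectivity":
            alert = "zero-connectivity host attempted outbound connection"
        elif proc in pol["allowed_procs"] and port in pol["allowed_ports"]:
            alert = None  # indistinguishable from a legitimate vendor callback
        else:
            alert = "process/port not permitted to call home"
        verdicts.append(Verdict(host, proc, dest, alert))
    return verdicts

def alerts(lines: List[str]) -> List[Verdict]:
    return [v for v in check_egress(lines) if v.alert]
```

Note that the disguised beacon from the subscription host passes the policy exactly as the page describes for SolarWinds, while the single outbound attempt from the zero-connectivity host is flagged with no further analysis needed.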
Future-Proofing Software Supply Chain Security
Though our hardened backup solution is a game-changer for air-gapped and other sensitive environments, zero-connectivity is not a realistic choice for every public sector organization or computing environment. What can government do to ensure digital resilience, particularly when certifications or a product’s design may not be enough to guarantee security?
The answer lies in developing a future-proof approach to evaluating software supply chain vulnerabilities and risk. Our research team, in partnership with leading academics at the University of California – Riverside, is developing and training an artificial intelligence-based model designed to do just that. The model, which consists of a deep learning neural network, scans through source code (both open source and proprietary) to provide impartial quantitative risk scores that help IT administrators accurately determine whether and how to deploy new software packages, as well as update existing packages.
So far, the research has yielded 41% “lift” or improvement at detecting common vulnerabilities and exposures over random testing, with ongoing rounds of analysis producing equally promising results. Once research is complete, we hope to share the model with others to help all organizations identify and remediate risks within their software code, and in so doing, help keep the public sector resilient against malicious backdoors, like the one exploited in the SolarWinds breach.
Resolutions for the New Year
For many across government, the SolarWinds breach served as an urgent wakeup call regarding the need for stronger digital resilience and software supply chain security. This new year and far beyond, we at Acronis SCS stand ready to help heed that call.