The SolarWinds Hack and Zero Trust Architecture

By Dr. Robert Buccigrossi, TCG CTO

A screenshot from the SolarWinds system dashboard.SolarWinds Orion is a popular software system that allows an administrator to monitor your network performance across the company through a central interface. Of course, SolarWinds provides periodic patch updates to Orion. Unfortunately this past March, hackers, believed to be affiliated with the Russian government, broke into the patch distribution site (one of their passwords was “solarwinds123”) and snuck in a patch with a backdoor. Once that patch was distributed to 18,000 SolarWinds users (including 425 of the US Fortune 500 companies, all 10 of the top US telecom companies, and a bunch of US Government agencies) the hackers patiently picked and chose which companies to infiltrate.

Here’s a question: If a hacker has backdoor access to Orion running in your corporate infrastructure, how much access do they really have? That depends upon how much your servers trust other servers on the local network. For many TCG systems, we assume that the web server is highly vulnerable to attack, and protect other servers from the web server by running the web service as a non-privileged account, separating sensitive data to other machines, using role-based access to data, etc.

But that is not enough. If network or system monitoring software was hacked with a malicious patch, it could snoop on the network communications across our local area network. Therefore internal systems should use encrypted channels to avoid all that data being scooped up.

There is a logical extreme to assuming that any system in your network, any service, and any client can be hacked: “Zero Trust Architecture”. At its core, a Zero Trust Architecture forces you to think about and enforce the access policies you need for any internal and external service in your environment. For example, if a web server needs to talk to a database, the web server should authenticate itself and data should be passed between systems in a protected (encrypted) channel.

So, how bad are Government agencies impacted by the SolarWinds Orion hack? That depends upon how well the agencies implemented Zero Trust Architecture. If properly implemented, the hackers would snoop on the networks and simply find encrypted data with no good attack vectors. Otherwise, they could find themselves with a vast treasure trove of data to steal. How would your application architectures fare?