US Executive Order means stronger software supply chain security. Tehama Secure Digital Office delivers.
May 19, 2021
5 min read time
A recently-announced Executive Order on Improving the Nation’s Cybersecurity from U.S. President Joe Biden means many companies will soon have to step up their IT security and compliance game.
The Executive Order is intended to provide a preview and guidance to the direction by both public and private sectors. Most onlookers agree that software and other companies doing business with the U.S. government will almost certainly have to (among other things):
- Implement multi-factor authentication and data encryption
- Submit and abide by a “software bill of materials” stating exactly what’s inside their software (this would override any non-disclosure agreements in place)
- Keep an expanded volume of digital records on hand in case of investigation
- Work with organizations such as the FBI and Department of Homeland Security in the event of an incident
- Disclose any breaches or attacks to the government in a timely manner
“If you’re doing business with the federal government, then when you have an incident, you must notify us quickly,” said Anne Neuberger, deputy national security adviser for cyber and emerging technology, in an NPR story.
The order will also create a cybersecurity incident response board to conduct investigations, similar to the National Transportation Safety Board’s role following a plane crash, according to media reports.
Observers note the changes will most dramatically impact larger software vendors, such as Microsoft and SalesForce, but will likely affect to some degree every software vendor that sells to the U.S. government.
Response to SolarWinds exploit
The executive order comes following the December 2020 discovery of the SolarWinds-Microsoft-VMware hack, a wide-ranging (and long lasting) supply chain attack that (among other attack avenues) trojanized SolarWinds Orion software updates to distribute malware.
Security firm FireEye, which discovered the attack, says the campaign affected public and private organizations around the world by leveraging “multiple techniques to evade detection.”
The attack primarily affected large software vendors to the government, such as Microsoft, which said after its own investigation that the hackers downloaded some of its Azure, Exchange, and Intune source code. But the damage wasn’t limited to large companies – the White House recently said at least 100 companies and nine federal agencies were affected, including the U.S. Treasury and departments of Commerce, State, Energy, and Homeland Security.
The massive hack discovered in late 2020 isn’t the only cyber threat currently on the minds of White House officials. More recently, a ransomware attack on a major U.S. oil pipeline forced its owner to shut down the conduit indefinitely – one of the largest-ever attacks on U.S. infrastructure.
How Tehama’s Secure Digital Office Platform delivers the supply chain development security requirements
Many organizations will need to quickly scale up to meet these and any other requirements within the upcoming executive order.
In many cases that will be a significant challenge requiring considerable IT expenditure and complexity, including stacking additional IT security solutions on top of existing data and desktop estates. It could also require companies to accelerate their laptop refresh strategy (depending on the age of their physical machines) and be far more disciplined when implementing system updates and patches.
It’s an even bigger challenge for companies engaged in distributed software development and other hybrid workforce use cases, where employees regularly connect to environments remotely and physical endpoints are spread out over several regions.
Tehama’s Secure Digital Office Platform, however, can help.
Tehama combines Desktop as a Service (DaaS), Security, Audit, and Networking to secure the supply chain by providing software developers with a high-performance development environment on a secure virtual desktop within a virtual room. It’s got the security and attestation features organizations need to reduce vulnerabilities, along with complete visibility (and a full audit trail) into everyone that uses a virtual room or desktop:
- Zero-Trust access controls including multi-factor authentication and least privilege permissions
- Nested virtualization to automate and rapidly provision development environments
- Built in encryption, anti-malware and dynamic firewall tools
- Centralized policy controls and management
- Automatic system and application patches and updates
- Virtual Windows and Linux desktops (including GPU desktops) to meet any workload need
Because it securely captures all room and desktop activity through session recordings, its built-in tools help you prove all development takes place within secure environments (while allowing the actual developer to be anywhere in the world with an internet connection).
Tehama next-gen enterprise DaaS: A more secure option
Tehama makes it easy to meet any IT security standard through an arsenal of built-in security and compliance tools. Its unique architecture constructs a secure perimeter around a virtual room containing secure virtual desktops, and provides the controls and capabilities required to quickly onboard, scale, manage, and audit your entire hybrid workforce or roster of third-party vendors in minutes.
Rooms and desktops connect to corporate and cloud systems through our encrypted Tehama Gateway, a secure channel that handles all network traffic.
And all virtual desktops are powered by Teradici PCoIP Ultra technology, which uses AES 256 encryption while compressing and transmitting a pixelated representation of a centralized virtual machine.
Tehama enterprise DaaS customers leverage our solution every day to provide secure access to production, development, and staging environments. That means they’ve already got the security and compliance tools necessary to easily accommodate the U.S. government’s upcoming executive order on IT security.
By ensuring Tehama is their only path to committing code to production, they’ve secured their software development supply chain.