Beyond Identity is a security-first company. “Better security” is why the company was founded, with mantras like “no shared secrets”, “no passwords”, and “all keys stored in hardware”. Cybersecurity and Infrastructure Agency (CISA) is a US Federal agency charged with improving and maintaining American cybersecurity against attack, both for the government itself, and for the large and vital American IT industry.

So, when CISA announced the “Secure by Design” Pledge one year ago (May 8th 2024) we signed it almost immediately, because it aligned well with our corporate strategy and philosophy. It was immediately evident we were already doing quite a lot of it. First among these is that we have been using Rust as our primary programming language since 2020.This post documents the Pledge commitments we were already doing when we signed, and reports on our progress since then. Each section describes our understanding of the commitment, our initial status at signing time, and our current state.

Multi-Factor Authentication

First of the seven Pledge goals is to increase the use of multi-factor authentication (MFA) across our products. Beyond Identity was founded to be an MFA vendor, and so has always used MFA across all of our products. This has not changed since signing, and our products remain 100% MFA.

Default Passwords

The second Pledge goal is to reduce the use of default passwords across our products. Beyond Identity has never supported passwords at all, and so is trivially 100% free of default passwords. Like MFA, this has always been our approach.

Reducing Entire Classes of Vulnerability

This Pledge commits to enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across our products. In the details of the Pledge, it emerges that they mean using tools that decimate vulnerability classes. One example of this is using SQL prepared statements instead of query sanitization, to reduce/eliminate SQL injection attacks. Another is using memory-safe programming languages to reduce or eliminate memory corruption vulnerabilities.

Beyond Identity has been Rust-first since 2020, so this is a third way in which we have pinned the needle with respect to a CISA Pledge: we were already there when we signed, and still are. However, reviewing the history of our journey to Rust revealed an interesting aspect of this goal: there are no FIPS-140 certified cryptographic libraries written in memory-safe languages. We are required by various compliance regimes to use FIPS compliant crypto, forcing us to shoe-horn a non-memory-safe but FIPS-certified cryptographic library into our systems. The result works and is FIPS compliant, but is also potentially vulnerable to latent memory corruption vulnerabilities akin to Heartbleed.

But Beyond Identity has developed two other tools intended to squash whole classes of vulnerabilities. Access360 is a scanner designed to detect vulnerabilities in configurations of Identity Providers (IdP) and Single Sign-on (SSO) systems, such as Beyond Identity’s prMFA and Secure Access products, as well as the IdP and SSO products from other vendors that we integrate with. Here is an example of Access360 analysis, showing the various flow paths for a given user to go from unauthenticated to authenticated. Here are some relevant screenshots.

‍

The above figure shows a typical report on the authentication flows for a given user. The power of this analysis is more obvious in the following example, which highlights that the indicated user has a single-factor authentication flow path, meaning that this user is vulnerable to both phishing and credential stuffing attacks. By identifying single-factor users, identity managers can work to move them to mandatory multi-factor authentication, hardening that user and their enterprise.

‍

In 2024 we also shipped a new product for a new class of vulnerabilities: deepfake AI calls. In early 2024, it was reported that a Hong Kong bank was defrauded of $25M using deepfake audio and video calls, making the victim think they were talking to people that they were familiar with. RealityCheck is our new product that overlays our strong asymmetric authentication on top of video calls, so that users can tell at a glance that they are speaking with actually authenticated members of their organization. This is qualitatively different from AI-based mitigations, which are in an inevitable arms race of evermore sophisticated AI fakes and detections. This video illustrates the concept clearly.

Security Patches

The Pledge commits signers to work towards improving the rate at which customers apply our patches. Beyond Identity is a hybrid of endpoint software and cloud-based SaaS, with most functionalities in the SaaS. SaaS are inherently resistant to the problem of customers applying vendor patches, because the vendor applies patches to the hosted cloud instance, making user hesitancy a non-issue.

Our endpoint software is a bit more involved. Our business model has always been cross-platform, so we support Windows, MacOS, Linux, Android, iOS, and now ChromeOS. We have also always supported unprivileged user installs (to support BYOD users) then MDM installs, and now also privileged installers which allowed us to include privileged helpers (to enhance security). All of this produces a large matrix of supported scenarios (54 and counting) which makes keeping it all updated smoothly is work, which our transition to supporting both privileged and unprivileged installs is helping with.

But we also do work to manage the patch-state of the endpoints we run on. The security of a user’s authentication is no better than the security of the device they are running on when they perform that authentication, and so we introduced Device360, which uses osquery to probe and report on the security state of the user’s endpoint, including the patch-level of components that the enterprise wishes to monitor. While not specifically a patch management product, D360 helps IT administrators to manage the patch-state of end-user machines, especially BYOD machines.

Vulnerability Disclosure Policy

The Pledge commits signers to have a Vulnerability Disclosure Policy (VDP). Beyond Identity had a VDP at signing. We get less than 10 external vulnerability disclosures per year, so our VDP is rarely used in practice.

CVEs

The Pledge commits signers to issue CVEs (Common Vulnerabilities and Exposures) for externally-found vulnerabilities. Beyond Identity addresses security matters directly with our enterprise customers. While we have received a small number of external vulnerability reports, our SaaS model enables us to communicate and deploy patches efficiently across our customer base. We recognize CVEs as valuable for widely distributed software systems like Windows, Linux, and the Chrome browser, and we will implement them when they align with our security and communication needs.

Evidence of Intrusions

The Pledge commits signers to help customers gather evidence of cybersecurity intrusions. We are a meta-product, so we monitor for intrusion directly against our product, and also for intrusion against other products our customers use, such as Windows and MacOS. For intrusions against our own product, we detect indicators such as impossibly fast travel to alert IT administrators of possible identity breaches. For indications of platform intrusions, we integrate with EDR vendors such as CrowdStrike.

So What Have We Been Doing?

For many of the Pledge commitments, such as Default Passwords and use of MFA, Beyond Identity was already fully compliant at the time we signed the Pledge. So what have we been doing in the ensuing year since we signed the CISA Pledge?

We shipped Secure Access, which is our entry into the Single Sign-On (SSO) market. Our previous product is an Identity Provider (IdP) that integrated into other vendors’ SSO products. Now we also offer our own SSO, enabling greater synergy between the IdP and SSO, such as a nascent investigation into device-bound SSO session tokens.

We also shipped Access360, the identity configuration scanner described above that e.g. can detect single-factor users.

We have rolled out mandatory security education for all Beyond Identity staff. Everyone here knows what a “security principal” is, or will soon 😎

Finally, since we signed the CISA Pledge Beyond Identity has achieved FedRAMP Moderate, enabling Federal government agencies to make use of Beyond Identity's modern identity solutions. We were able to do so with about 9 months of effort (fast for government work) by way of our partnership with SMX and their SMX Elevate platform that accelerates the compliance process.

Want in?

If your enterprise is looking to add or enhance your identity management solutions, and you are particularly interested in that solution being secure, contact us for a conversation or a demo.

‍