Author: Roman Arutyunov, Co-founder and SVP of Products, Xage Security
Xage Security products have been architected from the ground up to be secure by design. We are proud to have signed the CISA Secure By Design Pledge as a public acknowledgment of our dedication to these principles.
The Secure By Design Pledge includes several goals that are directly related to the capabilities Xage provides to our customers. The core of our technology is the Xage Fabric Platform, a highly resilient, highly available cybersecurity mesh that delivers the combined capabilities of zero trust network access (ZTNA), privileged access management (PAM), and zero trust segmentation.
Xage adheres to the goals of the Secure By Design pledge in our own practices, and our products directly help our customers achieve the Secure By Design principles in their own environments, above and beyond their usage of Xage products. Xage customers include some of the largest energy producers (Petronas, Petrobras), manufacturers, and government agencies (U.S. Space Force) in the world. Xage customers provide critical infrastructure that supports and empowers the lives and livelihoods of billions of people worldwide. We are proud to sign this pledge to deliver secure-by-design products for our customers.
Goal: Multi-Factor Authentication (MFA)
“GOAL: Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.”
CISA Secure By Design Pledge
What Xage Does for MFA
MFA is one of the core offerings and product differentiators in Xage’s Zero Trust Access and Privileged Access Management products. Our customers use Xage to achieve MFA requirements, including MFA for remote access. Xage delivers unique MFA capabilities, including:
- Multi-layer MFA: Enforcing MFA at each hop from layer to layer in an environment. As users access more privileged assets and data, additional MFA challenges are presented to re-verify the users’ identity and privilege level. This reduces the risk represented by leaked or stolen credentials. Even if an attacker gains legitimate credentials and bypasses one MFA challenge, they will be faced with further challenges as they attempt lateral movement to more privileged devices. This prevents attackers from expanding their footprint, accessing critical assets, or escalating privileges.
- Per-Device MFA: Xage makes it possible to require an MFA challenge to access each individual device, even when the device does not natively support MFA, which is far more granular than the MFA in use at most enterprises today. A typical setup requires a single MFA challenge to gain VPN access to a company’s entire network, or to a large zone within it, after which anyone who passes that one challenge can reach every device inside. Xage prevents this type of attack by requiring MFA not only to access network zones, but individual devices, as chosen by the customer to protect their most critical assets.
- MFA for Legacy Assets (ICS, OT, Cyber-Physical Systems): Many operational technology devices such as Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs) have no built-in credential or authentication mechanisms. These devices are often accessed via insecure VPN-to-jump-server setups in which a technician with access to one device has access to every device in the zone or at the site. This makes activity logging and per-device access control virtually impossible. Xage is an overlay that can enforce per-device MFA on PLCs, RTUs, and other legacy assets that have no concept of identity-based security built in.
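The per-hop and per-device MFA behaviour described above, as an added illustration that is not Xage’s code: a small access-overlay model in which every step to a higher privilege tier and every individual device triggers its own challenge, so a session captured after one successful challenge at the jump host still cannot reach a PLC. Asset names, tiers and the challenge callback are constructed assumptions.

```python
# Added illustration of per-hop, per-device MFA in an access overlay.
# Not Xage code; asset names, tiers and the challenge callback are assumptions.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    tier: int  # 1 = DMZ jump host, 3 = safety-critical PLC (constructed tiers)

@dataclass
class Session:
    user: str
    verified_tiers: set = field(default_factory=set)   # tiers where MFA already passed
    verified_assets: set = field(default_factory=set)  # devices where MFA already passed

class Overlay:
    """Broker in front of the assets; the device itself need not support MFA."""
    def __init__(self, assets, challenge):
        self.assets = {a.name: a for a in assets}
        self.challenge = challenge  # callable(user, reason) -> bool, e.g. push or TOTP
        self.challenges_issued = 0
        self.audit = []             # per-device access log the legacy device cannot produce

    def _verify(self, session, seen, key, reason):
        if key in seen:             # already proven for this tier/device in this session
            return True
        self.challenges_issued += 1
        if not self.challenge(session.user, reason):
            return False
        seen.add(key)
        return True

    def access(self, session, name):
        asset = self.assets[name]
        ok = (self._verify(session, session.verified_tiers, asset.tier, f"tier {asset.tier}")
              and self._verify(session, session.verified_assets, name, f"device {name}"))
        self.audit.append((session.user, name, "granted" if ok else "denied"))
        return ok

ASSETS = [Asset("jump-host", 1), Asset("plc-01", 3), Asset("plc-02", 3)]

def legit_path():
    """Technician who answers every challenge; returns results and prompt count."""
    ov = Overlay(ASSETS, lambda user, reason: True)
    s = Session("tech")
    results = [ov.access(s, "jump-host"), ov.access(s, "plc-01"), ov.access(s, "plc-02")]
    return results, ov.challenges_issued

def stolen_session():
    """Session captured after one MFA pass at the jump host; thief cannot answer new prompts."""
    ov = Overlay(ASSETS, lambda user, reason: False)
    s = Session("tech", verified_tiers={1}, verified_assets={"jump-host"})
    return ov.access(s, "jump-host"), ov.access(s, "plc-01"), ov.audit[-1]
```

The legitimate path costs the technician five prompts (two per new tier-and-device pair, one for the second PLC in an already verified tier), while the stolen session reuses the jump host but is stopped at the first PLC, and the denial is recorded in the overlay's audit log.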
Goal: Eliminate Default Passwords
“GOAL: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.”
CISA Secure By Design Pledge
The Risks of Default Passwords
Default passwords are extremely common in industrial settings, and in enterprises in general. The difficulty of regularly updating credentials, and of achieving user compliance with password strength and rotation schedules, prevents many organizations from fully protecting themselves. Yet default passwords introduce major risk. Widely known default passwords on industrial devices, or even on ordinary commercial internet routers, give a cyber adversary an easy way to gain a toehold in a target network.
How Xage Eliminates Default Passwords
Xage automatically rotates credentials on a per-user and per-asset basis, so that no default passwords or stale user accounts can be leaked and used against the organization by an attacker. Xage is deployed as an overlay, so it can bring strong, auto-rotated credentials to devices that lack this functionality natively. Major global organizations such as Petrobras, the Brazilian government-controlled energy giant, have used Xage to eliminate shared and default credentials at over 80 operational sites for users accessing sensitive devices remotely, including on offshore oil rigs and in other challenging industrial environments. Learn more about how Petrobras stopped using insecure shared passwords and achieved secure remote access in this lecture from their head of cybersecurity.
Goal: Reducing Entire Classes of Vulnerability
“GOAL: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.”
CISA Secure By Design Pledge
Xage’s goal is not only to eliminate vulnerabilities in our own products, but to protect our customers from whole classes of vulnerabilities. In particular, we help our customers prevent the abuse of Valid Accounts (MITRE T1078) in the living-off-the-land techniques increasingly used by nation-state adversaries such as Volt Typhoon to establish persistence inside U.S. critical infrastructure. Xage has mapped our capabilities to the MITRE ATT&CK Framework for Enterprise and the MITRE ATT&CK Framework for Industrial Control Systems to help our customers understand which attacker tactics, techniques, and procedures Xage can protect them against.
2023 and 2024 have seen the disclosure of many high-severity vulnerabilities in widely deployed remote access and security products, such as the Ivanti PulseSecure VPN, Cisco ASA, and many enterprise firewalls. Xage strives not only to protect our own products from such vulnerabilities, but to protect our customers from the impact of such vulnerabilities by delivering internal segmentation, granular zero trust policy enforcement, and simple, rapidly deployed privileged access management capabilities.
As a business, Xage invests heavily in securing our own systems, using our own products and others, to ensure that we are protected against software supply chain attacks, insider threats, third-party risk, and other sources of potential cyberattack. Xage products are IEC 62443 certified, and the company is ISO 27001 certified.
Why Xage Signed the Secure By Design Pledge
With or without the CISA pledge, we think the only way to succeed in the increasingly crowded cybersecurity market is to truly earn the trust of our customers. Our commitment to secure-by-design principles began at the very foundation of the company and is bone-deep in everything we do. Signing the Secure By Design pledge is a way to make our voice heard, make our commitment public, and double down on what we have always done: simplify access, prevent cyberattacks, and empower businesses.