Australia’s largest banks, miners and utilities have implemented secure multi-tier architectures.
Many of these organisations have invested years to overhaul and harden their internal security into zones which significantly reduce the ability for internal and external attackers to steal sensitive information.
Prior to the architecture overhauls, some of these businesses - which cannot be named due to non-disclosure agreements - had soft, flat internal networks which offered little resistance to intruders that had breached perimeter security, and less still to malicious internal employees bent on stealing data.
Some had badly failed penetration tests in which sensitive information could be accessed through common oversights such as excessive user access rights, weak network controls and uncontrolled endpoints.
For these businesses, the need to redesign the networks to a zero trust model was a big consideration. While security advocates had banged on about the need to harden internal networks for decades, the amount of resources required to plan, procure and deploy the technology and processes like client-side firewalls, logging and intrusion detection systems at multiple chokepoints throughout the entire corporation appeared out of reach.
“Hardening the internal environment is the best investment any business can make in security,” says Chris Gatford, director of Sydney-based penetration testing firm HackLabs. “Basically every time we do a penetration test, depending on the techniques we use, we can breach the external environment with some form of client-side attack against end users. Once we are in the network, it is game over.”
That’s because organisations had built internal networks for functionality and ease of use. But that same slick, flat architecture means Gatford, or a malicious actor, could swipe data with ease with little chance of detection either during or after the breach.
Gatford, a former security manager with Ernst & Young, rarely encountered hardened internal networks when running penetration tests. Those that had tough internals were typically specialised organisations that often introduced zero trust zones on a limited basis, principally for systems such as Supervisory Control and Data Acquisition (SCADA).
“They are much harder to crack. Those organisations with robust internal authentication, client-side firewalls and two-factor authentication significantly slowed down or even halted our attacks, depending on the scope of the work we had done at the time.”
Divide and conquer
Physical and logical systems should be segmented into tiers grouped by similar services, exposure and risk, says Keith Price, director of Sydney-based Black Swan Consulting. Price, a former network engineer with some 25 years' industry experience, has preached the need and benefits of multi-tiered architectures in which presentation, data management and application processing are logically separate processes.
Price says zone and trust modelling is based on defence in depth and diversity in defence, choke points, least privilege, systems segmentation and dedicated functionality security strategies where concentric security layers make exploitation significantly harder.
“If you’re an employee and you want to cause damage, the first thing you’re going to go for is the database,” Price says. This could be easy in a flat architecture where all security measures are focused at the perimeter, meaning users could have direct access to the targeted data.
But as Price explains, a zone architecture means that internal users must compromise rugged security measures like firewalls and intrusion prevention at choke points between zones. “They need to get to the web server, then to the business logic server and they need to own that in order to make queries to the database,” Price says.
“Choke points were a fundamental theory used at the Battle of Thermopylae where the vastly outnumbered Spartans stood ground at a well-defended choke point.”
Multi-tiered architectures were known to security architects, but Price contends many do not understand how the theory plays out in reality.
He explains that each zone is composed of devices grouped according to risk, so that higher and lower risk entities are separated and covered by common protection strategies.
Demarcated perimeters, which at their most basic would include a firewall, surround each zone and vary in complexity based on risk profiles. Each zone could be divided into smaller sub-zones that provide extra protection to more sensitive devices and systems.
The basic zones include the fundamental functions of service presentation, business application logic, and secured storage. There may also be multiple zones within the same classification. These include business applications (each with different business logic servers for application domains); internal users and systems (when staff are spread across locations); and secure data storage zones (for remote data centres or business partners).
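The following is an added illustration, not code from the article or from either consultancy: a small default-deny flow policy for the presentation, business logic and data tiers described above, set beside a flat network, with a check of how many choke points a connection from the internal user zone must cross to reach the database. Zone names, ports and rules are assumed for the example.

```python
"""Zone policy model for a multi-tier architecture (constructed example)."""
from collections import deque

# Default-deny policy between zones: (source_zone, dest_zone, port).
# Only adjacent tiers may talk, and only on the service port they need.
ZONED_POLICY = {
    ("internet", "presentation", 443),
    ("internal_users", "presentation", 443),
    ("presentation", "app_logic", 8443),
    ("app_logic", "data", 5432),
}

# Flat network for comparison: every zone reaches every other zone on any port.
ZONES = ["internet", "internal_users", "presentation", "app_logic", "data"]
FLAT_POLICY = {(s, d, None) for s in ZONES for d in ZONES if s != d}


def flow_allowed(policy, src, dst, port):
    """True if the choke-point firewall would pass src -> dst on this port.
    A rule whose port is None matches any port (used by the flat model)."""
    return any(s == src and d == dst and (p is None or p == port)
               for s, d, p in policy)


def zones_to_compromise(policy, start, target):
    """Minimum number of zone boundaries that must be crossed, following
    only permitted flows, to get from `start` to `target` (BFS).
    Returns None when `target` is unreachable under the policy."""
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        zone, hops = queue.popleft()
        if zone == target:
            return hops
        for s, d, _ in policy:
            if s == zone and d not in seen:
                seen.add(d)
                queue.append((d, hops + 1))
    return None


if __name__ == "__main__":
    print(flow_allowed(FLAT_POLICY, "internal_users", "data", 5432))   # True
    print(flow_allowed(ZONED_POLICY, "internal_users", "data", 5432))  # False
    print(zones_to_compromise(FLAT_POLICY, "internal_users", "data"))  # 1
    print(zones_to_compromise(ZONED_POLICY, "internal_users", "data")) # 3
```

In the zoned model a user-zone host has no direct path to the database; reaching it means crossing the web, business logic and data boundaries in turn, which is exactly the sequence Price describes.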
The investment in multi-tiered architectures is significant. It was enough for Gatford to consider it “unfortunately unworkable” because of the resources required to uproot and rebuild networks and interruption to business operations.
“There are too many overheads and it is too hard to change rules and put in client side firewalls,” he says.
Price too acknowledges the cost, but says deployments should be made according to risk and requirement. “It’s different for every organisation. Those that have tonnes of credit card data should move to this architecture as soon as possible while others that hold public non-sensitive data might not worry.”
He recommends organisations that consider the architectural re-write begin with a board-run risk assessment to determine what systems should be secured first and plan a roadmap that could run over two years.
Some businesses need not uproot their existing architectures, according to Price, but rather mandate that all new network systems adhere to the zoned logic. “That way it’s like a phase out. We don’t advocate a retrospective fix, we advocate standards that new projects should meet.”
A network re-write might be undeniably intimidating, but Price says organisations with modern IT shops should be able to make the transition without interrupting the business.