I recently came across reruns of a TV show from the 60’s called “Get Smart”. In the opening sequence of the show, the lead character, Maxwell Smart, played by Don Adams, must pass through nearly a dozen doors, or layers of security in order to access his job at “Control” where the secrets are stored.
I spend a lot of time discussing security strategy and requirements with colleagues, customers and the NonStop user community in general. Over the last 10 years that I’ve been working in the NonStop space, it’s become clear that the traditional approach to security – applying a single layer of security or a solution that meets a certain requirement, has some serious shortcomings. History has shown time and time again that although a single focused solution can be useful in stopping a particular attack, in the long run, more patient and advanced adversaries will find this approach to security merely an inconvenience. I’m amazed at how often I hear “That’s good enough for us” speaking about a particular approach.
“We use multi-factor authentication.”
“We use encryption.”
“We scan our systems.”
“Our servers aren’t connected to the internet.”
“Our auditors have not mentioned that.”
No one is suffering from the illusion that there’s a silver bullet that will effortlessly make an organization 100% secure. More importantly, the perimeter itself is dissolving. Punting security to an external group and relying on firewalls, IDS/IPS and authentication controls by themselves to protect a system is irresponsible and actually leaves unexpected holes in the system. Identifying your assets and building your security strategy around those assets is the only true way to mitigate risk. Identification is key. If you don’t know what you are protecting and why you are protecting it, it becomes difficult to deploy the right security measures.
Layered security takes the military concept of “Defense in Depth” and applies it to cyber security. The idea is simple; a single solution may stop a certain type of attack, but if an attack does get through, the layers behind them are set up to continuously slow down and stop the attacker. For example, a castle may have a moat, a protected door, a perimeter wall, guards and guard towers, inner walls and a highly secure, highly protected safe that contains the crown jewels. The same strategy should be applied to how critical digital assets are secured.
Hardening the NonStop server is no different. Structure your security solutions to best manage your risk. The goal is if an attack gets past a single layer or solution, the subsequent layers are purposefully set-up to slow down and narrow the field of attack.
XYPRO’s approach to HPE NonStop security is this: we took the same layered, defense in depth strategy and deconstructed all those layers to identify where the system or data is most at risk on the NonStop server. We apply the strategy based on the risk involved, the type of data we’re aiming to protect, and how different layers can interact with each other for risk mitigation. We ended up with the layers illustrated below. In this introductory article, we’ll identify and explain all the layers. In future articles we’ll discuss the importance of each layer in depth.
The Network Layer
The Network layer is the outermost layer of the system and most likely to be targeted first. This layer is essentially your system’s perimeter, where applications are exposed and data is in motion, communicating with other systems and endpoints. Unlike subsequent layers, the system does not necessarily need to be compromised for an attack to be successful at this layer. Therefore, it’s critical to ensure all data flowing in and out of the system at this layer is properly protected using secure protocols such as TLS, SSH, SFTP etc… and ensuring no suspicious ports or services are available for external fingerprinting or other reconnaissance activity. Implementing security at this layer will cause a potential attacker to look elsewhere.
The System Layer
The system layer controls who is allowed to have access into your system. This is where logon controls are set up, credentials are validated and additional integrations, such as Multi-factor Authentication and other authentication providers are implemented. An often overlooked but equally important understanding is access isn’t only for users or logging into the system. Processes, objects and subsystems also need to properly authenticate themselves to access system resources and data. Think of this layer as the front door to your house. A thief would typically need valid credentials, or keys, to proceed any further. Although hardening your defenses here is a must, assume a motivated and patient adversary will bide their time and eventually get the keys they are looking for. And not to mention those pesky insider threats who may already have validated access to the system. How do you slow them down once they penetrate this layer?
The User Layer
The user layer approach takes the position that users shouldn’t have unchecked permissions on a system, even after they’ve been granted access. Assume an attacker was road blocked at the Network Layer, but was able to compromise a user’s credentials at the system layer and logged on to the system. Deploying a proper layered strategy at these next two layers will ensure access to the “Data in Use” is properly controlled and managed. Once granted access to a system, users shouldn’t have free reign to browse and run applications and utilities as they please (although I have seen this happen more than I’m comfortable admitting). Controlling what a user can access in terms of utilities and system locations based on their role, job responsibilities and other factors is a critical approach to executing a proper security strategy. Role Based Access Control (RBAC) is a familiar concept to most security administrators. RBAC is deployed at this layer.
Let’s look at an example. Your organization has a database administrator who should only have access to SQLCI and no other applications or utilities for their job function. Using RBAC, you restrict their access to the utility needed to execute their job duties and deny access to everything else. That way, if their credentials are compromised at the system layer, their ability to access utilities and programs will be tightly controlled. It is very important to note as part of this process, that their access be monitored via proper audits. We’ll discuss this later.
XYPRO’s XYGATE Access Control (XAC) can take RBAC a step further, by restricting control to the subcommand level within utilities and programs. So, unless a user is explicitly granted access to run a utility or program, or even a subcommand within a utility, they will be denied. Further controlling what a malicious user may or may not do if they get down to this layer
The Object Layer
The object layer will ensure access to resources is granted only to authorized users. Resources may include files, volumes, subvolumes, databases and other objects. Building on the previous layer that restricted access based on actions, protection at the object layer will ensure an authorized user running an authorized application can only access authorized objects.
The Data Layer
The data layer is where the core of your data resides. The crown jewels of what an attacker would be after. Examples of these would be data stored within files, databases and other data repositories containing critical business data, payment card data, customer data and other critical data necessary for your operations. This is typically referenced as “Data at Rest”. If an attacker made it this far, your last line of defense would be to make the data completely unrecognizable. There are several solutions that exist such as HPE SecureData Transparent Data Protection encryption solutions. These solutions will tokenize or encrypt data at rest, so even if the data was exfiltrated, it would be of no use to the thief.
The Volume Layer
To protect the volume layer, often considered a physical layer of security, HPE offers solutions that protect data at rest at the disk level. One solution is Volume Level Encryption (VLE). An important point to keep in mind, VLE only protects against physical threats. If someone were to walk into your data center and walk out with a hard drive containing critical data, using VLE, that drive would be unusable to them. VLE does not protect application access to the data once the system is on and running. This concept shifts around a bit in the vNonStop world, but the objective is still the same.
Audit and Monitoring
Implementing controls without auditing and monitoring is ineffective and can ultimately be the Achilles heel that sinks a security strategy. Generating audit records at every layer for critical activities and reviewing those in a timely fashion will help gain insight into a security strategy like never before. Security intelligence and analytics are no longer buzzwords. Solutions like XYGATE SecurityOne® (XS1) and other analytics platforms can give you views into your data and what is happening on your systems like never before. What was traditionally a very tedious and time consuming activity with little result can tilt the scale in your favor and slow down or even stop a costly breach. At the end of the day, data is king. You can add defenses at every layer, but without generating the data to know what is happening at those layers, you’re flying blind and cannot ensure your defenses are working the way you intended. As part of this process, ensure the operating systems and applications are patched and updated regularly.
Back to Get Smart…… The reason I found the TV show so relatable to this article (aside from the very appropriate title) is the character works for a secret U.S. government counter-intelligence agency named CONTROL which is appropriate to all of the differing security layers for controlling access to computers and their data. CONTROL’s nemesis is KAOS who are an international organization of evil and represent the chaos of all the various threats against computers and their data. The fit was perfect with the opening to the show depicting agent 86 passing through many layers of security protecting their secrets and intelligence information. Agent 86, with his many layers of security, provide him with a 100% success record of detecting and averting disasters.
A motivated attacker will always find a way. Using a layered security approach to risk management can slow their advances enough to allow you to counter their moves. Without a strategy in place to address what happens when they get through, you are gambling, and hoping an attack will stop once they hit the first obstacle you throw at them.
Technology continues to evolve. The skill level & creativity of attackers also continues to evolve . Organizations and merchants need to up their game and their security strategy to keep up with the challenges of the current landscape. This not only benefits the organization, but more importantly provides the necessary assurance to customers that their critical data is being responsibly handled and protected in the most secure way possible.
We’ll be taking a deeper dive into the importance and risk at each layer in upcoming blogs and articles and discuss how to map solutions to set up your strategy to best mitigate your risk. Stay tuned!
Steve Tcherchian, CISSP, PCI-ISA, PCIP is the Chief Product Officer and Chief Information Security Officer for XYPRO Technology. Steve is a Member of the Forbes Technology Council, on the NonStop Under 40 executive board and part of the ANSI X9 Security Standards Committee. With over 20 years in the cybersecurity field, Steve is responsible for strategy and innovation of XYPRO’s security product line as well as overseeing XYPRO’s risk, compliance and security to ensure the best experience to customers in the Mission-Critical computing marketplace.
Steve is an engaging and dynamic speaker who regularly presents on cybersecurity topics at conferences around the world.