Anzr's Blueprint No. 2 - Secure Access Platform

Anzr, a company focusing on cyber security and infrastructure as code, has developed blueprints for components that support devsecops-based service deliveries on public and private infrastructures and mitigate critical cyber security risks. The blueprints are made available at a high level for Anzr’s followers and can be designed and implemented in our customers’ environments. If you identify a need in this area, feel free to contact us!

Why have we designed the Secure Access Platform?

Secure privileged access to private and public infrastructures is imperative for cyber security and constitutes a fundamental security control in all relevant frameworks and standards.

Long-lived and complex environments can have many means of privileged access, including legacy ones not up to today’s best practices. There are also sometimes built-in weaknesses in privileged access design for greenfield environments.

Vulnerabilities and weak design of privileged access can result in critical security incidents due to increased exposure for privilege escalation, credential access, and lateral movement by threat actors. The threat actors’ modus operandi and related risks are significantly mitigated by a robust privileged access model.

The challenges for many organizations are to:

  1. correct over-privileged accounts due to insufficient management and automation
  2. limit exposure to privilege escalation, credential access, and lateral movement
  3. design and technically implement complex security models
  4. design and integrate a PAM solution to multiple systems
  5. implement just-in-time access and monitor privileged access in real-time

Anzr’s Secure Access Platform has focused on solving these challenges and others. In the following interview, Anzr’s co-founders Robert Teir and Magnus Blom discuss some fundamental aspects of Anzr’s Secure Access Platform and key design choices.

Ok Robert, what is the Secure Access Platform?

Our Secure Access Platform is a non-proprietary solution for providing users and services dynamic and secure privileged access to private and public infrastructures in accordance with the customer’s security model and the principles for segregation of duties, least privilege, and zero trust.

Can you give Anzr’s view on the key challenges and organizations’ need in this area?

Our opinion based on several years’ experience is that privileged access often is implemented over time in a non-holistic manner with build-over-builds resulting in vulnerabilities and a design not always fulfilling today’s best practice.

We see everything from a lack of MFA coverage, non-hardened clients and systems, legacy access paths still operational, shared accounts, and poor secret management, to lack of good features such as a robust security model, just-in-time access, session recording and monitoring, dual access support etc.

You have worked on several high-profile ransomware incidents. Can you describe how threat actors operate and how the Secure Access Platform reduces related cyber security risks?

The cybercriminal market is now well-known for being professionalized where you for example can purchase initial access and tooling on the black market. Leaked internal communication from a high-profile ransomware group also shows how they function to some extent as a normal company, with detailed manuals and playbooks, organized in departments and teams, recruitment processes etc.

Many threat actors therefore have a standardized operating model with resources, playbooks, and tooling for accessing and controlling target environments.

Their criminal work is made easier by common weaknesses in privileged access design where they can go from initial access to domain admin of a system within minutes in the worst case. Privilege escalation, credential access, and lateral movement are critical attack phases where the target company can significantly mitigate their risks with the Secure Access Platform and a robust security model.

Normal ransomware groups have a bang-for-the-buck approach where complexity versus potential payout are factors. Other groups and APT actors can have other interests. It is obvious that organizations who themselves develop and manage applications, operate infrastructure, and have critical information, such as large enterprises, banking and finance, IT companies amongst others, benefit from a robust security model and the Secure Access Platform.

Other, smaller organizations with outsourced IT services may not need the Secure Access Platform but we can help them in other areas like identity and access management, cyber security due diligence, security awareness training for employees etc.

Can you give a high-level description of Anzr’s Secure Access Platform?

Our Secure Access Platform is built on several key components such as hardening of endpoints, secure communication, MFA, personal and shared vaults, PKI services, hardened directory services, orchestration modules, integration to reputable PAM and ITSM systems, bastions etc.

All users’ endpoints are hardened and access the Secure Access Platform with certificate-based secure communication and enforced MFA. We also provide personal vaults for password management. If the customer wishes, we can provide hardening of operating systems according to CIS standards for the end users’ clients, but that is another service of ours.

PKI services provide certificates for endpoints and other services in the platform.

Identity management is normally done with an isolated, hardened directory service with strictly controlled privileged access. The directory service is obviously a critical part in an access platform if used, and it needs to have a secure design to mitigate any inherited design flaws.

A key component is obviously the PAM platform itself which the customer may choose. We provide recommendations and pros and cons and have worked with most of the leading PAM platforms on the market. PAM platforms can offer a wide range of functionality, but it is important to focus on the functionality required now, and in the future, as well as ease of management, ability to manage the security model, infrastructure requirements, and cost.

Most PAM platforms support certificate-based authentication but that might not always be the case with the target systems. The customer must decide if they want to have a unified authentication process or accept different ones.

The Secure Access Platform has an orchestration module which automates provisioning of hosts, groups, roles, and users across all components such as the PAM, directory service and appliances etc. This is key for minimizing human error and providing a realistic chance to manage a complex and well-designed security model.

We perform integration to ITSM systems which are used for example by an internal security department or SOC, providing just-in-time access and session monitoring. We also configure session recording and can add immutable backups of the same.

Logging from the Secure Access Platform is done to the customer’s central logging service. We have, as mentioned in the previous blueprint release, a data visualization platform that is a good environment to manage, amongst other things, logging in a secure manner.

The Secure Access Platform is normally deployed on containers through infrastructure as code. Some PAM platforms do not fully support container infrastructures yet and therefore need to be deployed on virtualized or physical servers, but configuration and deployment are nonetheless done through infrastructure as code.

What is important to think about when you implement your organization’s security model?

The customer’s security model is what our Secure Access Platform will deliver and automate. Different customers have different complexity in the security model of choice, regardless of whether they fall under role or attribute based access control.

But if you assume that you have large infrastructures, several teams with privileged access, and high requirements for information security, it quickly gets complicated. Achieving good separation of duties and least privilege in complex organizations and processes is a critical design question and dependent on the PAM platform’s support and prerequisites.

We have experience of implementing most of the security models imaginable in the leading PAM platforms on the market.

Can you describe different design choices for directory services and why that can be important?

Yes, the PAM platforms do not generally provide a directory service; it is not the purpose of the PAM. We often include a hardened directory service in our design if the customer does not already have a suitable one to integrate.

A separate directory service provides benefits from an integration perspective where most systems allow integration to a directory service, and you minimize the need for complex integrations between the PAM platform and target systems.

Lastly, there is also a possibility of integrating several directory services for privileged access outside the security model and systems that the customer controls, for example to a third party’s environment where that third party manages the lifecycle of privileged accounts.

How about hardening of the directory service if you choose to use it in the design?

Hardening of the directory service is obviously very important given the service it provides, and any inherited security flaws. You do not want to use the same directory service as non-privileged access outside the Secure Access Platform, because then you would in principle either break the security boundaries or impose the same security requirements on everything outside the Secure Access Platform.

Can you describe what type of infrastructure the Secure Access Platform can run on?

We prefer to deploy all our designs on containers, but some PAM platforms do not fully support this yet. Containers give you the ability to scale horizontally if a service experiences, for example, heavy load. A PAM platform that runs on virtual machines will be somewhat harder to scale, and there are of course other benefits with containers as well.

Is the Secure Access Platform relevant for a workload on for example Azure, AWS and GCP?

All customers do not have a pure public cloud infrastructure. The Secure Access Platform is obviously relevant in hybrid environments, fronting the public cloud infrastructure as well.

For a pure public cloud infrastructure, we would, depending on the security requirements, replace components for the benefit of cloud services such as Microsoft’s Azure AD PIM, AWS’ IAM and Google’s Cloud IAM, the cloud providers’ different logging services etc. It will not be the same blueprint as discussed now but we are obviously used to working with hardening of public cloud instances, layered defense, segmentation, IAM etc. It is a secure foundation for other devsecops services we provide on public cloud.

What type of testing is critical when designing, configuring and deploying the Secure Access Platform?

We recommend doing independent security reviews of the high and low level designs during the project’s preparation phase, and of the finished Secure Access Platform in production. An independent party can also provide white-box or black-box penetration testing. Anzr works with some of these tests but is not the correct choice if we are helping the customer design and build it. We have extensive experience in working together with third parties in different types of security testing.

Then there are also the normal system integration and user acceptance tests, performance tests of both infrastructure and application components etc.

The CI/CD tooling we use also supports SCA and SAST/DAST and we work according to good security practice in our development process.

Ok, final question. If a customer has other design preferences, can we work with that and help them?

Yes. As we mentioned before, the customer must make several choices in this blueprint, such as PAM platform, security model etc. But we can also adapt to other requirements regarding for example directory service and the use of public cloud services.

That concludes this short brief and high-level summary of Anzr’s Secure Access Platform. Low-level designs and more details are shared with customers that Anzr actively works with.

30 January, 2023