An Argument for Multi-Layered Security in Wake of the Equifax Breach

Winter weather can be brutal. Layers come in handy to protect from the cold, and in security, it’s the same story: protection in layers makes for stronger security. Axiomatics can help you implement a layered approach.

We’re already officially a few weeks into the fall season but the sun has managed to stave off the notoriously brutal midwestern cold. Well, until today. As I stepped outside my apartment to head over to the Axiomatics US office here in Chicago, I was greeted with a brisk and biting wind that reminded me: I need to start wearing layers, especially given I am a bike commuter. Gloves, beanies, and layered jackets are now in order.

You might be wondering what all this has to do with IT and security. Well, much like my epidermis, your data and services deserve the best protection available. And it’s not just one layer. Organizations need a multi-layered approach to security with several checkpoints. And don’t presume a single technology will suffice. You’ll need different tools brought together in a well-orchestrated security perimeter. Tools that address different concerns in the logical realm, such as:

  • Firewalls to protect the infrastructure and OS your service is running on
  • Web application firewalls to protect the applications you are running
  • Identity & Access Management (authentication, authorization, user management) solutions to make sure only the relevant individuals get access to the applications and services

Organizations need to shift from a world where anyone has access to everything or worse, no one has access to anything (which leads to …) to a compartmentalized world where individuals get access to the applicable data under relevant circumstances. This principle is called defense-in-depth, and it was first conceived by the NSA. (Read more on Wikipedia’s article page.) The point is to break down the amount of data anyone can access into smaller realms or compartments. So where does Axiomatics fit in? Given we deliver centrally-managed, easy-to-audit authorization decision services, we can integrate in these different layers to provide relevant and dynamic authorization.

Let’s look at the recent Equifax breach. They were victim of an issue (CVE-2017-5638) in a web framework called Apache Struts. That vulnerability allowed remote attackers to run commands on the server the web framework was running on. This meant that if the user or service account operating Apache Struts had some level of privileges, then a remote attacker could leverage those privileges to obtain access to other systems (as highlighted in Talos Intelligence’s blog post).

Had a multi-layered approach been taken, the service account running Apache Struts could have had a more limited access to data. If, for instance, fine-grained authorization had been used, the service account could have lost access to all the information that attackers were otherwise able to retrieve (a total of 145.5 million identities). A more secure architectural design with a better separation between the web application and back-end database could also have limited the extent of the damage Equifax incurred. The idea is to defend a system against the potential of an attack using several independent methods.

With dynamic authorization, aka Attribute Based Access Control or ABAC, we could have implemented a policy that includes a rule that made sure only customers or employees would be able to access a certain set of data, thereby preventing the service account itself from getting access. The checks could have been enforced in the web application tier, the API tier, and even the data tier. ABAC alone, though, is not enough. If, during the breach, attackers manage to obtain a highly privileged account (e.g. root) and propagate to the next server over, defense becomes more arduous. And this is where another type of technology, privileged account management, can come in – to limit access to such critical accounts.

There is a silver lining to the Equifax story, though. Their security team was able to detect anomalous traffic and shut down the system – albeit too late. They were able to detect the anomalies through another set of tools. So, as you can see, layered approaches are key, but not just with what is considered standard security tools (like firewalls or SIEM), but also with the addition of intelligent, dynamic access control approaches.

For more information and resources on how to get started with ABAC, visit our Access Control 101 page.



Leave a Reply

Your email address will not be published. Required fields are marked *