Organisations are being asked to embrace a new layered defensive structure – but can it significantly move the needle on their posture and protections?
It was apparent, coming into this year, that organisations would face evolving security threats.
Among our stated expectations was that attackers would target increasingly obscure identity paths, exploiting convoluted trust relationships and hidden entitlements in pursuit of privileged access, and turning minor identity issues into significant security risks.
At the time, we noted that these kinds of incidents would force organisations to reassess their identity and access hygiene. “Hygiene” in this context carries a lot of weight. While it is often taken to mean foundational better or best practices for addressing security risks and concerns, the way hygiene is implemented and assessed tends to turn into a very tools-based conversation, and a layered approach to defensive protections is often the end result.
What an optimal layered defensive structure comprises obviously varies by who you talk to. But there is an Australian-led effort to create a more standardised, common and structured approach to defining the foundations for a modern defensible architecture – and this effort warrants some careful attention and examination.
Foundational anchors
The “Foundations for Modern Defensible Architecture” by the Australian Cyber Security Centre (ACSC) is equal parts a by-product of cyber incident response outcomes, penetration testing and vulnerability assessment activities, and evolving notions of better practice to increase cyber resilience in the face of evolving threats.
As the ACSC points out, the intent is to set a new “baseline of secure design and architecture activities that will best prepare organisations to adapt to current and emerging cyber threats and challenges”.
The framework is anchored by two fundamental cyber security paradigms: zero-trust principles and secure-by-design practices.
Zero trust operates on the tenets of “never trust, always verify”, “assume breach”, and “verify explicitly”. It necessitates continuous verification of user and device identities, irrespective of their location within or outside the network perimeter.
On the other hand, secure-by-design practices emphasise the integration of security considerations from the inception of system development and not as an afterthought. By embedding security measures during the design phase, organisations can proactively mitigate vulnerabilities, reduce the risk of exploitation and avoid unnecessary delays in the development of systems.
The alignment of the foundations to these two areas is perhaps no surprise within the context of the direction that Australian cyber security policy is already headed; under the 2023–30 Australian Cyber Security Strategy, both are seen as desirable for all organisations to embrace and foster.
Why 4 foundations are particularly impactful for defensive fortification
On a purely practical level, the guidance outlines 10 foundations that authorities believe can combine to create a defensible architecture. At a high level, they are: centrally managed enterprise identities, high assurance authentication, contextual authorisation, reliable asset inventory, secure endpoints, reduced attack surface, resilient networks, secure-by-design software, comprehensive assurance and governance, and continuous and actionable monitoring.
While the intent is not for organisations to cherry-pick foundations – ultimately, addressing all of them contributes to an optimal degree of defensive fortification – there are some foundations that particularly stand out over others for their ability to improve cyber security outcomes among various teams and departments within a typical organisation.
First, the guide encourages the implementation of centralised identity management solutions to provide a holistic view of users, facilitating informed, risk-based access decisions. This centralisation ensures that user roles and permissions are consistently monitored and updated, enhancing overall security posture.
Second, it seeks a commitment to maintaining a reliable asset inventory. This means having a comprehensive and up-to-date inventory of all assets, including devices, applications, and data repositories. Such an asset management database, and the practices built around it, lets organisations promptly identify and address vulnerabilities across their infrastructure, device fleets and application estates, ensuring that all components are accounted for and secured.
Third, network segmentation and segregation are seen as foundational enablers for creating resilient networks. Segmentation is the act of dividing a network into distinct logical segments, which can limit the blast radius of an attack and the lateral movement of potential attackers. By isolating critical assets, organisations can contain breaches and minimise the impact of security incidents.
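To make the “blast radius” point above concrete, here is an added example (not code from the ACSC guidance or the article) that models a network as named segments with an allow-list of permitted flows and computes which segments an attacker who has compromised one segment could move into. The segment names and both policies are constructed for illustration; the flat policy stands in for an unsegmented network, the segmented one permits only the flows a three-tier application needs.

```python
"""Segmentation blast-radius check (added example, constructed data).

Models a network as named segments with an explicit allow-list of permitted
flows, then computes which segments an attacker who has compromised one
segment could reach by lateral movement. Segment names and rules below are
constructed for illustration, not taken from any real environment.
"""
from collections import deque

# Constructed: the segments in the example network.
SEGMENTS = ["user-lan", "web-dmz", "app", "db", "mgmt"]

# Constructed: a flat network, where every segment can initiate to every other.
FLAT_POLICY = {src: {dst for dst in SEGMENTS if dst != src} for src in SEGMENTS}

# Constructed: a segmented policy permitting only the flows the application
# needs. Keys are source segments; values are the destinations they may reach.
SEGMENTED_POLICY = {
    "user-lan": {"web-dmz"},             # users only reach the web tier
    "web-dmz": {"app"},                  # web tier talks to the app tier
    "app": {"db"},                       # app tier talks to the database
    "db": set(),                         # database initiates nothing
    "mgmt": {"web-dmz", "app", "db"},    # admins reach servers; nothing reaches mgmt
}


def flow_allowed(policy, src, dst):
    """Check a single flow against the policy (default deny)."""
    return dst in policy.get(src, set())


def reachable_from(policy, start):
    """Segments reachable from `start` by chaining permitted flows (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in policy.get(cur, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(policy, compromised):
    """Number of other segments an attacker in `compromised` can move into."""
    return len(reachable_from(policy, compromised))


def unreachable_segments(policy, start):
    """Segments that stay isolated from a compromise of `start`."""
    return set(SEGMENTS) - reachable_from(policy, start) - {start}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        for seg in ("user-lan", "db"):
            print(f"{name}: compromise of {seg} reaches "
                  f"{sorted(reachable_from(policy, seg))}")
```

Running it shows the trade-off the paragraph describes: in the flat network a compromised user workstation reaches all four other segments, while under the segmented policy a compromised database server reaches nothing and the management segment is isolated from user traffic. It also shows why reachability must be checked transitively, not rule by rule: the segmented policy never allows `user-lan` to `db` directly, yet the chain through the web and app tiers still exists, which is exactly the lateral-movement path segmentation reviews need to reason about.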
A fourth key foundation is continuous and actionable monitoring and logging. Implementing robust monitoring systems to detect anomalies and maintain comprehensive logs is essential for timely threat detection and response. This continuous oversight ensures that suspicious activities are identified and addressed promptly.
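The zero-trust tenets described earlier (verification irrespective of network location) and the four foundations just outlined come together in the access decision itself. The following added example, not code from the ACSC guidance or the article, sketches a policy decision that consults a centrally managed identity store and an asset inventory, applies contextual checks (role, device compliance, verified MFA for sensitive resources), and emits a structured audit record suitable for continuous monitoring. Every user, device, resource and request in it is constructed sample data, and the field names are assumptions for illustration.

```python
"""Zero-trust access decision with audit logging (added example, constructed data).

Combines a central identity store, an asset inventory and contextual
authorisation into one decision, then emits a structured log record for
the monitoring pipeline. All identities, devices, resources and requests
here are constructed for illustration.
"""
from dataclasses import dataclass, field
import json

# Constructed: the central identity store (who exists, their roles, MFA state).
IDENTITIES = {
    "alice": {"roles": {"finance"}, "mfa_enrolled": True, "disabled": False},
    "bob": {"roles": {"engineering"}, "mfa_enrolled": False, "disabled": False},
    "carol": {"roles": {"finance"}, "mfa_enrolled": True, "disabled": True},
}

# Constructed: the asset inventory (which devices are known, owned, compliant).
ASSETS = {
    "LT-0001": {"owner": "alice", "compliant": True},
    "LT-0002": {"owner": "bob", "compliant": False},   # e.g. overdue patches
}

# Constructed: resources, the role each requires and whether it is sensitive.
RESOURCES = {
    "payroll-db": {"role": "finance", "sensitive": True},
    "wiki": {"role": None, "sensitive": False},
}


@dataclass
class Request:
    user: str
    device: str
    resource: str
    mfa_verified: bool      # did this session complete a high-assurance factor?
    source_network: str     # recorded for monitoring; grants no trust by itself
    reasons: list = field(default_factory=list)


def decide(req: Request) -> bool:
    """Allow only when identity, device and context all check out.

    Network location deliberately plays no part in granting access
    ("never trust, always verify"); it is logged for monitoring only.
    """
    ident = IDENTITIES.get(req.user)
    if ident is None or ident["disabled"]:
        req.reasons.append("identity unknown or disabled")

    asset = ASSETS.get(req.device)
    if asset is None:
        req.reasons.append("device not in asset inventory")
    elif asset["owner"] != req.user:
        req.reasons.append("device not assigned to this user")
    elif not asset["compliant"]:
        req.reasons.append("device non-compliant")

    res = RESOURCES.get(req.resource)
    if res is None:
        req.reasons.append("unknown resource")
    else:
        if res["role"] and (ident is None or res["role"] not in ident["roles"]):
            req.reasons.append("missing required role")
        if res["sensitive"] and not req.mfa_verified:
            req.reasons.append("sensitive resource requires verified MFA")

    return not req.reasons


def audit_record(req: Request, allowed: bool) -> str:
    """One JSON line per decision, including denial reasons, for the SIEM."""
    return json.dumps({
        "event": "access_decision",
        "user": req.user,
        "device": req.device,
        "resource": req.resource,
        "source_network": req.source_network,
        "decision": "allow" if allowed else "deny",
        "reasons": req.reasons,
    }, sort_keys=True)


def evaluate(req: Request):
    """Decide the request and return (allowed, audit_line)."""
    allowed = decide(req)
    return allowed, audit_record(req, allowed)


if __name__ == "__main__":
    # Constructed requests: a verified user working remotely, and an unknown
    # device on the corporate LAN. Location neither helps nor hurts either.
    for r in (Request("alice", "LT-0001", "payroll-db", True, "home-wifi"),
              Request("alice", "UNKNOWN-99", "payroll-db", True, "corporate-lan")):
        print(evaluate(r)[1])
```

The denial reasons are returned as data rather than a bare boolean so that every deny lands in the log with its cause; a request from an unmanaged device on the corporate LAN is refused for the same reason it would be from anywhere else, while a fully verified user on a compliant device is allowed from a home network. The asset-inventory lookup is what turns the inventory foundation into an enforcement control rather than a spreadsheet.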
An organisation’s vendor partners will be important in meeting these guidelines and requirements.
Vendors that emphasise the importance of robust identity management are a cornerstone. By ensuring that only authorised individuals have access to critical systems, organisations can significantly reduce the risk of breaches that begin with identity-based attack vectors.
Similarly, there is mileage in vendors that:
Support the adoption of zero-trust architectures, which require continuous verification of user identities and access privileges.
Advocate for integrating security measures during the design and development of systems and applications, enabling a proactive approach to security at the architecture level, including network segmentation, least-privilege operation, and continuous monitoring of user and machine activity.
Provide asset discovery, identity inventory, and classification of resources.
Vendors that can bring these important capabilities to the table are well placed to help secure an organisation against malicious activity and enhance its resilience against evolving cyber threats.