ACSC Gateway Security Guidance
The Australian Cyber Security Centre (ACSC) recently released a Gateway Security Guidance Package. The Guidance was developed with input from industry, including Macquarie Government, gained during a series of co-design workshops.
Its main purpose is to help government agencies and IRAP assessors be more informed when making risk-based decisions and assessments of gateway solutions.
It reflects an evolving move towards a risk-based model for Gateway procurement which, it is hoped, will give agencies more flexibility when adopting Gateway solutions that are suited to their specific needs.
The Security Principles section describes three architectural approaches to gateway design:
- Monolithic, providing all Gateway functions through a centrally managed system. This approach offers benefits of economies of scale but with less flexible connection options.
- Disaggregated, providing service-specific functions through discrete but interoperable systems. The increased flexibility offered by multiple control planes still needs a common operating model to ensure security controls are consistently applied.
- Hybrid, providing a mix of centralised/disaggregated services and control planes. Enables security to be appropriately applied based on individual context.
The Guidance is based on eight principles:
- Risk cannot be outsourced: An agency always owns its security risk regardless of how much it engages third parties to carry out implementation. Agencies may be at risk of not fulfilling their PSPF or public requirements if they contract services in a manner that is inconsistent with the ISM.
Agencies can however be assisted in managing risk by utilising our Gateway and other cybersecurity services that are IRAP assessed to be implementing approximately 500 ISM controls.
- Security management is continuous: Processes need to adapt to remain current with the evolving threat environment. Threat actors continually adapt their tools, techniques and procedures (TTPs) to avoid or take advantage of technological development.
- Risk is continuously managed: The Guidance highly recommends threat modelling based on the latest Cyber Threat Intelligence (CTI) and using a framework like MITRE ATT&CK, mapped back to ISM controls. As with the ACSC, we have found the ATT&CK framework a useful tool in developing our threat hunting library of over 4000 playbooks.
- The invisible cannot be protected: Over 90% of internet traffic is now encrypted, and that includes malicious traffic. When we designed SIGNET, our next-generation secure internet gateway, one of the core principles was “everything must be inspected or blocked”. SIGNET includes SSL/TLS decryption and orchestration points to maximise traffic inspection without increasing overhead.
- Gateways protect organisations and staff: As well as generally blocking malicious traffic, Gateways have a role in enforcing each agency’s security policies and controls by also blocking access to inappropriate content and blocking exfiltration of agency data. As the Gateway provider to a large range of small to large agencies, collectively comprising 42% of the federal government, our Gateway services allow each agency to implement their own specific policies around web and email domain access, and Data Loss Protection (DLP).
- Commonwealth entities have specific obligations: While much of the ACSC Gateway Guidance is designed to help agencies and other Commonwealth entities to make risk-based decisions, they still need to consider any obligations outlined in the PSPF, PGPA Act and ISM. Agencies with those obligations can utilise our services like PROTECTED Cloud and SIG to help them meet ISM/PSPF requirements as well as manage risk.
- Plan for security flaws: All ICT Systems, not just gateways, should be designed for resilience against security control failure. A defence-in-depth approach is advised, where a security failure or flaw in one component does not cause the entire system to be catastrophically compromised or to fail. We’ve included defence-in-depth in our gateway designs, using multiple layers of devices from different vendors.
- Balance business and security: Balancing business and security objectives is critical to effective cybersecurity. As all organisations rely on the internet to conduct business, cybersecurity risks cannot be 100% eliminated but instead only managed through implementing appropriate controls. The guidance advises a consistent approach to risk, avoiding policy exemptions or inconsistent security architectures, for example in cloud deployments. Our Virtual Services Gateway (VSG) and Security Service Edge (SSE) services have been built on the principle that infosec controls should be applied consistently, regardless of location.
Given the recent spate of cyber attacks and data breaches, the Guidance is a timely publication from the ACSC, providing government agencies and any organisation with clear information on how to better manage cyber risk and meet information security obligations.