Environment Security and Access Management

Information regarding Beacon's environment and access management program


Beacon Environment Security

Building a security program requires a strong foundation. The foundation of the Beacon security program focuses on an internal system security posture. This necessitates a layered approach that involves several key elements.

Beacon’s security architecture begins with establishing strong network segmentation based on system design best practices. Layering the network allows for the control of access at every level and scopes access to data based on data sensitivity. The most sensitive data is stored and processed in the innermost security layer, in alignment with best practices. Operational environments, i.e. production and non-production environments, are separated with strict limitations on staff access.

Access to production networks and network components is possible only through Zero Trust authorization services for named users. This allows strong control of administrative access in concert with strong logging and monitoring of all production levels and administrative activities in the environment.

Integrated services within the environment must be explicitly authorized to communicate with each other. The Beacon virtual private cloud infrastructure configures all routing, networking, firewall rules, etc. with a default deny approach for all communications. This requires explicit configuration of communication routes for those services that need to communicate and share information, enforcing baseline configurations for all communications within the environment and supporting clear documentation of each service, how it communicates (e.g., ports, protocols, and services), and with which services it can communicate.


Access Management

Traditional access methodologies (username and password combinations) have long been insecure mechanisms for granting access to systems and system components, especially where administrative privileges are required for a claimed identity. Because of this, expanded authentication tools are required to increase the security of the system and more accurately validate the claimed identity of the user. In support of better authentication, authorization, and accounting (AAA) for all user access to Beacon systems and resources, several mechanisms are employed to scope and control access for only those personnel with an appropriately assigned role.

Some examples of techniques and technologies leveraged by Beacon include:

  • Multi-Factor Authentication (MFA)

    For all user authentication processes, MFA is used as a secondary token (available through many methods) to validate the claimed identity.

  • Zero-Trust Authentication

    All authorization requires strict identity verification before granting any level of privileged access to the user.

  • Least Privilege Access

    Roles are assigned to users based on the minimum set of privileges required to perform their role.

  • Role Based Access Control (RBAC)

    All users are assigned to roles to establish a baseline set of privileges that are consistently applied, reviewed, and maintained across the organization.

  • Access Control Review and Oversight

    Regular reviews, alongside risk assessments, of all system access are performed to ensure the assigned roles and permissions still meet the stated and/or emerging requirements for users and system operations.

The above-stated security mechanisms provide a comprehensive access control approach for managing access to operational resources within our environment. The goal is a solution that provides strong resistance to modern credential attacks.
