| Administration Model | Description | Associated risk |
| --- | --- | --- |
| Dedicated devices on a segregated network | The service is administered from dedicated devices on a segregated management network. The devices are solely for service management, and not for general purpose use, such as email and web browsing. | With this approach, the management devices and segregated network are difficult to attack. This approach may also help support personnel security measures for higher security systems. For example, where the service provider wishes to demonstrate that only staff that have been subject to stringent security screening (or hold appropriate security clearances) have access to system administration functions. |
| Dedicated devices for community service administration | Devices are dedicated to managing services for a single community (e.g. UK public sector). The management network is segregated from all other networks. The devices are used solely for service management, and not for general purpose use, such as email and web browsing. | When managing multiple services there is a risk that a more vulnerable service could be compromised and used as a staging platform to attack the management network. Managing services with similar security postures together will help reduce this risk. This approach may also help support personnel security measures for higher security systems. For example, where the service provider wishes to demonstrate that only staff that have been subject to stringent security screening (or hold appropriate security clearances) have access to system administration functions. |
| Dedicated devices for multiple community service administration | Devices are dedicated to service management, but are used to manage multiple services across multiple communities of users. The devices are used solely for service management, and not for general purpose use, such as email and web browsing. | In this model the devices themselves remain difficult targets to attack, but the larger and wider ranging scope of the management network may make it more exposed to attacks. |
| Service administration via bastion hosts | This model (also known as ‘browse-up’) is where a service is managed using devices from a less trusted network (such as a corporate business network), but only by authorised management staff. Those staff have access to specific management hosts, known as bastions, from which all management actions on the service are conducted. | Corporate systems tend to process a wide range of content types and are more vulnerable to attack using typical techniques. Bastion hosts provide some protection against threats from corporate networks, but attackers with access to corporate devices used by service administrators are likely to still be able to access the service management environment as if they were legitimate administrators. Malware capable of performing session hijacking is becoming increasingly common, so the risks associated with this model are also increasing. |
| Direct service administration | The service is managed directly from devices which are also used for normal business (web browsing, viewing external email, etc.). | In this model, there is little protecting the service from unauthorised access to management interfaces. Services managed in this way are at a significant risk of compromise. |
Source: NCSC
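
An added example, not part of the NCSC guidance: one way an operator could check that administrator logins actually arrive by the administration model the service claims to use, by classifying each session's source address. The address ranges, log format and function names are assumptions constructed for illustration, and the three dedicated-device models are collapsed into a single "dedicated" class.

```python
import ipaddress
import re

# Constructed network layout (assumption, not from the page).
MGMT_NET = ipaddress.ip_network("10.50.0.0/24")   # segregated management network
BASTIONS = {ipaddress.ip_address("10.30.0.10")}   # bastion hosts
CORP_NET = ipaddress.ip_network("10.20.0.0/16")   # general-purpose business network

# Models ordered from least to most exposed, following the table.
RANK = {"dedicated": 0, "bastion": 1, "direct": 2, "unknown": 3}

# Hypothetical log format: "<timestamp> admin-login user=<name> src=<address>"
LINE = re.compile(r"^(?P<ts>\S+) admin-login user=(?P<user>\S+) src=(?P<src>\S+)$")

def classify(src):
    """Map the source address of an admin session to an administration model."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unknown"
    if ip in MGMT_NET:
        return "dedicated"
    if ip in BASTIONS:
        return "bastion"
    if ip in CORP_NET:
        return "direct"
    return "unknown"

def audit(lines, declared):
    """Return (user, src, observed_model) for sessions more exposed than declared."""
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an admin-login record
        observed = classify(m["src"])
        if RANK[observed] > RANK[declared]:
            findings.append((m["user"], m["src"], observed))
    return findings

# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z admin-login user=alice src=10.50.0.7",
    "2024-05-01T09:05:00Z admin-login user=bob src=10.30.0.10",
    "2024-05-01T09:10:00Z admin-login user=carol src=10.20.4.31",
    "2024-05-01T09:15:00Z admin-login user=dave src=203.0.113.9",
]
```

Calling `audit(SAMPLE_LOG, "bastion")` reports the two sessions that bypass the bastion. A source-address check cannot see a hijacked session on a legitimate administrator's device, which is the residual risk the table attributes to the bastion model.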