Chapter 5. Compartmentation

We shape our buildings; thereafter they shape us.

Winston Churchill

The Principle: Isolate system elements and enable and control the interactions essential for their intended purpose.

Key Question: Is this made of distinct parts with limited interactions?

Related Concepts: Modularity, Forward Secrecy, Least Privilege, Air Gapping, Cryptography

Compartmentation is the Principle of breaking apart our interconnected world; it is about building systems in isolation, and defining and controlling the ways in which they interact with one another. Compartmentation is where we ensure that the architecture of systems facilitates security, both now and in the future.

Too often, security is viewed (even by security experts) as an add-on—armor that you bolt onto the outside of existing systems to manage their vulnerabilities. By accepting this role, we acquiesce to insecurity that could be prevented or fixed at the architectural level. The most robust security is built into the very architecture of systems.

Rather than allow systems to operate as tangled messes of interconnectivity, Compartmentation teaches us to build systems that are defined, discrete, and limited. We shouldn’t only view the world in terms of “we need a lock on that door”; sometimes, we need to say “we don’t even need a door here.” And if you need something, maybe all you need is a mousehole, or a paper-slot, or a peep hole. The world of information security needs fewer bouncers with ever-growing permissions lists, and more systems that incorporate security into their very design.

The Principle in the Wild

Here are some examples of Compartmentation in action:

  • Use separate network segments, firewalls, and access control lists to segregate critical systems from noncritical systems such as office workstations. Connecting these noncritical systems opens up new and unnecessary attack vectors from everyday email and web browsing. Many attack types rely on there being openings and connections where there really shouldn’t be.

  • Use ephemeral session keys for encrypted communications to provide an added barrier against the compromise of long-term encryption keys. Rather than protect all traffic under a single key, Compartmenting keys so that each session gets a fresh key that is discarded afterward gives your system forward secrecy: a later compromise of a long-term key, or of one session’s key, does not expose the traffic of other sessions.

  • Implement least privilege more effectively by also implementing separation of privileges1 and separation of concerns.2 Least privilege is undermined if you have only two levels of privilege, or if every level of privilege needs access to the same databases.

  • Store critical systems in physically secure locations, with physical access control, monitoring, and incident response mechanisms. The physical security of information systems is also a consideration for information security.

  • Design software systems to reduce coupling and increase cohesion. Software elements that are overly dependent on one another to function increase the fallout from individual attacks, complicate system recovery and improvement, and decrease overall system resilience.
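The session-key bullet above is the one place in this list where the mechanism is concrete enough to show. The following is an added example, not code from the book: each session between two parties derives its own key from fresh ephemeral X25519 key pairs and an HKDF over the handshake transcript, and the ephemeral private keys are wiped as soon as the key is derived. The X25519 ladder is the RFC 7748 reference algorithm written out in plain Python for illustration; it is not constant-time, and a real system would use a vetted library. The transcript layout, the HKDF `info` label, and the party names are assumptions of this example.

```python
"""Per-session keys via ephemeral X25519 + HKDF-SHA256 (added example, not from the book)."""
import hashlib
import hmac
import os
from typing import Tuple

P = 2**255 - 19                     # Curve25519 field prime
A24 = 121665                        # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication.
    Reference ladder for illustration only: NOT constant-time."""
    k = bytearray(scalar)
    k[0] &= 248                     # clamp the scalar as RFC 7748 requires
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):    # 255 bits, most significant first
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256, extract then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def new_ephemeral_keypair() -> Tuple[bytearray, bytes]:
    """A fresh key pair that lives only for one handshake (private key is a mutable buffer so it can be wiped)."""
    priv = bytearray(os.urandom(32))
    return priv, x25519(bytes(priv), BASEPOINT)


def derive_session_key(my_eph_priv: bytearray, peer_eph_pub: bytes, transcript: bytes) -> bytes:
    """Compute this session's key, then wipe the ephemeral private key so nothing kept
    after the handshake can recompute it: that discard is what buys forward secrecy."""
    shared = x25519(bytes(my_eph_priv), peer_eph_pub)
    if shared == bytes(32):
        raise ValueError("peer sent a low-order point")      # RFC 7748 all-zero check
    # The transcript binds the key to exactly these public values (assumed layout).
    key = hkdf_sha256(shared, salt=hashlib.sha256(transcript).digest(), info=b"session key v1")
    for i in range(len(my_eph_priv)):                          # best-effort zeroisation;
        my_eph_priv[i] = 0                                     # Python gives no guarantee about copies
    return key


def run_handshake() -> Tuple[bytes, bytes]:
    """One session between a client and a server; returns the key each side derived."""
    c_priv, c_pub = new_ephemeral_keypair()
    s_priv, s_pub = new_ephemeral_keypair()
    transcript = b"client:" + c_pub + b"server:" + s_pub
    return (derive_session_key(c_priv, s_pub, transcript),
            derive_session_key(s_priv, c_pub, transcript))


def rfc7748_known_answer() -> bool:
    """Self-check against the Alice key pair in RFC 7748 section 6.1."""
    priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    pub = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    return x25519(priv, BASEPOINT) == pub


if __name__ == "__main__":
    k1 = run_handshake()
    k2 = run_handshake()
    print("sides agree:", k1[0] == k1[1], "| sessions differ:", k1[0] != k2[0],
          "| KAT:", rfc7748_known_answer())
```

Running two handshakes between the same pair of parties yields two unrelated keys, which is the compartment boundary: an attacker who later obtains one session's key, or any long-lived key the parties hold, has nothing from which the other session's key can be recomputed, because the inputs that produced it were wiped.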

Compartmentation is probably the most difficult Principle to fully understand, but it is also one of the most impactful when you do it right…or really wrong. Failures of Compartmentation are at the core of many catastrophic breaches: a single vulnerability lets attackers move laterally and unchecked through an overconnected system. Compartmentation is how these attacks can be cut off at the beachhead, so that even if you suffer a breach, your system is designed to allow that breach to be isolated, controlled, and remedied.

At its most basic, Compartmentation is about dividing your world into separate conceptual compartments, enabling only the connections between those compartments that are necessary, and establishing ways to control those connections. Compartmentation does not mean that you cannot have interconnectivity, but it must be implemented in a manner that is deliberate and controlled. Unrestrained interconnectivity will quickly outpace the capabilities of any security team. Without a clear organizational structure, you will forever be fighting against an architecture that fundamentally weakens security, rather than enhances it.

Let’s consider a concrete example: you need to contain and protect a prisoner. To start building a prison cell you build a box. At the start, this is literally just a hollow cube: no doors, no windows, no air vents; just a box to hold a prisoner. But of course, a hollow cube isn’t that useful, so you begin adding ways to connect it to the space around it. You give it a door, maybe a small window, probably some plumbing. Each of these avenues to the outside world is a point of vulnerability, so they should be considered carefully: can the window be smaller? Can we see through the door? After these connections are put in place, you place control mechanisms on them: the doors need locks, the hall gets a camera, and the like. Other interactions might be deemed safe enough without added controls, such as the plumbing (unless you are imprisoning one of the Mario Brothers). At each step, you should be asking yourself: Is this needed? Is this introducing vulnerabilities? Can I accomplish this function in a more limited or controlled way?

Although the world of information security is rarely as straightforward as a prison cell, this stepwise process of beginning in isolation and then adding connections and controls as needed is a powerful tactic for improving security. Even in our world of heavily interconnected applications and devices, starting from an assumption of isolation and making sure that each connection is specifically accepted, defined, and controlled will ensure that our systems are more easily understood, operated, defended, and improved.
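The network-segmentation example earlier in this chapter and the prison-cell process just described are the same procedure: start from isolation, open only the connections a function needs, then put a control on each. The following added example (not code from the book) expresses that as a default-deny zone policy and evaluates sample flows against it. The address plan, zone names, ports, and the distinction between a controlled "jump" zone and a critical "ot" zone are assumptions constructed for the example; the audit at the end flags the two ways such a policy usually goes wrong, an opening to a critical zone that does not pass through a controlled path, and a rule that opens every port when one would do.

```python
"""Default-deny zone policy: deny everything, then add the mouseholes (added example, not from the book)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed address plan (hypothetical).
ZONES = {
    "workstations": [ip_network("10.10.0.0/16")],
    "servers":      [ip_network("10.20.0.0/24")],
    "jump":         [ip_network("10.30.0.0/28")],      # the only controlled path into "ot"
    "ot":           [ip_network("192.168.100.0/24")],  # critical control systems
}
CRITICAL_ZONES = {"ot"}
CONTROLLED_SOURCES = {"jump"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: Optional[FrozenSet[int]]   # None means "any port": a window, not a mousehole
    action: str = "allow"


# The deliberately chosen openings. Anything not listed here is dropped.
POLICY: List[Rule] = [
    Rule("workstations", "servers", "tcp", frozenset({443, 445})),
    Rule("jump", "ot", "tcp", frozenset({22})),
]

# What an overconnected legacy network often looks like once written down.
LEGACY_POLICY: List[Rule] = POLICY + [
    Rule("workstations", "ot", "tcp", None),
]


def zone_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             policy: List[Rule] = POLICY) -> Tuple[str, Optional[Rule]]:
    """First-match evaluation across a zone boundary; no match means deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", None            # an address we cannot place never matches a rule
    if src == dst:
        return "allow", None           # intra-zone traffic is a host-firewall concern here
    for rule in policy:
        if (rule.src_zone, rule.dst_zone, rule.proto) == (src, dst, proto) \
                and (rule.dports is None or dport in rule.dports):
            return rule.action, rule
    return "deny", None


def audit(policy: List[Rule]) -> List[str]:
    """Flag openings that are wider than a mousehole or bypass the controlled path."""
    findings = []
    for r in policy:
        if r.action != "allow":
            continue
        if r.dports is None:
            findings.append(f"{r.src_zone}->{r.dst_zone}/{r.proto}: any port; narrow the opening")
        if r.dst_zone in CRITICAL_ZONES and r.src_zone not in CONTROLLED_SOURCES:
            findings.append(f"{r.src_zone}->{r.dst_zone}: critical zone reachable outside a controlled path")
    return findings


# Constructed sample flows: (src, dst, proto, dport).
SAMPLE_FLOWS = [
    ("10.10.5.7", "10.20.0.10", "tcp", 445),        # workstation to file server: allowed
    ("10.10.5.7", "192.168.100.20", "tcp", 502),    # workstation straight to a PLC: denied
    ("10.30.0.2", "192.168.100.20", "tcp", 22),     # jump host to PLC over SSH: allowed
    ("10.30.0.2", "192.168.100.20", "tcp", 502),    # jump host on Modbus: not opened, denied
    ("203.0.113.9", "192.168.100.20", "tcp", 22),   # unknown address: denied
]


def decisions(policy: List[Rule] = POLICY) -> List[str]:
    return [evaluate(*flow, policy=policy)[0] for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, decisions()):
        print(verdict.upper(), *flow)
    print("audit findings for legacy policy:", audit(LEGACY_POLICY))
```

The evaluator encodes the order of the prison-cell questions: a flow is denied before any rule is read, a rule can only add an opening, and the audit asks of each opening whether it could be smaller or should exist at all.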

Physical Versus Logical Compartmentation

To aid in this process, it is helpful to break Compartmentation into physical compartmentation and logical compartmentation. Physical compartmentation is about restricting physical access and physical connections to a system or other hardware entity. Logical compartmentation, by contrast, is like drawing up a software architecture diagram: you separate out the logical components of your systems, clearly define their interactions, and minimize their interfaces. Although Compartmentation does not by itself prevent compromises or breaches, it can prevent the spread of a compromise, make it more obvious when a component is behaving suspiciously, and ease the process of fixing it.

Because Compartmentation is architectural, it can be difficult to implement on existing or legacy systems without significant disruption and/or planning. Apart from simple measures such as adding firewalls, restructuring existing code is difficult, and the cost of doing so often exceeds the risk it would remove. In these scenarios, you must approach Compartmentation on a strategic and ongoing basis. This might involve incremental change over time, or greater reliance on other Principles like Minimization and Comprehensivity to help reduce the risks of these legacy systems. Or, it might simply mean that you do only what Compartmentation you can, be it adding system visibility, adding barriers to unnecessary connections, or finding ways to better isolate overconnected systems and elements.

Interactions

As discussed in Chapter 4, Compartmentation is most important to understand in conjunction with Minimization. Compartmentation requires Minimization to achieve its goal of isolating and limiting the interactions of systems and system elements. For instance, in our prison cell example, there is a Minimization step that limits the interactions we implement. Compartmentation without Minimization would create a scenario in which our interactions are well-defined, but the sheer number makes their management impractical. If each cell has an internet connection, telephone line, multiple rooms (some of which aren’t visible from the outside), doors leading to other cells, and secret passageways for the guards to spy with, we are making the cell (and therefore the whole prison) much more difficult to secure because we haven’t minimized the cell’s points of ingress/egress or complexity.

Compartmentation is also important to understand in combination with Fault Tolerance (Chapter 6). Compartmentation’s architectural nature is the primary enabler of Fault Tolerance: in a system built from isolated, discrete, and limited elements, failures are more easily anticipated and more easily addressed.

Takeaways

  • Compartmentation is the Principle of breaking apart, limiting, and controlling the underlying structure of systems.

  • Compartmentation is the most important principle for containing the spread of breaches.

  • Compartmentation can be both physical and logical.

  • Compartmentation is architectural, and therefore particularly important during the design of systems.

  • Compartmentation is important to understand in combination with Minimization (Chapter 4) and Fault Tolerance (Chapter 6).

1 Separation of Privileges refers to the practice of offering multiple levels of privilege to assign to systems and users, each with a different level of access. The more finely tuned and distinct the privileges are, the better the system is at separation of privileges.

2 Separation of Concerns refers to the practice of dividing up the responsibilities of the elements in a system so that (ideally) each element attempts to do only one thing.
