Overview
The company wanted to formalise a strategic plan to increase productivity, improve flexibility and bolster security. With offices in London, Stockholm and Oslo, the business had been operating to some extent as disparate systems, with no effective logical uniformity. Furthermore, the security of each system had been approached in a somewhat haphazard and random way by different support companies in each of the locations. Users from all three locations worked on various projects in groups, but the size of data such as seismic interpretation files meant that simply working on literally the same data was all but impossible. Filing systems differed and support was unorganized. Patching was all but left to chance, with no helicopter view of any of the company systems.
Security Posture
When auditing the business, it was apparent that cybersecurity had never been at the forefront of their minds, with simple passwords and hundreds of thousands of files shared to everyone in a general folder to which all had full permission. Users and IT support used various methods to connect remotely, including Teams, RDP and VPN. Internal Exchange Servers provided email and Webmail with single-factor authentication. There was in fact no multi-factor authentication at all throughout the organization. Although this was at a time when the benefits of MFA were less widely understood, it nonetheless posed a significant potential security threat. All users had administrative access to their own machines and there were many redundant users still on the system. Each location used a different method of endpoint protection and connectivity solutions, including Sophos UTM, FortiGate firewall, and Cisco routers. Backup solutions differed in each location, with various flavours of DLT autoloader solutions, but off-site backup and archiving was practically non-existent.
The Challenges
One of the major challenges in terms of infrastructure was that users worked on huge seismic interpretation files, the data for which could easily run into terabytes. Whilst using these files individually was manageable on their high-spec workstations, sharing that size of data over WAN services to all three countries was never going to be feasible, hence the patchwork adoption of various remote access services.
To complicate matters even more, some users needed good graphics capabilities, as their work involved the interpretation of seismic data and therefore the creation of accurate lines and analysis of geometric grids. No remote desktop services could, or can, reproduce graphics of sufficient quality to enable accurate interpretation.
Of course, having become somewhat of a mishmash of services, cobbled together in no small part by the users themselves, they had become used to managing such things, and this had introduced a culture of self-governance that was going to be difficult to overcome without upsetting the applecart. Given their scientific background, however, we were confident they would respect evidence-based changes to working practices.
The Solution
There was a lot to be done. Although the security audit had identified many attack surfaces, forming a mitigation strategy was to some extent an academic exercise if the underlying infrastructure was unsuitable in the first place. It was a catch-22 situation where in effect everything needed to be changed all in one go; something that was both impractical and impossible. The decision was taken to plan a pathway that secured and modified the infrastructure in a cohesive and coordinated way, so that efforts in one aspect were not wasted by changes in another.
The primary objective was to find a solution to the ‘giant’ file problem. Testing using VMware workstations, Citrix Framework and Windows Hypervisor produced unacceptable results. Eventually we discovered and tested a solution that would provide accurate visual reproduction in the form of centrally hosted physical rack-mounted workstations containing PCoIP cards in Sweden, with users connecting to them via Teradici Zero Clients.
The system worked adequately at first, but to improve performance even more an EMC2 MPFS fibre SAN was implemented in the datacentre, which created a very fast, secure and available set of workstations that were more than fit for purpose. The physical workstations were eventually replaced with virtual ones, using NVIDIA virtual GPU graphics matrices.
With the migration of the data to the new system came the perfect opportunity to perform data analysis, GDPR compliance checks, and to implement a suitable data classification scheme. This also represented a good reason to implement updated, secure password policies and give people formal ownership of their resources.
To protect the data a mirror image of the EMC system was placed in a datacentre in Oslo, with regular synchronization. A further cloud backup solution was implemented that allowed not only the backing up of the working data, but the imaging of entire servers that, in the event of a disaster, could be mounted more or less instantly as virtual machines either on an on-site appliance, or in the cloud. This went a long way to providing the sort of business continuity and disaster recovery cover that the business needed.
With the exploration technicians sorted, attention turned to other users, who had again been using disparate storage mechanisms. The group collaboration ethos that the business was trying to promulgate throughout the workforce was not being reflected in the systems they were using. It was decided that what they really needed was a truly collaborative environment that allowed them to share documents, thoughts and ideas and work together, without the need to perpetually fly back and forth between the locations. To this end all administrative data was moved into SharePoint, and users moved into Office 365. A hybrid approach meant that the internal Domain could still function as before, but the internal Exchange servers were retired. The net result of this was that security could be managed in a much more granular and controlled way, Data Loss Prevention (DLP) could be enabled and email services were much more robust and accessible. What’s more, everything could be protected by two-factor authentication, and eventually HSM security dongles could be issued.
The three sites were linked together using Fortinet gateways, with VPN access granted through dual-factor authentication using Active Directory. The traffic and events were monitored in the Unity Metrix SOC on FortiAnalyzer, as was the status of the Bitdefender endpoint protection that had been rolled out company-wide using GravityZone.
The management and monitoring of the workstations was completely overhauled, with the Unity Metrix RMM monitoring and support solution. This meant that we had complete visibility over all the machines, the status of their patches, their health, and their events. This also provided us with the ability to chat to and connect with any individual, regardless of where they were, share their desktop, edit their registry, view their events, use their command line and much more. This was truly a non-invasive, but massive breakthrough in terms of both support and security, allowing us to monitor systems proactively from our SOC in Bletchley.
With the advent of lockdown during the COVID-19 pandemic much of the workforce began working from home. Under the normal run of things, and as was the case for many businesses in the UK, the change would pose a significant headache as users moved beyond the firewall, anti-virus and other protections businesses put in place. The business continuity plan Unity Metrix established at ABC Petroleum, however, meant seamless remote working with no amendment or disruption to business processes. They simply took their workstations home and continued working with the same levels of protection they had always enjoyed.