The Australian Cyber Security Centre (ACSC) has released a new Gateway Security Guidance package, making it easier for organisations to securely implement internet gateway capabilities.
Gateways play an important role in cyber security as they provide protection at the perimeter between the internet and other networks, making them an effective part of a layered cyber security defence.
Gateways can also be shared between organisations, broadening cyber security benefits among users.
Gateway architectures are evolving as gateway security functions are becoming more readily available in cloud service offerings. With these hybrid and cloud-native gateways, combined with new ways of working, it is expected that gateway architectures will look different in the future.
These expected changes led to the creation of the guidance package, which will help organisations approach cyber security challenges by making sure their gateways are more secure, flexible and adaptive to different architectures and delivery models.
The ACSC, within the Australian Signals Directorate (ASD), co-designed the guidance with key industry and government stakeholders through a consultative process.
The guidance was made to assist organisations and IRAP Assessors in making informed risk-based decisions and assessments when designing or consuming gateway services.
It also reflects government and industry best practices for the procurement, operation and disposal of gateway systems.
The Gateway Security Guidance package is divided into five documents that focus on different stages of governance, design and implementation. The overview document is intended to explain the structure of the package, making it suitable for all audiences.
The other documents in the guidance package are intended for specific roles within an organisation.
The Executive Guidance document is for decision-makers at an organisation’s executive level; the Gateway Security Principles document is for senior executives, architecture teams and engineering teams; and the Gateway Operations and Management and the Gateway Technology Guides documents are for architecture teams, engineering teams and gateway operators.
While the guidance is primarily intended for Australian Government gateway consumers and their service providers, any organisation that designs, procures, operates, maintains or disposes of a gateway may also make use of it.
The changes to the Australian Government’s gateway policy were made to create a risk-based authorisation model, replacing the previous Certification Authority role performed by ASD.
This empowers non-corporate Commonwealth entities (NCEs) to adopt a risk-based approach to their gateway capabilities, and gives them the flexibility to adopt the gateway solutions which best suit their security requirements.
Source: ACSC. Content has been edited for style and length.