As 500 Invictus Games competitors from 18 nations were preparing to descend on Sydney for eight days of intense competition, the team at Unisys were also getting Games-ready – locking in the final details for the project of a lifetime.
Created by HRH The Duke of Sussex, the Invictus Games sees wounded, injured or ill veterans and serving personnel contest medals in 11 adaptive sports including wheelchair basketball, sitting volleyball, cycling and indoor rowing.
Unisys has a proud history of working with the Defence community so we jumped at the opportunity to provide information technology and cybersecurity support to the Invictus Games Sydney 2018.
The sensitive nature of the data about competitors required a robust approach to security and was critical to the successful execution of the Games. Here we discuss how Unisys provided an appropriate level of security within a short timeframe for the Invictus Games Sydney 2018.
When Unisys came on board as a partner of the Invictus Games Sydney 2018, one of the key areas of concern raised by the Head of Technology was cybersecurity. The brief was simple; implement an appropriate level of security, but with minimal cost. Unisys was ready for the challenge!
The first two points to address were:
- What is an ‘appropriate level’ of security?
- What are the gaps that need to be addressed from a security perspective?
To address the above, Unisys performed a comprehensive security risk analysis. This helped pinpoint expectations and the appropriate level of security for the data to be protected.
The security risk analysis identified seven high priority areas:
- Network security, including wireless,
- Security detection and response,
- End-point security,
- User education and training,
- Email filtering,
- Anti-phishing training, and
- The security of third party suppliers to the Games.
Let’s look at each one in turn.
Network security, including wireless
As the Invictus Games relied on public networks at multiple sporting venues, keeping IT equipment and wireless devices secure was a top priority.
Unisys Stealth® with microsegmentation enable segmentation of the Invictus Games’ IT equipment into their own security zones, allowing Unisys to implement the required security policies to keep the data secure. This provided a virtual secure network across a shared public WiFi provided by each venue.
With critical applications running in the cloud, Unisys enabled secure connectivity to unsecured cloud applications via a proxy secured by Stealth, including the communications to, and from, the cloud provider.
Stealth provided additional benefits:
- You can’t hack what you can’t see – all Stealth enabled devices were cloaked, making them ‘invisible’ to devices without access to these segments by policy. Using Stealth meant any device that was not allowed to communicate to the relevant segment could not even ping a device on that segment
- Identity-based security – Stealth enforces security policies based on identities. A simple Public Key Infrastructure was put in place to validate the identity of a user or a device, and then enforce granular access control policies based on these identities. This led to two key outcomes
1. The level of security policy enforcement was more granular and controlled than traditional network based security; and
2. When the user or device moved from one micro-segment to another, the security went with them.
- Equivalent security in the Data Centre and the Cloud – Stealth enabled the security policies in the local environment to be replicated in the cloud. The Stealth Enterprise Manager pushed security policies to any workload in the cloud running the Stealth agent.
- Ease of deployment – using Stealth as software, it was deployed easily and quickly, and managed just as easily as well. This was important for this case in particular, as the security needed to be stood-up quickly and brought-down just as quickly after the conclusion of the Invictus Games. This would have been a lot more challenging with physical firewall infrastructure.
“A critical part for us was to make sure people had confidence in our ability to manage information with the respect and the confidence that is necessary for something like this, and Unisys effectively removed that problem from us. When they came on-board as a partner we no longer worried about that.” - Patrick Kidd, CEO, Invictus Games Sydney 2018
Security detection and response
The entire Stealth deployment protecting the Invictus Games Sydney 2018 infrastructure was monitored by 24x7 detection and response through Unisys Security Operations. Any security-related issues would be quickly detected and managed providing the Games team peace-of-mind.
End-point security and encryption
With Stealth, Unisys was able to achieve security segregation based on identities and encryption ‘on the wire’. However, to protect data in storage, BitLocker was deployed on all Unisys-provided endpoints, providing Games organisers the assurance that if a device was lost, data could not be accessed easily.
Unisys further hardened existing images to ensure all endpoints were protected. The endpoints were centrally managed (including security) using Microsoft Intune, to ensure the images remained secure and patch levels were up-to-date. Additionally, anti-malware software was deployed on the endpoints to provide protection against these types of issues. The combination of these controls ensured that the endpoints remained secure throughout the Games.
User education and training
Top-of-mind for the Head of Technology was ensuring that the users applied the right level of IT security hygiene to keep the environment secure.
This was particularly challenging as many of the users were volunteers from different backgrounds – some were security savvy and others not. Unisys worked with users to educate them about basic security hygiene practices including phishing, password security and so on to ensure that everyone had at least a base level of IT security understanding.
“Unisys helped us with these wider stakeholder groups by providing training and familiarisation in cybersecurity threats … [Unisys] did a full assessment of our security and risk profile, and that included looking at our people, looking at our processes, as well as the technology.” - James Smith, Head of Technology, Invictus Games Sydney 2018
Unisys helped improved the Information Security Policy so that all users had guidelines to refer to in terms of IT Security. This gave Games organisers the confidence that all layers of the IT environment were covered and, with the right knowledge, users had been turned into effective ‘human firewalls’!
Unisys deployed email filtering across the Invictus Games Sydney 2018 user base. With the increase in attacks on organisations via this channel this control ensured that the entry of malware through emails into the Games environment was heavily reduced.
Unisys worked with CoFense, to provide simulated phishing campaigns and anti-phishing training to the Games user base. With users increasingly targeted as an entry point for intruders, ensuring users were trained to spot and reject phishing emails was a critical control to implement.
Third party security assessments including penetration testing
Invictus Games Sydney 2018 used a number of cloud providers to address various aspects of games management such as competition management (such as results and scoring), workforce management, accreditation, etc. Unisys worked with Games organisers and third party providers to assess how they measured up against the Games’ security policies and made recommendations where there were gaps in compliance.
In some cases the providers had the controls available but had not implemented them because they weren’t aware it was needed. This is a common issue found with many organisations using cloud providers.
To provide an additional level of assurance, Unisys repeated the penetration testing after the recommended controls were implemented to ensure the cloud providers could withstand a typical attack.
By taking a simple approach to a complex environment, Unisys was able to secure the Invictus Games Sydney 2018 from cyber threats and achieved this on a tight budget. Unisys takes a Zero Trust approach to security spanning people, policies and technology. And by aligning security investments with risk profiles the desired business outcomes can be achieved by implementing the appropriate level of security. Everyone can achieve an appropriate level of security. It’s just a matter of understanding what that level is and managing the risks to the business.