
Is a distributed install really 100 times more secure?


A distributed dbFront install is where the Web Application is installed in the DMZ and the Application Service is installed inside the secure network near the Database and Authentication servers. See: Distributed Install

The Installation Overview page claims that a Distributed Install can be 100 times more secure than a single server install. How is that?


1 Answer

Best answer

Assigning relative risk is very complex. See Quantifying Relative Security of Design Decisions and Quantifying the security effectiveness of firewalls and DMZs.

Below is our justification for the statement that: "A distributed server setup can be 100 times more secure than a single server setup."

Single Server

  1. A single-server has to host all of the services, which means that it automatically presents a larger attack surface. Each extra service represents another area that could be misconfigured or exploited via some bug. Each service could be used as a stepping stone to compromise the server.
  2. A single-server forces the Authentication, Database and other services to be directly accessible, even if the single server is hosted inside a DMZ.
  3. A single-server is difficult to monitor for suspicious activity because of the breadth of things it must already do.
  4. A compromised single-server will expose far more information, including: application configuration, connection credentials, API keys, and much more. Each extra bit of information, or exposed configuration represents another opportunity to exploit.
  5. A compromised single-server directly connects to more services: database, security (AD, LDAP, etc.), file, printer; all of which are now exposed and available for lateral movement. Again, each extra opportunity and connection makes it that much more likely that an attacker can advance to their end-goal.
  6. Most of the attack vectors (Web, Database, AD, LDAP, Fileserver, Printer) are well-documented and repeatedly targeted by automated attacks.

NOTE: The keys can be encrypted, but they can't be hashed since the server will need to recover the credentials and keys to access specific secured resources.

Distributed

  1. The web-server in a distributed setup represents the smallest target since only a web application is installed.
  2. The web-server in a distributed setup is much easier to monitor due to its simplicity and limited activity range.
  3. If compromised, the only information gained is the IP address of the Application Server. No application configuration, database credentials, AD credentials or other security-sensitive information is exposed.
  4. If compromised, the web-server provides ZERO opportunity for lateral movement since the web-server can operate within its own highly limited security island.
  5. If compromised, the attack becomes increasingly complex as hackers next need to attack an undocumented and limited Application Service before they can even begin to attack their next target.
  6. Separating the Web Application and Application Service allows the Application, Database and Authentication services to operate from a Zero Trust environment, which mitigates against insider threats.

Calculation

Increases in attack surface and exposed information/access are not simple additive risks. Similar to the game Minesweeper, a single opening can expose a large number of avenues of attack, or nothing. A conservative option is to start at 1.5 and multiply by 1.5 for each additional risk, (1.5^R), where R is the sum of additional risk areas.

The following additional areas are attributed to a single server install:

  • Increased Surface (3): Application Service, Print Services, Authentication Services
  • Exposed Resources (4): Application Config, Connection Credentials, API Keys, Network Access
  • Lateral Movement (4): Database Servers, Additional Network Appliances, Security Servers, File Servers
  • Attack Automation (1)
  • Insider Threats (1)
  • Monitoring Difficulty (1)

A rough sum of additional risk areas is 14, some very substantial. This calculates to an additional risk of (1.5^14) = 292 times. Choosing to remain conservative, we published 100 as our estimate.

This risk calculation is not an exact science but it aims to be a good discussion starter so as to force clear thinking about infrastructure decisions.

The root question is: Is this worth the extra infrastructure and costs? To answer that question you need to be able to evaluate the relative risk.

This answer is here in the QA to make discussion easier.

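The 1.5^R estimate from the answer above, carried through in code. This is an added Python example, not code from the page or from dbFront; the risk-area counts are the ones tallied in the answer, and the function names and the choice of alternative bases are my own. Besides reproducing the published figures (292 at base 1.5, rounded down to 100), it shows how strongly the result depends on the chosen per-area factor, which is the point to argue about when using the model as a discussion starter.

```python
import math

# Additional risk areas attributed to a single-server install in the answer above.
# The per-item breakdown is kept as comments so the tally can be audited.
SINGLE_SERVER_RISK_AREAS = {
    "Increased Surface": 3,      # Application Service, Print Services, Authentication Services
    "Exposed Resources": 4,      # Application Config, Connection Credentials, API Keys, Network Access
    "Lateral Movement": 4,       # Database Servers, Network Appliances, Security Servers, File Servers
    "Attack Automation": 1,
    "Insider Threats": 1,
    "Monitoring Difficulty": 1,
}


def total_risk_areas(areas):
    """R: the sum of additional risk areas."""
    return sum(areas.values())


def risk_multiplier(areas, base=1.5):
    """Relative risk of the larger deployment under the answer's model: base ** R.

    Risks compound (one opening can expose many more), so each extra area
    multiplies rather than adds. base must be > 1 or extra areas would not
    increase risk at all.
    """
    if base <= 1:
        raise ValueError("base must be greater than 1")
    return base ** total_risk_areas(areas)


def base_for_target(areas, target):
    """Inverse of risk_multiplier: the per-area factor that yields exactly `target`.

    Useful for checking how conservative a published figure is: the factor
    that gives 100 for R = 14 is about 1.39, below the 1.5 the answer used.
    """
    return target ** (1.0 / total_risk_areas(areas))


def sensitivity(areas, bases=(1.2, 1.3, 1.4, 1.5)):
    """Multiplier at several candidate bases, rounded to whole numbers.

    Because R is in the exponent, a modest change in the base moves the
    estimate by an order of magnitude; this table makes that visible.
    """
    return {b: round(risk_multiplier(areas, b)) for b in bases}


def dominant_area(areas, base=1.5):
    """Which category contributes the largest share of the multiplier.

    Removing a category with count n divides the multiplier by base ** n,
    so the category with the highest count is the one most worth removing.
    """
    name = max(areas, key=areas.get)
    return name, base ** areas[name]


if __name__ == "__main__":
    R = total_risk_areas(SINGLE_SERVER_RISK_AREAS)
    print(f"R = {R}, 1.5^R = {risk_multiplier(SINGLE_SERVER_RISK_AREAS):.0f}")
    print("base needed for 100x:", round(base_for_target(SINGLE_SERVER_RISK_AREAS, 100), 2))
    for b, m in sensitivity(SINGLE_SERVER_RISK_AREAS).items():
        print(f"  base {b}: {m}x")
    print("largest single contributor:", dominant_area(SINGLE_SERVER_RISK_AREAS))
```

Run as a script it prints R = 14 and a multiplier of 292, matching the answer, and shows that the same tally gives roughly 13x, 39x and 111x at bases 1.2, 1.3 and 1.4. Two readings follow for a practitioner: the published 100 corresponds to a per-area factor of about 1.39, and the two four-item categories (exposed resources and lateral movement) each account for a factor of about 5 on their own, so they are the areas where a single-server deployment would gain most from hardening.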