Skip to main content

A-004 - Infrastructure Hosting

Purpose

Provide the underlying compute, storage and networking environments required to run systems and services within the Scheol Security Lab.

Asset Type

  • Business Capability

Description

  • Represents the hosting environments supporting all infrastructure and services
  • Includes both local and external hosting components

At the current stage:

  • Hell environment provides local virtualization (Proxmox-based infrastructure)
  • Heaven environment relies on VPS hosting for exposed services
  • hosting is distributed and not yet fully standardized or isolated

Criticality

  • Critical

All systems depend on hosting infrastructure. Failure or compromise can lead to:

  • service disruption
  • data loss
  • full environment compromise

Sensitivity

  • Sensitive

Hosting environments expose:

  • system-level access
  • infrastructure control planes
  • storage and execution environments

Exposure Level

  • Exposed

Especially in Heaven:

  • VPS are directly accessible from the Internet
  • hosting layer contributes directly to attack surface

Trust Zone

  • Hybrid

  • Hell → local infrastructure (controlled environment)

  • Heaven → externally hosted infrastructure (higher exposure)

Dependencies

  • Physical hardware (Hell)
  • Hypervisor platform (Proxmox)
  • VPS providers (Heaven)
  • Network Security & Segmentation
  • Administrative Access

Relationships

  • All infrastructure assets (hosting dependency)
  • Network Security (exposure and segmentation)
  • Backup & Recovery (data protection)
  • Monitoring & Detection (host visibility)
  • Application Security (runtime environment)

Security Position (Architecture Context)

  • Foundational layer of the architecture
  • Supports all other capabilities and assets

Key roles:

  • defines where workloads run
  • determines exposure level (local vs public)
  • influences isolation and resilience

Current structural weaknesses:

  • service co-location on VPS (limited isolation)
  • reliance on provider-level security for Heaven
  • limited workload isolation strategy
  • uneven security controls between Hell and Heaven

Existing Protective Measures

  • hardened SSH access on VPS
  • restricted administrative access
  • baseline system hardening

Limitations:

  • no standardized isolation model
  • no hardened hosting baseline across all systems
  • limited control over provider infrastructure
  • no dedicated separation of sensitive workloads

Owner / Responsibility

  • Operations Role (Ops)

Notes

Infrastructure Hosting is a foundational capability that directly impacts all other security domains.

Current architecture reflects a transitional state between:

  • distributed VPS-based exposure (Heaven)
  • more controlled internal infrastructure (Hell)

Future improvements include:

  • better workload isolation
  • clearer separation of roles between environments
  • improved hosting security baseline
  • alignment with network segmentation and access control strategies