Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Key Takeaways
- IT infrastructure security protects four layers at once: network, server, identity, and data. Skip any one of them and the other three become a slower path to the same breach.
- The 2025 IBM Cost of a Data Breach Report puts the global average breach at USD 4.88M, with stolen credentials still the top initial access vector for the third year running.
- CIS Controls v8.1 and the Canadian Centre for Cyber Security baseline give Canadian SMBs an actionable, prioritized starting point that maps cleanly to PIPEDA and Bill C-8 expectations.
- The 8-control infrastructure security checklist below is what Fusion Computing deploys on every managed client; it covers about 80% of practical risk before optional controls are layered on.
- Phishing-resistant MFA, hardened servers, immutable backups, and network segmentation are the four moves that prevent the majority of incidents we triage in Ontario and BC.
What is IT infrastructure security?
IT infrastructure security is the practice of protecting the network, servers, identities, and data that a business depends on, using a layered set of technical and administrative controls. The goal is to keep systems available, keep information confidential, and keep records accurate even when something goes wrong.
For a Canadian SMB the practical definition is simpler. Infrastructure security is everything that stops a phishing email, a stolen laptop, or an unpatched server from becoming a reportable breach under PIPEDA. It sits beneath the application layer and beneath end-user training.
The 4 layers of infrastructure security: network, server, identity, data
Every infrastructure security program protects four layers. Network controls keep traffic clean. Server controls keep workloads hardened. Identity controls decide who is allowed in. Data controls protect information regardless of where it lives.
| Layer | Primary threat | Core control | Tool example |
|---|---|---|---|
| Network | Lateral movement, exposed services | Segmentation, firewalling, ZTNA | Fortinet FortiGate |
| Server | Unpatched OS, weak configs | CIS Benchmarks, EDR, patching | NinjaOne, SentinelOne, Microsoft Defender for Endpoint |
| Identity | Stolen credentials, privilege abuse | MFA, conditional access, PAM | Microsoft Entra ID |
| Data | Ransomware, exfiltration, loss | Encryption, immutable backup, DLP | Veeam, Microsoft Purview |
Want a 30-minute infrastructure security walkthrough? Book a no-cost session with a Fusion Computing engineer and review your four layers against the checklist below.
Network security: firewall, segmentation, and VPN or ZTNA
Network security is the first layer because it controls where traffic can go before any other control fires. Three tools do most of the work for a Canadian SMB. A next-generation firewall enforces the perimeter and inspects encrypted traffic. Segmentation breaks the internal network into zones so a compromised laptop cannot reach a server VLAN unchallenged.
Remote access uses either traditional VPN or Zero Trust Network Access (ZTNA) that verifies device posture and identity on every request.
Fusion Computing standardizes on Fortinet FortiGate at the perimeter and uses Microsoft Entra Private Access for ZTNA on Microsoft 365-aligned clients. Segmentation is enforced with VLANs and firewall policies between user, server, and guest zones. Older flat networks where every device sees every other device are the most common finding in our infrastructure audits.
The CIS Controls v8.1 Safeguard 12.2 and the Canadian Centre for Cyber Security baseline control “implement network security zones” both formalize this expectation. Treat segmentation as table stakes, not as an upgrade.
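The zone model above, flat network beside segmented policy, as a small added example (not Fusion Computing's code or a FortiGate export): zone names, the rule format and the sample flows are constructed, and the evaluator uses first-match-wins with an implicit deny, which is how zone firewalls generally behave.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple, Union

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Union[int, str]  # TCP port number, or ANY
    action: str                # "allow" or "deny"


def evaluate(policy: Sequence[Rule], src_zone: str, dst_zone: str, dst_port: int) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for r in policy:
        if (r.src_zone in (ANY, src_zone) and r.dst_zone in (ANY, dst_zone)
                and r.dst_port in (ANY, dst_port)):
            return r.action
    return "deny"


def audit_lateral_paths(policy: Sequence[Rule], zones: Sequence[str],
                        sensitive_ports: Sequence[int]) -> List[Tuple[str, str, int]]:
    """List every cross-zone (src, dst, port) path the policy opens to a sensitive service."""
    return [(src, dst, port)
            for src in zones for dst in zones if src != dst
            for port in sensitive_ports
            if evaluate(policy, src, dst, port) == "allow"]


ZONES = ("user", "server", "guest", "iot")
SENSITIVE_PORTS = (445, 3389, 22)  # SMB, RDP, SSH: the usual lateral-movement services

# Constructed: a flat network behaves like one allow-all rule between every zone.
FLAT_NETWORK = [Rule(ANY, ANY, ANY, "allow")]

# Constructed: segmented policy. Users reach the server zone only on the port the ERP
# front end needs; SMB is denied explicitly so the hit is logged; guest and IoT reach
# nothing. Everything unlisted falls to the implicit deny.
SEGMENTED = [
    Rule("user", "server", 443, "allow"),
    Rule("user", "server", 445, "deny"),
    Rule("guest", ANY, ANY, "deny"),
    Rule("iot", ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        print(name, "user->server SMB:", evaluate(policy, "user", "server", 445))
        print(name, "open lateral paths:", len(audit_lateral_paths(policy, ZONES, SENSITIVE_PORTS)))
```

Running the audit against a real policy export is the quick way to turn "flat network" from an audit finding into a list of specific zone pairs and ports to close.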
Server hardening: CIS Benchmarks, patching, and monitoring
Most servers ship with defaults that prioritize ease of setup over security. Hardening reverses those defaults. The CIS Benchmarks are the de facto standard, with prescriptive guides for Windows Server, Ubuntu, RHEL, and major cloud platforms. A typical Windows Server 2022 baseline tightens password policy, disables legacy SMBv1, restricts PowerShell, and audits privileged actions.
Patching is the second pillar. The Canadian Centre for Cyber Security baseline calls for patching critical vulnerabilities within 48 hours and high-severity within two weeks. Fusion Computing meets these targets through NinjaOne RMM with automated patch rings and reboot windows. Monitoring is the third pillar; SentinelOne or Microsoft Defender for Endpoint provides the EDR telemetry that turns a strange process tree into an alert before encryption starts.
Why this matters: The 2025 IBM Cost of a Data Breach Report found that breaches involving unpatched vulnerabilities cost organizations USD 4.45M on average and took 274 days to identify and contain. Patching remains one of the highest-ROI controls in the program.
Identity and access: MFA, PAM, and conditional access
Identity is the new perimeter. The 2025 IBM report identifies stolen or compromised credentials as the most common initial access vector for the third year running. Three controls close most of the gap.
Phishing-resistant MFA blocks the credential reuse attacks that drive most account takeovers. FIDO2 keys and passkeys are the gold standard; authenticator apps with number matching are the practical floor. Privileged Access Management (PAM) puts admin credentials in a vault, rotates them, and records sessions so a compromised admin account cannot be used silently.
Conditional access ties sign-in decisions to device state, location, and risk score. In Microsoft Entra ID this is enforced through Conditional Access policies that block legacy authentication and require compliant devices.
For a 50-user firm, this means Entra ID with mandatory MFA for all users, Conditional Access blocking sign-ins from outside Canada and the US, and a small PAM tier for the global admin accounts. That configuration is achievable in two weeks and prevents the majority of identity attacks we see.
Data protection: backup, encryption, and classification
Data protection is the layer that determines whether a bad day becomes a closed business. Three controls anchor it. Backups must be immutable, tested, and stored off-site in a separate fault domain. Veeam with hardened repositories and immutable cloud copies meets the 3-2-1-1-0 rule (three copies, two media, one off-site, one immutable, zero errors on test restore).
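A checker for the 3-2-1-1-0 rule as stated above, added here as an example (not Veeam's or Fusion Computing's code): the copy inventory, its field names and the convention that production data counts as one of the three copies are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DataCopy:
    name: str
    media: str                  # "disk", "object-storage", "tape", ...
    fault_domain: str           # site or cloud region the copy lives in
    immutable: bool = False     # repository enforces write-once / retention lock
    is_production: bool = False
    restore_test_errors: Optional[int] = None  # last test restore; None = never tested


def check_3_2_1_1_0(copies: List[DataCopy]) -> List[str]:
    """Return the rule elements that fail; an empty list means compliant.

    Assumed convention: production data is one of the three copies, and
    'off-site' means a fault domain different from production's.
    """
    failures = []
    production = [c for c in copies if c.is_production]
    backups = [c for c in copies if not c.is_production]
    prod_domain = production[0].fault_domain if production else None
    if len(copies) < 3:
        failures.append("3: fewer than three copies")
    if len({c.media for c in copies}) < 2:
        failures.append("2: fewer than two media types")
    if not any(c.fault_domain != prod_domain for c in backups):
        failures.append("1: no copy outside the production fault domain")
    if not any(c.immutable for c in backups):
        failures.append("1: no immutable copy")
    # Untested counts as failed: a backup nobody has restored is an assumption, not a control.
    bad = [c.name for c in backups if c.restore_test_errors is None or c.restore_test_errors > 0]
    if bad:
        failures.append("0: untested or failed restore: " + ", ".join(bad))
    return failures


# Constructed inventory modelled on the design above: on-prem hardened repository plus an
# immutable cloud copy in another region, both with clean quarterly test restores.
COMPLIANT = [
    DataCopy("erp-file-server", "disk", "office-hq", is_production=True),
    DataCopy("veeam-hardened-repo", "disk", "office-hq", immutable=True, restore_test_errors=0),
    DataCopy("cloud-immutable-copy", "object-storage", "cloud-region-a", immutable=True,
             restore_test_errors=0),
]

# Constructed: same layout, but no repository is immutable and no restore has ever been tested.
WEAK = [
    DataCopy("erp-file-server", "disk", "office-hq", is_production=True),
    DataCopy("veeam-repo", "disk", "office-hq"),
    DataCopy("cloud-copy", "object-storage", "cloud-region-a"),
]
```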
Encryption protects data at rest and in transit. BitLocker on Windows endpoints, transparent data encryption on SQL Server, and TLS 1.3 on every public service are the baseline.
Classification, often overlooked, makes the other two controls work. Microsoft Purview labels documents as Public, Internal, Confidential, or Highly Confidential and applies encryption and DLP rules automatically. Without classification, every other data control treats every file the same.
The 8-control infrastructure security checklist
This is the checklist Fusion Computing applies on every managed client onboarding. Each control maps to one or more CIS v8.1 Safeguards and to the Canadian Centre for Cyber Security baseline.
| # | Control | What it looks like in production | CIS v8.1 |
|---|---|---|---|
| 1 | Asset inventory | Live inventory of every server, endpoint, and SaaS tenant in NinjaOne and Entra ID | 1.1, 2.1 |
| 2 | Phishing-resistant MFA | FIDO2 or authenticator MFA enforced for 100% of users; Conditional Access blocks legacy auth | 6.5 |
| 3 | Patch management | Critical patches inside 48 hours; monthly reboot rings; reporting in NinjaOne | 7.3, 7.4 |
| 4 | EDR on every endpoint and server | SentinelOne or Microsoft Defender for Endpoint with 24/7 response coverage | 10.1, 13.7 |
| 5 | Network segmentation | VLANs for user, server, IoT, and guest; firewall policy between every zone | 12.2, 12.6 |
| 6 | Immutable backups | Veeam with hardened repository and immutable cloud copy; quarterly restore tests | 11.1, 11.4 |
| 7 | Privileged access control | PAM vault for admin accounts; just-in-time elevation in Entra ID | 5.4, 6.8 |
| 8 | Logging and monitoring | Centralized logs from firewall, servers, and identity; 90-day minimum retention | 8.2, 8.5 |
Field note from the desk. Last quarter I walked into a 40-person Hamilton manufacturer that had seven of these eight controls in place. The missing one was network segmentation. A vendor laptop on the user VLAN reached the ERP server VLAN over SMB, and a ransomware payload encrypted both file shares before EDR fired.
Recovery took 19 hours from immutable backups and the controls held, but the segmentation gap turned a contained incident into a billable weekend. Eight controls, not seven.
How does this map to PIPEDA, Bill C-8, and CIS v8.1?
Canadian SMBs do not operate in a vacuum. PIPEDA requires safeguards proportionate to the sensitivity of personal information, and a documented breach response. Bill C-8 (the Critical Cyber Systems Protection Act) extends mandatory incident reporting and minimum control requirements to designated operators in finance, telecom, transport, and energy. CIS Controls v8.1 and NIST CSF 2.0 are the technical frameworks most often cited as evidence of “reasonable” safeguards.
| Checklist control | PIPEDA principle | Bill C-8 expectation | CIS v8.1 / NIST CSF 2.0 |
|---|---|---|---|
| Asset inventory | Principle 7 (Safeguards) | Cyber security program scope | CIS 1, 2 / ID.AM |
| Phishing-resistant MFA | Principle 7 (Safeguards) | Identity assurance | CIS 6 / PR.AA |
| Patch management | Principle 7 (Safeguards) | Vulnerability management | CIS 7 / PR.IP |
| EDR coverage | Principle 7 (Safeguards) | Detection capability | CIS 10, 13 / DE.CM |
| Segmentation | Principle 7 (Safeguards) | Critical system isolation | CIS 12 / PR.AC |
| Immutable backups | Principle 7 (Safeguards) | Recovery capability | CIS 11 / RC.RP |
| Privileged access | Principle 7 (Safeguards) | Administrative control | CIS 5, 6 / PR.AC |
| Logging | Principle 9 (Individual Access) | Incident reporting evidence | CIS 8 / DE.AE |
Need this checklist deployed for your business? Fusion Computing has installed every control above for Canadian firms from 15 to 250 users since 2012. Book a consultation and we will scope your gaps in one call.
Frequently asked questions
What is the difference between IT infrastructure security and cybersecurity?
Cybersecurity is the broader discipline that covers application security, end-user awareness, governance, and infrastructure. Infrastructure security is the subset that protects the network, server, identity, and data layers. Most SMB cybersecurity programs are infrastructure-heavy because that is where the highest-impact controls live.
How much does an infrastructure security program cost for a Canadian SMB?
For a 50-user Canadian firm, a full program from Fusion Computing typically runs CAD 8,000 to CAD 14,000 per month all-in, covering licensing and 24/7 response. Initial deployment is CAD 15,000 to CAD 35,000 depending on existing infrastructure.
What are the CIS Benchmarks and do we need them?
The CIS Benchmarks are prescriptive hardening guides for operating systems, cloud services, and applications, maintained by the Center for Internet Security. Yes, you need them; auditors and cyber insurers expect server baselines to align with CIS.
Does PIPEDA require multi-factor authentication?
PIPEDA does not name specific controls. It requires safeguards “appropriate to the sensitivity of the information.” In 2026, the Office of the Privacy Commissioner and most cyber insurers treat MFA as a baseline expectation, and the absence of MFA after a credential breach is routinely cited as a contributing factor in PIPEDA findings.
How is Bill C-8 different from Bill C-26?
Bill C-26 was the 2022 predecessor that lapsed when Parliament was prorogued. Bill C-8 was reintroduced with substantively similar Critical Cyber Systems Protection Act provisions, requiring a cyber security program, 72-hour incident reporting, and minimum control standards for designated operators.
What is ZTNA and should we replace our VPN with it?
Zero Trust Network Access (ZTNA) verifies user identity and device posture on every request, rather than granting broad network access after a single VPN login. For Microsoft 365 firms, Entra Private Access is a practical replacement; mixed environments use FortiClient ZTNA alongside FortiGate. Most clients move within 12 to 18 months once they pilot it.
How often should we test our backups?
Quarterly at minimum, with annual full-scenario disaster recovery testing. The 2025 IBM Cost of a Data Breach Report shows that organizations with tested incident response plans saved an average of USD 1.49M per breach. Untested backups are the most common failure mode in ransomware recovery.
Do we need a SIEM if we have EDR?
For Canadian SMBs under 100 users, a managed EDR with a managed SOC usually covers detection. A SIEM becomes worthwhile when compliance requires correlated logs across non-endpoint systems, or when the firm passes about 150 users.
What is the single highest-impact control to deploy first?
Phishing-resistant MFA on every account, with no exceptions for service accounts. It is the lowest-cost, highest-impact control in the program and prevents the majority of credential-driven incidents we triage. Pair it with Conditional Access in Entra ID to block legacy authentication on day one.
Sources
- Center for Internet Security: CIS Controls v8.1
- Center for Internet Security: CIS Benchmarks (server hardening)
- Canadian Centre for Cyber Security: Baseline Cyber Security Controls for Small and Medium Organizations
- NIST: Cybersecurity Framework 2.0
- IBM Security: 2025 Cost of a Data Breach Report