ENTERPRISE SECURITY BLUEPRINT
02 CONTROL LAYER
These protective controls can be partitioned into inbound and outbound control sets.
On the inbound side, each segment protects its assets against external attacks. Strict
enforcement of least privilege minimizes the attack surface. For example, an application within
the segment might contain a security flaw, but because the access control policy denies
access to the application from sources that have no business need for it, the vulnerability
cannot be reached, and therefore cannot be exploited, from those sources. The least privilege
principle also dictates that clients within the protected segment be granted access
only to external services that directly or indirectly support the business; outbound
controls are required to enforce this.
The analysis and control of traffic are done adaptively, based on context. For
example, in the case of Internet traffic, the Control Layer may consult a cloud database
for the latest authorized applications and protocols, while in the case of internal traffic it
may authorize a proprietary application or protocol used by the organization.
In addition, the Control Layer is aware of network changes and of definitions maintained in
other IT systems. Examples include picking up changes in the user repository, automatically
applying security to a newly created virtual machine, or allowing access to a new host
defined in the Domain Name System (DNS). For SDN, the Control Layer also directs network
traffic flows through the appropriate enforcement points, thereby shaping the network to
conform to the enterprise segmentation model and security policy.
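The inbound/outbound split and the use of definitions from other IT systems can be shown in a small policy evaluator. The code below is an added illustration written for this page, not Check Point code: the segment range, the `vm-tag:` and `dns:` object names, the hostnames and every address are constructed. Rules reference dynamic objects by name and the objects are resolved at evaluation time, so a VM that appears in the inventory with the right tag is covered without editing the rulebase, while anything no rule allows is denied.

```python
"""Minimal segment-aware access policy evaluator (added illustration, not
Check Point code). Segment ranges, tags, hostnames and addresses are all
constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed protected segment: a web tier.
SEGMENT = ip_network("10.10.0.0/24")

# Dynamic objects stand in for definitions that live in other IT systems
# (DNS records, VM inventory tags, the cloud application database). Rules
# reference them by name and they are resolved when a flow is evaluated.
DYNAMIC = {
    "dns:erp.internal": {"10.20.0.15"},             # host defined in DNS
    "vm-tag:web-tier": {"10.10.0.5", "10.10.0.6"},  # VMs carrying the tag
    "app:approved-saas": {"203.0.113.10"},          # from the cloud app database
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    app: str  # application identified by the control layer, e.g. "https"


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound", relative to SEGMENT
    src: str         # CIDR, "any", or a dynamic object name
    dst: str
    ports: frozenset
    apps: frozenset  # permitted application IDs; {"*"} means any
    action: str      # "allow" or "deny"


def expand(obj):
    """Resolve a rule endpoint to a list of networks at evaluation time."""
    if obj == "any":
        return [ip_network("0.0.0.0/0")]
    if obj in DYNAMIC:
        return [ip_network(a) for a in DYNAMIC[obj]]
    return [ip_network(obj)]


def register_vm(tag, address):
    """Simulate the VM platform announcing a new machine carrying a tag."""
    DYNAMIC.setdefault(tag, set()).add(address)


def direction(flow):
    return "inbound" if ip_address(flow.dst) in SEGMENT else "outbound"


def matches(rule, flow):
    return (any(ip_address(flow.src) in n for n in expand(rule.src))
            and any(ip_address(flow.dst) in n for n in expand(rule.dst))
            and flow.port in rule.ports
            and ("*" in rule.apps or flow.app in rule.apps))


def evaluate(rules, flow):
    """First matching rule in the flow's direction wins; no match means deny."""
    d = direction(flow)
    for rule in rules:
        if rule.direction == d and matches(rule, flow):
            return rule.action
    return "deny"


RULES = [
    # Inbound: only the published HTTPS service on tagged web-tier VMs.
    Rule("inbound", "any", "vm-tag:web-tier", frozenset({443}), frozenset({"https"}), "allow"),
    # Outbound: segment clients may reach the ERP host and the approved SaaS only.
    Rule("outbound", "10.10.0.0/24", "dns:erp.internal", frozenset({443}), frozenset({"https"}), "allow"),
    Rule("outbound", "10.10.0.0/24", "app:approved-saas", frozenset({443}), frozenset({"https"}), "allow"),
]

if __name__ == "__main__":
    # A management interface on 8080 that might be flawed is simply unreachable.
    print(evaluate(RULES, Flow("198.51.100.7", "10.10.0.5", 8080, "http")))
    print(evaluate(RULES, Flow("198.51.100.7", "10.10.0.5", 443, "https")))
    # An unapproved application tunnelled over 443 is still denied outbound.
    print(evaluate(RULES, Flow("10.10.0.5", "203.0.113.10", 443, "bittorrent")))
    # A new web-tier VM is covered as soon as the inventory knows about it.
    register_vm("vm-tag:web-tier", "10.10.0.7")
    print(evaluate(RULES, Flow("198.51.100.7", "10.10.0.7", 443, "https")))
```

Matching on the identified application as well as the port is what lets the outbound rules enforce "approved services only" rather than "port 443 only"; a real control layer gets that identification from its application database, which the `app` field stands in for here.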
Data Protection
To secure information properly, protections must follow the data, both at rest (in storage) and
in motion (on the network). To deny access to unauthorized users, cryptographic controls are
applied to protect data within and outside the organization. By categorizing data through
enterprise information classifications, data flows can be examined to identify and prevent data loss.
Data protection depends on the security policy for data categorization and watermarking.
Data is classified based on its ownership, attributes and content. Data signatures are derived
from the classification and its sensitivity, and are used to prevent leakage to unauthorized
users from any host or location.
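One way to turn classification into enforceable data signatures is shown below. This is an added example, not code from the blueprint: the sensitivity levels, the zone limits, the project codename "Project Bluefin" and the three sample documents are constructed. Content signatures (a payment card number, validated with the Luhn checksum so that ticket numbers of the same shape do not trigger), watermark signatures and keyword signatures each carry a sensitivity level; a document takes the highest level of anything it matches, and a flow is blocked when that level exceeds what the destination zone may receive.

```python
"""Classification-driven data-flow check (added illustration, not vendor
code). Signatures, sensitivity levels, zone limits and the sample documents
are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Sensitivity levels of the constructed classification scheme.
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = 0, 1, 2, 3


def luhn_ok(digits):
    """Luhn checksum; filters card-number look-alikes such as ticket numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_pan(match):
    digits = re.sub(r"\D", "", match)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


@dataclass(frozen=True)
class Signature:
    name: str
    level: int
    pattern: re.Pattern
    validate: Optional[Callable[[str], bool]] = None


# Signatures derived from the classification policy: a content pattern,
# two classification watermarks, and a (constructed) project codename.
SIGNATURES = [
    Signature("payment-card", RESTRICTED, re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), is_pan),
    Signature("watermark-confidential", CONFIDENTIAL, re.compile(r"\bCONFIDENTIAL\b")),
    Signature("watermark-internal", INTERNAL, re.compile(r"\bINTERNAL USE ONLY\b")),
    Signature("project-keyword", CONFIDENTIAL, re.compile(r"\bProject Bluefin\b")),
]

# Highest sensitivity each destination zone may receive.
ZONE_LIMIT = {"internal": RESTRICTED, "partner": INTERNAL, "internet": PUBLIC}


def classify(text):
    """Return (level, matched signature names) for a document."""
    level, hits = PUBLIC, []
    for sig in SIGNATURES:
        for m in sig.pattern.finditer(text):
            if sig.validate is None or sig.validate(m.group(0)):
                hits.append(sig.name)
                level = max(level, sig.level)
                break
    return level, hits


def check_flow(text, zone):
    """Decide whether a document may flow towards the given zone."""
    level, _ = classify(text)
    return "allow" if level <= ZONE_LIMIT[zone] else "block"


# Constructed sample documents.
PAYMENT_EXPORT = "INTERNAL USE ONLY\ncustomer card 4111 1111 1111 1111 exp 12/27\n"
TICKET_REPORT = "Helpdesk ticket 1234 5678 9012 3456 closed, see Project Bluefin notes\n"
PRESS_RELEASE = "Acme announces quarterly results.\n"

if __name__ == "__main__":
    for name, doc in [("payment", PAYMENT_EXPORT), ("ticket", TICKET_REPORT),
                      ("press", PRESS_RELEASE)]:
        print(name, classify(doc), {z: check_flow(doc, z) for z in ZONE_LIMIT})
```

Note that the ticket report is classified confidential because of the codename, not because of the sixteen-digit ticket number, which fails the Luhn check; without that validator the same rule set would block every helpdesk export as a card-data leak.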
Additionally, cryptographic mechanisms such as data encryption and digital signatures
need to be applied to data in storage to prevent unauthorized access and modification.
These mechanisms provide persistent protection even when data is copied outside of the
controlled system.
Encryption is especially valuable for mobile devices, storage on removable media, shared
storage environments and cloud computing. A local or cloud-based key management
infrastructure is required to manage keys and access to encrypted data effectively. Encryption
can also be used to ensure secure data disposal through key revocation: once the key is
destroyed, every copy of the ciphertext, including copies that left the organization, becomes
unreadable.
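The key-management dependency and disposal by key revocation are easiest to see in an envelope-encryption scheme, shown here as an added example rather than vendor code. A key manager holds key-encryption keys (KEKs); each object gets its own random data key (DEK), wrapped by a KEK, and the classification label is bound to the ciphertext as associated data so it cannot be swapped without detection. Revoking the KEK makes every object under it unreadable even if copies have been exported. The authenticated encryption below is built from the standard library (an HMAC-SHA256 keystream with encrypt-then-MAC) only so the example runs without third-party packages; in production use AES-GCM or ChaCha20-Poly1305 from a vetted library. Key IDs and sample data are constructed.

```python
"""Envelope encryption with a key manager and crypto-shredding (added
illustration, not vendor code). The AEAD is a standard-library stand-in for
AES-GCM: HMAC-SHA256 keystream in counter mode, encrypt-then-MAC. Key IDs
and sample data are constructed."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    """Derive independent encryption and MAC keys from one 256-bit key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(mac_key, aad, nonce, ct):
    # Length-prefix the AAD so (aad, nonce||ct) boundaries are unambiguous.
    return hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()


def aead_encrypt(key, plaintext, aad=b""):
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + _tag(mac, aad, nonce, ct)


def aead_decrypt(key, blob, aad=b""):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac, aad, nonce, ct)):
        raise ValueError("integrity check failed: ciphertext or label modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class KeyManager:
    """Holds key-encryption keys; stands in for a local or cloud KMS."""
    def __init__(self):
        self._keks = {}

    def create_kek(self, kek_id):
        self._keks[kek_id] = secrets.token_bytes(32)

    def wrap(self, kek_id, dek):
        return aead_encrypt(self._keks[kek_id], dek, aad=kek_id.encode())

    def unwrap(self, kek_id, wrapped):
        if kek_id not in self._keks:
            raise KeyError(f"KEK {kek_id!r} has been revoked")
        return aead_decrypt(self._keks[kek_id], wrapped, aad=kek_id.encode())

    def revoke(self, kek_id):
        """Crypto-shredding: destroying the KEK makes every object under it unreadable."""
        self._keks.pop(kek_id, None)


def encrypt_object(km, kek_id, data, classification):
    """Fresh per-object DEK, wrapped by the KMS; the classification is bound as AAD."""
    dek = secrets.token_bytes(32)
    return {"kek_id": kek_id, "classification": classification,
            "wrapped_dek": km.wrap(kek_id, dek),
            "blob": aead_encrypt(dek, data, aad=classification.encode())}


def decrypt_object(km, record):
    dek = km.unwrap(record["kek_id"], record["wrapped_dek"])
    return aead_decrypt(dek, record["blob"], aad=record["classification"].encode())


def lifecycle_demo():
    """Encrypt, decrypt, attempt a relabel, then revoke the KEK; report outcomes."""
    km = KeyManager()
    km.create_kek("tenant-a-2024")
    rec = encrypt_object(km, "tenant-a-2024", b"payroll: alice 5200", "confidential")
    results = {"roundtrip": decrypt_object(km, rec) == b"payroll: alice 5200"}
    relabelled = dict(rec, classification="public")   # downgrade attempt
    try:
        decrypt_object(km, relabelled)
        results["relabel_detected"] = False
    except ValueError:
        results["relabel_detected"] = True
    exported = dict(rec)                              # copy that left the controlled system
    km.revoke("tenant-a-2024")                        # disposal by key revocation
    try:
        decrypt_object(km, exported)
        results["shredded"] = False
    except KeyError:
        results["shredded"] = True
    return results


if __name__ == "__main__":
    print(lifecycle_demo())
```

Because the DEK is never stored in the clear, the only path to the plaintext runs through the key manager, which is where access control, audit and revocation are enforced; the exported copy carries the wrapped DEK but cannot use it once the KEK is gone.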