Software-defined Protection - page 7

ENFORCEMENT LAYER
01
ENTERPRISE SECURITY BLUEPRINT
Method for Segmentation
Implementing segmentation starts with defining the “atomic” segments in the network.
A segment is defined as a logical set of computing and networking elements protected by
an enforcement point. A segment may be as small as a single executable running on a host,
or as large as the entire organization. An atomic segment contains elements that share the
same policy and the same protection characteristics. Enforcement points are introduced
at the boundaries of each segment to enforce defined protection logic. Segments can be
grouped to allow for modular protection. After the segmentation model has been created,
it is integrated into the network design. Finally, trusted channels are established to protect
interactions and data flow between various network segments.
Below is a description of the segmentation methodology:
Step 1: Atomic Segments
An atomic segment consists of a set of computing and networking elements that: (1) share
a common security profile, (2) cannot be further subdivided into smaller segments, and (3) can
be protected using security controls that mediate all interactions between the segment and
external entities. Examples of an atomic segment include a single device on which
security software is installed, or a number of hosts on a shared network protected by a
security gateway.
An atomic segment is a set of computing hosts and networking elements that share a common security profile.
[Figure: the segmentation method, Steps 1 to 4]
Step 1, Atomic Segments: identify elements that share the same policy and protection characteristics; define security enforcement points at the segment boundaries and mediate all information flows into and out of the segment, allowing only controlled access.
Step 2, Segment Grouping and Iteration: group atomic segments to allow modular protection; iterate segment grouping until all enterprise assets have been defined within a controlled segment boundary.
Step 3, Enforcement Consolidation: consolidate physical and virtual components such as network security gateways or host-based software; use consolidation and virtualization to reach an optimal solution.
Step 4, Trusted Channels: protect interactions and data flow between segments.
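The following is an added worked example, not code from the Software-defined Protection document or from Check Point. It models Steps 1 and 2 of the method above in Python: hosts are partitioned into atomic segments by a shared security profile (assumed here to be the tuple of zone, role and data class), atomic segments are grouped, and two checks are run that the method requires: every asset must sit inside a boundary that has an enforcement point, and every flow between different atomic segments must cross at least one enforcement point. The inventory, enforcement point names (gw-dmz, gw-db, gw-perimeter, gw-lan) and flow records are constructed for the example.

```python
# Added example, not part of the original document. Models atomic segments,
# segment grouping and the two coverage checks the method calls for.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    zone: str        # network location, e.g. "dmz" or "lan"
    role: str        # function, e.g. "web" or "db"
    data_class: str  # sensitivity of the data handled

    @property
    def profile(self) -> tuple:
        # Assumption: same zone, role and data class means the same policy
        # and protection characteristics, i.e. the same security profile.
        return (self.zone, self.role, self.data_class)


@dataclass
class Segment:
    name: str
    hosts: frozenset = frozenset()
    children: list = field(default_factory=list)
    enforcement_point: Optional[str] = None  # gateway or host agent at the boundary

    def members(self) -> set:
        out = set(self.hosts)
        for child in self.children:
            out |= child.members()
        return out


def atomic_segments(hosts, enforcement_points) -> list:
    """Step 1: one atomic segment per distinct security profile. A profile
    with no entry in enforcement_points has no enforcement point yet."""
    by_profile = defaultdict(set)
    for h in hosts:
        by_profile[h.profile].add(h)
    return [Segment(name="/".join(p), hosts=frozenset(hs),
                    enforcement_point=enforcement_points.get(p))
            for p, hs in sorted(by_profile.items())]


def group(name, segments, enforcement_point=None) -> Segment:
    """Step 2: group segments so they can be protected as one module."""
    return Segment(name=name, children=list(segments),
                   enforcement_point=enforcement_point)


def uncontrolled_assets(root, inventory) -> set:
    """Iteration check: assets that lie inside no segment whose boundary has
    an enforcement point. Grouping is incomplete until this is empty."""
    controlled = set()

    def walk(seg):
        if seg.enforcement_point:
            controlled.update(seg.members())
        for child in seg.children:
            walk(child)
    walk(root)
    return {h.name for h in inventory} - {h.name for h in controlled}


def enforcement_points_crossed(root, src, dst) -> list:
    """Enforcement points on the path src -> dst: the boundary of every
    segment that contains exactly one of the two hosts (pre-order)."""
    crossed = []

    def walk(seg):
        members = seg.members()
        if (src in members) != (dst in members) and seg.enforcement_point:
            crossed.append(seg.enforcement_point)
        for child in seg.children:
            walk(child)
    walk(root)
    return crossed


def unmediated_flows(root, flows) -> list:
    """Flows between different atomic segments that cross no enforcement
    point, i.e. interactions the model fails to mediate."""
    return [(s.name, d.name) for s, d in flows
            if s.profile != d.profile and not enforcement_points_crossed(root, s, d)]


# Constructed inventory and flow records (not real hosts).
WEB1 = Host("web1", "dmz", "web", "public")
WEB2 = Host("web2", "dmz", "web", "public")
DB1 = Host("db1", "lan", "db", "confidential")
APP1 = Host("app1", "lan", "app", "internal")
WS1 = Host("ws1", "lan", "workstation", "internal")
INVENTORY = [WEB1, WEB2, DB1, APP1, WS1]

# Enforcement points exist for two of the four profiles; the app and
# workstation profiles have none yet, which the checks must surface.
EPS = {("dmz", "web", "public"): "gw-dmz",
       ("lan", "db", "confidential"): "gw-db"}

FLOWS = [(WEB1, DB1), (WS1, DB1), (WEB1, WEB2), (WS1, WEB1), (WS1, APP1)]


def build_model(lan_ep=None) -> Segment:
    """Group atomic segments into dmz and lan modules under one root; the
    dmz module gets a perimeter gateway, the lan module an optional one."""
    atoms = atomic_segments(INVENTORY, EPS)
    dmz = group("dmz", [a for a in atoms if a.name.startswith("dmz")], "gw-perimeter")
    lan = group("lan", [a for a in atoms if a.name.startswith("lan")], lan_ep)
    return group("enterprise", [dmz, lan])


if __name__ == "__main__":
    root = build_model()
    print("uncontrolled assets:", uncontrolled_assets(root, INVENTORY))
    print("unmediated flows:", unmediated_flows(root, FLOWS))
    print("web1 -> db1 crosses:", enforcement_points_crossed(root, WEB1, DB1))
```

Running it shows the distinction the method relies on: giving the lan group its own gateway (build_model("gw-lan")) puts every asset inside a controlled boundary, but the ws1 to app1 flow is still unmediated, because a group-level enforcement point only sees traffic that crosses the group boundary. Mediating that flow needs an enforcement point at the atomic segment boundary, which is why Step 1 places them there before Step 2 groups anything.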