Software-defined Protection - page 8

ENTERPRISE SECURITY BLUEPRINT - ENFORCEMENT LAYER 01
Defining the atomic segments and identifying the entities that share a common security
profile is the first step in implementing the SDP architecture. A security profile is assigned
to each segment based on the value of the corporation’s assets within a segment and the trust
level awarded to the segment users and security controls.
Threats may occur where two segments with different security profiles interact, and the
greater the difference between the two segments' security profiles, the greater the potential
for threats. To avoid such risk, many organizations use an enterprise-wide classification
scheme for data, hosts, applications and networks that can support this segmentation
methodology.
Depending on business objectives, one of the following security requirements is selected as
a leading principle for classification: Confidentiality, Integrity or Availability (CIA). One
example could be:
Public - systems and data that are cleared for access by the general public
Customer - systems and data that contain confidential customer information. Typically
cleared for access by authenticated customers and a small number of internal users
Internal - may be accessed by employees from anywhere
Sensitive - internal systems and data requiring enhanced protections
Departmental - restricted to selected individuals by departmental role
This type of classification assists in the definition of segments and their security profiles. The
level and extent of segmentation required for each enterprise depends on its business needs
and security requirements. Some organizations enforce strict ‘Least Privilege’ and ‘Privilege
Separation’ policies, whereas others consider all users and systems to be equivalent in terms of
their access levels and mission criticality.
TIP
When determining segment boundaries, always ask whether entities have
the same authorizations, support the same business processes, handle similar
assets, and receive the same level of security protections. If you answer "yes"
to all of these questions, then these entities can be included within a single
atomic segment. If you answer "no" to at least one question, then the entities
should be segmented separately.
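The four-question test in the tip, and the rule that risk grows with the gap between two segments' security profiles, can be applied mechanically to an asset inventory. The following is an added example (not code from the blueprint or from Check Point): it groups a constructed inventory into atomic segments and ranks every segment boundary by the classification differential across it. The Entity fields, the numeric ranks given to the page's classification labels, and the sample inventory are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

# The page's classification scheme, ranked by sensitivity. The numeric
# ranks are an assumption for this example, not part of the blueprint.
CLASSIFICATION_RANK = {
    "Public": 0, "Customer": 1, "Internal": 2, "Sensitive": 3, "Departmental": 4,
}

@dataclass(frozen=True)
class Entity:
    name: str
    authorizations: frozenset   # roles allowed to access the entity
    business_process: str       # business process the entity supports
    classification: str         # asset classification from the page's scheme
    protection_level: str       # level of security protection it receives

def atomic_segments(entities):
    """Apply the tip's four questions: entities with the same authorizations,
    business process, asset classification and protection level share one
    atomic segment; a 'no' on any question puts them in separate segments."""
    groups = defaultdict(list)
    for e in entities:
        key = (e.authorizations, e.business_process, e.classification, e.protection_level)
        groups[key].append(e.name)
    # Name each segment by its profile and lowest member name so the output
    # does not depend on inventory order.
    return {f"{key[2]}:{min(names)}": {"members": sorted(names), "profile": key[2]}
            for key, names in groups.items()}

def interaction_risk(segments):
    """Rank every segment pair by the differential between their security
    profiles; larger differentials mark the boundaries most in need of
    enforcement points."""
    pairs = []
    for a, b in combinations(sorted(segments), 2):
        diff = abs(CLASSIFICATION_RANK[segments[a]["profile"]]
                   - CLASSIFICATION_RANK[segments[b]["profile"]])
        pairs.append((diff, a, b))
    return sorted(pairs, reverse=True)

# Constructed sample inventory; hr-db and hr-reports differ only in
# protection level, so the tip puts them in separate segments.
SAMPLE = [
    Entity("web-portal", frozenset({"public"}), "marketing", "Public", "standard"),
    Entity("brochure-cdn", frozenset({"public"}), "marketing", "Public", "standard"),
    Entity("customer-api", frozenset({"customer", "support"}), "billing", "Customer", "standard"),
    Entity("hr-db", frozenset({"hr-admin"}), "payroll", "Departmental", "enhanced"),
    Entity("hr-reports", frozenset({"hr-admin"}), "payroll", "Departmental", "standard"),
]
```

Running `interaction_risk(atomic_segments(SAMPLE))` lists the Departmental-to-Public boundaries first (differential 4) and the two Departmental segments last (differential 0).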