As a contractor to the US federal government, a state business corporation manages a large amount of sensitive federal information. The corporation's ability to access and disseminate this information, categorized as controlled unclassified information (CUI), is critical to its success.
In 2015, the National Institute of Standards and Technology (NIST) issued Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." The corporation needed a segmentation strategy to reduce risk and make its compliance obligations easier to manage.
The corporation had 200 applications interacting with 1,800 servers across 17 geographic locations. Additionally, thousands of user endpoints could house CUI. In addition to CUI, the corporation holds data that falls under the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS) and the International Traffic in Arms Regulations (ITAR).
The corporation sought a solution that would document the artifacts and processes needed for them to implement enterprise segmentation.
We employed our defined and mature enterprise segmentation methodology that outlined needed zones and micro zones to ensure unauthorized users and applications could not access CUI.
We began with a planning phase, the first of three phases in our approach to enterprise segmentation.
Phase one is focused on identifying assets, applications, data, architecture, business functions, and compliance and legal requirements. This allows the development of zone architecture, segmentation policy (i.e. tenets) and supporting application placement processes.
This information is necessary before moving into a design phase, as it determines specific technical capabilities and a segmentation design. By identifying an application inventory, a zone architecture with micro zones, segmentation tenets and a process flow, we were able to meet customer objectives in this first phase of work.
First, the corporation needed an accurate inventory of all the dependencies of applications and systems. To accomplish this, members of our security team provided stakeholders with a questionnaire and conducted follow-up interviews to determine what criteria needed to be considered when assessing applications for segmentation.
For the corporation, it was important to capture information regarding application and system names, sites, business units, owners, Internet accessibility, data type, server function, zone reference and access control requirements. This information provided the context for a high-level review of the network infrastructure, which provided understanding of the overall application environment.
With criteria established, we then performed application dependency mapping (ADM). During the ADM, we provided detailed technical information for each application and all communication requirement controls. This would provide critical documentation for determining zone allocation and access control requirements in a final enterprise segmentation design.
After collecting all application and network architecture criteria, and considering the business and compliance requirements for segmentation, we determined that the corporation needed to segment its network at a high level by the following criteria: Internet accessibility, enterprise services, management functions, server roles, production or development environments, endpoint types and federal or commercial use.
We proposed a high-level design for segmentation that included management, enterprise services, external, untrusted (DMZ), restricted and internal zones. We suggested the untrusted, restricted and internal zones be broken out based on applications and systems that held federal data, commercial data, or shared federal and commercial data.
Using this zone design, we determined micro zones for further granularity and compliance requirements. The establishment of the micro zones was based on repeatable processes and controls that could be applied to any application or service systems.
For instance, Internet-accessible front-end servers were placed in untrusted zones while internal-only front-end servers were placed in the restricted zone. Application and database servers were placed in restricted zones, while user endpoints, phones and printers were placed in internal zones.
With a zone architecture and micro zones in place, the corporation could apply tenets that would dictate requirement definitions for communication between zones, what capabilities existed within zones and in which zone users and systems would be placed.
For example, tenets were established requiring that all applications and data accessed by non-privileged users be placed in a restricted or untrusted zone; that log and alert data be stored in the management zones; and that access from the Internet be restricted to an untrusted zone with heavy control and monitoring.
To further the corporation’s enterprise segmentation process, WWT created a repeatable process built on decision trees for each zone and micro zone. Through these decision trees, the corporation’s operations teams could segment any new application into the appropriate zone using a repeatable and consistent process.
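The decision-tree placement process and the tenets above can be expressed as a small, repeatable program. The following is an added illustration, not WWT's or the corporation's own tooling: it encodes the zone list and the placement rules quoted in this case study (Internet-accessible front ends to untrusted, internal front ends and back-end servers to restricted, endpoints to internal, log and alert functions to management), derives a micro zone from the data type and environment, and then checks the proposed placement against the tenets. The Asset fields, the micro-zone naming scheme and the sample inventory records are constructed assumptions for the example.

```python
"""Zone placement decision tree and tenet checks for enterprise segmentation.

Assumptions (not from the case study): the Asset fields, the micro-zone
naming scheme "<zone>-<data type>-<environment>" and the sample inventory.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Zone(str, Enum):
    MANAGEMENT = "management"
    ENTERPRISE_SERVICES = "enterprise-services"
    EXTERNAL = "external"
    UNTRUSTED = "untrusted"      # DMZ
    RESTRICTED = "restricted"
    INTERNAL = "internal"


# Server functions the decision tree understands (constructed vocabulary).
FRONT_END = {"front-end"}
BACK_END = {"application", "database"}
ENDPOINTS = {"endpoint", "phone", "printer"}
MANAGEMENT_FUNCTIONS = {"log-collector", "alerting", "monitoring"}
ENTERPRISE_FUNCTIONS = {"directory", "dns", "ntp"}

# Zones that are broken out into micro zones by the data they hold.
DATA_SPLIT_ZONES = {Zone.UNTRUSTED, Zone.RESTRICTED, Zone.INTERNAL}


@dataclass(frozen=True)
class Asset:
    name: str
    server_function: str              # one of the sets above
    internet_accessible: bool
    data_type: str                    # "federal" (CUI), "commercial", "shared" or "none"
    environment: str = "production"   # or "development"
    non_privileged_users: bool = False  # accessed directly by non-privileged users


def place_asset(asset: Asset) -> tuple[Zone, str]:
    """Walk the decision tree and return (zone, micro zone) for one asset."""
    fn = asset.server_function
    if fn in MANAGEMENT_FUNCTIONS:
        zone = Zone.MANAGEMENT
    elif fn in ENTERPRISE_FUNCTIONS:
        zone = Zone.ENTERPRISE_SERVICES
    elif fn in FRONT_END:
        zone = Zone.UNTRUSTED if asset.internet_accessible else Zone.RESTRICTED
    elif fn in BACK_END:
        zone = Zone.RESTRICTED
    elif fn in ENDPOINTS:
        zone = Zone.INTERNAL
    else:
        raise ValueError(f"no decision-tree branch for server function {fn!r}")

    # Only untrusted, restricted and internal are split by federal/commercial/shared data.
    if zone in DATA_SPLIT_ZONES:
        micro = f"{zone.value}-{asset.data_type}-{asset.environment}"
    else:
        micro = f"{zone.value}-{asset.environment}"
    return zone, micro


def tenet_violations(asset: Asset, zone: Zone) -> list[str]:
    """Check a proposed placement against the tenets stated in the text."""
    problems: list[str] = []
    if asset.non_privileged_users and zone not in {Zone.RESTRICTED, Zone.UNTRUSTED}:
        problems.append(f"{asset.name}: used by non-privileged users but placed in {zone.value}")
    if asset.server_function in MANAGEMENT_FUNCTIONS and zone is not Zone.MANAGEMENT:
        problems.append(f"{asset.name}: log/alert data must live in the management zone")
    if asset.internet_accessible and zone is not Zone.UNTRUSTED:
        # Catches inventory answers such as an "Internet-accessible database".
        problems.append(f"{asset.name}: Internet access is only permitted into the untrusted zone")
    return problems


def segment_inventory(assets: list[Asset]) -> tuple[dict[str, str], list[str]]:
    """Place every asset and collect all tenet violations for review."""
    placement: dict[str, str] = {}
    violations: list[str] = []
    for asset in assets:
        zone, micro = place_asset(asset)
        placement[asset.name] = micro
        violations.extend(tenet_violations(asset, zone))
    return placement, violations


# Constructed sample inventory, shaped like the questionnaire answers.
SAMPLE_INVENTORY = [
    Asset("cui-portal-web", "front-end", True, "federal", non_privileged_users=True),
    Asset("hr-intranet-web", "front-end", False, "commercial", non_privileged_users=True),
    Asset("cui-portal-db", "database", False, "federal"),
    Asset("floor3-printer", "printer", False, "none"),
    Asset("central-syslog", "log-collector", False, "shared"),
    Asset("legacy-reports-db", "database", True, "federal"),   # mis-answered: flagged below
]

if __name__ == "__main__":
    placed, issues = segment_inventory(SAMPLE_INVENTORY)
    for name, micro in placed.items():
        print(f"{name:20s} -> {micro}")
    for issue in issues:
        print("TENET VIOLATION:", issue)
```

Running the block places five assets cleanly and reports one tenet violation for the database whose inventory record claims Internet accessibility, which is exactly the kind of answer the follow-up interviews are meant to catch before design begins.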
With a compliant enterprise segmentation architecture and formal segmentation processes for appropriate zone association, the corporation will be able to place any new application that holds CUI into micro zones where CUI cannot be accessed by untrusted sources.
The corporation can be confident in its compliance with NIST 800-171 for segmentation because it has a formal enterprise segmentation strategy that aligns with the NIST 800-171 framework. Additionally, this architecture can be applied to other sensitive and regulated data outside of CUI.
Confidence in Decisions
By having a segmentation strategy and design in place, the corporation’s future infrastructure investments in segmentation can be directly attributed to security objectives.
Operational Expense Avoidance
Based on its security resources, we estimate the corporation would have spent thousands of staff hours, diverted from critical operational tasks, had a comparable assessment been conducted internally.