Name: 05140-01 Perimeter Control Concepts
Author: Bela Varkonyi
Version: 1.8
Created: 2014.07.14. 13:44:58
Updated: 2014.08.08. 13:32:20

Security Enclave {1..*}
  Notes: Collection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.

Security Domain {1..*}
  Notes: A security domain is a set of elements under a given security policy administered by a single security authority for some specific security-relevant activities. [ITU-T X.810]

Enclaves can be broken down into Security Domains or Communities of Interest (COIs).

Security Zone {1..*}
  Notes: A security zone is defined by operational control, location, and connectivity to other device/network elements.

Security Environment
Protected Area {1..*}
Staging Environment {1..4}
Security Perimeter
Security Perimeter Control {0..*}
Physical Perimeter Control
Logical Perimeter Control
Administrative Perimeter Control

Ensure administrative accountability
Align with physical security environments
Defend in depth
Ensure controlled staging by administrative domain separation
Avoid production data leakage to unauthorized personnel and partners in the staging process
Enable alignment and synergy of different types of security controls
Balance various security controls between effectiveness and efficiency
Compensate for weaknesses in host and application based security controls

Protected Device
Protected Host
Protected Application
Protected Communication

Enclave STIG V4R4
Align with security policy scope boundaries
National Information Assurance (IA) Glossary
DoD Cybersecurity

Enclaves provide standard cybersecurity, such as boundary defense, incident detection and response, and key management, and also deliver common applications, such as office automation and electronic mail.
Enclaves may be specific to an organization or a mission, and the computing environments may be organized by physical proximity or by function independent of location.

Security Enclave Boundary
  Notes: Point at which an enclave’s internal network service layer connects to an external network’s service layer, i.e., to another enclave or to a Wide Area Network (WAN).

An enclave boundary is an entry/exit point of a network of dissimilar security policy.
Enclaves always assume the highest security category of the ISs that they host, and derive their security needs from those systems.

Development Environment (DEV)
  Notes: Unit testing
         Optionally: simulation of integration interfaces

Integration Test Environment (ITST)
  Notes: Integration testing
         Emulation of integration interfaces

Acceptance Test Environment (ATST or UAT)
  Notes: Final acceptance testing for production rollout
         Live integration interfaces of other test systems

Production Environment (PROD)
  Notes: Live operations

A protected area is an intersection of a security zone and a security domain.

ITU-T X.805 Security architecture...
Align with security planes

A given security domain may span multiple security zones. [ITU-T Y.2701]