Segment and Separate

February 1, 2024 · View on GitHub

(Back)

Objective

Segment and separate information based on sensitivity of information.

Applicable Service Models

IaaS, PaaS

Note

The following guardrail is not applicable to SaaS. The cloud service provider is responsible for the management and security of the network and this responsibility is included as part of the SaaS offering. Refer to section 4.3 of Guidance on Defence in Depth for Cloud-Based Services (ITSP.50.104) to understand key considerations for cloud network segmentation.

Mandatory Requirements

ActivityValidation
  • Isolate and secure cloud workloads based on the sensitivity of the data.
  • Confirm that the department has a target network architecture with a high-level design or a diagram with appropriate segmentation between network security zones in alignment with ITSP.50.104, ITSP.80.022 and ITSG-38.
  • Confirm that the department has documented a deployment guide for the cloud platform and associated services (the guide should capture the landing zone if applicable)
  • Confirm that the cloud service provider’s segmentation features are leveraged to provide segmentation of management, production, user acceptance testing (UAT), development (DEV) and testing (for example, the use of subscription, instances or other cloud provider constructs).

Additional Considerations

ActivityValidation
  • Develop a target network security design that considers segmentation via network security zones in alignment with ITSP.50.104, ITSP.80.022 and ITSG-38.
  • Leverage landing zones that include predefined, secured, multi-account support to allow automated onboarding of different workloads and teams.

References

AC‑4, SC‑7