Network and Environment Capabilities

Collaborate with key stakeholders and the Enterprise to clearly outline, identify, create, and establish granular network access rules and policies:

• Conduct cross-organizational joint workgroups to collaboratively define Network Access Control (NAC) rulesets and policies.
• Identify, create, and maintain a comprehensive inventory of all approved systems and code sources for NAC rulesets and policies.

Identify the drivers for establishing the granular control access policies:

• Tailor the control access policies to address each driver's specifics, whether for regulatory compliance or data security requirements.
• Determine the level of granularity required for the NAC policy (e.g., file level, endpoint device, network segments, etc.).

Review data and asset classification:

• Leverage data classification initiated with data tagging, from Activity 4.2.1 (Phase One) – Define Data Tagging Standards, to categorize data and network environment assets based on sensitivity level and determine access conditions.

Leverage existing asset inventories:

• Link asset inventories to classification levels to establish access control permissions based on role, risk, and sensitivity levels aligned with existing CONOPS.
  • Leverage Component Master Device Inventory, from Activity 2.1.1 (Discovery) – Device Health Tool Gap Analysis.
  • Leverage Component Master Application Inventory, from Activity 3.1.1 (Discovery) – Application and Code Identification.
  • Leverage Component Master Data Inventory, from Activity 4.1.1 (Discovery) – Data Analysis.

Identify roles:

• Collaborate with key stakeholders to define Users/Person Entities (PEs)/Non-Person Entities (NPEs) roles requiring Data, Applications, Assets, and Services (DAAS) granular access control.
• Leverage the separation of duties principle to limit excess data access and authority to any role.

Assign responsibilities:

• Collaborate with all key stakeholders (e.g., system administrators, Subject Matter Experts (SMEs), system owners, operators, managers, etc.) to define responsibilities associated with each unique role to determine network access requirements.

Establish a COI collaboration:

• Leverage the Enterprise guidelines in data exchange requirements and CONOPS to verify, validate, and identify COI applicable to the granular control access rules and policies.

Establish permission rules:

• Role-Based Access Control (RBAC), where permissions are assigned based on the role of the User/PE/NPE.
• Attribute-Based Access Control (ABAC), where a combination of several factors related to User/PE/NPE, data, and the environment are leveraged to restrict or allow network access based on a set of predefined rules and conditions.
• Discretionary-Based Access Control (DBAC), where controls are implemented based on specific rules and privileges granted to a specific requestor.

Define contextual access requirements:

• Consolidate and normalize network access control data. Use Application Programming Interfaces (APIs), scripts, feeds, or other integration methods to extract detailed data and metadata from each approved, authorized, and authenticated source. Gather specific information, such as usernames, namespaces, unique identifiers, associated groups, location, device compliance status, tags, and labels, to utilize in interoperable granular network environment access controls.

Define control access rules:

• Leverage data encryption to further safeguard highly sensitive data and restrict access based on predefined data access rules. Focus on interoperable granular network access controls by gathering specific information, such as usernames, namespaces, unique identifiers, associated groups, tags, and labels.
• Define dynamic access control policies where access rules are adaptive based on additional conditions, such as granting full rights to specific resources while on-premises but limited while teleworking.

Adopt Just-In-Time (JIT) access:

• Consider temporary access privileges where Users/PEs/NPEs are granted temporary privileged access on-demand to complete specific tasks or actions, and those rights are terminated once the action or timeline is executed.

Adopt comprehensive logging of all activities:

• Establish a policy to log all access requests and attempts with sufficient metadata information (e.g., timestamp, User Identification (ID), platform, etc.) to allow for forensic analysis.
• Develop a policy to securely store logs generated for control access-related activities.

Regular updates and audits:

• Enable periodic review of established access control policies to verify and validate compliance, enforceability, and effectiveness.
• Update policies as needed to support changing business needs, cyber threat landscape, and the broader stakeholder feedback.

Continuous monitoring:

• Adopt continuous monitoring to track all access requests and attempt activities to ensure compliance with the granular access control policies.
• Establish alerting policies as part of the comprehensive access control activities, logging where alerts are triggered for detected User/PE/NPE access anomalies.

Develop data filters for API access:

• Identify all query parameters susceptible to enhancing API technology security, efficiency, and data filtering. Develop a dataset for specific criteria to help retrieve security metrics. Develop a standardized query language syntax for API filtering based on:
  • Representational State Transfer (REST) API Endpoint
  • API query parameters
  • Parsing capability for query parameters

Design query parameters for API:

• Establish clear and descriptive parameters for query requests. Facilitate developer and tool understanding of API functions associated with specific queries, including:
  • Define error handling.
  • Develop comprehensive documentation.
• Identify API functions.

Integrate tagging policies with API management:

• Apply policies at the API gateway to enable API management for common scenarios such as authentication, caching, and transformation of requests or responses. Configure and standardize policies to support:
  • Reference to approved API management policy templates.
  • Extensible Markup Language (XML) to JavaScript Object Notation (JSON) format conversion.
  • Standardized API policy configurations for consistency and interoperability.

Enable data tagging across:

• Ensure that API tags can communicate with different data sources. Enable interoperability between API tagging and existing security tools policy enforcement across platforms. Establish and document an API tagging schema that includes:
  • Defined access control requirements for APIs to govern data exposure and interactions.

Dynamic documentation and reference for API integration:

• Where possible, establish or implement an API management solution that supports dynamic documentation and real-time updates to APIs. Incorporate automation capabilities such as:
  • Dynamic documentation generation and synchronization.
  • Pipeline automation for continuous API integration and updates.
  • Documentation generators to maintain accurate, real-time API references.

API security and SDN:

• Leverage SDN technology and API gateways to enforce security policies at granular levels and encrypt data in traffic. SDN provides centralized visibility into network traffic. Require all API communications to be executed over secure channels and protocols (e.g., Hypertext Transfer Protocol Secure (HTTPS), mutual Transport Layer Security (mTLS), etc.). This provides:
  • Traffic visibility
  • Adaptive security
• Adopt policy-based management.

Identify API gateway points:

• Establish API gateways as entry points for API traffic throughout the SDN platform. Leverage API gateways to enforce security policies (e.g., authentication, authorization, etc.) at key locations, such as:
  • Edge gateways
  • Internal gateways
  • Micro-segmentation points
  • Service-to-service authentication points

Enforce authentication policies:

• Implement API gateways to act as a proxy for different third-party and client requests. Enable third-party integrations to enhance security and scalability and maintain traffic visibility. Enable the following capabilities:
  • API management
  • Access control
  • Secure traffic control
  • Data protection through encryption

API migration planning:

• Verify and validate API/service compatibility with the authorization gateways.
• Develop API/service migration roadmap/implementation plans.

Set up test environment:

• Whenever applicable, create a replica of the production environment dedicated to functional testing, positive testing, and non-functional testing to include different scenarios:
  • Endpoint validation
  • Input/Output validation
  • Create, Read, Update, and Delete (CRUD) operations
  • Test data preparation

Select the most appropriate testing solutions:

• Leverage automation to select testing solutions compatible with dependent services to ensure comprehensive testing and API response validation.

Test reporting, logging, verification, and validation:

• Analyze each test result to identify issues, malfunctions, and vulnerabilities.
• Generate comprehensive test reports with details concerning mitigation actions required, anomalies found, and a summary of the test results.
• As much as possible, automate the test reporting, logging, and data input verification and validation of the testing environment to improve efficiency and ensure continuous threat detection and reporting.

Define objectives and scope:

• Collaborate with key stakeholders and the Enterprise to provide an overview of SDN API concepts and design principles.
• Collaborate with Enterprise stakeholders to define baseline functional, performance, and security requirements for APIs, scripts, secure programming, feeds, and protocols. Ensure these requirements support consistent, reliable, and quality-controlled real-time operations for SDN or equivalent technologies.

Key components of SDN APIs:

• Simplified network control through layer abstraction.
• Enable programmatic control through network automation.
• Centralized SDN controller to provide a single point of control for the entire network.
• API security through strong authentication and authorization.

Align and optimize SDN compliance sustainability:

• Design APIs that enhance organizational SDN capabilities, emphasizing optimal uptime and long-term sustainability. Align API development with organizational guidance and governance standards, ensuring broader compliance with open standards and interoperability.

Establish a common data model:

• Establish a standardized schema, a common data model for use across all API endpoints.
• Define data sharing between API components for seamless integration, consistency, and data interoperability.

Review existing open standards and protocols:

• Promote interoperability and open standards design architecture for easy and more extensive adoption. Leverage open standards and protocols to ensure compatibility between SDN API components.

Design for security compliance:

• Establish secure communication channels as part of the functional requirements of SDN API design and development.
  • Enforce strong security mechanisms, such as authentication and authorization, to protect the entire SDN architecture.
  • Restrict access to the SDN controller and management plane only to approved entities.
  • Apply Least Privilege principle and Just-In-Time (JIT) access where applicable.
  • Incorporate log management/mechanisms as part of the API framework for implementation.

Review Northbound APIs:

• Leverage and design northbound APIs to establish communication between the SDN controller and the network applications.
• Enable network automation and dynamic traffic management through APIs.

Review Southbound APIs:

• Leverage and design southbound APIs to enable communication between the SDN controller and the network devices.
• Define the protocol standards and processes required to configure network devices through the SDN controller.

Review Data Plane APIs:

• Define the data plane APIs and related components responsible for packet forwarding and flow table updates.
• Enable SDN real-time operations, high performance, and traffic path management.

Define Telemetry APIs:

• Define network performance metrics and telemetry data statistics to enhance network troubleshooting, optimization, and security.
• Leverage API versioning to ensure compatibility between different components of the SDN architecture.

Define objectives and scope:

• Clearly define and identify use cases pertinent to the business and mission needs related to network performance, security posture enhancement, and threat detection capability. Determine specific metrics and analytics requirements for the SDN. Key elements to consider:
  • Validate mission use case.
  • Assess the current environment.
  • Address any existing roadblocks or challenges.
  • Review, verify, and validate design with vendors, Subject Matter Experts (SMEs), and stakeholders.

Design SDN architecture:

• Prioritize an API-driven networking architecture. Leverage the SDN as a centralized platform to deploy Information Technology (IT) infrastructure and to manage, secure, and direct traffic and data flows across the environment. Key considerations include:
  • Consider simplified network design principles.
  • Account for cloud computing and hybrid deployment requirements.
  • Evaluate on-premises versus cloud-based environment configurations.
  • Align with interoperability requirements and open standards.

Deploy SDN controller and network endpoints:

• Design, procure, and build an approved SDN infrastructure compatible with a centralized deployment approach around an SDN controller. Deploy southbound and northbound APIs to facilitate communication among the three (3) layers:
  • Application layer to communicate with the data plane to manage network applications and services.
  • Control layer to communicate with the control plane, acting as the command center of the network management platform.
  • Infrastructure layer to communicate with different physical network endpoints (e.g., routers, switches, etc.) that move data packets.

Implement logging configuration:

• Enable support for logging capability across all managed network resources. Standardize log format across the network infrastructure to facilitate interoperability and log analysis. Collect log events from all sources, including:
  • User/Person Entity (PE) activity
  • Applications and services
  • Network devices
  • API gateways

Select a centralized log repository:

• Establish requirements for the log repository and ensure they align with Enterprise specifications. Define storage requirements such as data-at-rest encryption, out-of-band management, and data retention policy. Key features to consider:
  • Ensure log integrity.
  • Enable access-control policy to log repository.
  • Configure strong encryption on log storage.
  • Enable real-time log streaming capability.

Integrate logging with the main controller:

• Deploy the SDN controller so logs from different network sources can be collected and centralized. Leverage syslog configurations on network devices over a secure channel to deliver logs to the log repository. Leverage API integration to secure logs from applications and services. Key features to consider:
  • Syslog configuration.
  • Create a virtual private network segment for log delivery.
  • Implement critical event alerting.
  • Develop log enrichment capability for event correlation.

Define automation goals:

• Establish automation goals and objectives. Automate the provisioning of network resources using APIs to build and modify network configuration templates. Automate the deployment and enforcement of security policies. Leverage network telemetry to automate alert generation on key performance metrics. Some key features to consider:
  • Network resources provisioning
  • Dynamic resource scaling
  • Dynamic policy enforcement
  • Workflow creation and deployment

Identify API standards and requirements:

• Develop or adopt APIs, following industry standards and best practices. Develop specific requirements tailored to mission needs and operational constraints. Some recommended key features to consider:
  • Client-server architecture
  • Statelessness
  • Cache-ability capability
  • Layered system
  • Uniform interface
  • Resource-based
  • Standardized methods

Leverage SDN API functionalities:

• Leverage SDN APIs to provide a control plane abstraction to allow centralized network management. Adopt a diversity in protocol, supporting interoperable communications between network components. Key features to consider:
  • Network programmability
  • Zero-touch provisioning
  • Network security
  • Centralized management
  • Application performance
  • Portability across different platforms
  • Scalability and flexibility

Enable analytics and alerting:

• Develop real-time/near real-time analytics capability for the centralized log repository based on business or mission requirements. Enable logs and historical data analysis to set up alerts for critical events. Implement powerful search engines for faster query requests. Key features to consider:
  • Develop dashboards for visualization.
  • Implement anomaly detection.
  • Review performance metrics.
  • Automate Incident Responses (IRs).

Implement network decision and enforcement points:

• Define policy rules leveraged by Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) to grant or deny access to network resources. Enforce access control policies. Monitor and evaluate resource access by applying predefined rules, ensuring compliance with security policies. Key features to consider:
  • Dynamic security
  • PEP
  • PDP
  • Policy Information Point (PIP)
  • Policy Administration Point (PAP)
  • Attribute-Based Access Control (ABAC)

Enable network segmentation:

• Implement segmentation gateways to isolate parts of the network and reduce the attack surface. Introduce enforcement points between network segments for packet inspection and access control. Enable and deploy network security zones to further protect the SDN infrastructure. Key features to consider:
  • Software-defined access policy
  • Group-based policy
  • Role-based policy

Implement secure communication protocols:

• Design and deploy a robust security framework for SDN by adopting secure network communication.
• Enable device authentication.
• Ensure data encryption in transit by leveraging secure protocols, such as the latest Transport Layer Security (TLS) or Secure Shell (SSH), etc., for remote access management. Some secure protocols to consider:
  • TLS, Hypertext Transfer Protocol Secure (HTTPS), provides end-to-end encryption for network communications.
  • SSH for remote access and infrastructure management.
  • Internet Protocol Security (IPsec), for network layer security, provides packet encryption and authentication.
  • Simple Network Management Protocol version 3 (SNMPv3) for network management security.
  • Secure Network Configuration (NETCONF) protocol for secure configuration management.
  • OpenFlow Protocol Security.

Deny all ports by default:

• Adopt the “deny all, permit by exception” strategy rule. Perform a NetFlow analysis to baseline the normal operation status of the environment to restrict the control access policy. Deny all network communications traffic by default and only allow network communications traffic by exception. Key points to consider:
  • Review legacy application compatibility.
  • Account for unexpected dependencies.
  • Adopt a deployment-Phased approach.
  • Enable rollback capabilities to avoid critical service interruption.

Define a strategic placement:

• Consider internal segmentation, perimeter boundaries, and remote access requirements before deploying control proxies at the edge and throughout the SDN. Verify and validate a business use case for legacy systems and applications for easy transition. Evaluate the benefits of implementing an Application Delivery Controller (ADC) vs. the traditional Virtual Private Network (VPN). Key features to consider:
  • Legacy systems and application requirements
  • Remote Access Policy
  • Multi-tenancy support

Establish key functions:

• ADCs perform multiple functions. Some key functions to consider are:
  • Reverse proxy
  • Load balancing
  • TLS offloading
  • Traffic optimization
  • Health monitoring
  • Distributed Denial-of-Service (DDoS) protection
  • Web application firewall
  • Central authentication
  • Multi-tenancy support
  • Caching

Review devices and network security hardening guidelines:

• Review existing and revised best practices and industry standards for network segmentation, security, and protection. Always rely on multiple layers of defense for a more secure network design.
• Ensure redundant devices in critical core areas are implemented across all network segments to provide availability, fault tolerance, load balance, and maximum network throughput.
• Adopt and enforce Enterprise recommended cryptographic algorithms for end-to-end network traffic encryption with built-in capability for Deep Packet Inspection (DPI) and monitoring.

Review and manage risks from SDN controllers:

• Adopt a cluster of load-balanced SDN controllers to avoid a single point of compromise. Maintain the secure integrity of the cluster and all the elements of the controller through strict authentication and authorization policies.
• Stay aware and vigilant of all known vulnerabilities associated with different SDN elements. Implement a repeatable process for rapidly applying vetted software updates to all elements of the SDN architecture(s).

Review and manage risk from communication protocols, including Transport Layer Security (TLS) inspection:

• Routinely review all TLS security settings, including version, cipher suites, and certificate authorities, for strict access controls and to verify and validate continuous compliance with the Enterprise and industry-vetted security best practices, policies, and standards.
• The adoption of encrypted communication channels is recommended for all SDN implementations. Enforce OpenFlow communications over the strongest version of TLS with systematic authentication and authorization controls for each session.

Leverage the SDN infrastructure, from Activity 5.2.2 (Phase One) – Implement Software-Define Networking (SDN) Programmable Infrastructure, to further review controller and software-defined architecture:

• Adopt a secure design for the SDN architecture to satisfy essential functions, such as:
  • Secure automated resources provisioning
  • Control plane abstraction
  • Segmentation and dynamic security policy enforcement
• Adopt a distributed application-aware firewall deployed at each segment boundary to restrict access control and properly segregate traffic between different SDN elements and planes.
• Align SDN design objectives for network automation, centralized management, security enforcement, improved agility, and scalability with the broader Enterprise network security strategy and modernization.

Leverage the SDN implementation, from Activity 5.2.2 (Phase One) – Implement Software-Defined Networking (SDN) Programmable Infrastructure, to verify and validate the deployment of a controller and centralized control:

• Leverage previous applications and network flow mappings to better understand the network infrastructure's normal operational profile and establish a functional baseline. Identify and approve only vetted traffic patterns by implementing a deny-by-default approach to all network traffic.
• Select a cluster of controllers that are logically centralized, scalable, and load-balanced to manage network devices across the entire SDN architecture. Design a fault-tolerant SDN cluster of controllers for high availability in support of network scalability.
• Ensure the SDN elements' decoupling and segregating different planes through a layered design architecture to centralize and restrict control plane access.

Implement the Southbound interface (data plane):

• Select a compatible open standard protocol to facilitate the control and data plane interface. Avoid vendor lock-in with non-interoperable and proprietary protocols.
• Configure the SDN controller to authenticate southbound Application Programming Interface (API) control-plane messages received from SDN-enabled network elements using a Federal Information Processing Standards (FIPS)-approved message authentication code algorithm.
• Enable secure configuration to protect the data plane and the various forwarding traffic functions initiated by the control plane across the integrated network domains.

Implement the Northbound interface (management plane):

• Configure the SDN controller to authenticate northbound API messages received from business applications and management systems using a FIPS-approved message authentication code algorithm.
• Select a compatible northbound API to seamlessly integrate and connect with the SDN controllers seamlessly. Representational State Transfer Application Programming Interface (REST API) should be considered for its standardization, flexibility, and significant acceptance.
• Define and design API endpoints that provide secure access to relevant network segment information and allow applications to perform necessary management actions, such as network topology, Virtual Local Area Network (VLAN) configuration, and Access Control List (ACL) tables.
• Implement caching mechanisms to improve API performance, reduce network latency, enhance scalability, and help load balance the SDN controllers.

Enforce access control:

• Leverage ACLs on network devices and gateway endpoints to filter traffic based on network parameters. Deploy distributed Next-Generation Firewalls (NGFWs) to restrict unapproved traffic and enforce access control-based policies between approved network segments.
• Leverage the concept of the security group to implement Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) types of identity profiles and enforce granular security policies at each session request and every gateway endpoint.
• Leverage the Access Control points, from Activity 5.3.1 (Phase One) – Datacenter Macro-Segmentation, to enforce access control policies and restrict access to approved entities only. Enforce authentication and approval policies based on application and service identities, the underlying network parameters, and User/PE/NPE identities.
• Leverage IDS/ IPS solutions for network monitoring, tracking, and restricting inbound and outbound traffic to include, whenever applicable, full-packet capture capability.
• Implement systematic identity verification, device posture validation, and strong authentication and authorization before granting access to the approved network segment using the principle of Least Privilege.

Identify, group, and segregate similar network traffic:

• Leverage traffic monitoring solutions and DPI techniques to capture and analyze network traffic. Examine network packets to identify applications, protocols, ports, and data types.
• Analyze traffic flows to understand approved communication patterns between different network elements. Apply appropriate tags for each plane of the SDN architecture and group network traffic based on criteria such as:
  • Application
  • Protocol
  • Port
  • Sensitivity Tag
  • Network Segment
  • VLAN ID
• Leverage traffic monitoring solutions and DPI techniques to capture and analyze network traffic. Examine network packets to identify applications, protocols, ports, and data types.
• Configure separate logical, trusted subnets using planning to isolate distinct types of network traffic. Leverage Artificial Intelligence (AI) and Machine Learning (ML) algorithms to automate the network traffic pattern analysis process over time.

Enable Internet Protocol Version 6 (IPv6) addressing compatibility:

• Whenever applicable, comply with Enterprise directives and industry best practices to select and deploy network technologies that are IPv6-enabled and ready for a seamless Enterprise-wide integration.
• Leverage vendor Subject Matter Expert (SME) support and approved solution integrators to build a seamless migration strategy plan.
• Adopt a phased approach for legacy systems, requiring an IPv4-IPv6 migration

Maintain complete network visibility:

• Leverage the various API integrations to provide and maintain real-time network visibility into the entire infrastructure landscape, enabling data flow control between different network elements, planes, and security solutions on the SDN architecture.
• Implement centralized logging by using APIs to collect, aggregate, and analyze log data from various security appliances, network segments, and system events into a secure, centralized log management platform.

Enable triggered workflows:

• Design workflow logic and automate security policy enforcement and monitoring. Integrate network configuration changes into the Continuous Integration/Continuous Delivery (or Deployment) (CI/CD) pipelines to orchestrate testing and deployment of configurations.

Enable API gateway integration:

• Leverage a broader API adoption, developed using open standards to minimize proprietary data interfaces, to avoid vendor lock-in integrations throughout the acquisition program lifecycle.
• Integrate security solutions via API to programmatically update network policies based on real-time events, security threats, Indicators of Compromise (IoC) containers, and system performance.
• Adopt industry best practice standards such as Open Authorization 2.0 (OAuth2) and JavaScript Object Notation (JSON) Web Tokens (JWT) for systematic authentication and authorization of all API consumers. Leverage API gateway and service mesh to centralize policy enforcement points for monitoring, management, and auditing.

Enable performance monitoring, advanced analytics, and reporting:

• Deploy network device APIs to collect advanced telemetry performance data and security events. Leverage streaming telemetry protocols to create real-time dashboards, visualize network performance, identify IoC, and help troubleshoot issues.

Enable API integration for configuration control:

• Leverage emerging technologies and tools, such as Configuration as Code (CaC) and Infrastructure as Code (IaC) to design and build immutable network deployments through vetted templating, Zero-Touch Provisioning (ZTP), and automated rollbacks built-in capabilities.

Review testing, verification, and validation strategies:

• Create a testing environment for the simulation of traffic generation and capture. Tailor each flow for the specific plane, and leverage packet capture capability at gateway entry points to analyze network traffic.
• Leverage flow monitoring solutions to ensure that network traffic is accurately segmented, and each traffic pattern is correctly associated with each segment and the specific plane.
• Confirm that segmentation enforcement defaults to a deny-all posture, only allowing explicitly defined flows based on identity- and policy-driven authorization decisions.
• Integrate with Automation and Orchestration and Visibility and Analytics pillar solutions.

Adopt verification and validation of isolation.

• Perform isolation testing to verify and validate that traffic is segregated and restricted in accordance with network segment policies.
• Leverage Virtual Local Area Network (VLAN) and Virtual Routing and Forwarding (VRF) technologies to test network ACLs between network segments. Capture and analyze all flow logs to identify any violations or weaknesses in traffic filtering.

Collaborate with key stakeholders to identify public-facing Data, Applications, Assets, and Services (DAAS):

• Identify public DAAS by establishing cross-organizational joint workgroups to collaboratively identify all services and offerings within the environment, along with their operational requirements, accessible to Users/PEs/Non-Person Entities (NPEs) external to the Component.
• Leverage the following artifacts/activities to define public/private DAAS:
  • Component Master User Inventory, from Activity 1.1.1 (Discovery) – Inventory User
  • Component Master Device Inventory, from Activity 2.1.1 (Discovery) – Device Health Tool Gap Analysis
  • Component Master Application Inventory, from Activity 3.1.1 (Discovery) – Application and Code Identification
  • Component Data Catalog, from Activity 4.1.1 (Discovery) – Data Analysis

Design a public/private environment architecture:

• Develop a public/private environment architecture that places additional safeguards on DAAS that are externally accessed, to include logical segmentation of public resources from private resources, with access enforced at the risk boundaries.

Manage exceptions:

• Risks are determined by the Enterprise and/or Component.
  • Consider how risks can be mitigated to achieve an Enterprise/Component-approved acceptable level.
• Public DAAS that cannot be migrated to a DMZ are:
  • Identified.
  • Documented.
  • Approved or Rejected.
• Approval is granted where the justification for the exception outweighs the risks to the Enterprise/Component.
• Approval is periodically reassessed.

Implement Access Control points:

• Leverage the SDN APIs, authentication decision points, and implement segmentation gateways, from Activity 5.2.2 (Phase One) – Implement Software-Defined Networking (SDN) Programmable Infrastructure.

Enforce service communication security:

• Implement secure communication channels to encrypt and protect all service-to-service communications.
  • Leverage modern, Enterprise/Component-approved authentication and encryption transport protocols to protect data in transit, including internal/intra-segment traversal.
  • Enable secure WebSocket connections.
  • Implement cryptographic capabilities to ensure data integrity.
• Key features to consider:
  • Service mesh
  • API gateways
  • Mutual Transport Layer Security (TLS)
  • Open Authorization 2.0 (OAuth 2.0)/OpenID Connect

Monitoring and logging:

• Implement centralized logging through secure channels to protect against tampering.
• Capture and monitor all access logs, interaction events, and system activities.
• Integrate SIEM tools with log repository and SDN infrastructure. Key elements to consider:
  • Centralized logging
  • Real-time event monitoring
  • Network traffic monitoring
  • Runtime Application Self-Protection (RASP)

Log collection and aggregation:

• Identify all log sources and enable secure log transmission. Review legacy devices, services, and applications for log collection compatibility.
• Adopt a collection method, agent-based or agentless, based on system and application requirements, where possible.
• Select and deploy a log aggregation solution and verify and validate expected outcomes.
• Review and implement log encryption based on Enterprise data governance and retention policy. Key features to consider:
  • Secure log transmission, from Activity 5.4.4 (Phase Two) – Protect Data in Transit
  • Data log storage
  • Log collection, processing, analysis, from Activity 7.1.2 (Phase One) – Log Parsing
  • Leverage API calls to retrieve logs programmatically, using the interoperability standards, from Activity 4.2.2 (Phase One) – Interoperability Standards

Activity monitoring and analysis:

• Establish monitoring objectives and goals.
• Identify monitoring points using segment boundaries and environment perimeter.
• Capture and monitor traffic flows between environment segments.
• Leverage agent-based or agentless API calls to monitor critical environment access, where possible. Select and implement monitoring tools with built-in analysis capability for anomaly and threat detection. Key elements to consider:
  • Available threat intelligence ingestion
  • Intrusion Detection Systems (IDS)
  • Intrusion Prevention Systems (IPS)
  • NetFlow/Flow collectors
  • Full packet capture capability
  • Real-time analysis and response
  • Integration with SIEM/Security Orchestration, Automation, and Response (SOAR) resources
• Continuously researching emerging threats and verifying and validating Component macro-segmentation efforts continue to mitigate the risks to the Enterprise/Component level of acceptance.

Review and define mission objectives:

• Review and leverage the existing Enterprise network modernization guidance and standards.
• Review and leverage existing:
  • Component Master Device Inventory, from Activity 2.1.1 (Discovery) – Device Health Tool Gap Analysis
  • Component Master Application Inventory, from Activity 3.1.1 (Discovery) – Application and Code Identification
  • Component micro-segmentation architecture, from Activity 5.4.1 (Phase One) – Implement Micro-Segmentation
  • Application Programming Interface (API) Gateways, from Activity 5.1.2 (Phase One) – Define Granular Control Access Rules and Policies Part 2
  • Resource Authorization Gateways, from Activity 3.4.1 (Phase One) – Resource Authorization Part 1
  • Software-Defined Compute Authorization Gateways, from Activity 3.4.3 (Phase One) – Software-Defined Compute (SDC) Resource Authorization Part 1
• Review or develop accurate environment topology artifacts to understand the existing Component multi-region/location environment structure and security posture.
• Review and ensure that greater environment visibility is enabled to maintain global cyber situational awareness.

Establish regional Installation Service Nodes (ISNs):

• Design and configure network devices to create and enforce regional policy-driven segmentation boundaries, such as:
  • Switches
  • Routers
  • Firewalls
  • Installation Gateways (IGs)

Implement multi-region environment segmentation:

• Choose tools for implementing environment segmentation.
• Use internal security controls, such as:
  • VLANs to enforce security controls
  • Defined access policies written into firewall rules
  • Software-Defined Networking (SDN)
• Choose solutions for managing access control within and between segments.
  • Include Network Access Control (NAC) solutions.
  • Include Identity, Credential, and Access Management (ICAM) solutions.
• Utilize access policies to restrict lateral movement between segments.

Enforce B/P/C/S security overlays:

• Leverage network security overlays, from Activity 5.3.1 (Phase One) – Datacenter Macro-Segmentation, to create B/P/C/S-based secure virtual network segments.

Select security tools and technologies:

• Select or leverage firewall solutions for implementing application-specific security stacks.
• Select or leverage access control solutions for managing access policies.
• Select or leverage tools for monitoring and logging application activities.
• Select or leverage UAM solutions to monitor User/Person Entity (PE) activity.
• Select or leverage existing Endpoint Detection and Response (EDR) solutions to monitor device activity.
• Select or leverage existing authentication decision solutions.

Segregate segment traffic:

• Leverage the data flow segmentation and mapping, from Activity 5.2.3 (Phase Two) – Segment Flows into Control, Management, and Data Planes.
• Leverage Authentication Decision Points and Implement Segmentation Gateways, from Activity 5.2.2 (Phase One) – Implement Software-Defined Networking (SDN) Programmable Infrastructure.
• Leverage PEPs, from Activity 3.4.2 (Phase Two) – Resource Authorization Part 2.

Review and enforce B/P/C/S applicable Attribute-Based Access Control (ABAC) policies:

• Establish clear objectives for rule-based dynamic policy and enforcement checks across B/C/P/S. Determine if existing solutions meet the multi-location requirements.
  • Include improved network security.
  • Include enhancing visibility.
  • Include supporting dynamic access control.
• Map and integrate Identity and Access Management (IAM) roles and permissions into B/P/C/S segments access control for dynamic identity and attribute-based policy restriction.

Identify device attributes and behavior:

• Identify key attributes to be monitored. Determine if existing defined attributes meet the multi-location requirements.
  • Include device type.
  • Include operating system.
  • Include security posture.
• Identify behavioral patterns to be monitored.
  • Include network traffic patterns.

Select proxy and enforcement:

• Choose proxy tools for monitoring.
• Choose proxy tools for controlling network traffic.
• Select a service mesh to help monitor and map traffic flows.
• Select enforcement tools for implementing access control.
• Select enforcement tools for policy enforcement.

Implement continuous monitoring and reporting:

• Configure environment continuous monitoring to track application activities and alert on potential segment access violations.
  • Include proxy/enforcement, decision logs, and network flows.
• Generate log records and make them available for continuous monitoring.
  • Include detection of anomalies.
• Implement reporting mechanisms to provide visibility into network access and application activities, such as:
  • Policy enforcement and allow adjustments and revisions as needed.
  • Cross-domain compliance and ensure cybersecurity risk management performance is evaluated and updated as required.
• Prevent unnecessary protocols across the network boundary.
• Configure UAM solution to monitor User/PE activity and generate alerts for suspicious behavior.
• Configure Security Information and Event Management (SIEM) solution to collect, monitor, and analyze security events from all components.

Conduct periodic network penetration testing:

• Collaborate with key stakeholders to develop rules of engagement and scope.
  • Review the environment components.
  • Review the system dependencies.
  • Analyze traffic patterns and data flows.
• Assess the current security posture of each environment segment and identify security requirements.
  • Include existing firewall rules.
  • Include environment segment access policies.

Verify and validate macro-segmentation security configuration:

• Conduct functional environment testing to ensure the macro-segmentation configuration works as intended.
• Ensure security configuration can identify, verify, validate, and record environment access requests, attempts, and violations.
• Develop testing of a multi-tenancy capability to ensure environment isolation and continuous compliance among different network environments.

Collaborate with key stakeholders to further refine environment compartmentalization:

• Identify and collaborate with key stakeholders, including the Enterprise, to develop a microsegmentation plan to refine the Component public/private architecture to:
  • Distribute Data, Applications, Assets, and Services (DAAS) across systems with explicit access controls. Examples include:
    • Separating the database from a web server on a different host.
    • Separating security functions, like vulnerability scanning, from non-security dedicated hosts.
    • Separating management functions, like network device administration, from nonmanagement dedicated hosts.
  • Ensure virtual hosting environments employ micro-segmentation at the host/container level.
  • Confirm services are provided through application delivery control proxies.

Design environment micro-segmentation architecture:

• Extend the Component public/private architecture, from Activity 5.3.1 (Phase One) – Datacenter Macro-Segmentation, to develop a Component micro-segmentation architecture.

Update violation and remediation actions:

• Leverage the Component IR policy/plans.
  • Identify how the Component will handle access violations and extend the Component IR policies/plans to incorporate these actions.
• Identify how the Component will remediate access control failures, such as misconfigured access points, proxies, network Access Control Lists (ACLs), etc.
  • Remediation actions could include technical automation and/or manual actions in accordance with the Component’s policies and procedures.
  • Misconfiguration of access controls could be governed by vulnerability management.

Migrate services:

• Leverage the micro-segmentation plan and implement a phased approach to:
  • Migrate the identified services to new appropriate hosts.
  • Configure micro-segmentation on virtual systems/hosts.
  • Deploy application delivery control proxies and migrate necessary services.
  • Establish minimum necessary access to the services/hosts to support Enterprise/Component requirements, Least Privilege, and Role-Based Access Control (RBAC).

Implement API decision points:

• Leverage the access control points, from Activity 5.3.1 (Phase One) – Datacenter MacroSegmentation, to secure Component DAAS. Additional access control points are also defined after completing:
  • Activity 3.4.1 (Phase One) – Resource Authorization Part 1 defines authorization gateways.
  • Activity 5.2.2 (Phase One) – Implement Software-Defined Networking (SDN) Programmable Infrastructure defines authentication decision points and implements segmentation gateways.

Verify and validate DAAS migration:

• Test, verify, and validate DAAS are accessible, and operational requirements have been maintained.
• Test, verify, and validate that DAAS has the minimum necessary access in accordance with Enterprise/Component requirements.
• Test, verify, and validate that the final implementation is aligned with the Component microsegmentation plan and/or update the plan as necessary.

Dynamic policy engines:

• Implement and integrate dynamic policy engines capable of automatically evaluating and enforcing segmentation, access, and logging requirements in real-time based on predefined rules, contextual attributes, and system state.
• Configure automated policies to design, build, and securely deploy consistent container applications.
• Enforce dynamic policies through the access enforcement solutions, from Activity 5.3.1 (Phase One) – Datacenter Macro-Segmentation. Key elements to consider:
  • Real-time adaptation
  • Machine learning
  • Orchestration tools

Trigger-based policy updates:

• Enable event-based policy updates, such as security alerts, identity profile changes, and logging patterns
• Implement scheduled updates for routine review to ensure compliance with established policies.

Integrate micro-segmentation with Capabilities from the Automation and Orchestration Pillar and the Visibility and Analytics Pillar:

• Based on the ZT Automation and Orchestration Pillar:
  • Integrate segmentation policy enforcement points with Component automation and orchestration tools to support real-time policy deployment and updates.
• Based on the ZT Visibility and Analytics Pillar:
  • Ensure all micro-segmentation activities generate and forward logs that align with Component logging and visibility standards.
  • Continuously assess segmentation effectiveness, detect policy violations, and validate automated enforcement actions.

Periodic Assessment:

• Periodically reassess that functionality meets operational demands and access control is maintained in accordance with Enterprise/Component policy. The assessment interval is determined by the Enterprise/Component-defined policy, but it is strongly recommended that the interval is no longer than annually.

Collaborate with key stakeholders to further refine environment compartmentalization.

• Leverage the Component micro-segmentation architecture, from Activity 5.4.1 (Phase One) – Implement Micro-Segmentation, as a starting point.
• Define requirements, including:
  • Ensure Role-Based Access Controls (RBACs)/Attribute-Based Access Controls (ABACs) are assigned.
    • Leverage the Enterprise Lifecycle Management Plan, from Activity 1.5.2 (Phase Two) – Enterprise Identity Lifecycle Management (ILM) Part 1
  • Provide PAM services.
    • Leverage the PAM solution, from Activity 1.4.1 (Phase One) – Implement System and Migrate Privileged Users Part 1 or Activity 1.4.2 (Phase Two) – Implement System and Migrate Privileged Users Part 2
  • Limit access on a per-identity basis for Users/PEs and devices.
    • Leverage Activity 1.2.2 (Phase Two) – Rule-Based Dynamic Access Part 1
  • Create logical network zones.
    • Leverage Activity 5.2.3 (Phase Two) – Segment Flows into Control, Management, and Data Planes
  • Support policy control via Representational State Transfer Application Programming Interface (REST API). Leverage the access control points:
    • Authorization gateways, from Activity 3.4.1 (Phase One) – Resource Authorization Part 1
    • SDN API, from Activity 5.2.2 (Phase One) – Implement Software-Defined Networking (SDN) Programmable Infrastructure
    • Authentication Decision Points and Implement Segmentation Gateways, from Activity 5.2.2 (Phase One) – Implement Software-Defined Networking (SDN) Programmable Infrastructure
• Identify Component workloads, the units of computation or processing, that run on an environment, which include:
  • Applications
  • Services
  • Processes
  • Hosts (virtual or physical)
  • Containers
• Identify micro-segmentation types that best support the Component’s operational requirements and identified workloads. Micro-segmentation types include:
  • Application segmentation
  • Tier segmentation
  • Container segmentation
• Create Component Service Offering Matrix:
  • Identify interconnections, communication flows, and dependencies between workloads, including required ports and protocols.
  • Catalog all running processes and associate them with applications.
  • Map processes to specific Users/Person Entities (PEs) and Non-Person Entities (NPEs).
  • Document north-south (client-to-server) and east-west (server-to-server) traffic patterns.
  • Classify workloads based on sensitivity.
  • Identify and document workload labels. Labels will need to be defined by the Component, but would typically include the application name, stage in the development cycle, location, and the workload’s role.

Design environment micro-segmentation architecture:

• Extend the Component reference architecture to include the micro-segmentation requirements. Leverage the Component Service Offering Matrix to develop a functional inter-workload dependence connectivity map.
• Identify micro-segmentation and workload labeling automation solutions that meet the Enterprise/Component requirements. Examples include:
  • Hypervisor-based firewalls for virtualized environments.
  • Cloud-native security groups for cloud deployments.

Verify and validate functionality/interoperability of micro-segmentation/workload labeling solutions.

• Test and confirm that the solution(s) functionality performs as expected within the Component development environment.
• Ensure implementation challenges are documented and accounted for in the solution implementation plan.

Workload labeling:

• Leverage the workload labeling solution(s) to apply the previously determined labels across all workloads within the Component environment.
• Integrate workload labels into the micro-segmentation automation solution(s), and access enforcement solutions, from Activity 5.3.1 (Phase One) – Datacenter Macro-Segmentation.

Application-level policy creation:

• Define granular rules for web servers (e.g., allow only Hypertext Transfer Protocol (HTTP)/Hypertext Transfer Protocol Secure (HTTPS) on ports 80/443 to application servers, etc.).
• Restrict database access to only application servers using specific ports (e.g., 5432 for PostgreSQL, 3306 for MySQL, etc.).
• Implement time-bound access policies for maintenance windows.
• Create separate rules for administrative access (e.g., Secure Shell (SSH), Remote Desktop Protocol (RDP), etc.) with stronger authentication requirements.

Application Component isolation:

• Separate web, application, and database tiers with different security groups or zones.
• Ensure applications traverse API gateways between components and dependencies.
• Create separate segments for different microservices within the same application.

Application identity-based controls:

• Implement service mesh technology for microservice applications.
• Use workload identity/labels rather than Internet Protocol (IP) addresses for policy enforcement.
• Configure mutual authentication services (e.g., mutual Transport Layer Security (mTLS), etc.) between application components, where applicable.

Host-based segmentation:

• Deploy specialized micro-segmentation agents on hosts, where possible.
• Use centralized policy management tools for consistency.
• Implement Host-Based Intrusion Prevention Systems (HIPS).
• Consider Endpoint Detection and Response (EDR) integration, from Activity 2.3.3 (Phase Two) – Implement Application Control and File Integrity Monitoring (FIM) Tools.

Emergency access procedures:

• Define break-glass procedures for emergency access.
• Create fallback policies for disaster recovery scenarios.
• Establish a process for temporary policy exceptions.

Process-level access controls:

• Configure host systems to control which processes can be executed.
• Apply mandatory access control mechanisms to restrict process capabilities.

File system and registry isolation:

• Implement process-specific access controls to sensitive file system areas.

Memory protection mechanisms:

• Implement Data Execution Prevention (DEP) to prevent code execution in data areas.
• Use Control Flow Integrity (CFI) or similar technologies to prevent malicious code from changing the flow of programs.
• Restrict Inter-Process Communication (IPC) mechanisms (pipes, sockets, shared memory) between processes.
• Implement message queue access controls for processes, where applicable.

Resource usage limitations:

• Set process-specific Central Processing Unit (CPU) and memory quotas, where applicable.
• Configure Input/Output (I/O) controls to prevent resource monopolization, where applicable.
• Apply disk quota limits for process-specific users, where applicable.
• Implement resource control technologies where applicable.

Define and select a container orchestration platform:

• Identify mission-specific use cases for container orchestration, such as microservices deployment, batch processing, or application dynamic scaling.
• Evaluate the existing Software Development Lifecycle (SDLC) infrastructure, applications, and capability to justify and review the adoption of containerization technologies.

Application deployment:

• Define a preferred application deployment model using manifests and charts.
• Develop Yet Another Markup Language (YAML) file for K8s to define application resources (e.g., deployment, services, ConfigMaps, etc.) or Helm charts for templating.
• Build automation into deployment by developing and implementing Continuous Integration/Continuous Delivery (or Deployment) (CI/CD) pipelines. Key principles to consider:
  • Horizontal scaling
  • Scaling policies
  • Cluster configuration

Select and deploy sidecar proxies:

• Select and implement a sidecar proxy based on operational requirements.
• Deploy sidecar proxies as part of container orchestration to simplify deployment.
• Enable telemetric collection to capture different metric types (e.g., error rate, latency, logging, etc.). Implement distributed tracing. Key elements to consider:
  • Metrics aggregation
  • Sidecar containers

Validation:

• Verify and validate all Component workloads function/work post-segmentation.
• Verify and validate that the micro-segmentation solutions have expected granular control.
• Ensure unapproved communication to the micro-segmented workload is blocked.
• Confirm network visibility allows detection of anomalies and violations.
• Test operational performance to identify any latency introduced by segmentation.

Periodic reassessment:

• Conduct security assessments using automated scanning tools to verify and validate micro-segmentation controls function properly and identify potential policy drift or vulnerabilities. Conduct at a frequency in accordance with Enterprise/Component requirements. It is strongly recommended to be quarterly.
• Schedule traffic pattern analysis to identify changes in application communication flows and update the Component Service Offering Matrix and segmentation policies accordingly; no more than biannually. It is strongly recommended to conduct at a frequency in accordance with Enterprise/Component requirements.
• Perform tabletop exercises simulating breach scenarios to test lateral movement restrictions and emergency access procedures. Conduct at a frequency in accordance with Enterprise/Component requirements. It is strongly recommended to be at least annually.
• Review logs and monitoring dashboards to identify denied connections that may indicate legitimate business needs requiring policy adjustments. Conduct at a frequency in accordance with Enterprise/Component requirements. It is strongly recommended to be monthly.
• Establish a policy review process with stakeholders to align micro-segmentation controls with evolving business requirements and new workloads. Conduct it at a frequency in accordance with Enterprise/Component requirements. It is strongly recommended that it be semi-annual.
• Conduct technology assessment to evaluate new micro-segmentation capabilities against current implementation and identify potential improvements. Conduct at a frequency in accordance with Enterprise/Component requirements. It is strongly recommended to be annual.

Acquire and review the Enterprise policies, regulations, and frameworks that ensure the protection of Data in Transit (DiT):

• Analyze the guidance or recommendations provided by the Enterprise on data protection while at rest, in transit, and in use to ensure secure information exchange.
• Leverage data criticality and control markings (e.g. to include transmission requirements for cross-domain and coalition info sharing use cases), from Activity 4.4.1 (Discovery) – Data Loss Prevention (DLP) Enforcement Point Logging and Analysis and Activity 4.5.1 (Phase One) – Implement Data Rights Management (DRM) and Protection Tools Part 1, to restrict data access, protect DiT, and safeguard data assets.

Identify security standards and technical controls required to ensure the Confidentiality, Integrity, and Availability (CIA) of DiT:

• Apply encryption, cryptographic key management, secure communication protocols, and access control mechanisms. Enforce authentication and authorization requirements previously implemented to restrict data access to only approved Users/Person Entities (PEs)/Non-Person entities (NPEs).

Develop encryption requirements:

• Leverage the Enterprise Public Key Infrastructure (PKI) and digital certificates to safeguard data assets while in transit.
• Review cryptographic algorithms to establish strong encryption specifications.
• Develop policies mandating encryption, secure protocols (e.g., Transport Layer Security (TLS), Internet Protocol Security (IPsec), etc.), and authentication mechanisms for secure data transmission.

Enforce authentication and authorization:

• Leverage existing Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC) implementations to restrict data access to approved users.
• Enforce Multi-Factor Authentication (MFA), or alternative, appropriate solution, to require strong authentication mechanisms for accessing sensitive data assets.

Enforce secure communication channels:

• Establish Enterprise guidelines for secure information sharing through secure communication channels.
• Align with Enterprise-approved communication platforms.
• Periodically validate that channels remain secure.

Establish data integrity:

• Enforce hashing algorithms to safeguard sensitive data assets and ensure data integrity.
• Enable self-detection and automated response (e.g. policy revocation, session teardown, etc.) to data tampering attempts.

Understand approved information sharing requirements:

• Identify the types of data to be shared and their sensitivity levels.
• Define the scope of the Information Sharing Agreement (ISA) and partnering objectives.
• Identify interoperability requirements.
  • Comply with Enterprise and regulatory mandates for information sharing compliance.
  • Identify existing and future Component-level interoperability operational needs.

Review and refine mechanisms:

• Periodically review the protection mechanisms to ensure alignment with evolving requirements.
• Incorporate lessons learned from operations and audits to improve system effectiveness.
• Leverage data encryption and rights management capability, criticality, and control markings, from Activity 4.4.1 (Discovery) – Data Loss Prevention (DLP) Enforcement Point Logging and Analysis, Activity 4.5.1 (Phase One) – Implement Data Rights Management (DRM) and Protection Tools Part 1, and Activity 4.5.3 (Phase Two) – Data Rights Management (DRM) Enforcement via Data Tags and Analytics Part 1, to restrict data access, protect DiT and safeguard data assets.

Configure monitoring and logging:

• Enable monitoring tools to oversee data transfers across system-high boundaries.
• Maintain audit logs for compliance and incident investigation.

Integrate monitoring and auditing tools:

• Deploy monitoring systems to detect anomalies or unapproved access during data transmission.
• Enable alerting on anomalies or policy violations.
• Enable logging and auditing for compliance and IR purposes.

Test, verify, and validate integration:

• Conduct end-to-end testing to ensure mechanisms function seamlessly across components.
• Verify and validate data security under operational conditions and simulated environments.

Test, verify, and validate Implementation:

• Verify and validate data transfer security against established security requirements.