Transcript

Name: 05140-01 Perimeter Control Concepts
Author: Bela Varkonyi
Version: 1.8
Created: 2014.07.14. 13:44:58
Updated: 2014.08.08. 13:32:20

Security Enclave {1..*}

Notes: Collection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.

Security Domain {1..*}

Notes: A security domain is a set of elements under a given security policy administered by a single security authority for some specific security-relevant activities. [ITU-T X.810] Enclaves can be broken down into Security Domains or Communities of Interest (COIs).

Security Zone {1..*}

Notes: A security zone is defined by operational control, location, and connectivity to other device/network elements.

Security Environment

Protected Area {1..*}

Staging Environment

{1..4}

Security Perimeter

Security Perimeter Control

{0..*}

Physical Perimeter Control

Logical Perimeter Control

Administrative Perimeter Control

Ensure administrative accountability

Align with physical security environments

Defend in depth

Ensure controlled staging by administrative domain separation

Avoid production data leakage to unauthorized personnel and partners in the staging process

Enable alignment and synergy of different types of security controls

Balance various security controls between effectiveness and efficiency

Compensate for weaknesses in host and application based security controls

Protected Device

Protected Host

Protected Application

Protected Communication

Enclave STIG V4R4

Align with security policy scope boundaries

National Information Assurance (IA) Glossary

DoD Cybersecurity

Enclaves provide standard cybersecurity, such as boundary defense, incident detection and response, and key management, and also deliver common applications, such as office automation and electronic mail. Enclaves may be specific to an organization or a mission, and the computing environments may be organized by physical proximity or by function independent of location.

Security Enclave Boundary

Notes: Point at which an enclave’s internal network service layer connects to an external network’s service layer, i.e., to another enclave or to a Wide Area Network (WAN). An enclave boundary is an entry/exit point of a network of dissimilar security policy.

Enclaves always assume the highest security category of the ISs that they host, and derive their security needs from those systems.

Development Environment (DEV)

Notes: Unit testing. Optionally: simulation of integration interfaces

Integration Test Environment (ITST)

Notes: Integration testing. Emulation of integration interfaces

Acceptance Test Environment (ATST or UAT)

Notes: Final acceptance testing for production rollout. Live integration interfaces of other test systems

Production Environment (PROD)

Notes: Live operations

A protected area is an intersection of a security zone and a security domain,

ITU-T X.805 Security architecture...

Align with security planes

A given security domain may span multiple security zones. [ITU-T Y.2701]
