Date Published: August 5, 2022
Comments Due:
Email Questions to:
Author(s)
Ramaswamy Chandramouli (NIST)
Announcement
The enterprise network landscape has undergone a significant transformation in the last decade. The drivers for this transformation are enterprise access to multiple cloud services, the geographic spread of enterprise-owned (on-premises) IT resources (e.g., in a central office, multiple branch offices, and data centers), and changes to application architecture from being monolithic to a set of loosely coupled microservices. The transformation has the following security impacts:
- disappearance of the concept of a perimeter associated with the enterprise network;
- an increase in attack surface due to the sheer multiplicity of IT resource components; and
- sophistication of the attackers in their ability to escalate attacks across several network boundaries leveraging the connectivity features.
The initial public draft of NIST Special Publication (SP) 800-215, Guide to a Secure Enterprise Network Landscape, provides guidance for navigating this new enterprise network landscape from a secure operations perspective. It examines the security limitations of current network access solutions and point security solutions through traditional appliances with enhanced security features. It also considers new appliances, emerging network configurations, frameworks that incorporate the configurations, and cloud-based wide area network (WAN) services with integrated security infrastructures.
NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
Access to multiple cloud services, the geographic spread of enterprise IT resources (including multiple data centers), and the emergence of microservices-based applications (as opposed to monolithic ones) have significantly altered the enterprise network landscape. This document is meant to provide guidance to this new enterprise network landscape from a secure operations perspective. Hence, it starts by examining the security limitations of the current network access solutions to the enterprise network. It then considers security feature enhancements to traditional network appliances in the form of point security solutions, network configurations for various security functions (e.g., application security, cloud access security, device or endpoint security, etc.), security frameworks that integrate these individual network configurations, and the evolving wide area network (WAN) infrastructure to provide a comprehensive set of security services for the modern enterprise network landscape.
Access to multiple cloud services, the geographic spread of enterprise IT resources (including multiple data centers), and the emergence of microservices-based applications (as opposed to monolithic ones) have significantly altered the enterprise network landscape. This document is meant to provide...
See full abstract
Access to multiple cloud services, the geographic spread of enterprise IT resources (including multiple data centers), and the emergence of microservices-based applications (as opposed to monolithic ones) have significantly altered the enterprise network landscape. This document is meant to provide guidance to this new enterprise network landscape from a secure operations perspective. Hence, it starts by examining the security limitations of the current network access solutions to the enterprise network. It then considers security feature enhancements to traditional network appliances in the form of point security solutions, network configurations for various security functions (e.g., application security, cloud access security, device or endpoint security, etc.), security frameworks that integrate these individual network configurations, and the evolving wide area network (WAN) infrastructure to provide a comprehensive set of security services for the modern enterprise network landscape.
Hide full abstract
Keywords
cloud access security broker (CASB); firewall; microsegmentation; secure access service edge (SASE); secure web gateway (SWG); security orchestration, automation, and response (SOAR); software-defined perimeter (SDP); software-defined wide area network (SD-WAN); virtual private network (VPN); zero trust network access (ZTNA)
Control Families
None selected
