
Currently, we have a number of domains for various purposes like back office, production, DMZ, partners, etc. There has been a change in management thinking to simplification. They want all the resources to fall under one trust.

I'm responsible for the security of this change (Cybersecurity professional, former Enterprise Admin/Domain Admin). What should I be worried about and is this a good idea?

I've reviewed...

...so I think I have some of the basics down, but I'm worried about the unknown unknowns.

Thanks in advance.

oBreak
    I think this question is a bit opinion based. Anyway, I think segmentation like your company is doing is actually a good thing as long as it's not only limited to the domain but also the network layer, so that for example the back office hosts can't reach the production hosts and vice versa. If this is the case, I'd strongly suggest: **Keep it!** I promise that when your company grows you will get to a point where you wish that things were still separated. And it can be **very** hard to undo such a change. If this kind of separation is not done yet, I'd rather try to push it this way. – Noir Jul 27 '17 at 21:45
  • It would be easier for an attacker, since all the attack vectors are under the same roof. – Mobutu Sese Seko Kuku Ngbendu Sep 28 '20 at 07:22

1 Answer

Nobody can tell you what exactly you have to do unless you give more details about your infrastructure, your business processes, the software used, etc.

What I would advise is:

  1. Set up a network plan for your hypothetical new infrastructure.
  2. Put together a security analysis, including (at least):

    2.1. an IT-Infrastructure analysis (what assets will be involved in your new infrastructure and how will they interact)

    2.2. a vulnerability report

    2.3. a risk analysis

    2.4. a managerial report

  3. Especially 2.1 - 2.3 will help you find those "unknowns" you are worried about. Also interview other experts in your company, read accompanying documents, and look into other security documents.

You can check up on how all this is done in the various standards and norms. Just look around at nist.gov and look into the ISO/IEC 27000-27005.

Tom K.
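As an added example for step 2.1 of the answer (this is not code from the original post or its author), the script below inventories the domains and trusts of the current forest so the asset list and the trust boundaries that a consolidation would remove are on record before the security analysis starts. It assumes the ActiveDirectory RSAT module and read access to every domain; the output file names are arbitrary.

```powershell
# Added example, not from the original answer: inventory the existing
# multi-domain forest as input to step 2.1 (assets and how they interact).
# Assumes the ActiveDirectory RSAT module and read access to every domain.
Import-Module ActiveDirectory

function Get-DomainInventory {
    # One row per domain: functional level, PDC emulator, and how many accounts
    # sit in Domain Admins. After a consolidation these separate groups merge.
    $forest = Get-ADForest
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        $admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Server $d.DNSRoot `
                    -Recursive -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Domain       = $d.DNSRoot
            Mode         = $d.DomainMode
            PDCEmulator  = $d.PDCEmulator
            DomainAdmins = $admins.Count
        }
    }
}

function Get-TrustInventory {
    # One row per trust: these are the boundaries that disappear when everything
    # lands under one trust, so record their direction and the settings that
    # currently enforce separation (SID filtering, selective authentication).
    $forest = Get-ADForest
    foreach ($name in $forest.Domains) {
        Get-ADTrust -Filter * -Server $name | ForEach-Object {
            [pscustomobject]@{
                Source          = $_.Source
                Target          = $_.Target
                Direction       = $_.Direction
                ForestTrans     = $_.ForestTransitive
                SIDFilterQuar   = $_.SIDFilteringQuarantined
                SIDFilterForest = $_.SIDFilteringForestAware
                SelectiveAuth   = $_.SelectiveAuthentication
            }
        }
    }
}

$domains = Get-DomainInventory
$trusts  = Get-TrustInventory
$domains | Format-Table -AutoSize
$trusts  | Sort-Object Source, Target | Format-Table -AutoSize
# Persist both tables as an appendix to the security analysis (step 2);
# file names are placeholders.
$domains | Export-Csv -NoTypeInformation -Path .\domain-inventory.csv
$trusts  | Export-Csv -NoTypeInformation -Path .\trust-inventory.csv
```

Run it from a workstation with RSAT as an account that can read every domain; the CSV files give the risk analysis (2.3) a concrete list of which privileged groups and trust settings the single-domain design would collapse.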