IVS-06: Segmentation and Segregation

CSF v1.1 References:

PF v1.0 References:

Previous Version:

Control Statement

Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants.

Implementation Guidance

The following should be considered for control implementation:

  1. Established policies, procedures, and best-practices
  2. Possible definitions of segmentation should range from “total isolation” to “partial logical separation of business-critical assets and/or personal data/sensitive user data, and sessions”.
  3. Compliance with legal, statutory, and regulatory compliance obligations in-scope for particular use-cases or scenarios

Workloads between tenants and business lines should be segmented per the least privilege concept to reduce the attack surface. In addition, workload tagging, resource names, and identification should be used for workloads.

Auditing Guidance

  1. Review evidence to verify that the design and development of applications and infrastructure ensure appropriate best practices such as hardening, segmentation, and segregation is incorporated and the shared responsibility model between the CSP and CSC is maintained.
  2. Review evidence to verify that the deployment and configuration of applications and infrastructure follow appropriate hardening, segmentation, and segregation is incorporated and the shared responsibility model between the CSP and CSC is maintained.
  3. Review evidence to determine that segmentation and segregation is monitored.
  4. Review evidence to determine that the tenants are isolated from each other.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.