Was Asked to "Create A Secure Enclave"
egrizzly
Member Posts: 533 ■■■■■□□□□□
So this new CISO shows up in our environment last week and already, just yesterday, he asks that I create a secure enclave. What in the name of the four winds is a secure enclave. I've never come across this verbage my entire time in IT, in this forum, or during my time studying for any certifications.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
Comments
-
JDMurray Admin Posts: 13,101 AdminThe first thing that pops into my head is a very segmented, restricted, and monitored area of a network used to contain sensitive and regulated information, such as PCI-DSS or HIPAA. Compliance auditors often require such and look for it.
I would guess whatever "secure enclave" meant in the CISO's previous situation is what s/he is referring to now as if everyone in the new situation will automatically understand its meaning. The CISO will have no idea how to plan, implement, or maintain a secure enclave, but will demand metrics from it presented in slide decks.
-
TechGromit Member Posts: 2,156 ■■■■■■■■■□Isolated network is what I'm thinking. A Data Diode would allow you to transmit info one way if you need status updates. That's how our power plant runs, the Plant network is completely isolated, but can still report plant status information to other departments thru the diode. Nothing is allowed to directly access the isolated network from the outside, not even with firewalls, one way traffic only.
Still searching for the corner in a round room. -
egrizzly Member Posts: 533 ■■■■■□□□□□
You folks all said something similar. We no doubt have to be behind either a router with locked down access lists or behind a firewall. How did you guys do it in the past? ...and yeah, I gotta admit, this CISO is different, lol. Seems like he's trying to flex his muscles.B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+ -
JDMurray Admin Posts: 13,101 Adminegrizzly said:
You folks all said something similar. We no doubt have to be behind either a router with locked down access lists or behind a firewall. How did you guys do it in the past?egrizzly said:
...and yeah, I gotta admit, this CISO is different, lol. Seems like he's trying to flex his muscles.
-
scasc Member Posts: 465 ■■■■■■■□□□Zero trust to secure and micro segment your network segments. Doing a lot around this with CASB, SASE, SD WAN, layer 7 proxies etcAWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
-
veritas_libertas Member Posts: 5,746 ■■■■■■■■■■Yeah, this has to be related to Zero Trust. I knew I had heard this term thrown around before (I had to Google some), and it was Apple's approach to a secure subsystem.
https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web
-
SteveLavoie Member Posts: 1,133 ■■■■■■■■■□TechGromit said:Isolated network is what I'm thinking. A Data Diode would allow you to transmit info one way if you need status updates. That's how our power plant runs, the Plant network is completely isolated, but can still report plant status information to other departments thru the diode. Nothing is allowed to directly access the isolated network from the outside, not even with firewalls, one way traffic only.
-
egrizzly Member Posts: 533 ■■■■■□□□□□JDMurray said:egrizzly said:
You folks all said something similar. We no doubt have to be behind either a router with locked down access lists or behind a firewall. How did you guys do it in the past?egrizzly said:
...and yeah, I gotta admit, this CISO is different, lol. Seems like he's trying to flex his muscles.
Yes, I would certainly say with the sharp, cutting-edge security words he uses on our daily briefs and the standards, SOPs, and metrics he mouths he's certainly out to make a mark. I'm glad you mentioned it being "...a project requiring multiple people with multiple subject-matter-expertises." because like a few folks here it's my first time hearing about it. Hopefully there's flexibility in timeframe needed to get it done.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+ -
yoba222 Member Posts: 1,237 ■■■■■■■■□□I've never worked with this, but as a start it looks likes there's the NIST SP 800-207 which mentions "zero trust" as well as "enclave" among the lingo.
https://www.nccoe.nist.gov/news/nist-releases-finalized-zero-trust-architecture-guidance
A+, Network+, CCNA, LFCS,
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP