Was Asked to "Create A Secure Enclave"

egrizzly

So this new CISO shows up in our environment last week and already, just yesterday, he asks that I create a secure enclave.  What in the name of the four winds is a secure enclave.  I've never come across this verbage my entire time in IT, in this forum, or during my time studying for any certifications.

JDMurray

The first thing that pops into my head is a very segmented, restricted, and monitored area of a network used to contain sensitive and regulated information, such as PCI-DSS or HIPAA. Compliance auditors often require such and look for it.
I would guess whatever "secure enclave" meant in the CISO's previous situation is what s/he is referring to now as if everyone in the new situation will automatically understand its meaning. The CISO will have no idea how to plan, implement, or maintain a secure enclave, but will demand metrics from it presented in slide decks.
 

TechGromit

Isolated network is what I'm thinking. A Data Diode would allow you to transmit info one way if you need status updates. That's how our power plant runs, the Plant network is completely isolated, but can still report plant status information to other departments thru the diode. Nothing is allowed to directly access the isolated network from the outside, not even with firewalls, one way traffic only. 

egrizzly

You folks all said something similar.  We no doubt have to be behind either a router with locked down access lists or behind a firewall.  How did you guys do it in the past?  ...and yeah, I gotta admit, this CISO is different, lol.  Seems like he's trying to flex his muscles.

JDMurray

egrizzly said:

You folks all said something similar.  We no doubt have to be behind either a router with locked down access lists or behind a firewall.  How did you guys do it in the past? 

You gotta think security segmentation in layers starting with the Layer 8 humans and their applications and on down to the Layer 1 hardware. Then there is the business segmentation in which you think about all the external entities that are needed to create/modify/transport/process/store whatever it is you are trying to protect in that "secure enclave" and how it supports the org's ability to do business. You can see that this is a project requiring multiple people with multiple subject-matter-expertises.

egrizzly said:

...and yeah, I gotta admit, this CISO is different, lol.  Seems like he's trying to flex his muscles.

All new C-levels are expected to make an immediate mark on their new org. After all, a new C-level is rarely hired to "maintain the status quo." Instead, a new C-level is a chance to make things better for the org by expanding scopes, changing paths, tightening belts, and modernizing the corporate culture. There are some different challenges if the new C-level is replacing a former C-level (i.e., a back-fill) or is filling a brand new C-level position just created within the org (e.g., an org's first CISO). It really helps if you gone through multiple C-level transitions in multiple orgs over many years.

scasc

Zero trust to secure and micro segment your network segments. Doing a lot around this with CASB, SASE, SD WAN, layer 7 proxies etc

veritas_libertas

Yeah, this has to be related to Zero Trust. I knew I had heard this term thrown around before (I had to Google some), and it was Apple's approach to a secure subsystem.

https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web

SteveLavoie

TechGromit said:

Isolated network is what I'm thinking. A Data Diode would allow you to transmit info one way if you need status updates. That's how our power plant runs, the Plant network is completely isolated, but can still report plant status information to other departments thru the diode. Nothing is allowed to directly access the isolated network from the outside, not even with firewalls, one way traffic only. 

I am curious.. how is a data diode implemented.. Special equipment? 

UnixGuy

I need to keep up with this lingo

egrizzly

JDMurray said:

egrizzly said:

You folks all said something similar.  We no doubt have to be behind either a router with locked down access lists or behind a firewall.  How did you guys do it in the past? 

You gotta think security segmentation in layers starting with the Layer 8 humans and their applications and on down to the Layer 1 hardware. Then there is the business segmentation in which you think about all the external entities that are needed to create/modify/transport/process/store whatever it is you are trying to protect in that "secure enclave" and how it supports the org's ability to do business. You can see that this is a project requiring multiple people with multiple subject-matter-expertises.

egrizzly said:

...and yeah, I gotta admit, this CISO is different, lol.  Seems like he's trying to flex his muscles.

All new C-levels are expected to make an immediate mark on their new org. After all, a new C-level is rarely hired to "maintain the status quo." Instead, a new C-level is a chance to make things better for the org by expanding scopes, changing paths, tightening belts, and modernizing the corporate culture. There are some different challenges if the new C-level is replacing a former C-level (i.e., a back-fill) or is filling a brand new C-level position just created within the org (e.g., an org's first CISO). It really helps if you gone through multiple C-level transitions in multiple orgs over many years.

Yes, I would certainly say with the sharp, cutting-edge security words he uses on our daily briefs and the standards, SOPs, and metrics he mouths he's certainly out to make a mark.  I'm glad you mentioned it being "...a project requiring multiple people with multiple subject-matter-expertises." because like a few folks here it's my first time hearing about it.  Hopefully there's flexibility in timeframe needed to get it done.

yoba222

I've never worked with this, but as a start it looks likes there's the NIST SP 800-207 which mentions "zero trust" as well as "enclave" among the lingo.
https://www.nccoe.nist.gov/news/nist-releases-finalized-zero-trust-architecture-guidance

egrizzly

Thanks a mil for the link-share @yoba222.  I'll definitely look into it.  Looks like it's rich with information since it's the NIST standard.