INF-004 Network Segmentation
Description
Network environments are segmented to isolate systems by function and sensitivity. Production systems are isolated from development, test, and administrative networks. Tenant workloads are logically separated from one another. Segmentation is enforced at the network layer and is documented.
Rationale
Segmentation limits the blast radius of a network compromise and prevents lateral movement between environments or between tenants.
Framework Mappings (5)
| Control ID | Control Name | Mapping |
| --- | --- | --- |
| I&S-05 | Production and Non-Production Environments | full |
| I&S-06 | Segmentation and Segregation | full |
| 8.22 | Segregation of networks | full |
| SC-32 | System Partitioning | informative |
| SC-7 | Boundary Protection | full |
Evidence (2)
Network segmentation configuration showing production, development, test, and administrative environments are isolated at the network layer, and tenant workloads are logically separated.
Example: AWS VPC routing table, security group, and network ACL export; GCP VPC firewall rules export; or equivalent cloud network configuration showing environment isolation and inter-VLAN traffic restrictions
Test: Export network configuration from the cloud provider. Verify: (1) separate VPCs, subnets, or network zones exist for production, development, test, and admin; (2) security groups or firewall rules prohibit unrestricted lateral traffic between zones; (3) tenant isolation is implemented (separate VPCs, namespaces, or equivalent); (4) attempt to trace a permitted traffic path between production and dev — confirm no default allow rule exists.
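As an added example (not part of this control catalog or any provider's tooling), a short Python check that automates verification steps (2) and (4) above: it reads a rule list shaped like an AWS security group export and reports inbound rules whose source range lies outside the zone the group protects, or is a default allow. The zone CIDRs and the rule entries are constructed assumptions for illustration.

```python
"""Added example: flag inbound rules that cross a trust-zone boundary or
come from a default-allow range. Zone CIDRs and rules are constructed."""
import ipaddress

# Assumed trust zones and their address ranges (constructed for this example).
ZONES = {
    "prod": ipaddress.ip_network("10.10.0.0/16"),
    "dev": ipaddress.ip_network("10.20.0.0/16"),
    "test": ipaddress.ip_network("10.30.0.0/16"),
    "admin": ipaddress.ip_network("10.40.0.0/16"),
}

# Constructed sample shaped like a flattened security group export:
# one inbound rule per entry, tagged with the zone the group is attached to.
SAMPLE_RULES = [
    {"group": "sg-prod-web", "zone": "prod", "proto": "tcp",
     "from_port": 443, "to_port": 443, "cidr": "10.10.0.0/16"},
    {"group": "sg-prod-db", "zone": "prod", "proto": "tcp",
     "from_port": 5432, "to_port": 5432, "cidr": "10.20.0.0/16"},
    {"group": "sg-dev-app", "zone": "dev", "proto": "-1",
     "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
    {"group": "sg-admin-ssh", "zone": "admin", "proto": "tcp",
     "from_port": 22, "to_port": 22, "cidr": "10.40.0.0/24"},
]


def zone_of(cidr):
    """Return the zone whose range contains the rule's source CIDR, 'any'
    for a default-allow range (/0), or 'external' when no zone matches."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return "external"


def cross_zone_findings(rules):
    """Return rules whose source is outside the attached zone: traffic that
    crosses an environment boundary or arrives via a default allow."""
    findings = []
    for r in rules:
        src = zone_of(r["cidr"])
        if src == r["zone"]:
            continue  # intra-zone traffic is governed by that zone's own policy
        findings.append({"group": r["group"], "zone": r["zone"],
                         "source_zone": src,
                         "ports": f'{r["proto"]}/{r["from_port"]}-{r["to_port"]}'})
    return findings
```

Run against a real export, every finding should map to a documented, approved flow in the segmentation policy; an unexplained 'any' or cross-zone source is a failed check.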
Network segmentation policy or architecture document that specifies environment boundaries, tenant isolation requirements, and enforcement mechanisms.
Example: Network Segmentation Policy or Network Architecture Design document (version-controlled, approved within the last 12 months) with a network diagram showing defined trust zones
Test: Request the network segmentation policy and supporting architecture diagram. Verify: (1) the document defines trust zones and permitted traffic flows between zones; (2) tenant isolation requirements are explicitly stated; (3) the diagram reflects the current deployed architecture; (4) the document has been approved by an accountable owner within the last 12 months.
Questions (2)
Are production systems logically isolated from development, test, and administrative networks, and are tenant workloads separated from one another at the network layer?
Isolation should be enforced via VPC boundaries, security groups, network ACLs, or equivalent cloud-native controls — not only by naming convention or access policy.
Which mechanisms are used to enforce network segmentation between environments and between tenants?
Multiple enforcement layers are expected for a strong segmentation posture. At minimum, expect separate network boundaries and explicit deny rules for cross-environment traffic.