NIST has published Special Publication (SP) 800-215, Guide to a Secure
Enterprise Network Landscape.
Access to multiple cloud services (e.g., IaaS, SaaS), the
geographic spread of enterprise Information Technology (IT) resources
(including multiple data centers and multiple branch offices), and the
emergence of highly distributed, loosely coupled, microservices-based
applications (as opposed to monolithic ones) have significantly altered the
enterprise network landscape. This transformation has the following security
impacts: (a) the disappearance of a defensible perimeter around the
enterprise network, (b) an increase in attack surface due to the sheer
multiplicity of IT resource components (e.g., computing, networking, and
storage), and (c) the ability of attackers to propagate sophisticated attacks
across several network boundaries by abusing the extensive connectivity
within and across individual network segments.
NIST SP 800-215 provides guidance from a secure operations
perspective. It examines the security limitations of current network access
solutions to the enterprise network (e.g., VPNs), as well as point security
solutions based on traditional network appliances with enhanced features
(e.g., firewalls, cloud access security brokers (CASBs) for cloud access),
including the use of network visibility, monitoring, and provisioning tools.
The document also discusses emerging network configurations that each
address a specific security function (e.g., application/services security,
cloud services access security, device or endpoint security) and security
frameworks, such as zero trust network access (ZTNA), microsegmentation, and
software-defined perimeter (SDP), that combine these individual
configurations. Additionally, the document highlights cloud-based WAN
infrastructures, such as secure access service edge (SASE) with widely
distributed points of presence (PoPs), that combine the latest WAN
technologies (e.g., software-defined WAN (SD-WAN)) with a comprehensive
set of security services.