Network segmentation with zero-trust principles

Primary statement

Network segmentation isolates critical systems from general corporate IT: (1) documented zones with controlled connections (SEBI PR.2); (2) zero-trust principles — no implicit trust between segments, identity-based connection authorisation, micro-segmentation for highly sensitive zones (SEBI PR.2 with August 2025 zero-trust expectations); (3) authorised data flows mapped (NIST ID.AM-03); (4) networks protected from unauthorised logical access (NIST PR.IR-01); (5) network monitoring for adverse events (NIST DE.CM-01); (6) network services security mechanisms and SLAs (ISO A.8.21); (7) network segregation per ISO A.8.22.

Audit-fatigue payoff

A unified segmentation architecture — zone diagram + zero-trust enforcement + data flow inventory + monitoring coverage — satisfies network-segmentation requirements across all 10 contributing frameworks. SEBI PR.2 zero-trust expectations are the audit-defensible ceiling.

Strictness matrix

Scope
Scope: ALL networks within the organisation's control, with zones isolating critical from general corporate IT. Zero-trust applies WITHIN the perimeter, not just AT the perimeter — east-west traffic authenticated and authorised.
Ceiling source: sebi_cscrf:CSCRF.PR.2
Rationale: SEBI CSCRF PR.2 with zero-trust expectations specifies the broadest scope, including east-west traffic. Other frameworks address the perimeter / north-south traffic only.

Threshold
Threshold for inter-zone communication: identity-based authorisation, no implicit trust. Micro-segmentation for highly sensitive zones (e.g., payment systems, customer data stores). Documented data flow authorising each connection.
Ceiling source: sebi_cscrf:CSCRF.PR.2
Rationale: The SEBI CSCRF PR.2 zero-trust threshold is binary: identity-based authorisation is either present or absent. Other frameworks accept network-level controls only.

Method
Method: (1) zone architecture documented with critical / general / DMZ / partner-connected segments; (2) zero-trust between zones — identity-based connection authorisation, mutual TLS for service-to-service; (3) micro-segmentation for highly sensitive zones; (4) authorised data flow inventory maintained current (NIST ID.AM-03); (5) network services security mechanisms and SLAs (ISO A.8.21); (6) network monitoring for anomaly detection (NIST DE.CM-01); (7) network segregation per ISO A.8.22; (8) segmentation testing — verify that east-west isolation actually works.
Ceiling source: sebi_cscrf:CSCRF.PR.2
Rationale: SEBI CSCRF PR.2 with zero-trust is the most prescriptive method. The east-west-isolation testing requirement is uniquely strict.

Frequency
Network architecture review: annual + on material change. Data flow inventory refresh: continuous through change management + annual completeness review. Segmentation testing: annual (typically part of the VAPT cycle). Firewall rule review: quarterly minimum.
Ceiling source: iso27001:A.8.22
Rationale: Annual network architecture review with quarterly firewall rule reviews is the consistent cadence across frameworks.

Evidence
Required evidence: (1) network architecture diagram (current) showing zones and zero-trust enforcement points; (2) authorised data flow inventory; (3) firewall and segmentation control configuration; (4) identity-based authorisation enforcement evidence (sample policies); (5) segmentation testing evidence — verify that east-west isolation works; (6) network monitoring evidence (sample alerts through to response); (7) micro-segmentation evidence for highly sensitive zones.
Ceiling source: sebi_cscrf:CSCRF.PR.2
Rationale: The SEBI CSCRF PR.2 evidence list with segmentation testing is uniquely strict. The east-west-isolation testing evidence is the audit-defensible anchor.

Auditor test pattern

Step 1: Inspect the network architecture diagram; verify zones are documented and current.
Step 2: For one critical zone, verify zero-trust enforcement (identity-based authorisation, not just network-level rules).
Step 3: Conduct a segmentation test — attempt to reach the critical zone from a general corporate endpoint; verify the attempt is blocked or logged.
Step 4: Verify the authorised data flow inventory reconciles with actual network traffic.
Step 5: For highly sensitive zones (payment, customer data), verify micro-segmentation.
Step 6: Inspect firewall rule reviews; verify quarterly cadence.
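Step 4 (reconciling the data flow inventory against observed traffic), together with the east-west and micro-segmentation checks of Steps 2, 3 and 5, as an added example that is not part of the original page: it flags inter-zone flows absent from the inventory and flows that reach a zone requiring identity-based authorisation without one. The zone CIDRs, inventory entries and flow records are constructed, and the `identity` field stands in for whatever workload identity (for example the mutual-TLS peer) the enforcement point records.

```python
from ipaddress import ip_address, ip_network

# Constructed zone map: one CIDR per documented zone (assumed addressing).
ZONES = {
    "general": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "critical": ip_network("10.30.0.0/24"),
    "payment": ip_network("10.40.0.0/24"),  # highly sensitive, micro-segmented
}
SENSITIVE_ZONES = {"payment"}

# Inventory key (src_zone, dst_zone, dst_port) -> identity-based authorisation required?
INVENTORY = {
    ("general", "dmz", 443): False,
    ("dmz", "critical", 8443): True,
    ("critical", "payment", 8443): True,
}

def zone_of(ip: str) -> str:
    """Map an address to its documented zone; unmapped addresses are 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def reconcile(flows):
    """(index, reason) for each inter-zone flow absent from the inventory or
    lacking identity where the inventory or a sensitive destination requires it."""
    findings = []
    for i, f in enumerate(flows):
        src, dst = zone_of(f["src"]), zone_of(f["dst"])
        if src == dst:
            continue  # intra-zone traffic is out of scope for this check
        key = (src, dst, f["dport"])
        if key not in INVENTORY:
            findings.append((i, f"unauthorised east-west flow {src}->{dst}:{f['dport']}"))
        elif (INVENTORY[key] or dst in SENSITIVE_ZONES) and not f.get("identity"):
            findings.append((i, f"no identity-based authorisation {src}->{dst}:{f['dport']}"))
    return findings

# Constructed observed flows (what a flow-log export might contain).
SAMPLE_FLOWS = [
    {"src": "10.10.5.21", "dst": "10.30.0.10", "dport": 22, "identity": None},
    {"src": "10.20.0.5", "dst": "10.30.0.10", "dport": 8443, "identity": "svc-gateway"},
    {"src": "10.20.0.5", "dst": "10.30.0.10", "dport": 8443, "identity": None},
    {"src": "10.10.5.21", "dst": "10.20.0.5", "dport": 443, "identity": None},
    {"src": "10.30.0.10", "dst": "10.40.0.7", "dport": 8443, "identity": "svc-ledger"},
    {"src": "10.30.0.11", "dst": "10.30.0.12", "dport": 5432, "identity": None},
]
```

Running `reconcile(SAMPLE_FLOWS)` reports the general-to-critical SSH flow (a flat-network symptom) and the dmz-to-critical connection that arrived without a workload identity; an empty result is the evidence the auditor is looking for in Step 4.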

Common findings

Common 2024–26 findings: (1) Network diagram outdated by 12+ months; (2) Flat networks behind the perimeter (the classic failure); (3) Zero-trust claimed in policy but enforcement absent; (4) Data flow inventory theoretical — not used operationally; (5) Segmentation testing never performed; (6) Micro-segmentation absent for sensitive zones; (7) East-west traffic uncontrolled.