Course: Cyber Security

Segmentation

Increasing segmentation allows each segment to represent a service, containing the servers that service needs to function. Communication within the segment is permitted, but traffic into and out of the segment is controlled by the firewall.

Another approach is to segment based on function, clustering web applications with other web applications in one segment, databases in another, and different services in their respective segments.

The most secure segmentation method is a zero-trust architecture, which requires explicit permission for every system to communicate with each service. Linking firewall management to the organization’s user directory lets administrators write role-based rules, so that when a user's role changes, their permissions adjust automatically without a change request to the firewall administrators. This is known as user-based policy control. For example:

  • IT administrators should be able to use management protocols for various services.
  • HR employees should have access to HTTPS for HR platforms.
  • Helpdesk staff should only be permitted to access helpdesk-related services.
  • Unknown users can be identified and provisioned appropriately.

Note: A commonly used user directory is Microsoft’s Windows Active Directory, which contains information about the organization’s users, computers, and groupings.
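
The sketch below is an added example, not part of the original lesson: it models user-based policy control as a default-deny rule check keyed on directory groups, and shows a role change taking effect without any edit to the rules. The user names, group names, segment names and services (ssh, rdp, https) are assumptions chosen to mirror the list above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    group: str            # directory group the rule is written against
    segment: str          # destination segment behind the firewall
    services: frozenset   # services that group may reach there

# Constructed sample directory (user -> groups), standing in for a real user directory.
DIRECTORY = {"alice": {"it-admins"}, "bob": {"hr"}, "carol": {"helpdesk"}}

# Rules name groups, never individual users. Segment and service names are assumptions.
RULES = [
    Rule("it-admins", "servers", frozenset({"ssh", "rdp"})),
    Rule("hr", "hr-platform", frozenset({"https"})),
    Rule("helpdesk", "helpdesk-services", frozenset({"https"})),
]

def evaluate(user, segment, service, directory, rules=RULES):
    """Return (decision, reason); anything not explicitly permitted is denied."""
    groups = directory.get(user)
    if groups is None:
        # Not in the directory: deny, and report it so the user can be provisioned.
        return ("deny", "unknown-user")
    for rule in rules:
        if rule.group in groups and rule.segment == segment and service in rule.services:
            return ("allow", "group:" + rule.group)
    return ("deny", "no-matching-rule")

def change_role(user, new_groups, directory):
    """A role change is a directory update; the firewall rules stay untouched."""
    directory[user] = set(new_groups)

if __name__ == "__main__":
    d = {u: set(g) for u, g in DIRECTORY.items()}
    print(evaluate("carol", "hr-platform", "https", d))  # helpdesk user, HR platform
    change_role("carol", {"hr"}, d)                       # carol moves to HR
    print(evaluate("carol", "hr-platform", "https", d))  # same rules, new decision
    print(evaluate("dave", "hr-platform", "https", d))   # not in the directory
```

The "unknown-user" reason is what a firewall log would need to carry so that unidentified users can be separated from known users who simply lack a matching rule.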