June 6, 2023
1.2 IT security risk management process Our top 10 security actions are based on the security controls listed in Annex 3A of ITSG 33.Footnote 4 ITSG 33Footnote 4 is a risk management framework which describes the roles, responsibilities, and activities that help organizations manage their IT security risks. It includes a catalogue of security controls like…

1.2 IT security risk management process

Our top 10 security actions are based on the security controls listed in Annex 3A of ITSG 33.Footnote 4 ITSG 33Footnote 4 is a risk management framework which describes the roles, responsibilities, and activities that help organizations manage their IT security risks. It includes a catalogue of security controls like standardized security requirements to protect the confidentiality, integrity, and availability of IT assets. These security controls are divided into three classes, which are further divided into several families (or groupings) of related security controls:

  • Technical security controls: Security controls that are implemented and executed by information systems primarily through security mechanisms contained in hardware, software, and firmware components.
  • Operational security controls: Information system security controls that are primarily implemented and executed by people and typically supported using technology, such as supporting software.
  • Management security controls: Security controls that focus on the management of IT security and IT security risks.

As illustrated in Figure 2, the guidance in this document addresses technical security controls that fall under the access control (AC) and systems and communications protection (SC) families. It also addresses management security controls that fall under the risk assessment (RA) family. This document includes actions that help satisfy the following security controls:

  • AC-4 information flow enforcement
  • SC‑2 application partitioning
  • SC-3 security function isolation
  • SC-7 boundary protection
  • SC-32 information system partitioning
  • RA-2 security categorization
  • See Annex A of this document for more information on controls AC-4, SC-2, SC-3, SC-7, SC-32, and RA-2.

Figure 2: Applicable security control classes and families as described in ITSG-33Long description – Figure 2

As depicted in Figure 2 with highlighted text, this publication focuses on technical, operational, and management security controls. It includes some of the actions that fall under the Access Control, System and Communication Protection, and Risk Assessment control families.

The full list of classes of security controls and their related control families or groupings is also presented in Figure 2, as follows:

Technical security controls

  • Access control
  • Audit and accountability
  • Identification and authentication
  • System and communications protection

Operational security controls

  • Awareness and training
  • Configuration management
  • Contingency planning
  • Incident response
  • Maintenance
  • Media protection
  • Physical and Environmental Protection
  • Personnel Security
  • System and Information Integrity

Management security controls

  • Security assessment and authorization
  • Planning
  • Risk assessment
  • System and services acquisition

You can use the security controls discussed in this document and in Annex 3A of ITSG-33 Footnote 4  as a foundation when determining how to manage your organization’s cyber security risks and protect its networks, systems, and IT assets. However, keep in mind that implementing these controls is only one part of the IT security risk management process.

ITSG-33 Footnote 4 describes a process based on two levels of risk management activities: departmental-level activities and information system-level activities. These two levels of activities will help your organization identify its security needs for both the entire organization and its information systems. Once you understand your security needs at each level, you can identify which security controls your organization needs to implement and maintain based on your accepted level of risk.

2 Controls supporting network segmentation

2.1 Information flow enforcement

The guidance in this section is based on security control AC-4 information flow enforcement.

When creating security zones within your environment, in addition to defining who has access to the data within them, it is also necessary to define what information is permitted to travel between them, in addition to defining who has access to the data within them. Enforcing the flow of information both between and within security zones allows your organization to control data flow across your network. This will ensure sensitive or classified information cannot travel across your systems unless otherwise defined in your segmentation rules. Flow control restrictions can include blocking external traffic that claims to be from within your organization or restricting web requests to the Internet that are not from your organization’s internal web proxy server. This concept can be applied for both traditional network zoning, which commonly leverages routable Internet protocol (IP) subnets, and for software-defined networks (SDN) or cloud segmentation that may instead segregate by dynamic policy or asset tagging.

Your organization should develop information flow control policies that clearly define the boundaries of where and how information can flow within and between your information systems. These policies should be clearly written, readily available, and frequently reviewed to ensure your information remains protected. Some policies or security control rules you may want to implement could include prohibiting information transfers between interconnected systems or employing hardware that works to enforce one-way information flows within your network.

Enforcement mechanisms should be deployed to control the flow of information between designated sources and destinations, like your networks, devices, and users, within and between your systems. This enforcement can occur via your organization’s boundary protection controls and devices, such as your routers, firewalls, and protected gateways. These controls and devices have been configured to restrict information system services and provide filtering capabilities, like packet filtering or message filtering, based on predefined rules or settings.

2.2 Security categorization

The guidance in this section is based on security control RA-2 security categorization.

Without a complete understanding of the information that your organization processes and holds, you cannot fully protect it. As a part of your risk management and cyber security activities, you should examine your organization’s information to identity its value, determine its classification, and categorize it into groups, based on its level of sensitivity.

2.2.1 Identify its value

By identifying the value of your organization’s information, you can prioritize what needs to be protected.

You can determine the value of your organization’s information by assessing the possible harm that could result from the inability to protect its confidentiality, integrity, and availability. When assigning value, consider the following types of information:

  • Business critical information: Information that your organization relies on for its ongoing operation, like sales information or emergency response plans
  • Sensitive information: Information that needs to be kept confidential or only accessed by certain users, like financial and personal information or intellectual property
  • Records and evidence: Information that needs to be protected from unauthorized modification, like contracts and receipts

For more information on determining the value of information systems and assets, see Protecting high value information: Tips for small and medium organizations (ITSAP.40.001)Footnote 7 and section 2.3 of our Baseline cyber security controls for small and medium organizations.Footnote 8

2.2.2 Classify and categorize

As you identify the value of your enterprise information, you should also classify and organize it into groups or classes based on its level of sensitivity. The classification markings that your organization applies may vary, depending on whether you are a government department or a non-government, private organization. Classifying your information appropriately helps you manage and protect it against unauthorized access and distribution, as well as improper retention and disposition.

Categorizing your enterprise information has several purposes, including:

  • reflecting the value that your organization has assigned to the information
  • representing your organization’s risk tolerance
  • determining how your organization assures the confidentiality, integrity, and availability of information

When enterprise information is classified and categorized appropriately, your organization is in a better position to manage it throughout its lifecycle, ensure that it is properly retained and destroyed, and protect it against unauthorized access and distribution. In addition, by understanding your information, you can implement the appropriate security controls and manage risks according to your organization’s predetermined risk tolerance.

2.3 Application partitioning

The guidance in this section is based on the security control SC-2 application partitioning.

  • User roles that require access to sensitive data (including your CSP and MSP users)
  • Responsibilities, accountabilities, and tasks for each user role
  • Tasks that absolutely require administrative privileges
  • Users who are required, and who are authorized, to carry out administrator tasks
  • Time frame (i.e. permanently or for a predetermined length of time) in which users need to carry out administrator tasks (e.g. permanent tasks, emergency tasks).

You should disallow privileged users from having one account with both normal user access to networks, such as the Internet and email services, and administrative privileges. Whether your organization uses a cloud, on-prem, or hybrid environment, we strongly recommend that you create separate administrative accounts with separate credentials for users who require them. Ensure that these administrative accounts do not have the ability to access the Internet or email services, as this can expose your organization unnecessarily to threat actors. You should develop a policy or directive that ensures all administrative tasks are performed on dedicated administrative computers that cannot access the Internet or email services. For remote access, Annex 3A of ITSG‑33 Footnote 4 under AC-17(100) states that remote access to privileged accounts should be performed on dedicated management consoles governed entirely by the system’s security policies and used exclusively for this purpose (e.g. Internet access not allowed). For cloud administration from this dedicated workstation, ensure it is configured with a virtual private network (VPN) or allow lists, and multi-factor authentication (MFA) to access the cloud tenancy.

For more information on administrative accounts and permissions, see Top 10 IT security actions: No. 3 managing and controlling administrative privileges (ITSM.10.094).Footnote 9

4 Network segmentation: Practical application

Segmenting your networks into various security zones is part of a defence-in-depth approach to cyber security. It limits access to connected systems, applications, devices, and data. Segmentation restricts communication between networks, thus isolating sensitive data and restricting access from unauthorized users. Network security zones can support a range of security solutions for your organization’s business needs. These security zones also provide a common network infrastructure to support electronic service delivery, interconnectivity, and interoperability. If your organization shares a common infrastructure for online service delivery or other purposes, you must conform to all the security standards established for that infrastructure.

Network segmentation reduces the attack surface, as it prevents widespread compromise of your organization’s network. If a host on one network is compromised, the hosts on the other network segments will not be impacted by the compromise, as they are unreachable beyond the boundaries of the segmented network that the compromised host resides in.

4.1 Segmentation considerations

Network segmentation requires planning and standard best practices to be successful. The following list provides some industry-accepted best practices you should implement prior to segmenting your networks into security zones.

  • Conduct an inventory of your data and assets.
  • Classify your data and assets as high, medium, or low value.
  • Draft and implement security policies to be applied to each type of data and asset that requires protection. The level of risk assigned to the data or assets will dictate the level of security required to protect them, as well as the details of the security policy assigned.
  • Follow the principle of least privilege, meaning your users are given only the set of access privileges that are essential for them to perform authorized tasks. This principle limits the damage that can result from the accidental, incorrect, or unauthorized use of an information system.
  • Determine who needs to access your data and develop a rule-based access (RuBAC) or role-based access (RBAC) rights model.
  • Limit third party access to your network to avoid creating additional entry points that can be exploited by threat actors. Identify the data flow for each of your applications and implement application allow lists to deny unapproved applications from executing on your systems. For more information on application allow lists,  see the Cyber Centre’s Top 10 security actions – No.10 implement application allow lists (ITSM.10.095) .Footnote 10
  • Monitor and audit your network on a continuous basis to identify anomalies in traffic patterns. For more information on auditing, monitoring, and logging, see the Cyber Centre’s Network security logging and monitoring (ITSAP.00.085) Footnote 11 and Network security auditing (ITSAP.80.086). Footnote 12
  • Implement sensors within each of your network segments to alert of potential intrusions. The logs from these sensors should be maintained and backed up to secure, offline storage.

Network segmentation can be implemented in a variety of IT environments. Whether your organization uses an on-prem, cloud, or hybrid IT environment, segmenting your networks into security zones will enhance your data security and reduce your risk of unauthorized access or compromised data.

Your organization’s implementation of network security zones should align with your current IT security risk management activities, such as defining organizational IT security needs and security controls, deploying security controls, and monitoring and assessing the performance of security controls. Your implementation should also align with your information system-level activities to ensure the solution is functional.

The following subsections provide information and best practices on implementing network segmentation in an on-prem, cloud, or hybrid IT environment. Guidance for organizations with operational technology (OT) is also provided.

Note: For hybrid environments, the guidance provided in the on-prem and cloud sections can be leveraged in tandem to address segmentation best practices.

4.2 Segmentation on-prem

On-prem environments, where IT infrastructure and security elements are managed in-house, have traditionally leveraged perimeter-based segmentation. In this model, subnets and external networks only connect to one another through managed interfaces, such as gateways, routers, or firewalls. For example, a firewall can be implemented at an Internet gateway to protect internal networks. Firewalls can also be used to define and protect a subnet hosting specific applications.

Subnets that physically or logically separate external untrusted networks from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically protected with firewalls and shield internal networks from external threat actors seeking to gain unauthorized access. DMZ managed interfaces often restrict external web traffic to designated web servers and prohibit external traffic that appears to be spoofing internal addresses.

4.2.1 Virtual local area network (VLAN)

A VLAN is a virtualized connection that joins devices and nodes across your network. They are used to assist in the division of your network into subnets and the isolation of traffic from other established VLANs. Your organization can use them to assist in limiting traffic from other areas in your environment and enable subnets to be connected across your network, despite their physical location.

You can improve your network performance by segmenting your network into subnets and VLANs, as they reduce the volume of broadcast traffic being sent or received by your network.

VLANs are often used in combination with access control lists (ACLs) to enhance the filtering of traffic on your network. Your organization can implement ACLs on your routers and switches to further enhance your IT security posture. The ACLs will better isolate your devices and systems, which can enhance your organization’s ability to prevent threat actors from deploying and spreading malware across your network.

Note: VLANs are used for IP management and while they can be useful in limiting broadcast traffic and allow for asset management on the network, they are not a security solution for network segregation.

4.2.2 Firewalls

Firewalls, or devices with firewall capabilities, are essential to network segmentation. A firewall is a security barrier placed between two networks that controls the amount and types of traffic that may pass between them. This protects local system resources from being accessed from the outside. They can be physically in the path of the network traffic (inline) or be encountered by this traffic logically, because of the routing rules in effect on the network. A firewall assesses every network packet to ensure it complies with rules established in policy and enforced by the administrator before allowing it through.

Firewalls can also include additional functions, such as anti-malware, intrusion detection and prevention capabilities, or they can serve as remote connection VPN termination points. All traffic going through your firewall should be logged in detail, as these logs can provide valuable information about normal traffic patterns and help spot irregular or malicious traffic. The logs can be used to establish a baseline for normal traffic patterns for your organization and will assist you in spotting anomalies in those patterns. These anomalies can be indicative of malicious activity. Your organization should also backup your logs to a read-only location, such as a different email or offline storage, to protect them from being compromised by a threat actor.

Firewalls can be both physical, like a hardware device, or virtual, like a cloud-based or virtual firewall running in a virtual environment. Depending on the architecture and the criticality of systems, it might be advisable to use multiple firewalls to secure critical networks even further. For example, you can have one firewall act as a gatekeeper to another firewall in an on-prem or hybrid environment. Some organizations also opt for using different vendors when using multiple firewalls so that if one manufacturer reports a flaw or security vulnerability, the other might not have the same vulnerabilities.

To move beyond traditional firewall capabilities, your organization could deploy next-generation firewalls. These firewalls provide enhanced functionality, such as content filtering at a higher layer in the Open Systems Interconnection (OSI) model.

4.2.3 Software-defined network (SDN)

SDN is a networking approach that results in the virtualization of networks. With SDN, the physical network infrastructure is abstracted to a fabric layer, and all traffic flow is controlled by a central controller or controllers. SDN can be adapted to your existing architecture and can assist in virtualizing your networks. It uses software-based programs or application programming interfaces (APIs) to communicate with your organization’s infrastructure and assist in directing traffic within your segmented network. Being software-based, SDN is more flexible than traditional networking and allows administrators to manage and control several components from a single interface. The need to secure this interface is crucial for your organization, as it could be a single point of failure if it were compromised by a threat actor.

Virtualization is technology that your organization can use to create simulated environments or virtual resources, like your servers, desktop, operating system, storage, or networking components. It separates the logical desktop from the physical desktop. A user then interacts with the logical (virtual) desktop through a device connected to your organization’s network. This device can be a workstation or mobile device and may have its own separate desktop. You can use virtual desktops to centrally control which applications users can access on their workstations.

While virtualized devices can still be managed in a traditional IT way, SDN relies on devices being physically connected to an underlay and central management.

4.2.4 Micro-segmentation

With traditional network segmentation approaches, the focus is on network traffic from a client to your organization’s server. When data comes from outside your organization’s network, security controls filter it to the appropriate subnet. The limitation to this is that traditional segmentation cannot monitor the traffic within your network security zones themselves. To further segment and monitor traffic within your network, you may want to implement micro-segmentation.

Micro-segmentation works to further segment by applying security controls and protocols to the traffic within your network security zones. Micro-segmentation allows your organization to isolate specific individual applications, which means if the application itself is ever compromised, the threat cannot spread to other areas within your network.

Micro-segmentation logically divides the data centre and cloud environments into distinct security segments down to individual workload level. It relies heavily on the use of managed policy enforcement points throughout the network to dynamically control the communication between components based on policy. This is done to protect sensitive data and services from both internal and external threats. It provides layered security and allows for restricted access to assets on a granular level. This ensures that, even if a threat actor does enter the network, the amount of damage they can cause is limited.

Unlike traditional network segmentation, which leverages ZIPs to govern access to network security zones, micro-segmentation can restrict user access to an individual device or a grouping of devices. It can also restrict access to endpoints and applications, despite the VLAN they have been assigned. Another main difference between traditional segmentation and micro-segmentation is the traffic flow direction. Traditional segmentation focuses on north-south traffic, which flows further into or out of the network. Micro-segmentation seeks to control east-west traffic, which flows within a network security zone, or between similar security zones.

There are other differences in the way micro-segmentation functions when compared to traditional segmentation. For example:

  • it is applied in smaller subsets of components, often made up of single devices
  • it works best with virtual networks
  • it follows more granular policies
  • it is implemented at the software-level

4.2.5 Challenges of network segmentation

Leveraging network segmentation for security purposes comes with challenges. Often, segmentation needs do not match the network architecture. Re-architecting the networks or reconfiguring VLANs and subnets to meet segmentation requirements is a difficult and time-consuming endevour.

Architecting segmented networks in an already established IT environment can be time consuming and challenging. If your organization lacks in-house expertise, you may need to outsource the assistance of an IT security professional who can re-architect your environment. These services can be costly and out of reach for many organizations with limited resources.

While segmenting your network can ultimately improve performance, it can be impacted negatively by over-segmenting. Increasing the granularity of segmentation of your networks can potentially create a bottleneck in your network and slow performance. 

Another challenge with traditional or perimeter-based segmentation is the established trust framework. With perimeter segmentation, the components within the perimeter of the network are trusted and anything outside of that perimeter is not. While this is an effective security approach to some degree, changes in technology and IT environments, as well as the ability for threat actors to refine their attack methodology, has created a need for more robust trust rules to be applied to networks.

One solution to this challenge is applying the principle of zero trust (ZT) to your environment. At its core, the ZT principle ensures that inherent trust is never granted by default to any subject, whether internal or external to your environment. This principle can be applied to your organization’s architecture by implementing zero trust architecture (ZTA).

Lastly, the preventative measures mentioned in earlier sections of this publication, such as firewalls, ACLs, VLANs, DMZs, and SDNs, can all present their own vulnerabilities. Whether your equipment is physical or virtual, threat actors can attempt to gain internal access, bypass firewalls, and VLAN hop, amongst other common attack methods. To mitigate the risk associated with these preventative measures, your organization should review, update, and reconfigure them on a regular basis.

4.2.6 Zero trust architecture (ZTA)

The primary goal of ZT is to prevent or limit the reliance on implicit trust policies when processing traffic flows. It also prevents lateral movement within your IT environment. ZTA is not focused on eliminating the legacy boundary defence your organization may have in place.

ZTA ensures that every interaction initiated between a user and a resource is strongly authenticated and authorized. Access control and permissions are implemented at the most granular level possible, and these access decisions are based on dynamic evaluation of the trust context for each access request.

With ZT the communication between users, systems, and devices is continuously authenticated, authorized, and validated. ZT is founded on policy-based access controls (PBAC), such as RBAC and attribute-based access control (ABAC). A ZTA enforces access policies based on context such as the user’s role, the time of day, geolocation, the device, and the data the user is requesting. The level of access that is granted is dynamically adjusted based on the level of trust established with the subject. In short, the more trust that an information system can develop in a subject, the more access that subject can be granted. 

For more information on ZTA, see A zero trust approach to security architecture (ITSM.10.008).Footnote 13

4.3 Segmentation in the cloud

The principles of zoning still apply if your organization is using cloud or managed services. If using a shared cloud deployment model, for example, you should ensure that your data is separated from other tenants’ data.

As with on-prem segmentation, segmentation in the cloud still employs ZIPs to describe the controlled interface connecting two zones. In a cloud environment, there are other logical segmentation mechanisms which may not necessarily meet all the security function requirements of a ZIP, but they can have a role in network zoning.

Cloud resources are deployed within these specific zones. In a traditional network environment, it would be expected to find a ZIP at the boundary of the zone. Within a cloud environment, a ZIP can be situated at the boundary of a zone or within a zone associated with specific cloud resource network interfaces, such as a virtual machine (VM) or host.

In a cloud environment, networking has evolved to using SDN. Compared with traditional networking, SDN has different characteristics and capabilities that need to be taken into consideration in the use of segmentation of network security zones in a cloud environment.

Some of the key differences with traditional networking are:

  1. decoupling of the control plane, which specifies how traffic is routed within the SDN, from the device data plane, which physically handles the traffic as dictated by the control plane
  2. centralized single point of configuration provisioning and management
  3. central control point for regulating granular security and policy information

It is important to understand that while the CSP provides management and control plane access to its SDN, that access is exposed through their resource abstraction and control layer, a software as a service-like (SaaS-like) model. The CSP does not provide direct access to its SDN nor its implementation, whether that is in software or hardware. It is part of the CSP fabric.

Both on-prem and cloud environments share the same foundational principles of controlling, restricting access and data communication flows to certain components and users. They both establish network perimeters and associated boundary controls through the following functions:

  • Defining the entities that populate zones
  • Identifying discrete zone entry and exit points
  • Filtering network traffic at entry and exit points
  • Monitoring the state of the network
  • Authenticating the identity of network devices and users
  • Monitoring network traffic at the entry and exit points

For more guidance on a defence-in-depth approach, and segmentation, for cloud, see Guidance on defence-in-depth for cloud-based services (ITSP.50.104) Footnote 14 

4.3.1 Cloud zoning responsibilities

For SaaS offerings, the CSP is responsible for network zoning of the cloud environment. For platform as a service (PaaS) offerings, in which the CSP is typically hosting multiple tenants, platforms will most likely be subject to the CSP’s network zoning practices. Your organization has the responsibility to ensure that SaaS or PaaS applications comply with your organizational security policy especially on network zoning. The security requirements that a business application must meet are derived from the organization security policy or the risk management framework. ITSG-33 Footnote 4 can be used as part of the risk management framework to determine the security controls your organization should implement. Threat modeling, including identifying specific threats, should be part of your organization’s risk management framework.

Your organization should limit third-party service provider access to your network. Remote access points can increase the number of entry points into your network. These entry points can be exploited by threat actors and used as vectors to conduct malicious activities, such as deploying malware onto your network.

4.4 Segmentation for operational technology (OT)

Many of the network segmentation best practices and recommendations from Section 2.0 are applicable to OT environments. However, there are specific items that critical infrastructure organizations should establish to better protect their OT and industrial control systems (ICS). Separating your OT from your IT is paramount in an effective cyber security strategy. This separation will ensure that ICS function as they need to, without being connected to networks that could potentially become infected by malware.

Firewalls are an effective security tool, and it is strongly recommended that OT environments have them implemented. It is possible to take a layered approach with firewalls in an OT environment. For example, a single OT firewall could secure connections out to the IT network and feeds to external service providers or vendors, while also isolating all DMZ traffic. At the same time, internal firewalls can have highly granular policies for controlling flows between critical networks and devices, such as supervisory control and data acquisition (SCADA) systems. In general, a “deny all” approach is recommended for all OT connectivity, which allows your organization to implement firewalls to limit system communication with other systems, which will disallow any ad-hoc connectivity or lateral movement. This is another way in which your organization can layer your defensive posture and better protect your network, systems, and data.


Your organization’s IT assets and information are valuable and enable your organization’s continued operation. These assets are also a valuable target to threat actors. Your organization is always responsible for protecting the confidentiality, integrity, and availability of your networks, systems, and information. You should implement the security controls that address your organization’s business and security requirements.

One of our top 10 recommended IT security actions is to segment and separate information. The guidance included in this document is based on several of the security controls detailed in Annex 3A of ITSG-33.Footnote 4 This document is not comprehensive or all‑encompassing. To best segment and separate your information, you should review the guidance in this publication and apply the security controls discussed. You should also review the other top 10 recommended IT security actions in ITSM.10.089.Footnote 1