DFARS and CMMC – How to leverage an Enclave to your advantage

First off –  What is an Enclave?

According to the NIST definition of an enclave: “A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.”

You might be thinking: “Ok, thanks Bill, what does that really mean?”

Ok, let's simplify it: you run a separate system for a specific purpose. You have cordoned off and isolated a group of organizational and IT assets to perform a specific task, and you have a defined boundary between those assets and the rest of what you use within your organization. Much of the US Government works this way. A person within the government may have a public-facing system and an enclaved system to perform more sensitive work. All this is is applying the same methodology to a private organization.

Why would you do this? 

Reduce the number of systems to only those which need protection and you can save on resources in the long run while reducing risk in the short run. When you think about implementing complex security and privacy frameworks there is a math problem involved. Whatever controls you put in place, you need to put in place for all of the organizational assets that you have. It is also not a one-and-done sort of thing: you need to keep it up for as long as you are in business. So if you are at a company which has 100 system components (different applications, PCs, protective systems, hardware, networking, etc.), you then need to ensure that the controls you are putting in place have been implemented on every one of those systems.

In essence the assets you manage are a giant multiplier of complexity. So in my example of 100 system components, if you were to implement the core controls of NIST 800-171, the math problem works like this:

  • (Assets) × (Number of Controls)

  • In my example this would mean implementing and maintaining over time 100 assets × 110 controls = 11,000 points of evidence of implementation to keep updated over time.

Now this is a simplified equation for demonstrative purposes. The actual implementation has additional complexities, like trying to meet the assessment objectives behind each control. However, this gives you a good idea of why you would want to reduce the number of assets you are implementing controls against.

How do you implement an Enclave?

It comes down to two choices – start fresh, or cordon off what you have.

Start Fresh – New Enclave

Pros
  • Clean slate
  • Can use best-of-class and economical solutions.
  • Separated systems with clear boundaries
  • Potential for reduced number of systems and tools
  • Easier to defend during an incident, assessments, or audits.

Cons
  • Different systems
  • Need for investment
  • Culture change if technologies are different from what is being used in the rest of the organization

Cordon Off What You Have

Pros
  • Reduced culture change
  • Limited or no new investment

Cons
  • Internal organizational lines may get blurry.
  • May get messy to track what is and what is not affected over time.
  • May get very complex, as groups which may have little exposure may need to comply with more requirements than they need to.
  • May have more assets in your boundary than what is needed with a fresh start


How do I learn more?

Give us a call and we will be happy to help!!