Exam CAS-004
Question 83

An organization is designing a network architecture that must meet the following requirements:

✑ Users will only be able to access predefined services.

✑ Each user will have a unique allow list defined for access.

✑ The system will construct one-to-one subject/object access paths dynamically.

Which of the following architectural designs should the organization use to meet these requirements?

    Correct Answer: C

    Microsegmentation enabled by software-defined networking allows the network to be divided into smaller segments, providing fine-grained security at the individual workload level. This approach enables the creation of unique allow lists for each user, ensuring users can only access predefined services. Additionally, microsegmentation allows for the dynamic construction of one-to-one subject/object access paths, meeting all the specified requirements of the network architecture design.
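
The three requirements in the question, sketched as an added example that is not part of the original page or of any SDN product's code. The `Controller` class, the user and service names, and the addresses are all hypothetical: it keeps a per-user allow list over predefined services, denies by default, and installs a one-to-one subject/object flow entry only when a permitted first packet arrives.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Service:                      # an "object": one predefined service endpoint
    ip: str
    port: int
    proto: str = "tcp"

@dataclass
class Controller:
    """Toy policy controller for illustration; not a real SDN product's API."""
    catalog: dict                   # service name -> Service (the predefined services)
    allow: dict                     # user -> set of service names (unique per user)
    sessions: dict = field(default_factory=dict)  # source IP -> authenticated user
    flows: set = field(default_factory=set)       # installed (user, src_ip, Service)

    def login(self, user, src_ip):
        self.sessions[src_ip] = user

    def packet_in(self, src_ip, dst_ip, port, proto="tcp"):
        """First packet of an unmatched flow: install an exact path or drop."""
        user = self.sessions.get(src_ip)
        wanted = Service(dst_ip, port, proto)
        for name in self.allow.get(user, ()):
            if self.catalog.get(name) == wanted:
                self.flows.add((user, src_ip, wanted))  # one subject, one object
                return "forward"
        return "drop"               # default deny: unknown user, host, or port

    def revoke(self, user, name):
        """Remove the allow-list entry and tear down any path built from it."""
        self.allow.get(user, set()).discard(name)
        svc = self.catalog.get(name)
        self.flows = {f for f in self.flows if (f[0], f[2]) != (user, svc)}

def build_demo():
    # Constructed sample data: names and addresses are made up for this example.
    catalog = {"wiki": Service("10.0.1.10", 443), "hr-db": Service("10.0.2.20", 5432)}
    allow = {"alice": {"wiki", "hr-db"}, "bob": {"wiki"}}
    ctl = Controller(catalog, allow)
    ctl.login("alice", "10.9.0.5")
    ctl.login("bob", "10.9.0.6")
    return ctl

if __name__ == "__main__":
    ctl = build_demo()
    print(ctl.packet_in("10.9.0.6", "10.0.1.10", 443))   # bob -> wiki
    print(ctl.packet_in("10.9.0.6", "10.0.2.20", 5432))  # bob -> hr-db
    print(ctl.packet_in("10.9.0.5", "10.0.2.20", 5432))  # alice -> hr-db
```

No path exists until a permitted request is seen, and revoking an allow-list entry removes the installed path as well as the permission.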

Discussion
Mr_BuCk3th34D Option: C

Option B, proxied application data connections enabled by API gateways, could potentially be used to enforce access controls, but it would not allow the system to dynamically construct one-to-one subject/object access paths. Option D, VLANs (Virtual Local Area Networks) enabled by network infrastructure devices, could also potentially be used to enforce access controls, but it would not allow the system to dynamically construct one-to-one subject/object access paths.

lordguck Option: C

C: Micro-segmentation is a network security technique that enables security architects to logically divide the data center into distinct security segments down to the individual workload level, and then define security controls and deliver services for each unique segment.

Sloananne Option: C

"Micro-segmentation uses an allow-list model to significantly reduce this attack surface across different workload types and environments."

Sloananne

Anyone have any feedback? Might also be D "Microsegmentation vs. VLANs, firewalls and ACLs" https://www.networkworld.com/article/3247672/what-is-microsegmentation-how-getting-granular-improves-network-security.html

Sloananne

Going with C: "Network micro-segmentation. Also known as infrastructure segmentation, this micro-segmentation form is the most similar to older forms of network segmentation. It usually divides data center resources into Virtual Local Area Networks (VLANs) and uses Access Control Lists (ACLs) or IP constructs to determine user access."

OdinAtlasSteel Option: C

Microsegmentation enabled by software-defined networking.

Controlled Access to Predefined Services: Microsegmentation allows the network to be divided into smaller segments or zones to control access between various parts of the network. It enables the isolation of services and resources, ensuring that users can only access predefined services as required.

Unique Allow Lists for Each User: With microsegmentation, access control lists (ACLs) or policies can be customized for each user or user group. This customization facilitates the creation of unique allow lists, defining specific access permissions for different users.

Construction of One-to-One Subject/Object Access Paths Dynamically: Microsegmentation in software-defined networking enables dynamic creation and management of access paths between subjects (users) and objects (services/resources). This dynamic configuration allows for one-to-one access paths to be established as needed, providing granular access control.

23169fd Option: C

Predefined Services Access: Microsegmentation allows fine-grained security policies to be defined and enforced at the individual workload level. This means you can specify exactly which services each user can access.

Unique Allow Lists: SDN enables dynamic and flexible management of network policies. You can create unique security policies for each user or group of users, allowing for personalized allow lists.

Dynamic Access Paths: SDN allows the network to dynamically construct one-to-one access paths between subjects (users) and objects (services) based on predefined policies. This ensures that users can only access the services they are permitted to, and these paths can be dynamically adjusted as needed.

BiteSize Option: C

Keywords to focus on: "predefined resources" "each user defined access" "one-to-one subject object" "dynamically"

Microsegmentation

Look up Zscaler microsegmentation

Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

AlexJacobson Option: B

B seems most likely to me.

romero318

Are you saying this because microsegmentation only deals with priority of network traffic for a user and not for an ACL type situation?