Closed davoodharun closed 7 years ago
Related control(s): SC-2, SC-3, SC-7 (13), SC-7 (21)
SC-2: The information system separates user functionality (including user interface services) from information system management functionality. Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. [This Azure Blueprint Solution separates user functionality from system management functionality through enforcement of logical access controls and system architecture. User functionality is limited to customer-deployed web application interfaces. Interfaces for system management functionality are separate from user interfaces. All management connectivity is through a secure bastion host (jumpbox) located in a management subnet with network security group rules to limit [...need additional implementation details].]
SC-3: The information system isolates security functions from nonsecurity functions. [implementation TBD]
SC-7 (13): The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system. [This Azure Blueprint Solution deploys resources in an architecture with a separate management subnet for customer deployment of information security tools and support components. Subnets are logically separated by network security group rules.]
SC-7 (21): The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]. [This Azure Blueprint Solution deploys resources in an architecture with a separate web subnet, database subnet, Active Directory subnet, and management subnet. Subnets are logically separated by network security group rules applied to the individual subnets to restrict traffic between subnets to only that necessary for system and management functionality.] (Also see issue #31.)
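To make the SC-7 (21) statement checkable rather than just asserted, here is an added example (not code from this issue or from the Azure Blueprint project): a small Python model of Azure NSG inbound evaluation, run against two candidate rule sets for the database subnet. The subnet address plan and rule names are constructed assumptions; the default-rule priorities (AllowVnetInBound 65000, DenyAllInBound 65500) and first-match-by-priority semantics are Azure's actual behaviour.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan for the four subnets named in the issue (assumption).
SUBNETS = {"web": ip_network("10.0.1.0/24"), "database": ip_network("10.0.2.0/24"),
           "ad": ip_network("10.0.3.0/24"), "management": ip_network("10.0.4.0/24")}

# Rule tuple: (name, priority, access, source, destination ports); lower number wins.
# Azure's two relevant built-in inbound rules, which cannot be deleted, only outranked:
DEFAULT_RULES = [("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", {"*"}),
                 ("DenyAllInBound", 65500, "Deny", "*", {"*"})]

def source_matches(source, addr):
    """Match a source ('*', the VirtualNetwork tag, or a subnet name) against an address."""
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return any(addr in net for net in SUBNETS.values())
    return addr in SUBNETS[source]

def evaluate(custom_rules, src_ip, dst_port):
    """First-match evaluation in ascending priority order, as Azure NSGs do."""
    addr = ip_address(src_ip)
    for name, _prio, access, source, ports in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r[1]):
        if source_matches(source, addr) and ("*" in ports or dst_port in ports):
            return access, name
    return "Deny", "implicit"

# Candidate rules for the database subnet NSG. The allow rules alone do not isolate
# the subnet: without an explicit DenyVnetInBound, the default AllowVnetInBound at
# priority 65000 still admits every other subnet on every port.
DB_NSG_INCOMPLETE = [("AllowSqlFromWeb", 100, "Allow", "web", {1433}),
                     ("AllowRdpFromMgmt", 110, "Allow", "management", {3389})]
DB_NSG_HARDENED = DB_NSG_INCOMPLETE + [("DenyVnetInBound", 4000, "Deny", "VirtualNetwork", {"*"})]

def isolation_report(nsg):
    """Decide the inter-subnet flows that SC-7 (21) separation implies for the database subnet."""
    flows = {"web->sql": ("10.0.1.10", 1433), "web->rdp": ("10.0.1.10", 3389),
             "mgmt->rdp": ("10.0.4.10", 3389), "ad->sql": ("10.0.3.10", 1433)}
    return {flow: evaluate(nsg, ip, port)[0] for flow, (ip, port) in flows.items()}

if __name__ == "__main__":
    for label, nsg in (("incomplete", DB_NSG_INCOMPLETE), ("hardened", DB_NSG_HARDENED)):
        print(label, isolation_report(nsg))
```

The same check applies to each of the web, Active Directory and management subnet NSGs: an allow list is only a restriction once a deny of the VirtualNetwork tag sits between it and the platform defaults.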
Can you provide the expectation from #29?