Research Segmentation: Technical Design & Implementation
Technical Approach
Option A: VLAN-Based Segmentation
| Component | Implementation |
|---|---|
| Default VLAN | Untrusted_Research (limited access) |
| ISE Policy | Authenticate → Authorize → Assign VLAN based on group |
| ACLs | Permit only required services per research function |
| Firewall | Inter-VLAN routing controlled at firewall |
Option B: TrustSec (SGT-Based)
| Component | Implementation |
|---|---|
| Security Group Tags | Assign SGT per research function/project |
| SGACL | Policy matrix defining allowed flows |
| Propagation | Inline tagging or SXP to network devices |
| Advantage | Topology-independent segmentation |
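A toy model of the two options, added here as an illustration and not part of the design document or any Cisco ISE/TrustSec tooling: group-to-VLAN assignment with an untrusted default (Option A) and a default-deny SGACL matrix evaluated over constructed sample flows (Option B). Group names, VLAN IDs, SGT names and the flows are all assumed values.

```python
"""Model of the research segmentation options (constructed example, not ISE code)."""

# Option A: ISE authorization result is a VLAN chosen from the endpoint's group
# membership; anything that matches no research group lands in Untrusted_Research.
GROUP_TO_VLAN = {"research-genomics": 110, "research-imaging": 120, "research-storage": 130}
UNTRUSTED_RESEARCH_VLAN = 199  # assumed ID for the default VLAN


def assign_vlan(groups):
    """Return the VLAN for the first matching research group, else the untrusted VLAN."""
    for group in groups:
        if group in GROUP_TO_VLAN:
            return GROUP_TO_VLAN[group]
    return UNTRUSTED_RESEARCH_VLAN


# Option B: one SGT per research function; the SGACL matrix lists the permitted
# (protocol, port) pairs per (source SGT, destination SGT) cell. A missing or empty
# cell means deny, so the matrix is least-privilege by construction.
GROUP_TO_SGT = {"research-genomics": "Genomics", "research-imaging": "Imaging",
                "research-storage": "Storage"}
SGACL = {
    ("Genomics", "Storage"): {("tcp", 445), ("tcp", 2049)},  # SMB and NFS to storage
    ("Imaging", "Storage"): {("tcp", 445)},                  # SMB only
    ("Genomics", "Imaging"): set(),                          # explicit deny cell
}


def sgacl_permits(src_sgt, dst_sgt, proto, port):
    """Default-deny lookup; direction matters, so Storage->Genomics is not implied."""
    return (proto, port) in SGACL.get((src_sgt, dst_sgt), set())


def audit_flows(flows):
    """Classify observed flows (src_group, dst_group, proto, port) as permit/deny.

    Useful for the Phase 1 access mapping and the Phase 3 pilot monitoring: any
    legitimate flow that comes back 'deny' is a policy gap to fix before rollout.
    """
    results = []
    for src_group, dst_group, proto, port in flows:
        src_sgt = GROUP_TO_SGT.get(src_group, "Untrusted")
        dst_sgt = GROUP_TO_SGT.get(dst_group, "Untrusted")
        verdict = "permit" if sgacl_permits(src_sgt, dst_sgt, proto, port) else "deny"
        results.append(((src_sgt, dst_sgt, proto, port), verdict))
    return results
```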
Scope
In Scope
- Research department endpoints (workstations, servers)
- Lab equipment with network connectivity
- Research data storage access
- External collaboration access
Out of Scope (Phase 1)
- Clinical systems (separate project)
- Guest/visitor access
- IoT/medical devices
Implementation Phases
Phase 1: Assessment (Blocked)
- CISO approval - awaiting decision
- Inventory all research endpoints
- Map current access patterns
- Identify critical dependencies
Phase 2: Design
- Define trust zones and boundaries
- Create VLAN/SGT architecture
- Design ISE policies
- Plan rollback strategy
Phase 3: Pilot
- Select pilot group (single research team)
- Deploy segmentation policies
- Monitor for access issues
- Refine policies based on feedback
Phase 4: Rollout
- Phased deployment by research area
- Communication plan for users
- Support escalation procedures
- Post-implementation review