NIST has published Special Publication (SP) 800-215, Guide to a Secure Enterprise Network Landscape.
Access to multiple cloud services (e.g., IaaS, SaaS), the geographic spread of enterprise Information Technology (IT) resources (including multiple data centers and multiple branch offices), and the emergence of highly distributed loosely coupled microservices-based applications (as opposed to monolithic ones) have significantly altered the enterprise network landscape. This transformation has the following security impacts: (a) disappearance of the concept of a perimeter associated with the enterprise network, (b) an increase in attack surfaces due to the sheer multiplicity of IT resource components (e.g., computing, networking, and storage), and (c) the ability of attackers to escalate sophisticated attacks across several network boundaries by leveraging extensive connectivity features within and across the individual network segments.
NIST SP 800-215 provides guidance from a secure operations perspective. It examines the security limitations of current network access solutions (e.g., VPNs) to the enterprise network as well as point security solutions with traditional network appliances with enhanced features (e.g., firewalls, CASB for cloud access), including the usage of network visibility, monitoring, and provisioning tools. This document also discusses emerging network configurations that each address a specific security function (e.g., application/services security, cloud services access security, device or endpoint security) and security frameworks, such as zero trust network access (ZTNA), microsegmentation, and SDP that combine these individual configurations. Additionally, the document highlights cloud-based WAN infrastructures, such as SASE with widespread point of presence (PoP), that combine use of the latest WAN technologies (e.g., SD-WAN) with a comprehensive set of security services.