
Achieving ISO/IEC 27001 compliance with Enclave

Enclave is a software-based network security solution that facilitates secure and easy connectivity between devices, regardless of their location. Enclave can contribute to ISO 27001 compliance by helping organizations address several requirements related to information security and network controls.

Here's how Enclave maps to ISO 27001 and can help customers meet compliance requirements:

Key:

  • Enclave is not relevant to this control
  • Enclave helps you to meet this control
  • Enclave meets this control

ISO 27001 Controls

A.5 - Information Security Policies

A.5.1.1 - Policies for Information Security

A.5.1.2 - Review of the policies for information security

A.6 - Organization of Information Security

A.6.1.1 - Policies for Information Security

A.6.1.2 - Review of the policies for information security

A.6.1.3 - Policies for Information Security

A.6.1.4 - Review of the policies for information security

A.6.2.1 - Mobile device policy

A.6.2.2 - Teleworking

A.7 - Human Resource Security

A.7.1.1 - Screening

A.7.1.2 - Terms and conditions of employment

A.7.2.1 - Management responsibilities

A.7.2.2 - Information security awareness, education and training

A.7.2.3 - Disciplinary process

A.7.3.1 - Termination or change of employment responsibilities

A.8 - Asset Management

A.8.1.1 - Inventory of assets

A.8.1.2 - Ownership of assets

A.8.1.3 - Acceptable use of assets

A.8.1.4 - Return of assets

A.8.2.1 - Classification of information

A.8.2.2 - Labelling of information

A.8.2.3 - Handling of assets

A.8.3.1 - Management of removable media

A.8.3.2 - Disposal of media

A.8.3.3 - Physical media transfer

A.9 - Access control

Enclave allows organizations to control access to their network resources by providing a secure way for authorized users to connect to internal systems and data. This helps organizations implement and enforce access control policies, ensuring that only authorized individuals can access sensitive information.

A.9.1.1 - Access control policy

A.9.1.2 - Access to networks and network services

📖 Requirement: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

Enclave enables customers to meet this requirement in the following ways:

  • Principle of least privilege: Enclave connects team members, services and workloads without the need to configure an internal network; its access control lists and policies ensure that systems, devices and users get only the level of access they need.

  • Prevent lateral movement: Enclave uses a Zero Trust security model that helps prevent lateral movement within a network. Unlike traditional VPNs, which give users access to everything within the network and route client traffic through a central server, Enclave connects users and services using end-to-end encrypted mesh connections, removing the need for a central server. Devices form direct peer-to-peer connections in a mesh network using direct IP-based connectivity, and centrally controlled packet filters on each node help prevent lateral movement. Each system in an Enclave network has its own centrally configured firewall, and rich policy tooling allows you to limit which users, devices and applications can connect to each other on the network.

  • Centralized access management: Enclave supports access policies that define who can access specific resources within the network. By using these policies, organizations can control access to various services and data based on job roles and responsibilities.

  • Segmented and isolated networks: Enclave allows organizations to create isolated networks or segments based on different teams, departments, or projects. This segmentation ensures that access to sensitive resources is restricted to authorized individuals and teams, aligning with the principle of least privilege.

  • Zero Trust architecture: Enclave follows a zero-trust networking model, which means that devices and users are not automatically trusted based on their location within the network. Instead, access is granted based on identity and other factors, enhancing security.

  • Encryption and secure channels: Enclave uses strong encryption for communication between devices, ensuring that network traffic remains confidential and secure. This helps prevent unauthorized access to sensitive data.

A.9.2.1 - User registration and de-registration

A.9.2.2 - User access provisioning

A.9.2.3 - Management of privileged access rights

A.9.2.4 - Management of secret authentication information of users

A.9.2.5 - Review of user access rights

📖 Requirement: Asset owners shall review users' access rights at regular intervals.

While Enclave can't directly review user access rights, it can integrate with Identity Management platforms like Azure Active Directory (AAD) to help maintain a single view of an identity and their access.

Enclave also provides logging and monitoring capabilities, which can aid in tracking user and device activities on the network, providing tooling to help organisations to meet this requirement.

A.9.2.6 - Removal or adjustment of access rights

📖 Requirement: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

While Enclave can't remove or adjust the access rights in other products and services, it can enforce hard limits and restrict access to those applications and workloads.

  • Centralized Access Management: Enclave allows administrators to manage user access and permissions centrally through a dashboard. When an employee changes roles or leaves the organization, administrators can quickly adjust access rights by adding or removing users and devices from the Enclave network with a single administrative action or API call. If an employee leaves the organization or changes roles, administrators can revoke access to the Enclave network immediately.

  • Access Policies: Enclave can also be automatically configured to remove access at a future date when an initial access is provisioned using auto-expiring policies. This prevents former employees, contractors or third parties from retaining access to sensitive resources.

A.9.3.1 - User responsibilities

A.9.4.1 - Information access restriction

A.9.4.2 - Secure log-on procedure

A.9.4.3 - Password management system

A.9.4.4 - Use of privileged utility programs

A.9.4.5 - Access control to program source code

A.10 - Cryptography

Enclave provides a secure overlay network that uses strong encryption and secure communication protocols to protect data in transit, allowing organisations to unify private network access across north-south, east-west and serverless traffic into a single network backplane and to apply a single, consistent set of security controls regardless of where the device or workload is.

A.10.1.1 - Policy on the use of cryptographic controls

📖 Requirement: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

While Enclave does not directly create policies, it can help organizations use cryptography effectively to establish secure communication channels between devices, even over untrusted networks, and contributes to the protection of data against interception and tampering.

A.10.1.2 - Key management

📖 Requirement: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

While Enclave does not directly create policies and may only be a part of your overall key management activities, it uses encryption mechanisms whose cryptographic keys are generated using strong, industry-recognized algorithms and practices. Cryptographic keys are fully managed by Enclave; administrative users have no key material to manage, rotate or handle.

  • Message Signing: Signatures are generated using the Ed25519 EdDSA algorithm. The 512-bit private keys for a given certificate are generated locally on the agent and never leave the device. Endpoints retain complete sovereignty over their Enclave private key material.

  • Key Exchange: Every time a tunnel comes up between two peers, we use the Curve25519 ECDHE key agreement algorithm to generate brand new per-session keys, providing perfect forward secrecy and ensuring that no other party can decrypt the data stream between the two peers. The Curve25519 algorithm provides a 256-bit shared secret, which is then expanded into two separate 256-bit secrets, one for each direction of transmission between peers.

  • Data in Transit Encryption: On platforms that support AES256 hardware acceleration (requires Intel SSSE3, aesni and pclmul instructions), tunnel encryption uses AES256-GCM AEAD with a 128-bit block size and a 96-bit counter nonce that is non-repeating and monotonically incrementing. We switch to a new key before reaching 2^36 bytes or 2^32 messages encrypted with the same key. On any platform that does not support hardware acceleration, we use ChaCha20-Poly1305 AEAD (ChaCha20-Poly1305-IETF) with a 512-bit block size and a 64-bit counter nonce that is non-repeating and monotonically incrementing. We switch to a new key before nonce re-use with the same key could occur.

See our Identity and Cryptography documentation and use of cryptographic algorithms summary table for more information.
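The per-session key exchange, directional key expansion and counter-nonce rekeying described in the Key Exchange and Data in Transit bullets above, as an added Go example (not Enclave's own code, which this page does not publish). It assumes a single-block HMAC-SHA256 expansion with direction labels as the KDF, uses only the AES-256-GCM path (the ChaCha20-Poly1305 fallback is omitted), and applies the page's 2^36-byte / 2^32-message limits to decide when a fresh ECDHE exchange is required.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const maxBytesPerKey, maxMessagesPerKey = uint64(1) << 36, uint64(1) << 32 // rekey limits from the page

type Session struct {
	sendAEAD, recvAEAD  cipher.AEAD
	sendSeq, recvSeq    uint64 // low 64 bits of the 96-bit counter nonce, only ever increasing
	sentBytes, sentMsgs uint64 // usage of the current send key, compared against the limits
}

// deriveAEAD: single-block HMAC-SHA256 expansion of the shared secret; the labels are this example's assumption, not Enclave's KDF.
func deriveAEAD(shared []byte, label string) cipher.AEAD {
	m := hmac.New(sha256.New, shared)
	m.Write([]byte(label + "\x01"))
	block, err := aes.NewCipher(m.Sum(nil)) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // unreachable: SHA-256 always yields a 32-byte key
	}
	aead, err := cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
	if err != nil {
		panic(err) // unreachable for an AES block cipher
	}
	return aead
}

// NewSession runs X25519 against the peer's ephemeral public key and derives one independent key per direction.
func NewSession(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey, initiator bool) (*Session, error) {
	shared, err := priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	send, recv := "initiator->responder", "responder->initiator"
	if !initiator {
		send, recv = recv, send
	}
	return &Session{sendAEAD: deriveAEAD(shared, send), recvAEAD: deriveAEAD(shared, recv)}, nil
}

// Seal encrypts one message as nonce || ciphertext || tag, refusing to exceed the key's usage limits.
func (s *Session) Seal(plaintext []byte) ([]byte, error) {
	if s.sentBytes >= maxBytesPerKey || s.sentMsgs >= maxMessagesPerKey {
		return nil, errors.New("key usage limit reached: run a fresh ECDHE exchange")
	}
	n := make([]byte, 12) // 32 zero bits followed by the 64-bit sequence number
	binary.BigEndian.PutUint64(n[4:], s.sendSeq)
	s.sendSeq, s.sentMsgs, s.sentBytes = s.sendSeq+1, s.sentMsgs+1, s.sentBytes+uint64(len(plaintext))
	return append(n, s.sendAEAD.Seal(nil, n, plaintext, nil)...), nil
}

// Open authenticates and decrypts a packet, rejecting any counter value already consumed (replay).
func (s *Session) Open(packet []byte) ([]byte, error) {
	if len(packet) < 12 || binary.BigEndian.Uint64(packet[4:12]) < s.recvSeq {
		return nil, errors.New("short packet or replayed nonce")
	}
	pt, err := s.recvAEAD.Open(nil, packet[:12], packet[12:], nil)
	if err == nil {
		s.recvSeq = binary.BigEndian.Uint64(packet[4:12]) + 1
	}
	return pt, err
}
```

Because the two directions use different keys, a packet an initiator sealed can never be opened with its own receive key, and a counter can only be accepted once per key.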

A.11 - Physical and Environmental Security

A.11.1.1 - Physical security perimeter

A.11.1.2 - Physical entry control

A.11.1.3 - Securing offices, rooms and facilities

A.11.1.4 - Protecting against external and environmental threats

A.11.1.5 - Working in secure areas

A.11.1.6 - Delivery and loading areas

A.11.2.1 - Equipment siting and protection

A.11.2.2 - Supporting utilities

A.11.2.3 - Cabling security

A.11.2.4 - Equipment maintenance

A.11.2.5 - Removal of assets

A.11.2.6 - Security of equipment and assets off-premises

A.11.2.7 - Secure disposal or re-use of equipment

A.11.2.8 - Unattended user equipment

A.11.2.9 - Clear desk and clear screen policy

A.12 - Operation Security

Enclave uses encryption to secure data transmitted between devices, making it a valuable tool for complying with encryption requirements. This includes encrypting data in transit and providing an additional layer of protection for sensitive information.

A.12.1.1 - Documented operating procedures

A.12.1.2 - Change management

A.12.1.3 - Capacity management

A.12.1.4 - Separation of development, testing and operational environments

📖 Requirement: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

While Enclave cannot create separate development, testing and operational environments, it can help you build and enforce network segmentation and isolation between them.

Enclave allows organizations to create isolated networks or segments based on different teams, departments, or projects. This segmentation ensures that access to sensitive resources is restricted to authorized individuals and teams, aligning with the principle of least privilege. This makes it easy to achieve and maintain network isolation and separation of development, testing and operational environments.

A.12.2.1 - Controls against malware

A.12.3.1 - Information backup

A.12.4.1 - Event logging

A.12.4.2 - Protection of log information

A.12.4.3 - Administrator and operator logs

A.12.4.4 - Clock synchronization

A.12.5.1 - Installation of software on operational systems

A.12.6.1 - Management of technical vulnerabilities

📖 Requirement: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

While Enclave can't mitigate technical vulnerabilities in other systems, it can help reduce your attack surface area and exposure to threat actors.

Using only outbound traffic, Enclave allows you to keep firewalls closed, darkening your network to discovery, targeting, and attack and helping to ensure:

  • Applications are hidden from discovery, so there is no public visibility.
  • Access is restricted via a trust broker.
  • The trust broker verifies the identity, context, and policy.
  • Lateral movement in the network is prohibited.
  • There is a reduced surface area available for attack.

Enclave uses NAT traversal and UDP and TCP hole punching to build peer-to-peer, end-to-end encrypted network connections between systems using only outbound traffic, so customers are able to close incoming firewall ports.

Traditionally, connecting systems which reside in discrete and isolated private networks separated by the public Internet relies on publicly accessible VPN servers, which are vulnerable to discovery, targeting and attack.

With Enclave, connectivity is established using outbound-only network traffic. By default, all systems are dark to the public Internet, behind closed firewalls with no knowledge of one another and no ability to communicate. Once policy is defined, members are introduced and must mutually authenticate using digital certificates. If successful, access is granted.

Enclave is also a software-only solution, making it easier to update and patch, which in turn helps you maintain the security of your network infrastructure.

A.13 - Communication Security

Enclave enables secure remote access to internal resources, which aligns with the need for organizations to provide remote access while maintaining security controls. Enclave's approach can help organizations avoid less secure methods of remote access, such as exposing services directly to the public internet.

A.13.1.1 - Network controls

📖 Requirement: Networks shall be managed and controlled to protect information in systems and applications.

Enclave enables customers to meet this requirement in the following ways:

  • Centralized Access Management: Enclave allows administrators to manage user access and permissions centrally through a dashboard using identity-based access controls, meaning that users are authenticated and authorized based on their identities, ensuring that only the right user gets access to the right network services they are authorized to use, at the right time.

  • Zero Trust Networking: Enclave employs a zero-trust networking model, where access to resources is not implicitly trusted based on network location, minimizing trust assumptions, and verifying access regardless of where the user or device is connecting from.

  • Change-free private access: Enclave is a pure software solution which builds peer-to-peer virtual overlay mesh networks. It can also be deployed without changes to existing networks or infrastructure and without the installation of additional hardware. Private access can be dynamically reconfigured in policy without needing to change the underlying firewalls, IP addresses, subnets, ACLs or NSGs, VPCs, VPNs, VLANs, NAT, routing tables or DNS.

  • Self-documenting networks: When Enclave is used to unify all private access across north-south, east-west and serverless traffic patterns into a single network backplane, with a consistent set of security controls regardless of where the device or workload is, and combined with change-free private access, the network becomes fully self-documenting according to the defined policy. This avoids the need to manually maintain formal documentation to meet this group of control requirements.

  • Segmented and isolated networks: Enclave allows organizations to create isolated networks or segments based on different teams, departments, or projects. This segmentation ensures that access to sensitive resources is restricted to authorized individuals and teams, aligning with the principle of least privilege.

A.13.1.2 - Security of network services

📖 Requirement: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

While Enclave can't make security guarantees about the availability of physical underlay networks and public Internet, it can offer much higher availability than traditional VPN servers because of its decentralised peer-to-peer architecture, which is resilient to centralised points of failure.

The core technology difference of Enclave is that devices talk directly to one another, which is different from a client-server model where machines talk through VPN servers (or concentrators). It's a big distinction, as the old model creates lots of management overhead that's surprisingly difficult to secure using traditional technologies.

Enclave moves network traffic into a peer-to-peer overlay mesh and wraps it with centralised management and security controls. With Enclave, the network looks the way your business looks, and security controls are self-documenting and easy to reason about.

The Cloud-delivered Enclave management platform is not tightly coupled to the availability of endpoint connectivity, and users can expect dramatically higher uptime with Enclave than traditional hub-and-spoke VPN servers. Read more about how we approach availability.

A.13.1.3 - Segregation in networks

📖 Requirement: Groups of information services, users and information systems shall be segregated on networks.

Enclave enables customers to meet this requirement in the following ways:

  • Segmented and isolated networks: Enclave allows organizations to create isolated networks or segments based on different teams, departments, or projects. This segmentation ensures that access to sensitive resources is restricted to authorized individuals and teams, aligning with the principle of least privilege.

  • Zero Trust Networking: Enclave employs a zero-trust networking model, where access to resources is not implicitly trusted based on network location, minimizing trust assumptions, and verifying access regardless of where the user or device is connecting from.

  • Centralized Access Management: Enclave allows administrators to manage user access and permissions centrally through a dashboard using identity-based access controls, meaning that users are authenticated and authorized based on their identities, ensuring that only the right user gets access to the right network services they are authorized to use, at the right time.

A.13.2.1 - Information transfer policies and procedures

A.13.2.2 - Agreements on information transfer

A.13.2.3 - Electronic messaging

A.13.2.4 - Confidentiality or non-disclosure agreements

A.14 - System acquisition, development and maintenance

A.14.1.1 - Information security requirements analysis and specification

A.14.1.2 - Securing application services on public networks

A.14.1.3 - Protecting application services transactions

A.14.2.1 - Secure development policy

A.14.2.2 - System changes control procedures

A.14.2.3 - Technical review of applications after operating platform changes

A.14.2.4 - Restrictions on changes to software packages

A.14.2.5 - Secure system engineering principles

A.14.2.6 - Secure development environment

A.14.2.7 - Outsourced development

A.14.2.8 - System security testing

A.14.2.9 - System acceptance testing

A.14.3.1 - Protection of test data

A.15 - Supplier Relationships

A.15.1.1 - Information security policy for supplier relationships

A.15.1.2 - Addressing security within supplier agreements

A.15.1.3 - Information and communications technology supply chain

A.15.2.1 - Monitoring and review of supplier services

A.15.2.2 - Managing changes to supplier services

A.16 - Information security incident management

A.16.1.1 - Responsibilities and procedures

A.16.1.2 - Reporting information security events

📖 Requirement: Information security events shall be reported through appropriate management channels as quickly as possible.

Network flow metadata exports with SIEM integration can help get security events related to network access routed directly to the appropriate channels.

A.16.1.3 - Reporting information security weaknesses

A.16.1.4 - Assessment of and decision on information security events

A.16.1.5 - Response to information security incidents

📖 Requirement: Information security incidents shall be responded to in accordance with the documented procedures.

While Enclave can't respond directly to security incidents, it can help administrators quickly take steps to contain and isolate affected devices.

  • Isolation of affected devices: Enclave's network segmentation allows organizations to isolate affected devices from the rest of the network to prevent the incident from spreading further.

  • Logging and auditing: Enclave offers logging features which can assist in detecting unusual or suspicious activities that could indicate an ongoing security incident.

  • Response coordination: Enclave's centralized management and access control can help in coordinating incident response by allowing administrators to quickly make changes across the network.

  • Out of band communication: Enclave can facilitate secure communication among incident response teams, ensuring that critical information is shared while maintaining confidentiality.

  • Containment: Enclave's features, like remote device management and access control, aid in containing incidents by isolating affected devices and restricting unauthorized access.

A.16.1.6 - Learning from information security incidents

A.16.1.7 - Collection of evidence

A.17 - Information Security Aspects of Business Continuity Management

A.17.1.1 - Planning information security continuity

A.17.1.2 - Implementing information security continuity

A.17.1.3 - Verify, review, and evaluate information security continuity

A.17.2.1 - Availability of information processing facilities

A.18 - Compliance

A.18.1.1 - Identification of applicable legislation and contractual requirements

A.18.1.2 - Intellectual property rights

A.18.1.3 - Protection of records

A.18.1.4 - Privacy and protection of personally identifiable information

A.18.1.5 - Regulation of cryptographic controls

A.18.2.1 - Independent review of information security

A.18.2.2 - Compliance with security policies and standards

A.18.2.3 - Technical compliance review


Last updated Feb 19, 2024