Network Segmentation for Financial Services

Financial services organizations face stringent regulatory requirements and sophisticated threat actors. Network segmentation provides a critical security control, limiting lateral movement and containing potential breaches. This guide examines segmentation strategies specifically designed for financial institutions.

APRA CPS 234 Requirements

APRA CPS 234 requires financial institutions to maintain information security capabilities commensurate with information asset criticality. Network segmentation supports multiple CPS 234 requirements including information asset protection, access controls, and incident response capabilities.

Segmentation Architecture Design

Design network segments aligned with data classification and business functions. Separate payment processing, customer data, internal operations, and development environments. Implement DMZs for internet-facing services and isolated segments for high-value assets.

  • Payment processing isolation
  • Customer data segregation
  • DMZ for external-facing services
  • Separate development/test/production
  • Administrative network isolation

East-West Traffic Controls

Traditional north-south firewalls at the perimeter do not address lateral movement within the network. Implement internal segmentation firewalls (ISFWs) or next-generation firewalls (NGFWs) to control east-west traffic between segments, and define and enforce explicit segment-to-segment access policies.

Micro-Segmentation for Critical Applications

High-value applications require micro-segmentation, which provides application-level isolation. Use software-defined networking (SDN) or host-based firewalls to create fine-grained security zones, and implement default-deny policies that allow only the communications each application requires.
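As an added example (not code from the article), the following Python model expresses the default-deny, segment-to-segment policy described in the two sections above and evaluates constructed flow records against it, flagging east-west traffic the policy would deny. Segment names follow the article; the address ranges, ports and sample flows are assumptions.

```python
import ipaddress
# Constructed example: segment address ranges are assumptions, not from the article.
SEGMENTS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "dmz": "10.10.0.0/24", "payment": "10.20.0.0/24",
    "customer_data": "10.30.0.0/24", "internal_ops": "10.40.0.0/24",
    "dev": "10.50.0.0/24", "admin": "10.90.0.0/24",
}.items()}

# Allowlist of (src_segment, dst_segment, proto, dst_port); any inter-segment flow not listed is denied.
ALLOW = {
    ("dmz", "payment", "tcp", 8443),            # web tier -> payment API
    ("payment", "customer_data", "tcp", 5432),  # payment -> customer database
    ("admin", "payment", "tcp", 22),            # PAM jump host -> payment admin
    ("admin", "customer_data", "tcp", 22),      # PAM jump host -> database admin
}

def segment_of(ip):
    """Map an address to its segment name, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def evaluate(src_ip, dst_ip, proto, dst_port):
    """Return (verdict, reason) for one flow under the default-deny policy."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside any defined segment"
    if src == dst:
        return "allow", f"intra-{src} flow (host-based policy applies)"
    if (src, dst, proto.lower(), dst_port) in ALLOW:
        return "allow", f"{src}->{dst} {proto}/{dst_port} is allowlisted"
    return "deny", f"{src}->{dst} {proto}/{dst_port} not in allowlist"

def audit(flow_lines):
    """Evaluate 'src dst proto dst_port' records; return denied flows with reasons."""
    denied = []
    for line in flow_lines:
        src_ip, dst_ip, proto, port = line.split()
        verdict, reason = evaluate(src_ip, dst_ip, proto, int(port))
        if verdict == "deny":
            denied.append((line, reason))
    return denied

# Constructed flow records (src dst proto dst_port), as a flow collector might export them.
SAMPLE_FLOWS = [
    "10.10.0.5 10.20.0.10 tcp 8443",   # allowed: DMZ web tier to payment API
    "10.50.0.7 10.30.0.20 tcp 5432",   # denied: dev host reaching the production customer database
    "10.40.0.9 10.20.0.10 tcp 22",     # denied: SSH into payment that bypasses the PAM jump host
    "192.0.2.44 10.30.0.20 tcp 5432",  # denied: source outside any defined segment
]
```

Running `audit(SAMPLE_FLOWS)` returns the three denied records with their reasons; the same check can be run over real flow exports to find traffic that the segmentation policy has not yet been enforced against.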

Third-Party and Vendor Access

Third-party access represents significant risk for financial institutions. Create dedicated segments for vendor access with strict controls. Implement privileged access management (PAM) for vendor administrators and monitor all third-party activities.

Conclusion

Network segmentation is essential for financial services security and regulatory compliance. Well-designed segmentation limits breach impact, supports forensic investigation, and demonstrates security control maturity to regulators. Success requires careful planning, proper implementation, and ongoing policy refinement as threats and business requirements evolve.

Tags: Segmentation, Financial, Compliance
