Regulatory frameworks treat segmentation as the practical way to meet their access-restriction requirements, and in some cases they test it directly. PCI DSS, HIPAA, and NIST SP 800-171 all expect regulated data to sit behind enforced boundaries so that unauthorized access is blocked and the assessment scope stays manageable.
PCI DSS does not literally mandate segmentation, but without it every connected system is in scope. If the cardholder data environment (CDE) is isolated by enforced network controls, the assessment is limited to the CDE and the systems that connect to it, and that saves enormous amounts of time and money. When segmentation is relied on to reduce scope, PCI DSS also requires the segmentation controls to be penetration-tested periodically and after changes, so the isolation has to be demonstrable, not just drawn.
💡 Pro-tip: Use network diagrams and data-flow diagrams as the primary artifacts for auditors, backed by the actual firewall rule set and the results of the segmentation test. If you cannot show, rule by rule and scan by scan, that out-of-scope segments are blocked from the CDE, the auditor will assume the entire network is in scope.
This scan, in which every port on the CDE (10.0.50.0/24) is reported as filtered, shows that the scanner's vantage point is blocked at the boundary. That is evidence for the auditor, not proof on its own: repeat it from every segment claimed to be out of scope, and treat a 'closed' result as a failure, because a RST reply means the probe reached the host and only the service was absent.
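To turn that scan into a repeatable check, the following script (an added example, not part of the original lab) parses Nmap XML output (`-oX`) and reports every CDE host that answered with anything other than `filtered`. The XML sample is constructed for the example, and the `10.0.50.0/24` CDE range is the one used above; the same check applies to the ePHI or CUI hosts discussed below, by scanning from a user workstation VLAN and pointing the script at the database subnet.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed Nmap XML for the example (not real scan output). Three CDE hosts and
# one host outside the CDE; one CDE host leaks a 'closed' (RST) and one an 'open' port.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sS -p 22,443,1433,3389 -oX - 10.0.50.10-12 10.0.20.5">
<host><status state="up" reason="user-set"/>
<address addr="10.0.50.10" addrtype="ipv4"/>
<ports><extraports state="filtered" count="4"/></ports></host>
<host><status state="up" reason="user-set"/>
<address addr="10.0.50.11" addrtype="ipv4"/>
<ports><extraports state="filtered" count="3"/>
<port protocol="tcp" portid="1433"><state state="closed" reason="reset" reason_ttl="63"/></port>
</ports></host>
<host><status state="up" reason="user-set"/>
<address addr="10.0.50.12" addrtype="ipv4"/>
<ports><extraports state="filtered" count="3"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/></port>
</ports></host>
<host><status state="up" reason="user-set"/>
<address addr="10.0.20.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/></port></ports></host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return {addr: [(port, proto, state, reason), ...]} for each IPv4 host.

    Nmap folds the most common port state into <extraports>; only ports in other
    states get their own <port> element. An <extraports> that is not 'filtered'
    is recorded as a wildcard entry so it is never silently ignored.
    """
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        entries = []
        ports = host.find("ports")
        if ports is not None:
            for extra in ports.findall("extraports"):
                if extra.get("state") != "filtered":
                    entries.append(("*", "*", extra.get("state"), f"{extra.get('count')} ports"))
            for port in ports.findall("port"):
                st = port.find("state")
                entries.append((int(port.get("portid")), port.get("protocol"),
                                st.get("state"), st.get("reason", "")))
        hosts[addr_el.get("addr")] = entries
    return hosts


def cde_hosts_scanned(xml_text, cde_cidr):
    """Number of scanned hosts inside the CDE range (an empty scan proves nothing)."""
    net = ipaddress.ip_network(cde_cidr)
    return sum(1 for a in parse_scan(xml_text) if ipaddress.ip_address(a) in net)


def segmentation_findings(xml_text, cde_cidr):
    """CDE hosts with any port state other than 'filtered'.

    'closed' counts as a finding: the RST proves the probe crossed the boundary.
    Hosts outside cde_cidr are ignored; they are not the segment under test.
    """
    net = ipaddress.ip_network(cde_cidr)
    findings = {}
    for addr, entries in parse_scan(xml_text).items():
        if ipaddress.ip_address(addr) not in net:
            continue
        reachable = [e for e in entries if e[2] != "filtered"]
        if reachable:
            findings[addr] = reachable
    return findings


def is_isolated(xml_text, cde_cidr):
    """True only if at least one CDE host was scanned and none were reachable."""
    return cde_hosts_scanned(xml_text, cde_cidr) > 0 and not segmentation_findings(xml_text, cde_cidr)


if __name__ == "__main__":
    cidr = "10.0.50.0/24"
    print(f"CDE hosts scanned: {cde_hosts_scanned(SAMPLE_NMAP_XML, cidr)}")
    for addr, hits in segmentation_findings(SAMPLE_NMAP_XML, cidr).items():
        for port, proto, state, reason in hits:
            print(f"FINDING {addr} {proto}/{port} state={state} reason={reason}")
    print("isolated" if is_isolated(SAMPLE_NMAP_XML, cidr) else "NOT isolated")
```

Feed it real output from `nmap -Pn -sS -p- -oX scan.xml 10.0.50.0/24` run from each out-of-scope segment. `-Pn` matters: without it Nmap skips hosts that do not answer ping, and a filtered CDE host is supposed to not answer, so the XML would contain no evidence at all.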
The HIPAA Security Rule requires access controls and audit controls around ePHI (electronic Protected Health Information); isolating the systems that store or process it is the standard way to satisfy both. NIST SP 800-171 protects Controlled Unclassified Information (CUI) in non-federal systems and calls for boundary protection at external and key internal boundaries together with FIPS-validated cryptography for CUI in transit and at rest.
⚠️ 'Flat networks' make compliance very hard to demonstrate. If a single user workstation can reach the listening port of a database holding CUI or ePHI without passing through a documented, logged firewall rule, every system on that network is in scope and you have no evidence that access is restricted to those who need it.
| Framework | Protected data | Key segmentation-related requirement |
|---|---|---|
| PCI DSS | Cardholder data | Isolate the CDE to limit scope; test the segmentation controls |
| HIPAA | Health (ePHI) | Access controls + audit logs around ePHI systems |
| NIST SP 800-171 | CUI | Boundary protection + FIPS-validated cryptography |