Defined Approach Requirements
2.2.3 Primary functions requiring different security levels are managed as follows:
- Only one primary function exists on a system component, OR
- Primary functions with differing security levels that exist on the same system component are isolated from each other, OR
- Primary functions with differing security levels on the same system component are all secured to the level required by the function with the highest security need.
Defined Approach Testing Procedures
2.2.3.a Examine system configuration standards to verify they include managing primary functions requiring different security levels as specified in this requirement.
2.2.3.c Where virtualization technologies are used, examine the system configurations to verify that system functions requiring different security levels are managed in one of the following ways:
- Functions with differing security needs do not co-exist on the same system component.
- Functions with differing security needs that exist on the same system component are isolated from each other.
- Functions with differing security needs on the same system component are all secured to the level required by the function with the highest security need.
Purpose
Systems containing a combination of services, protocols, and daemons for their primary function will have a security profile appropriate to allow that function to operate effectively. For example, systems that need to be directly connected to the Internet would have a particular profile, like a DNS server, web server, or an e-commerce server. Conversely, other system components may operate a primary function comprising a different set of services, protocols, and daemons that perform functions that an entity does not want exposed to the Internet. This requirement aims to ensure that different functions do not impact the security profiles of other services in a way which may cause them to operate at a higher or lower security level.
Good Practice
Ideally, each primary function should be placed on its own system component. This can be achieved by implementing only one primary function on each system component. Another option is to isolate primary functions that have different security levels but share a system component, for example, isolating web servers (which need to be directly connected to the Internet) from application and database servers.
A system component with multiple primary functions could be a web server that also has an FTP daemon to conduct regular updates. These services have different security profiles and, if not properly secured, the FTP daemon could be used to compromise the web server. In this case, the FTP daemon should be secured to the level of the web server, or the FTP daemon should be removed, or the web server and FTP server should be separated into different system components.
Where virtualization technologies are used, ensuring that system functions with differing security needs that exist on the same system component are isolated from each other may be achieved via the use of virtual machines, containers, or other logical separation that provides isolation equivalent to separate physical systems.
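The FTP-daemon-on-a-web-server scenario above is the kind of thing an assessor checks by comparing what is actually listening on a component against the functions approved for that component's role. The following script is an added example, not part of the PCI DSS text: it parses constructed `ss -tlnp` output from a hypothetical web server and flags any listener that is not in the role's approved set, so a stray vsftpd shows up as a finding while the approved nginx and management sshd listeners do not. The role-to-listener policy and the sample output are both assumptions made for illustration; a real policy would come from the entity's own configuration standards.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output from a hypothetical web server
# (not captured from a real system). nginx is the approved primary
# function, sshd is permitted management access bound to loopback, and
# vsftpd is an FTP daemon that should not be co-hosted with the web server.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=812,fd=6))
LISTEN 0      511             [::]:80            [::]:*     users:(("nginx",pid=812,fd=7))
LISTEN 0      32           0.0.0.0:21         0.0.0.0:*     users:(("vsftpd",pid=1041,fd=3))
LISTEN 0      128          127.0.0.1:22       0.0.0.0:*     users:(("sshd",pid=640,fd=3))
"""

# Hypothetical policy: approved (process, port) listeners per component role.
# In practice this is derived from the entity's configuration standards.
APPROVED_LISTENERS = {
    "web": {("nginx", 80), ("nginx", 443), ("sshd", 22)},
    "dns": {("named", 53), ("sshd", 22)},
}


@dataclass(frozen=True)
class Listener:
    process: str
    address: str
    port: int

    @property
    def internet_facing(self) -> bool:
        # Bound to all interfaces rather than to loopback only.
        return self.address in ("0.0.0.0", "[::]", "*")


_PROC_RE = re.compile(r'\("([^"]+)"')


def parse_ss_listeners(text: str) -> list[Listener]:
    """Turn `ss -tlnp` output into Listener records (header line skipped)."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        # Local address is field 3; the port follows the last ':' so that
        # IPv6 forms such as [::]:80 split correctly.
        address, port = fields[3].rsplit(":", 1)
        match = _PROC_RE.search(" ".join(fields[5:]))
        process = match.group(1) if match else "?"
        listeners.append(Listener(process, address, int(port)))
    return listeners


def find_violations(listeners: list[Listener], role: str) -> list[Listener]:
    """Return listeners that are not part of the role's approved function set."""
    allowed = APPROVED_LISTENERS[role]
    return [l for l in listeners if (l.process, l.port) not in allowed]


def report(listeners: list[Listener], role: str) -> list[str]:
    """Human-readable findings, with exposure noted for each violation."""
    lines = []
    for l in find_violations(listeners, role):
        exposure = "exposed on all interfaces" if l.internet_facing else "loopback only"
        lines.append(
            f"{l.process} listening on {l.address}:{l.port} is not an approved "
            f"function for role '{role}' ({exposure}); remove it, move it to a "
            f"separate component, or secure it to the web server's level"
        )
    return lines


if __name__ == "__main__":
    for finding in report(parse_ss_listeners(SAMPLE_SS_OUTPUT), "web"):
        print(finding)
```

Run it against real `ss -tlnp` output by piping the command's output into `parse_ss_listeners`; an empty finding list is the evidence that the component hosts only its approved function, and a non-empty list is the list of services that must be removed, separated, or hardened to the highest co-hosted security level.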
Purpose
Maintain accurate system component inventory.
What's Required for Compliance
- Document all in-scope system components
- Update inventory promptly after changes
Compliance Strategies
- Automated discovery tools (Lansweeper, Nessus)
- CMDB integration
- Cloud asset management (AWS Config, Azure Inventory)
Typical Policies and Procedures
- Asset Management Policy
- Change Control Procedure
Common Pitfalls and Failures
- Shadow IT systems
- Unmanaged cloud instances
Type
Process Control
Difficulty
Moderate
Key Risks
- Unknown attack surface
Product and Vendor Recommendations
- ServiceNow CMDB
- AWS Systems Manager Inventory
Eligible SAQ
- SAQ-A
- SAQ-A-EP
- SAQ-B-IP
- SAQ-C
- SAQ-C-VT
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER