Anthropic-Cybersecurity-Skills/skills/configuring-microsegmentation-for-zero-trust/references/workflows.md

# Microsegmentation Implementation Workflows

## Workflow 1: Microsegmentation Deployment Lifecycle

```
┌──────────────────────┐
│ 1. Discovery          │
│ - Deploy agents       │
│ - Collect traffic     │
│   telemetry (2-4 wks)│
│ - Build flow map      │
└──────────┬───────────┘
           v
┌──────────────────────┐
│ 2. Classification     │
│ - Assign workload     │
│   labels (role, app,  │
│   env, location)      │
│ - Validate with CMDB  │
│ - Group by app tier   │
└──────────┬───────────┘
           v
┌──────────────────────┐
│ 3. Policy Design      │
│ - Define zones        │
│ - Create allow-list   │
│   rules per app       │
│ - Set default-deny    │
│ - Document exceptions │
└──────────┬───────────┘
           v
┌──────────────────────┐
│ 4. Test Mode          │
│ - Enable policies in  │
│   visibility mode     │
│ - Monitor would-block │
│   events (1-2 weeks)  │
│ - Refine rules        │
└──────────┬───────────┘
           v
┌──────────────────────┐
│ 5. Enforcement        │
│ - Enforce per-app,    │
│   starting low-risk   │
│ - Monitor 24-48 hrs   │
│ - Proceed to next app │
└──────────┬───────────┘
           v
┌──────────────────────┐
│ 6. Continuous Ops     │
│ - Weekly violation    │
│   review              │
│ - Quarterly audits    │
│ - CI/CD integration   │
│ - Incident response   │
└──────────────────────┘
```

## Workflow 2: Policy Creation Flow

```
Identify Application
    │
    v
┌─────────────────────┐
│ Map Dependencies     │
│ - Inbound sources    │
│ - Outbound targets   │
│ - Ports/protocols    │
│ - Process names      │
└──────────┬──────────┘
           v
┌─────────────────────┐
│ Define Labels        │
│ Role: web/app/db     │
│ App: erp/crm/hr      │
│ Env: prod/dev/stg    │
│ Loc: dc1/aws/azure   │
└──────────┬──────────┘
           v
┌─────────────────────┐
│ Create Rules         │
│ Allow: web→app:8080  │
│ Allow: app→db:3306   │
│ Allow: mon→all:9090  │
│ Deny: all other      │
└──────────┬──────────┘
           v
┌─────────────────────┐
│ Test and Validate    │
│ - Simulate in test   │
│ - Check flow map     │
│ - App owner sign-off │
└──────────┬──────────┘
           v
┌─────────────────────┐
│ Enforce and Monitor  │
│ - Switch to enforce  │
│ - Alert on violations│
│ - Log to SIEM        │
└─────────────────────┘
```

## Workflow 3: Ring-Fencing Critical Assets

```
Identify Critical Asset (e.g., PCI CDE Database)
    │
    v
┌──────────────────────────────────────┐
│ 1. Baseline Traffic                   │
│ - Observe all inbound/outbound flows │
│ - Document legitimate connections    │
│ - Identify unnecessary connections   │
└──────────────┬───────────────────────┘
               v
┌──────────────────────────────────────┐
│ 2. Define Ring-Fence Rules            │
│ - Allow: app-server → db:5432        │
│ - Allow: backup-agent → db:5432      │
│ - Allow: monitoring → db:9100        │
│ - Deny: ALL other inbound            │
│ - Deny: ALL outbound (except DNS,NTP)│
└──────────────┬───────────────────────┘
               v
┌──────────────────────────────────────┐
│ 3. Test with Production Traffic       │
│ - Enable in test mode                 │
│ - Verify zero false positives         │
│ - Validate backup and monitoring work │
└──────────────┬───────────────────────┘
               v
┌──────────────────────────────────────┐
│ 4. Enforce and Lock Down              │
│ - Switch to enforcement               │
│ - Enable alerting on any violation    │
│ - Review violations daily             │
│ - QSA validation for PCI scope       │
└──────────────────────────────────────┘
```

## Workflow 4: Incident Response with Microsegmentation

```
Alert: Unusual East-West Traffic Detected
    │
    v
┌─────────────────────────┐
│ 1. Investigate           │
│ - Review flow in console │
│ - Check source workload  │
│ - Identify destination   │
│ - Cross-ref with SIEM    │
└──────────┬──────────────┘
           v
┌──────────────────────────────┐
│ 2. Contain                    │
│ - Apply quarantine policy     │
│   (deny all except forensic) │
│ - Isolate compromised         │
│   workload instantly          │
└──────────┬───────────────────┘
           v
┌─────────────────────────┐
│ 3. Assess Impact         │
│ - Check if lateral move  │
│   was blocked by policy  │
│ - Review adjacent zones  │
│ - Determine blast radius │
└──────────┬──────────────┘
           v
┌─────────────────────────┐
│ 4. Remediate             │
│ - Patch/reimagevworkload │
│ - Strengthen policies    │
│ - Remove quarantine      │
│ - Post-incident review   │
└─────────────────────────┘
```