Security States
Overview
This document provides a technical overview of the security enforcement states in the Xshield platform, focusing on two critical axes of segmentation: Attack Surface and Blast Radius. These axes define how inbound and outbound communications are controlled, monitored, and enforced using progressive Zero Trust principles.
Purpose and Application of Security States
Security states are essential for operationalizing Zero Trust principles in a flexible, scalable, and phased manner. They enable organizations to adopt enforcement progressively, reducing risk while ensuring minimal disruption to ongoing operations.
Why Security States Are Needed
- Enforcement: Security states allow administrators to introduce controls gradually, using test modes before moving to full enforcement. This helps validate policy impact without breaking legitimate business flows.
- Policy Transparency: By logging violations during test modes, security teams gain insights into existing traffic patterns and can refine policies based on real-world behavior.
- Risk Reduction: Clearly defined states for both inbound (Attack Surface) and outbound (Blast Radius) traffic minimize exposure to threats, limit lateral movement, and help contain breaches.
- Operational Continuity: Security states ensure that enforcement aligns with business needs, enabling secure access without impeding productivity.
Concept of Security State Enforcement
A Security State refers to the application and activation of security controls according to the defined enforcement levels for inbound (Attack Surface) and outbound (Blast Radius) communications. When a security state is enforced, all traffic—either incoming or outgoing—will be subject to the security rules specified by the corresponding state. This enforcement ensures that only traffic compliant with the defined security state is allowed, while blocking or logging any non-compliant traffic.
Enforcement states include modes such as Test Mode and Enforced Mode, which define whether security rules are merely logged (Test Mode) or actively enforced (Enforced Mode).
- Test Mode: In this state, violations are logged, but no traffic is blocked. It allows security teams to evaluate the impact of enforcement before committing to full enforcement.
- Enforced Mode: In this state, only traffic that meets the defined security rules is allowed. Non-compliant traffic is blocked, ensuring maximum security based on the enforcement state.
By enforcing a security state, an organization ensures that security protocols are applied consistently, mitigating the risk of unauthorized access or communications and ensuring that Zero Trust principles are upheld across the network.
Enforcement Levels
- Asset Level: Security states at the asset level define the precise enforcement applied to individual workloads. This granularity is useful when specific assets require tailored protection levels due to their criticality or exposure. Asset-level enforcement is the preferred method.
- Segment Level: Security states at the segment level act as the minimum baseline enforcement for all assets within that segment. This ensures a consistent security posture across related workloads while allowing asset-level overrides for stricter control.
Together, these layers of enforcement allow for a highly adaptable security model that aligns with both organizational structure and risk profiles.
Security Enforcement at Asset Level
Attack Surface Enforcement
Attack Surface Enforcement governs inbound traffic, controlling which external sources can communicate with an asset. It reduces the services exposed on the network by permitting only legitimate inbound traffic as defined by policy, so that unauthorized sources are blocked while business-critical communications are preserved.
Security States for Attack Surface
- Unsecure: No enforcement; all inbound communications are allowed, except for explicitly blocked incoming traffic (as configured by the user-defined block template).
- Secure Internet (Test Mode): Policies are applied, and violations are logged but not blocked. In this mode, no traffic is blocked except traffic that matches a rule configured in a block template.
- Secure Internet (Enforced): Inbound internet traffic is restricted to only permitted internet traffic defined in the policy. Intranet traffic is allowed.
- Secure All (Test Mode): Policies are applied, and violations are logged during test mode. Intranet traffic is not blocked, allowing all intranet communications to flow uninterrupted. Internet traffic is only permitted if explicitly allowed by policy.
- Secure All (Enforced): Policies are applied in enforced mode, and any unauthorized traffic is blocked. Both internet and intranet traffic are permitted only if explicitly allowed by policy.
Blast Radius Enforcement
Blast Radius Enforcement governs outbound traffic—controlling what assets are allowed to communicate externally. By reducing the blast radius, it prevents lateral movement and ensures that unauthorized communications from assets are minimized. Enforcing outbound traffic restrictions is vital to protect the organization from threats that might exploit unintentional external communications.
Security States for Blast Radius
- Unsecure: No enforcement; all outbound communications are allowed.
- Secure Internet (Test Mode): Policies are applied, and violations are logged. No outbound traffic is blocked.
- Secure Internet (Enforced): Policies are applied in enforced mode, and unauthorized outbound internet traffic is blocked. Intranet communications remain permitted without restriction.
- Secure All (Test Mode): Policies are applied, and violations are logged during test mode, but no intranet traffic is blocked. Outbound internet traffic is only permitted if explicitly allowed by policy.
- Secure All (Enforced): Policies are applied in enforced mode, and any unauthorized traffic is blocked. Both internet and intranet traffic are permitted only if explicitly allowed by policy.
Security Enforcement at Segment Level
Enforcement states at the segment level define the minimum security posture for inbound and outbound communications across all assets within a given segment. These states do not specify policies; they establish minimum enforcement levels. This standardizes security expectations across environments while allowing granular control at the asset level.
Attack Surface Enforcement
Attack Surface Enforcement governs how inbound traffic is handled for all assets in a segment. At the segment level, this determines the minimum required enforcement state for inbound communication.
How It Works
- When a segment is configured with an attack surface enforcement state (e.g., Secure Internet (Enforced)), all assets under that segment must be in the same or a stricter state.
- Assets cannot downgrade to a less secure state (e.g., Unsecure or Secure Internet (Test Mode)), even if configured locally.
Purpose
- Establish a uniform inbound protection baseline for environments grouped by business role or function (e.g., production frontend, internal services).
- Prevent scenarios where individual asset misconfigurations lead to exposure.
Example
If a segment is set to Secure All (Test Mode), all assets must at least be in Secure All (Test Mode) or in a stricter state such as Secure All (Enforced).
Considerations
- Enables gradual tightening of controls across environments without immediate enforcement on every individual workload.
Blast Radius Enforcement
Blast Radius Enforcement controls outbound communications from assets. At the segment level, this defines the minimum enforcement state for outbound traffic leaving any asset in that segment.
How It Works
- When a segment is configured with a blast radius enforcement state (e.g., Secure Internet (Enforced)), all assets under that segment must be in the same or a stricter state.
- Assets cannot downgrade to a less secure state (e.g., Unsecure or Secure Internet (Test Mode)), even if configured locally.
Purpose
- Prevent inconsistent outbound enforcement across assets that may expose the environment to risks like lateral movement or data exfiltration.
- Useful for high-risk environments where outbound controls are critical (e.g., finance, production workloads).
Example
If the segment is set to Secure Internet (Test Mode), assets in that segment can operate in that state or a stricter one (e.g., Secure All (Enforced)), but cannot fall back to Unsecure.
Considerations
- Helps in phased rollout of outbound enforcement. For example, begin with Test Mode, analyze traffic, then gradually move to Enforced.
- Critical for containing compromise by reducing external communication paths from potentially vulnerable assets.
Notes
- Block Templates (e.g., Corporate Block Policy) are always enforced, regardless of the enforcement state.
- Secure Internet Modes allow gradual enforcement of internet-bound traffic, supporting SaaS access and public service restrictions.
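The following Python model is an added example written for this document; it is not Xshield code and does not use any Xshield API. It puts the five security states, the per-flow behaviour described for each state under Attack Surface and Blast Radius, the "always enforced" rule for block templates, and the segment-level floor into one small decision engine, and adds a dry-run check for the phased rollout described under Considerations (which flows are merely logged now but would be blocked one state up). Assumptions: the states form a single least-to-most-strict ordering in the order this document lists them, inbound and outbound flows follow the same rules on their respective axes, and each flow has already been classified as internet or intranet and matched against allow policies and block templates. The Flow fields and the sample flows are constructed for the example.

```python
"""Illustrative model of Xshield-style security states (added example, not
Xshield code). Assumed: states are linearly ordered in the order the document
lists them; Attack Surface (inbound) and Blast Radius (outbound) apply the
same rules on their own axis; flows arrive pre-classified."""
from dataclasses import dataclass
from enum import IntEnum

ALLOW, LOG, BLOCK = "allow", "log", "block"   # LOG = allowed but recorded as a violation


class State(IntEnum):
    """Enforcement states, least to most strict (assumed ordering)."""
    UNSECURE = 0
    SECURE_INTERNET_TEST = 1
    SECURE_INTERNET_ENFORCED = 2
    SECURE_ALL_TEST = 3
    SECURE_ALL_ENFORCED = 4


@dataclass(frozen=True)
class Flow:
    """One inbound or outbound flow after classification (constructed fields)."""
    scope: str                            # "internet" or "intranet"
    allowed_by_policy: bool               # explicitly permitted by an allow policy
    matches_block_template: bool = False  # hits a rule in a block template


def decide(state: State, flow: Flow) -> str:
    """Verdict for one flow under one axis (Attack Surface or Blast Radius)."""
    if flow.matches_block_template:
        return BLOCK                       # block templates apply in every state
    if state == State.UNSECURE or flow.allowed_by_policy:
        return ALLOW
    internet = flow.scope == "internet"    # below here the flow violates policy
    if state == State.SECURE_INTERNET_TEST:
        return LOG if internet else ALLOW  # intranet is out of scope for Secure Internet
    if state == State.SECURE_INTERNET_ENFORCED:
        return BLOCK if internet else ALLOW
    if state == State.SECURE_ALL_TEST:
        return BLOCK if internet else LOG  # internet already enforced, intranet only logged
    return BLOCK                           # SECURE_ALL_ENFORCED


def effective_state(segment_baseline: State, asset_state: State) -> State:
    """The segment state is a floor: an asset may be stricter, never laxer."""
    return max(segment_baseline, asset_state)


def below_baseline(segment_baseline: State, assets: dict) -> list:
    """Names of assets whose local state would be raised to the segment floor."""
    return sorted(name for name, s in assets.items() if s < segment_baseline)


def promotion_impact(state: State, flows: list) -> list:
    """Flows that are only logged in `state` but would be blocked one state up.
    An empty list means the next rollout step blocks nothing new."""
    if state == State.SECURE_ALL_ENFORCED:
        return []
    nxt = State(state + 1)
    return [f for f in flows if decide(state, f) == LOG and decide(nxt, f) == BLOCK]


# Constructed sample of flows observed for one asset while in a test mode.
SAMPLE_FLOWS = [
    Flow("internet", allowed_by_policy=True),
    Flow("internet", allowed_by_policy=False),
    Flow("internet", allowed_by_policy=False),
    Flow("intranet", allowed_by_policy=True),
    Flow("intranet", allowed_by_policy=False),
    Flow("internet", allowed_by_policy=False, matches_block_template=True),
]

if __name__ == "__main__":
    seg = State.SECURE_INTERNET_TEST
    assets = {"web": State.UNSECURE, "app": State.SECURE_ALL_TEST,
              "db": State.SECURE_ALL_ENFORCED}
    print("raised to segment floor:", below_baseline(seg, assets))
    for name, local in assets.items():
        eff = effective_state(seg, local)
        newly = len(promotion_impact(eff, SAMPLE_FLOWS))
        print(f"{name}: effective {eff.name}, {newly} flow(s) newly blocked one step up")
```

Two properties of the model are worth noticing. Moving from Secure Internet (Enforced) to Secure All (Test Mode) never produces a new block, because that step only starts logging intranet violations; and the block-template flow is blocked in every state, including Unsecure, which is the behaviour the Notes above describe.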
Summary
Attack Surface and Blast Radius enforcement states are critical for a phased, non-disruptive implementation of Zero Trust policies. These enforcement mechanisms ensure security without sacrificing operational continuity, enabling organizations to gain visibility, reduce risks, and enforce least-privilege access controls.