Naming Update / ex-c3

You have probably heard of C3 environments or the Azure Hardened Environment (AHE). This terminology is confusing for most users because:

  • C3 means Thales Confidential Level 3. Only Thales CISOs can grant this approval, for a specific system, during an Information System Security Committee (ISSC). Having a "c3 environment" therefore does not mean that your environment is C3 approved.
  • C3* means Thales Confidential Level 3 while accepting the risk of cloud acts. In reality, c3 environments match the C3* requirements.
  • You can pass an ISSC and obtain a C3* approval with a c2 environment. The name or label of the environment is therefore not representative of the security level of the data it handles.
  • AHE relates to the infrastructure landing zone only, whereas managed services are also eligible to host C3* data.

At the keynote presenting cycle 13, in October 2022, we started talking about the "corporate addon" instead of c3.

Description

What is the corporate addon objective?

The objective of the corporate addon is to guarantee that the workstations which access corporate environments are sufficiently controlled by the Thales Group. This reduces the risk of data leakage.

How does the corporate addon work?

There are 2 methods, depending on the technical constraints:

Method 1: Network Isolation

The corporate addon enforces network and name resolution rules to:

  • forbid any internet exposure of IaaS and PaaS services
  • use the Thales internal name resolution (domain confidential) and private IP plan (IP plan confidential)
  • accept connections only from RIE networks and from TNAP laptops configured with custom VPN rules

Method 2: 3 authentication factors (ID/password + Microsoft Authenticator + endpoint compliance)

In some cases, network isolation is not possible (total cost of ownership, or not technically feasible). The corporate addon is then a hardened policy that checks the compliance of your device in addition to the standard authentication methods. In particular: the device must send its outbound traffic through the RIE network, OR the device must be a TNAP with a compliant security status.

What does it allow?

  • Develop in a safe network bubble
  • Provide broad access from RIE networks
  • Develop from a TNAP

What does it not allow?

  • Provide access to partners or contractors (with a Thales identity) -> NOT ALLOWED
  • Provide an on-prem interconnection with corporate environments -> NOT ALLOWED

Where is it deployable?

The corporate addon can be enabled on both landing zones and all managed services.

Known limitations

The corporate addon should be enabled at the initialisation of the environment.

The corporate addon forces the deployment of the environment within a Thales IP plan, plus an interconnection with the TrustNest Network Backbone. Updating the address space of a VNet afterwards is not possible.

Next steps?

Subscribe to an environment!

Start using one of the MCS services by subscribing to a managed Kubernetes, an APIM subscription key or a landing zone…
