Naming Update / ex-c3
You may have heard of C3 environments or the Azure Hardened Environment (AHE). This terminology confuses most users because:
- C3 means Thales Confidential Level 3. Only Thales CISOs can grant this approval, for a specific system, during an Information System Security Committee (ISSC). So having a c3 environment does not mean that your environment is c3 approved.
- C3* means Thales Confidential Level 3 while accepting the risk of cloud acts. In reality, c3 environments match the c3* requirements.
- You can pass an ISSC and get a c3* approval with a c2 environment. So the naming or labelling of the environment is not representative of the security level of the data handled in it.
- AHE refers to the infrastructure landing zone only, whereas managed services are also eligible to host c3* data.
At the keynote presenting cycle 13, in October 2022, we started talking about the corporate addon instead of c3.
Description
What is the corporate addon objective?
The objective of the corporate addon is to guarantee that the workstations which access corporate environments are sufficiently mastered by the Thales Group. It reduces the risk of data leakage.
How does the corporate addon work?
There are two methods, depending on the technical constraints:
Method 1: Network Isolation
The corporate addon enforces network and name resolution rules to:
- forbid any internet exposure of IaaS and PaaS services
- use the Thales internal name resolution (domain confidential) and private IP plan (IP plan confidential)
- accept connections only from RIE networks and from TNAP laptops configured with custom VPN rules
Method 2: Three authentication factors (ID/password + Microsoft Authenticator + endpoint compliance)
In some cases, network isolation is not possible (total cost of ownership, or not technically feasible). The corporate addon is then a hardened policy that checks the compliance of your device in addition to the standard authentication methods. In particular, the device must either send its outbound traffic through the RIE network OR be a TNAP with a compliant security status.
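One way to express the Method 2 rule (MFA for everyone, plus a compliant device whenever the connection does not come from the RIE network) as Microsoft Entra Conditional Access policies in the Graph API schema. This is an added example, not the corporate addon's actual implementation, which the page does not describe; the named-location id for the RIE egress ranges is a placeholder, and "All" users is only illustrative.

```json
[
  {
    "displayName": "Corporate addon (added example) - MFA on every access",
    "state": "enabled",
    "conditions": {
      "users": { "includeUsers": ["All"] },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["all"]
    },
    "grantControls": {
      "operator": "AND",
      "builtInControls": ["mfa"]
    }
  },
  {
    "displayName": "Corporate addon (added example) - compliant device unless on RIE network",
    "state": "enabled",
    "conditions": {
      "users": { "includeUsers": ["All"] },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["all"],
      "locations": {
        "includeLocations": ["All"],
        "excludeLocations": ["<NAMED-LOCATION-ID-FOR-RIE-EGRESS-RANGES>"]
      }
    },
    "grantControls": {
      "operator": "AND",
      "builtInControls": ["compliantDevice"]
    }
  }
]
```

Roll such policies out with `"state": "enabledForReportingButNotEnforced"` first and exclude an emergency-access account from them, otherwise a misconfigured named location or compliance check locks every user out at once.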
What does it allow?
- Develop in a safe network bubble
- Provide broad access from RIE networks
- Use a TNAP to develop
What does it not allow?
- Provide access to a partner or contractor (with a Thales identity) -> NOT ALLOWED
- Provide an on-prem interconnection with corporate environments -> NOT ALLOWED
Where is it deployable?
Corporate addon can be enabled on both landing zone and all managed services.
Known limitations
The corporate addon should be enabled at the initialisation of the environment.
The corporate addon forces the deployment of the environment within a Thales IP plan, plus an interconnection with the TrustNest Network Backbone. Updating the address space of a VNet afterwards is not possible.
Next steps?
- Discover how to enable the corporate addon with Managed Kubernetes
- Learn more with the detailed corporate addon architecture view
- Subscribe to an Infrastructure landing zone with the corporate addon