1. Purpose
This policy establishes security requirements for Speak AI Inc.'s Demilitarized Zone (DMZ) to protect internal networks from external threats while ensuring controlled access to public-facing services.
2. Scope
This policy applies to all systems, services, and network devices within Speak AI Inc.'s DMZ infrastructure, including firewalls, web servers, application servers, and proxy servers.
3. DMZ Security Requirements
3.1 Network Segmentation
The DMZ must be logically and physically separated from internal and external networks.
Firewalls must enforce strict access control between the DMZ, internal network, and the internet.
Direct connections between internal systems and the internet must be prohibited.
3.2 Access Restrictions
Only explicitly authorized services should be hosted within the DMZ.
External access to the DMZ must be limited to necessary protocols and services (e.g., HTTPS, DNS, and SMTP) with restricted source and destination IPs.
Internal access from the DMZ to core network resources should be strictly controlled and monitored.
3.3 Authentication & Authorization
All remote administrative access to DMZ systems must require multi-factor authentication (MFA).
Role-based access control (RBAC) must be enforced to limit user privileges based on job responsibilities.
Service accounts must have the least privilege necessary for functionality and must not be shared.
3.4 Monitoring & Logging
All network traffic into and out of the DMZ must be logged and monitored for anomalies.
Intrusion detection and prevention systems (IDS/IPS) must be deployed to analyze DMZ traffic.
Logs from DMZ systems must be forwarded to a centralized log management system and reviewed regularly.
3.5 Patching & Vulnerability Management
All DMZ systems must be regularly patched and updated following the Vulnerability Management Policy.
Regular security assessments, including penetration testing, must be performed on DMZ-hosted services.
Unnecessary services, ports, and protocols must be disabled to reduce the attack surface.
3.6 Encryption & Secure Communications
All data transmitted between DMZ servers and internal networks must be encrypted using industry-standard protocols (e.g., TLS, IPsec).
Insecure communication protocols (e.g., FTP, Telnet) must be prohibited.
3.7 Incident Response & Containment
Security incidents involving DMZ systems must be escalated following the Incident Reporting and Response Policy.
Compromised DMZ systems must be isolated immediately to prevent lateral movement into internal networks.
4. Compliance & Enforcement
Periodic security audits must be conducted to verify compliance with this policy.
Non-compliant systems or services must be remediated or removed from the DMZ.
5. References & Supporting Documents
Speak AI Network Security Policy: https://help.speakai.co/en/articles/9363486-network-security-policy
Speak AI Vulnerability Management Policy: https://help.speakai.co/en/articles/9369290-vulnerability-management-policy
Speak AI Incident Reporting and Response Policy: https://help.speakai.co/en/articles/9363423-incident-reporting-and-response-policy
6. Contact Information
For questions or concerns regarding DMZ security, please contact [email protected].
This policy is subject to periodic review and updates to align with evolving security best practices and industry regulations.