Overview
User interface services (e.g., web services) are physically or logically separated from data storage and management services (e.g., database management systems). Separation may be accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, combinations of these methods, or other methods, as appropriate.
Threat
Unauthorized users and malicious insiders who gain access to one service will find it relatively easy to reach and exploit another service hosted on the same hard drive. As part of a defense-in-depth approach, services must be separated to provide an additional layer of protection between them.
Guidance
1. User interface services (e.g., web pages) are physically or logically separated from data storage and management services (e.g., database management systems).
2. Separation may be accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, combinations of these methods, or other methods, as appropriate.
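As an added example (not part of the control text), a small Python check that applies the guidance above to a constructed service inventory: a user interface service and a data service are treated as separated when they differ in physical host, OS instance or network address, and any pair that shares all three is reported as co-located. Service names and addresses are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """One deployed service and the attributes the guidance uses to judge separation."""
    name: str
    tier: str          # "ui" for user interface services, "data" for storage/DBMS
    host: str          # physical computer the service runs on
    os_instance: str   # OS instance (bare-metal install, VM or container) it runs in
    address: str       # network address it is reached on


# Attributes in which a difference counts as separation, taken from the guidance list.
SEPARATION_ATTRS = ("host", "os_instance", "address")


def separation_methods(a: Service, b: Service) -> list:
    """Attributes in which two services differ, i.e. the methods separating them."""
    return [attr for attr in SEPARATION_ATTRS if getattr(a, attr) != getattr(b, attr)]


def find_colocated(services: list) -> list:
    """Return (ui_name, data_name) pairs that share every attribute and so violate the control."""
    ui_services = [s for s in services if s.tier == "ui"]
    data_services = [s for s in services if s.tier == "data"]
    return [(u.name, d.name)
            for u in ui_services
            for d in data_services
            if not separation_methods(u, d)]


# Constructed inventory: hypothetical names and addresses, not from any real deployment.
WEB_FRONTEND = Service("web-frontend", "ui", "host-1", "vm-web", "10.0.1.10")
DB_PRIMARY = Service("db-primary", "data", "host-2", "vm-db", "10.0.2.20")
LEGACY_ADMIN_UI = Service("legacy-admin-ui", "ui", "host-2", "vm-db", "10.0.2.20")
REPORT_STORE = Service("report-store", "data", "host-1", "ctr-reports", "10.0.1.10")
INVENTORY = [WEB_FRONTEND, DB_PRIMARY, LEGACY_ADMIN_UI, REPORT_STORE]

if __name__ == "__main__":
    for ui_name, data_name in find_colocated(INVENTORY):
        print(f"VIOLATION: {ui_name} is co-located with {data_name}")
    # Same host and address, but a separate container: logical separation satisfies the control.
    print("web-frontend / report-store separated by:",
          separation_methods(WEB_FRONTEND, REPORT_STORE))
```

In the constructed inventory only legacy-admin-ui violates the control; report-store shares a host and address with web-frontend but runs in its own OS instance, which the guidance accepts as logical separation.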
DoD classifies this control in the subject area of “Security Design and Configuration” with an impact of “Low”.