Network Security Matrix (NSM) Quick Reference Guide

1. Understanding the NSM

1.1 Definition - NSM: Network Security Matrix - A comprehensive document
detailing all network connections for an application or system
1.2 Purpose - To map and document all network traffic flows - To ensure proper
security measures are in place - To facilitate migration planning (e.g., from on-
premises to cloud)
1.3 Importance in Cloud Migration - Critical for understanding application
dependencies - Essential for configuring firewalls and security groups in the cloud -
Helps identify potential security risks or compliance issues [Infographic: Visual
representation of NSM's role in cloud migration]
2. Initial Data Gathering
2.1 Azure Portal Discovery Data - Access the Azure portal - Locate the discovery
data for the target application - Example: "BAM DP1" application mentioned in the
transcript
2.2 Dependency Viewer - Navigate to the dependency data section - Set appropriate
time range (e.g., last 30 days) - Analyze all flows and processes
2.3 Server Identification - List all servers involved in the application - Note any
external dependencies or connections [Screenshot: Azure portal dependency
viewer with key areas highlighted]
3. Network Flow Analysis
3.1 Identify Connection Types - Internal connections (within the application) -
External connections (to other systems or the internet) - Inbound vs. Outbound
traffic
3.2 Port and Protocol Documentation - Document all ports used (e.g., 80, 443,
9443) - Identify protocols (e.g., HTTP, HTTPS, custom protocols) - Flag any non-
standard port usage for further investigation
3.3 Traffic Volume and Frequency - Note the number of flows for each connection -
Identify high-volume or critical paths [Table: Sample of documented network flows
with ports, protocols, and volume]
4. Security Considerations
4.1 Encryption Requirements - Identify connections requiring encryption (e.g.,
HTTPS instead of HTTP) - Note any current unencrypted connections that need to be
secured
4.2 Firewall Rules - Document existing firewall rules - Identify new rules needed for
cloud migration
 4.3 Authentication Methods - Note any special authentication requirements for
connections - Identify use of certificates, API keys, or other security measures
[Checklist: Security upgrade requirements for each connection]
5. Cloud Migration Specific Considerations
5.1 On-Premises to Cloud Connections - Identify connections that will span on-
premises and cloud environments - Plan for VPN or ExpressRoute configurations
5.2 Cloud Provider Specific Requirements - Document any cloud provider specific
network configurations - Consider differences in network security groups, VPCs,
etc.
5.3 IP Address Changes - Plan for IP address changes during migration - Document
any hard-coded IP addresses that need to be updated [Diagram: Sample hybrid
cloud network architecture]
6. Application Team Collaboration
6.1 Knowledge Gap Identification - Note areas where application team input is
required - Prepare questions for unknown connections or ports
6.2 Documentation Review - Request and review any existing network
documentation - Compare with discovered data and note discrepancies
6.3 Collaborative Sessions - Schedule meetings with the application team to
discuss findings - Use these sessions to fill in knowledge gaps [Template:
Application team questionnaire for unknown connections]
7. NSM Document Creation
7.1 Standardized Format - Use a consistent template for all NSM documents -
Include sections for source, destination, port, protocol, purpose, and security
measures
7.2 Granularity - Provide sufficient detail without overwhelming - Group similar
connections where appropriate
7.3 Visual Representations - Include network diagrams to supplement the matrix -
Use color coding to distinguish different types of connections [Example: Snippet of
a completed NSM document]
8. Validation and Approval Process
8.1 Technical Review - Have network and security teams review the NSM - Ensure all
documented connections are necessary and secure
8.2 Application Owner Approval - Present the NSM to application owners for
validation - Address any concerns or discrepancies
8.3 Compliance Check - Verify that the documented network flows meet
compliance requirements - Involve compliance team if necessary [Flowchart: NSM
approval process]
9. Ongoing Maintenance
9.1 Regular Updates - Establish a process for keeping the NSM up to date - Set
review intervals (e.g., quarterly, bi-annually)
9.2 Change Management Integration - Ensure NSM updates are part of the change
management process - Require NSM review for any network changes
9.3 Version Control - Maintain version history of the NSM - Document reasons for
changes
10. Tools and Resources
10.1 Network Discovery Tools - Azure Migrate - AWS Application Discovery Service -
Network mapping software (e.g., SolarWinds, Nmap)
10.2 Documentation Tools - Microsoft Excel for matrix creation - Visio or draw.io for
network diagrams - Collaborative platforms (e.g., SharePoint, Confluence) for
sharing and version control
10.3 Security Resources - NIST Cybersecurity Framework - Cloud provider security
best practices documentation
11. Common Challenges and Solutions
11.1 Incomplete Discovery Data - Solution: Combine automated discovery with
manual verification - Involve application and infrastructure teams for gap filling
11.2 Legacy Applications - Challenge: Outdated or undocumented network
configurations - Solution: Perform thorough testing and consider application
modernization
11.3 Dynamic IP Addresses - Challenge: Cloud environments often use dynamic IPs
- Solution: Focus on documenting hostnames and FQDNs instead of IP addresses
where possible
11.4 Shadow IT - Challenge: Undocumented applications or connections - Solution:
Regular network scans and policy enforcement
12. Best Practices
a. Start with automated discovery tools but don't rely on them exclusively
b. Always verify critical connections through multiple sources
c. Use clear, consistent naming conventions throughout the NSM
d. Include both technical and business context for each connection
e. Regularly review and update the NSM, especially before and after major
changes
f. Ensure the NSM is easily accessible to relevant teams but properly secured
g. Use the NSM as a tool for security audits and compliance checks