Network Security Architecture in Mumbai · BFSI Segmentation
Firewall rule-base cleanup, segmentation strategy and microsegmentation roadmaps for Mumbai BFSI, fintech and MMR manufacturing — delivered from BKC.
How a Macksofy network security engagement runs in Mumbai.
Macksofy delivers defensive network engineering for Mumbai-headquartered banks, NBFCs, payment aggregators and MMR manufacturing estates from our Bandra Kurla Complex base. The typical Mumbai BFSI firewall rule-base is the product of fifteen years of mergers, CBS migrations and one-off CR exceptions: 8,000-15,000 active rules, 35-50% of them dead or shadowed, and a long tail of ANY-ANY-ANY temporary-rules with comments like 'temp - 2017'. Our engagement starts by removing the noise so the rule-base is auditable, then layers segmentation by trust zone in a sequence the CAB can absorb.
Mumbai BFSI segmentation evidence is an explicit RBI MD-ITGRC ask. The November 2023 Master Direction expects bank IT estates to demonstrate trust-zone isolation between corporate-network, core-banking, treasury, ATM-switch, payment-gateway, BCP-site, vendor-network and BYOD populations. The same evidence underpins SEBI CSCRF Annexure-K for broker / AMC subsidiaries and IRDAI 2023 for insurer subsidiaries. Macksofy's deliverable is the segmentation-evidence binder that closes all three regulator asks from a single engagement.
Firewall rule-base cleanup is risk-managed, not bulk. On a Mumbai private bank engagement, we typically classify rules into four groups: dead (zero hits in 90 days), shadowed (a more-specific rule matches first), overly-permissive (ANY service or ANY destination on a sensitive zone), and unjustified (no business owner). Each rule gets a rollback window and an explicit business-owner sign-off before removal. The bank's network engineering team executes the changes during scheduled maintenance windows with a Macksofy senior consultant on standby; a single Critical-1 rollback in the engagement's history would force re-scoping, so the workflow is conservative by design.
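The four-way classification above can be sketched as follows. This is an added example, not Macksofy's tooling: the rule fields, zone names and sample rule-base are constructed, and shadowing is implemented on the assumption of first-match order, where an earlier rule fully covers a later one.

```python
from ipaddress import ip_network

# Assumed sensitive trust zones (names borrowed from the zones the page lists).
SENSITIVE_ZONES = {"core-banking", "treasury"}

# Constructed sample rule-base in match order (first match wins).
RULES = [
    {"id": 1, "src": "10.10.0.0/16", "dst": "10.50.0.0/16", "svc": "tcp/1521",
     "zone": "core-banking", "hits_90d": 4210, "owner": "cbs-ops"},
    {"id": 2, "src": "10.10.4.0/24", "dst": "10.50.2.0/24", "svc": "tcp/1521",
     "zone": "core-banking", "hits_90d": 0, "owner": "cbs-ops"},
    {"id": 3, "src": "10.20.0.0/16", "dst": "0.0.0.0/0", "svc": "any",
     "zone": "treasury", "hits_90d": 97, "owner": "treasury-it"},
    {"id": 4, "src": "10.30.1.0/24", "dst": "10.60.1.10/32", "svc": "tcp/443",
     "zone": "corporate", "hits_90d": 0, "owner": "hr-apps"},
    {"id": 5, "src": "10.30.2.0/24", "dst": "10.60.1.11/32", "svc": "tcp/22",
     "zone": "corporate", "hits_90d": 12, "owner": None},
]

def covers(earlier, later):
    """True if `earlier` matches every packet that `later` matches."""
    return (ip_network(later["src"]).subnet_of(ip_network(earlier["src"]))
            and ip_network(later["dst"]).subnet_of(ip_network(earlier["dst"]))
            and earlier["svc"] in ("any", later["svc"]))

def classify(rules):
    """Map rule id -> list of findings, using the page's four categories."""
    findings = {}
    for i, rule in enumerate(rules):
        tags = []
        if any(covers(prev, rule) for prev in rules[:i]):
            # Zero hits are expected here, so report the cause, not the symptom.
            tags.append("shadowed")
        elif rule["hits_90d"] == 0:
            tags.append("dead")
        if rule["zone"] in SENSITIVE_ZONES and (
                rule["svc"] == "any" or rule["dst"] == "0.0.0.0/0"):
            tags.append("overly-permissive")
        if not rule["owner"]:
            tags.append("unjustified")
        findings[rule["id"]] = tags
    return findings

if __name__ == "__main__":
    for rule_id, tags in classify(RULES).items():
        print(rule_id, tags or ["keep"])
```

A shadowed rule is reported as shadowed rather than dead because its zero hit count is a consequence of rule order, which changes what the owner is asked to sign off.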
IT-OT segmentation for MMR manufacturing is the second large engagement class. Powai, Andheri MIDC, Thane Belapur, Vasai-Virar and Navi Mumbai (Airoli, Vashi, Mahape) host pharma, auto OEMs, chemical and process manufacturing with legacy PLC estates that almost universally share a flat network with engineering laptops. Macksofy's IEC 62443-3-2 zones-and-conduits redesign is calibrated to the Indian operational reality — vendor-mandated flat networks, the engineering-laptop hygiene gap, the BCP-secondary-site connectivity that often bypasses the segmentation gateway, and the maintenance-vendor remote-access path that USFDA / DCGI / EMA inspections specifically test.
CDE scoping for Mumbai payment aggregators follows PCI-DSS v4.0 §1.x with the BKC / Lower Parel PA-PG operational reality layered in. The typical scoping engagement finds the CDE reachable from the sandbox environment via a leftover IPsec tunnel, the merchant-onboarding portal sitting in the wrong zone, and the settlement-reconciliation database reachable from the corporate-network because of a shared SQL listener. We redraw the CDE boundary, document the cardholder-data flow end-to-end, and produce the QSA-ready evidence pack that the next assessment cycle expects.
SASE / ZTNA vendor selection is part of the engagement on roadmap-scale projects. Macksofy is vendor-neutral — we do not resell Zscaler, Netskope, Cisco, Palo Alto Prisma or Cloudflare. The short-list is driven by the bank's existing investment profile, the connectivity vendor's edge-presence in Mumbai / Pune / Bengaluru, the regulatory posture on cloud-mediated traffic, and the rollout cadence the CAB calendar can absorb. We've shipped this short-list to four Mumbai BFSI clients in the last eighteen months and the engagement scales from architecture-only to full rollout supervision.
Microsegmentation pilots — VMware NSX, Illumio, Akamai Guardicore or native cloud security groups — typically run on a 250-host scope before expanding. The pilot validates the agent footprint, the policy-modelling effort, the integration with the existing SIEM (Splunk, Sentinel, Wazuh) and the change-failure rate. A Mumbai listed bank's microsegmentation rollout that survives the CAB calendar is a 12-month programme; we plan it as such, not as a six-week sprint.
Deliverables include the regulator-mapped segmentation-evidence binder, the current-state and target-state network architecture diagrams, the phased rollout plan with CAB-aware change windows, the change-management playbook with rollback-tested templates, and an optional 90-day quarterly drift audit. The senior consultant on the engagement can be on site anywhere in the MMR, including Thane and Navi Mumbai, within four hours, monsoon-traffic buffer included.
Five phases. Mumbai timeline.
Every Macksofy network security engagement in Mumbai runs through the same phased protocol — adapted to Mumbai-specific procurement, regulator and delivery realities.
Phase 1
- Passive discovery via NetFlow / sFlow / span ports
- Active discovery where allowed (Nmap, Forescout)
- Trust-zone classification — tier-0 / OT / PCI / DMZ / corporate
- Crown-jewel mapping with business + data-flow owners

Phase 2
- Multi-vendor analysis (Palo Alto, Check Point, Fortinet, Cisco, Juniper)
- Dead / shadowed / overly-permissive rule identification
- Object cleanup + zone-based rebase plan
- Risk-ranked rule-by-rule remediation with rollback windows

Phase 3
- Target-state segmentation map per trust zone
- OT / ICS demarcation per IEC 62443-3-2
- PCI cardholder-data-environment boundary memo
- Vendor-network + BYOD + BCP-site isolation design

Phase 4
- Vendor short-list (Zscaler, Netskope, Cisco, Palo Alto Prisma)
- ZTNA design for remote + branch + third-party
- Microsegmentation tool short-list (Illumio, Guardicore, NSX)
- Phased rollout plan over 12 months with CAB-aware windows

Phase 5
- RBI / SEBI / IRDAI segmentation-evidence binder
- Current-state and target-state architecture diagrams
- Change-management playbook + rollback-tested templates
- 90-day quarterly drift audit (optional retainer)
Which Mumbai verticals we deliver Network Security for.
Mumbai private banks
BKC / Fort / Lower Parel — net-banking, treasury, ATM-switch, payment-gateway zone isolation; RBI MD-ITGRC binder.
Stock brokers & AMCs
BKC / Worli — OMS-to-exchange-gateway zone, broker-terminal segregation; SEBI CSCRF Annexure-K segmentation evidence.
Payment aggregators
BKC / Lower Parel PA-PG licensees — PCI-DSS CDE scoping + microsegmentation; QSA-ready evidence pack.
Pharma & auto manufacturing
Powai / Andheri MIDC / Thane Belapur — IT-OT zones-and-conduits per IEC 62443-3-2; USFDA / IATF 16949 operational reality.
Listed corporates (MMR)
Powai / Andheri MIDC / Goregaon SEEPZ — SOX-equivalent network controls + vendor-network isolation.
Data-centre tenants
Powai / Mahape / Vashi DC tenants — tenant-side network policy + shared-responsibility-line memo.
The Mumbai deliverable pack.
Every Mumbai network security engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.
- Current-state network topology + trust-zone map
- Firewall rule-base cleanup plan with risk-ranked actions + rollback windows
- Target-state segmentation architecture + diagrams
- SASE / ZTNA / microsegmentation vendor short-list memo
- 12-month phased rollout plan with CAB-aware change windows
- RBI / SEBI / IRDAI segmentation-evidence binder
- QSA-ready PCI-DSS CDE scoping memo (where applicable)
A Mumbai network security case study.
12,000-rule Palo Alto / Check Point cleanup across the corporate-banking and treasury estates; tier-0 reachable from BYOD VLAN at audit time.
Rule count cut to 6,400 with zero Critical-1 rollback; tier-0 isolation closed in 41 days; clean RBI CSITE Cell inspection with no clarification request; the BYOD-to-tier-0 path closure was specifically commended in the inspection note.
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
