Is placing VAs in isolated network segments with no external access a best practice?

Isolating Virtual Appliances (VAs) in network segments without external access is considered a double-edged sword. While there are arguments for both sides, the practice of placing VAs in completely isolated network segments may lead to challenges that outweigh its perceived security benefits.

Having VAs in isolated segments can hinder necessary communication and integration with other systems, applications, and upstream/downstream services. This can impact functionality, performance, and the overall efficiency of identity management processes. Security measures should also include implementing strong access controls, continuous monitoring, and establishing secure channels for necessary communication rather than complete isolation, which could lead to operational issues and complexity.

Therefore, the recognition of potential operational limitations highlights the view that complete isolation without any external access might not be the best practice in all scenarios.