Segregation of Networks
Description
Groups of information services, users, and information systems shall be segregated in the organisation's networks.
⚠️ Risk Impact
Network segregation enforces trust boundaries. Without it, lateral movement is trivial; with it, every boundary is a potential detection point.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Segregate by environment (production/staging/dev), by data sensitivity, and by user population. Enforce the boundaries technically with Kubernetes NetworkPolicy, cloud security groups, and NSGs, and document the segregation model so it can be audited against what is actually deployed.
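As an added example (not EchelonGraph's or this page's own configuration), the two Kubernetes NetworkPolicy objects below enforce the production/staging boundary described above: the production database accepts connections only from production API pods, and staging pods cannot open connections outside their own namespace. The namespace names, the labels `app=db` and `app=api`, and the database port 5432 are assumptions.

```yaml
# Added example (not EchelonGraph's configuration). Assumptions: production
# DB pods run in namespace "production" with label app=db and listen on TCP 5432;
# production API pods carry label app=api; staging workloads live in namespace
# "staging". A CNI that enforces NetworkPolicy (Calico, Cilium, ...) is required.
---
# Production DB: once a policy selects these pods, only the listed ingress is allowed.
# Staging pods (different namespace, different labels) match no rule, so they are denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-allow-prod-api-only
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 5432
---
# Staging egress: keep traffic inside the staging namespace plus cluster DNS.
# Everything else, including any route into production, is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: staging-egress-restrict
  namespace: staging
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector: {}
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
```

To confirm the boundary is enforced rather than merely documented, attempt a connection to the production database service from a pod in the staging namespace; it should time out, and the denied flow should appear in the CNI's policy logs if flow logging is enabled.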
💀 Real-World Attack Scenario
A SaaS company had no network segregation between production and staging. An attacker compromised a staging container and pivoted to the production database, which sat in the same VPC subnet. Segmentation would have required additional ingress hops, increasing the probability of detection.
💰 Cost of Non-Compliance
Unsegregated networks: average breach scope 3-4× larger (Mandiant M-Trends).
📋 Audit Questions
1. What segregation model is enforced?
2. Show the NetworkPolicy / security-group rules.
3. Have the segregation boundaries been tested?
4. Is cross-boundary traffic monitored?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Documented segregation that isn't technically enforced
- ⛔ Production credentials reused in staging
- ⛔ Cross-environment service-to-service traffic unmonitored
📈 Business Value
Network segregation is foundational to Zero Trust.
⏱️ Effort Estimate
60-120 hours for the initial segregation, plus ongoing maintenance.
EchelonGraph evaluates segregation posture and flags cross-environment traffic.
🔗 Cross-Framework References
Automate ISO 27001 A.8.22 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.