ds-3 High priority Device Security

Network segmentation isolates critical systems

A flat network where every device can reach every other device means that compromising one endpoint can lead to compromising everything. Segmentation limits what an attacker can access after gaining an initial foothold. Production systems should be isolated from office networks. Databases should not be directly reachable from the internet. Critical systems should require explicit access paths, not open internal routing.

Complete first: ds-2

Implementation steps

  1. Separate production from non-production and corporate networks

     Production systems should be on a separate network segment, cloud VPC, or account from development, staging, and corporate office networks. Developer laptops should not be able to reach production databases directly. Use cloud account separation to enforce this boundary at the infrastructure level.

     Tools: aws-vpc, aws-organizations, cloudflare-access, terraform

  2. Restrict internet exposure of internal services

     Audit your cloud and on-premises infrastructure for services that are publicly accessible but should not be. Databases, admin panels, internal APIs, and management interfaces should not be reachable from the public internet. Use security groups, firewall rules, and private networking to enforce this.

     Tools: aws-security-groups, aws-vpc, cloudflare, terraform

  3. Use zero-trust or VPN for remote access to internal systems

     Remote access to internal systems and production environments should go through a VPN or zero-trust access solution that enforces identity verification and device health checks. Exposing RDP or SSH directly to the internet is a critical vulnerability. Require VPN or ZTNA for all remote administrative access.

     Tools: cloudflare-access, tailscale, zscaler, cisco-duo
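As an added example for step 2 (not part of this control's text or of any listed tool), a small Python audit that walks security group rules in the shape returned by boto3's ec2.describe_security_groups() and reports database or admin ports admitted from 0.0.0.0/0 or ::/0. The sensitive-port list and the sample groups are assumptions constructed for the demonstration.

```python
# Added example, not part of the ds-3 control text: flag security group rules
# that open database or admin ports to the whole internet. Input mirrors the
# shape of boto3's ec2.describe_security_groups() output; the groups below are
# constructed sample data, not from a real account.

# Assumption: ports that must never be reachable from 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql",
                   6379: "redis", 27017: "mongodb"}


def _is_public(perm):
    """True if the inbound rule admits any IPv4 or any IPv6 source."""
    return (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))


def _sensitive_ports(perm):
    """Sensitive ports covered by the rule; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def find_public_exposures(security_groups):
    """Return (group_id, port, service) for each sensitive port open to the internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if _is_public(perm):
                for port in sorted(_sensitive_ports(perm)):
                    findings.append((sg["GroupId"], port, SENSITIVE_PORTS[port]))
    return findings


# Constructed sample: PostgreSQL open to the world, PostgreSQL restricted to the
# app-tier group (the corrected form), and a group allowing all traffic inbound.
SAMPLE_GROUPS = [
    {"GroupId": "sg-db-bad", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db-good", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-tier"}]}]},
    {"GroupId": "sg-open-all", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid, port, svc in find_public_exposures(SAMPLE_GROUPS):
        print(f"{gid}: {svc} (tcp/{port}) reachable from the internet")
```

Against a live account, feed the `SecurityGroups` list from `describe_security_groups()` in place of `SAMPLE_GROUPS`; the same findings serve as evidence that no database is directly internet-reachable.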

Evidence required

Network segmentation documentation

Evidence that production and sensitive systems are network-isolated.

  • Network diagram showing segment boundaries
  • AWS VPC configuration with separate subnets for prod and dev
  • Security group rules preventing direct internet access to databases

Related controls