Lesson 13: Internal Defense — Access Control, Hardening, and Segmentation
In the previous lesson we built a full perimeter defense line — firewalls, WAF, DMZ, IDS/IPS, VPN, and NACL — stopping most malicious traffic before it ever reaches the organization's network. But the basic assumption in cyber security is that a determined, sophisticated attacker will eventually get
In brief: assume the attacker eventually gets past the outer wall — so the question is how much damage they can do once they're already inside. PoLP sets a small 'blast radius' for every account in advance. RBAC/MAC/DAC/ABAC/GBAC are different ways to decide who even gets access. Hardening shrinks what there is to attack on each system; segmentation isolates systems from each other so an attacker can't move freely; and encryption protects data both while it travels and while it sits on disk.
- PoLP (Principle of Least Privilege) & Blast Radius
- Every process, user, or system gets only the permissions it actually needs to do its job — no more. This shrinks the attack surface, and if an account is breached or a service's credentials are stolen, the attacker is confined to a small 'blast radius' — only what that account truly needs, not the whole environment.
- RBAC (Role-Based Access Control)
- Permissions are assigned by organizational role/job function rather than per individual user — everyone in a given role automatically gets the same permission set. Simple to implement and scales well in large organizations.
- MAC (Mandatory Access Control)
- Rigid, centrally enforced access decided by comparing the user's clearance level with the resource's classification (secrecy) label — neither the user nor the resource owner can change it. Typical of high-clearance environments like the military and government.
- DAC (Discretionary Access Control)
- The resource owner (creator/holder) decides for themselves who gets access and what kind — suited to sharing and file-collaboration environments, but dependent on each individual owner's judgment.
- ABAC & GBAC (Attribute-Based & Group-Based Access Control)
- GBAC grants access based on group membership (like 'managers' or 'IT'). ABAC is the most comprehensive model — it weighs the user, the resource, and the environment (time, location) all at once, enabling the most granular, dynamic permissions.
- Hardening
- A process that shrinks a system's attack surface: disabling unnecessary services and software, closing unused network ports, and regularly applying security patches to fix known vulnerabilities.
- Segmentation & Lateral Movement
- Dividing a large network into isolated zones (like a DMZ, Server Farm, and DB Zone) or separate VLANs, so that even if an attacker breaches one segment, their ability to move freely into other segments (lateral movement) is heavily restricted. North-South traffic runs between the organization and the outside world; East-West runs within the organization itself.
- Encryption In-Transit vs At-Rest
- Communication encryption (TLS, IPsec, VPN) protects data while it travels between systems, preventing eavesdropping and tampering along the way. Encryption at rest protects data stored on disks and in databases, even if the physical media is stolen. These are two different states, and both are required.
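The access-control models listed above (PoLP, RBAC, MAC, DAC, GBAC, ABAC) differ mainly in *who* decides and *which inputs* the decision uses. The following is an added example, not code from the lesson: one request evaluated by a small policy-decision function per model, so the differences are visible side by side. The users (alice, bob, carol), roles, labels, groups and resources are constructed for illustration.

```python
"""Added example (not part of the lesson): one access request evaluated by
small policy-decision functions for RBAC, MAC, DAC, GBAC and ABAC, so the
differences between the models are visible in code.  Users, roles, labels,
groups and resources are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    action: str               # "read" or "write"
    resource: str
    hour: int = 10            # environment attribute: local hour, 0-23
    location: str = "office"  # environment attribute

# RBAC: permissions attach to roles; users are mapped to roles.
ROLE_PERMS = {"analyst": {("read", "incident-db")},
              "dba": {("read", "incident-db"), ("write", "incident-db")}}
USER_ROLES = {"alice": {"analyst"}, "bob": {"dba"}}

def rbac_allows(req):
    return any((req.action, req.resource) in ROLE_PERMS.get(r, set())
               for r in USER_ROLES.get(req.user, set()))

# MAC: a central clearance/classification lattice that nobody else can edit.
LEVELS = {"public": 0, "internal": 1, "secret": 2}
CLEARANCE = {"alice": "internal", "bob": "secret"}
CLASSIFICATION = {"incident-db": "secret", "wiki": "internal"}

def mac_allows(req):
    """Bell-LaPadula style: no read up, no write down."""
    subject = LEVELS[CLEARANCE.get(req.user, "public")]       # unknown user: lowest clearance
    obj = LEVELS[CLASSIFICATION.get(req.resource, "secret")]  # unknown object: most restrictive
    return subject >= obj if req.action == "read" else subject <= obj

# DAC: the owner holds an ACL and is the only one allowed to change it.
OWNER = {"incident-db": "bob", "wiki": "alice"}
ACL = {"incident-db": {"alice": {"read"}}, "wiki": {}}

def dac_allows(req):
    if OWNER.get(req.resource) == req.user:
        return True
    return req.action in ACL.get(req.resource, {}).get(req.user, set())

def dac_grant(granting_user, resource, grantee, action):
    """Returns False when a non-owner tries to change the ACL."""
    if OWNER.get(resource) != granting_user:
        return False
    ACL[resource].setdefault(grantee, set()).add(action)
    return True

# GBAC: membership in a named group is the whole decision.
GROUPS = {"alice": {"soc"}, "bob": {"soc", "it"}}

def gbac_allows(req, required_group="soc"):
    return required_group in GROUPS.get(req.user, set())

# ABAC: combine subject, resource and environment attributes in one rule.
def abac_allows(req):
    """Policy: SOC members may read incident-db from the office between
    08:00 and 18:00; writing additionally requires the dba role."""
    if req.resource != "incident-db" or req.location != "office" or not 8 <= req.hour < 18:
        return False
    if "soc" not in GROUPS.get(req.user, set()):
        return False
    if req.action == "write":
        return "dba" in USER_ROLES.get(req.user, set())
    return req.action == "read"

def evaluate_all(req):
    return {"rbac": rbac_allows(req), "mac": mac_allows(req), "dac": dac_allows(req),
            "gbac": gbac_allows(req), "abac": abac_allows(req)}

if __name__ == "__main__":
    for req in (Request("alice", "read", "incident-db"),
                Request("alice", "read", "incident-db", hour=22),
                Request("alice", "write", "incident-db"),
                Request("bob", "write", "incident-db")):
        print(req, evaluate_all(req))
```

Two things the output makes concrete: RBAC and GBAC ignore the environment entirely (alice's 22:00 read is still allowed by RBAC but refused by ABAC), and MAC permits alice to *write* to a secret database she cannot *read*, because the lattice forbids only read-up and write-down. Under PoLP, the role and ACL entries above would be the minimum needed for each job, so a stolen analyst credential yields read-only access to one resource.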
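Hardening, as described above, starts with knowing which services a host actually exposes. The following added example (not from the lesson) compares `ss -tlnp` style output against a baseline of the listeners a host is supposed to have and flags anything that widens the attack surface. The socket listing, the baseline and the host's role (a web server) are constructed for illustration.

```python
"""Added example (not part of the lesson): a small listening-port audit that
compares `ss -tlnp` output against a hardening baseline of the services a
host is supposed to expose.  The socket listing and the baseline below are
constructed for illustration, not taken from a real host."""
import re

# Constructed sample of `ss -tlnp` output (columns as the real tool prints them).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=1043,fd=7))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*          users:(("inetd",pid=600,fd=4))
LISTEN  0       50      *:3306              *:*                users:(("mysqld",pid=1500,fd=20))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hardening baseline for this (hypothetical) web host: port -> expected process.
ALLOWED_LISTENERS = {22: "sshd", 80: "nginx", 443: "nginx"}
WILDCARD_ADDRS = {"0.0.0.0", "::", "[::]", "*"}   # bound on every interface

def parse_ss_listeners(text):
    """Return one dict per LISTEN line: local address, port and process name."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                      # header line or non-listening socket
        addr, port = parts[3].rsplit(":", 1)
        match = re.search(r'\("([^"]+)"', line)
        listeners.append({"addr": addr, "port": int(port),
                          "proc": match.group(1) if match else "unknown"})
    return listeners

def audit_listeners(listeners, allowed=ALLOWED_LISTENERS):
    """Flag sockets that widen the attack surface beyond the baseline."""
    findings = []
    for sock in listeners:
        exposed = sock["addr"] in WILDCARD_ADDRS
        expected = allowed.get(sock["port"])
        if expected is None and exposed:
            issue = "service not in baseline is reachable from the network; disable it or close the port"
        elif expected is not None and sock["proc"] != expected:
            issue = f"baseline port served by unexpected process (expected {expected})"
        else:
            continue  # in the baseline, or bound only to loopback: acceptable
        findings.append({**sock, "issue": issue})
    return findings

if __name__ == "__main__":
    for f in audit_listeners(parse_ss_listeners(SS_OUTPUT)):
        print(f"port {f['port']:5d} {f['proc']:10s} {f['issue']}")
```

In the constructed sample the audit reports the telnet listener on 23 and the database on 3306 as exposed on all interfaces, while the PostgreSQL socket bound to 127.0.0.1 passes, since loopback-only binding is itself a hardening measure. Running such a check after every patch cycle catches services that an update re-enabled.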
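The segmentation and lateral-movement entry above can be made measurable: model the zones and the flows the inter-zone firewall permits, then compute which zones an attacker reaches from a compromised one. This is an added example, not code from the lesson; the zone names (dmz, server-farm, db-zone, corp-lan), ports and rules are constructed, and the flat network is included only for contrast.

```python
"""Added example (not part of the lesson): a segmented network modelled as
zones plus the flows the inter-zone firewall permits, used to compute the
'blast radius' an attacker gains by lateral movement from one compromised
zone.  Zone names, ports and rules are constructed for illustration."""
from collections import deque

INTERNET = "internet"
ANY_PORT = 0
ZONES = {"dmz", "server-farm", "db-zone", "corp-lan"}

# Permitted flows as (src_zone, dst_zone, port); everything else is denied
# by the segmentation firewall (default deny between zones).
SEGMENTED_POLICY = {
    (INTERNET, "dmz", 443),            # north-south: public users hit the web tier
    ("dmz", "server-farm", 8080),      # east-west: web tier calls the app tier
    ("server-farm", "db-zone", 5432),  # east-west: app tier talks to the database
    ("corp-lan", "dmz", 443),          # east-west: staff use the same web front end
    ("corp-lan", INTERNET, 443),       # north-south: staff browsing out
}

# The same zones with no segmentation: every zone reaches every other on any port.
FLAT_POLICY = {(s, d, ANY_PORT) for s in ZONES for d in ZONES if s != d} | {
    (INTERNET, "dmz", 443), ("corp-lan", INTERNET, 443)}

def direction(src, dst):
    """North-south crosses the perimeter; east-west stays inside it."""
    return "north-south" if INTERNET in (src, dst) else "east-west"

def is_allowed(policy, src, dst, port):
    return (src, dst, port) in policy or (src, dst, ANY_PORT) in policy

def blast_radius(policy, compromised):
    """Internal zones an attacker who controls `compromised` can reach by
    hopping only along permitted flows (each hop assumes the host reached
    is then compromised in turn, so the search is transitive)."""
    reached, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for src, dst, _port in policy:
            if src == cur and dst not in reached:
                reached.add(dst)
                queue.append(dst)
    return reached - {compromised, INTERNET}

def next_hops(policy, zone):
    """(destination, direction) pairs a zone may initiate; handy when
    reviewing what a rule set actually permits."""
    return sorted((dst, direction(src, dst)) for src, dst, _p in policy if src == zone)

if __name__ == "__main__":
    for name, policy in (("segmented", SEGMENTED_POLICY), ("flat", FLAT_POLICY)):
        print(f"{name:9s} dmz compromised -> reachable: {sorted(blast_radius(policy, 'dmz'))}")
```

With the segmented policy a compromised DMZ host can still follow the application path to the database tier, but never reaches the corporate LAN, and a compromised database host reaches nothing at all; in the flat network one foothold reaches every zone. Re-running `blast_radius` whenever a rule is added is a cheap way to see when a "temporary" allow rule silently enlarges the radius.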