Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.5.1. Segmentation, Access Control, and Isolation

💡 First Principle: The core mitigation strategy is containment. If you can't prevent every breach, you can ensure that breaching one part doesn't compromise everything. Segmentation divides networks, access control restricts permissions, and isolation quarantines high-risk or high-value systems.

Network segmentation divides a network into smaller zones with controlled traffic between them. An attacker who compromises the guest Wi-Fi can't reach the financial database if they're on separate segments with a firewall between them.

Access control enforces least privilege at every level: user accounts get minimum necessary permissions, services run with restricted rights, and administrative access requires additional authentication. Access control lists (ACLs) specify exactly what each entity can access.

Application allow listing permits only approved applications to execute. Unlike blocklisting (blocking known-bad), allow listing defaults to deny — anything not explicitly approved is blocked. It is more restrictive to maintain, but far more effective against zero-days and unknown malware.

Micro-segmentation applies segmentation at the workload level rather than the network level. Traditional segmentation separates subnets; micro-segmentation controls traffic between individual virtual machines or containers. This is critical in cloud and data center environments where east-west traffic (server-to-server) far exceeds north-south traffic (client-to-server). An attacker who compromises one server can't pivot to adjacent servers if micro-segmentation policies block unauthorized lateral communication.

Isolation completely separates critical or compromised systems. Air-gapped networks have no connection to external networks — used for classified systems and critical industrial controls. Sandboxing runs suspicious code in an isolated environment to observe its behavior without risk to production systems. During incident response, isolation is the first containment action: disconnect the compromised system to stop lateral movement while preserving evidence.

⚠️ Exam Trap: Allow listing is more secure than blocklisting but harder to maintain. Allow listing blocks unknown/zero-day malware by default; blocklisting only catches known threats. If the question asks for the most restrictive approach, the answer is allow listing.
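As an added example (not part of the original study guide), the default-deny logic behind the segmentation and micro-segmentation sections above is modelled next to a default-allow blocklist, so the difference the exam trap describes shows up on the same three flows. Every workload, zone, role and port value is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    segment: str  # network zone (constructed names: "guest-wifi", "app", "finance")
    role: str     # workload label that micro-segmentation rules match on

class AllowListPolicy:
    """Default-deny: a flow passes only if a zone link AND a workload rule permit it."""
    def __init__(self, zone_links, rules):
        self.zone_links = set(zone_links)  # permitted (src_zone, dst_zone) pairs
        self.rules = set(rules)            # permitted (src_role, dst_role, port) triples

    def allows(self, src, dst, port):
        # Network segmentation: cross-zone traffic must be explicitly linked.
        if src.segment != dst.segment and (src.segment, dst.segment) not in self.zone_links:
            return False
        # Micro-segmentation: even peers inside one zone need an explicit rule,
        # which is what blocks east-west pivoting between servers.
        return (src.role, dst.role, port) in self.rules

class BlockListPolicy:
    """Default-allow: only flows matching a known-bad triple are stopped."""
    def __init__(self, denied):
        self.denied = set(denied)

    def allows(self, src, dst, port):
        return (src.role, dst.role, port) not in self.denied

# Constructed sample environment: a guest device, two web servers, one finance database.
GUEST = Workload("visitor-laptop", "guest-wifi", "guest")
WEB1 = Workload("web-01", "app", "web")
WEB2 = Workload("web-02", "app", "web")
DB = Workload("ledger-db", "finance", "db")

ALLOW = AllowListPolicy(zone_links=[("app", "finance")], rules=[("web", "db", 5432)])
BLOCK = BlockListPolicy(denied=[("guest", "db", 5432)])  # only the one known-bad flow

def evaluate(policy):
    """Decisions for a legitimate flow, a cross-zone attack, and an unknown lateral move."""
    return {
        "web->db": policy.allows(WEB1, DB, 5432),
        "guest->db": policy.allows(GUEST, DB, 5432),
        "web->web": policy.allows(WEB1, WEB2, 22),
    }

if __name__ == "__main__":
    print("allow list:", evaluate(ALLOW))
    print("block list:", evaluate(BLOCK))
```

Both policies stop the flow someone already thought of (guest to database); only the default-deny policy also stops the unknown web-to-web lateral move, which is the exam trap in code.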

Written by Alvin Varughese (Founder, 15 professional certifications)