Logical and Physical Access Boundary Controls

Why it matters

Weak access boundaries allow attackers who compromise a public web server to move laterally into production databases, internal systems, and restricted environments. Network segmentation enforces "zero trust" principles by ensuring that breach of one system doesn't automatically grant access to all others, containing incidents and limiting blast radius.

Evidence to collect

• Network architecture diagram showing production, staging, and development VPCs/subnets with labeled security group rules or firewall policies between them
• Security group or firewall rule set for production environment (e.g., AWS Security Groups export or Azure NSG rules) showing explicit DENY rules for unauthorized ingress
• Change management log or ticket for the most recent infrastructure change, showing documented network topology updates and approval
• Output of network connectivity test (e.g., `traceroute`, security scanning tool report, or AWS VPC Flow Logs) confirming blocked unauthorized routes between segments

Testing procedure

Auditor requests the network architecture diagram and compares it against deployed security group/firewall rules to confirm production, staging, and development are in separate network segments. Auditor then attempts or simulates cross-segment access (e.g., production database from a staging instance) and verifies the connection is denied. Finally, auditor reviews the last three infrastructure changes to confirm network topology documentation was updated and changes followed approval workflow.

Common gotchas