Segmentation and Access Control (Domain 2)

In this episode, we are introducing two foundational cybersecurity defenses: segmentation and access control. These strategies are used to limit how far attackers can move if they breach your network, and they help ensure that users and systems only have access to what they truly need. When used together, segmentation and access control form a powerful barrier against both external threats and internal misuse.
Let’s begin with segmentation. Network segmentation is the practice of dividing a network into smaller, isolated sections. This creates internal boundaries between groups of devices, services, or users. Instead of every system having access to every other system, segmentation makes it possible to control and limit communication between them.
The security benefit of segmentation is clear. If an attacker compromises one device or service, they can’t move freely across the entire network. Instead, they’re confined to the segment they’ve breached unless they find a path through the controls at its boundary. This limits lateral movement and shrinks the blast radius of a compromise, and it gives defenders more time to detect and contain the threat before it spreads. Keep in mind that segmentation only helps if the boundaries are actually enforced: two VLANs joined by a router that permits all traffic between them are separate broadcast domains, not separate security zones.
There are several methods of implementing segmentation. Virtual Local Area Networks, or VLANs, let administrators group devices logically at Layer 2, regardless of their physical location, so that each VLAN is its own broadcast domain. Traffic between VLANs has to pass through a router or firewall, and that is where the rules restricting it are applied. Subnets divide IP address space into logical blocks at Layer 3 and are likewise enforced by routers or firewalls at their boundaries; in practice each VLAN is usually given its own subnet. More advanced environments use micro-segmentation, where policy is applied to individual workloads, applications, or services rather than to whole network segments, typically through host-based firewalls, hypervisor controls, or cloud security groups. Micro-segmentation is common in cloud and virtualized environments, where workloads come and go and policy has to follow them dynamically.
A real-world example of segmentation involves separating user devices from critical servers. If a phishing attack compromises a workstation, the attacker can’t immediately reach sensitive data because the file server resides on a different subnet, protected by access control rules that deny the workstation subnet everything except the specific services users actually need. This delay gives security teams time to respond, and it may completely block the attacker’s path.
Now let’s turn to access control. Access control refers to the policies and technologies used to restrict who can access what resources—and under which conditions. Two of the most common tools in access control are Access Control Lists and permissions based on roles and privileges.
Access Control Lists, or ACLs, define which users or systems can interact with network devices, files, or services. They are typically used on routers, firewalls, or file systems. An ACL might say that only traffic from a specific subnet can reach a web server, or that only the accounting department can access financial folders on a shared drive. ACLs are written as rules that evaluate attributes like IP addresses, protocols, ports, or user identifiers to allow or deny access. Most network ACLs are processed top to bottom: the first matching rule decides, and traffic that matches no rule hits an implicit deny at the end. Rule order therefore matters. A broad permit placed above a specific deny makes the deny unreachable, and the only evidence is traffic you expected to be blocked getting through.
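The workstation-versus-server scenario above, and the first-match behaviour of network ACLs just described, as an added example that is not code from the episode. The addresses, rule set, and packets are constructed for illustration; the evaluator models the common top-down, first-match, implicit-deny semantics and also reports rules that an earlier, broader rule shadows, which is how a misordered permit silently defeats a deny.

```python
"""Model of a network ACL: top-down, first match wins, implicit deny at the end.

Constructed example for illustration; addresses and rules are assumptions, not
taken from the episode.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source host or CIDR, or "any"
    dst: str               # destination host or CIDR, or "any"
    proto: str             # "tcp", "udp", "icmp", or "any"
    dport: Optional[int]   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _addr_in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_in(rule.src, pkt.src)
            and _addr_in(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the rule that matched).

    Rules are checked in order and the first match decides; traffic that
    matches no rule falls through to the implicit deny (index None).
    """
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


def _covers(outer: str, inner: str) -> bool:
    """True if every address in `inner` is also in `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    matches everything they would match. A broad permit above a specific
    deny is the classic ordering mistake."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                shadowed.append(j)
                break
    return shadowed


# Constructed addressing for the episode's scenario (assumed values).
WORKSTATIONS = "10.10.20.0/24"   # user workstations, where the phishing lands
ACCOUNTING = "10.10.40.0/24"     # accounting department workstations
SERVERS = "10.10.30.0/24"        # server segment
WEB_SERVER = "10.10.30.10"
FILE_SERVER = "10.10.30.20"

# ACL applied at the router/firewall boundary of the server segment.
SERVER_SEGMENT_ACL = [
    Rule("permit", WORKSTATIONS, WEB_SERVER, "tcp", 443),   # users -> intranet web only
    Rule("permit", ACCOUNTING, FILE_SERVER, "tcp", 445),    # accounting -> file shares
    Rule("deny", WORKSTATIONS, SERVERS, "any", None),       # explicit deny, so it is logged
    # everything else: implicit deny
]

# Same rules with a broad permit mistakenly placed first: every later rule is dead.
MISORDERED_ACL = [Rule("permit", "any", SERVERS, "any", None)] + SERVER_SEGMENT_ACL
```

With the correctly ordered list, a phished workstation reaching for the file server over SMB hits the explicit deny, while the accounting subnet is permitted; with the misordered list, the same packet is permitted by the first rule and `shadowed_rules` reports every rule below it as unreachable.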
Permissions work at the user or system level. Role-based access control is one of the most widely used permission models. In this model, users are assigned to roles based on their job functions—such as Human Resources, Marketing, or IT Support—and each role has predefined access to systems and data. This simplifies administration and reduces the chance of granting unnecessary privileges.
The principle of least privilege is another important concept. It means users and systems should be granted only the minimum level of access needed to perform their duties—nothing more. If a user doesn’t need administrative rights to do their job, they shouldn’t have them. Limiting access helps reduce the impact of compromised accounts and accidental misuse.
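The role-based model and the least-privilege principle from the last two paragraphs, as an added example that is not code from the episode. The roles, users, and access-log entries are constructed for illustration. Users receive permissions only through roles, the check is default deny, and a review pass compares what each account is granted against what it actually used, which is how least-privilege violations such as an unused admin role are found in practice.

```python
"""Role-based access control with default deny and a least-privilege review.

Constructed example for illustration; roles, users and log entries are
assumed, not taken from the episode.
"""
from typing import Dict, Iterable, Set, Tuple

Permission = Tuple[str, str]   # (resource, action)

# Each role carries a fixed set of permissions tied to a job function.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "hr": {("hr_records", "read"), ("hr_records", "write"), ("payroll", "read")},
    "marketing": {("campaign_assets", "read"), ("campaign_assets", "write")},
    "it_support": {("helpdesk", "read"), ("helpdesk", "write"),
                   ("workstations", "reset_password")},
    # Wildcard admin role: the one least privilege says to hand out sparingly.
    "domain_admin": {("*", "*")},
}

# Users are assigned roles, never permissions directly.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"hr"},
    "bob": {"marketing"},
    "carol": {"it_support", "domain_admin"},
}


def effective_permissions(user: str) -> Set[Permission]:
    """Union of the permissions of every role the user holds."""
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Default deny: only an explicit grant (or the wildcard) permits access.
    Unknown users and unknown roles simply have no permissions."""
    perms = effective_permissions(user)
    return (resource, action) in perms or ("*", "*") in perms


def blast_radius(user: str) -> Set[str]:
    """Resources an attacker controls if this account is compromised.
    "*" means every system in the environment."""
    return {resource for resource, _ in effective_permissions(user)}


# Constructed access log: successful (user, resource, action) events for a review period.
ACCESS_LOG = [
    ("alice", "hr_records", "read"),
    ("alice", "hr_records", "read"),
    ("alice", "payroll", "read"),
    ("bob", "campaign_assets", "read"),
    ("carol", "helpdesk", "read"),
    ("carol", "workstations", "reset_password"),
]


def unused_permissions(user: str, log: Iterable[Tuple[str, str, str]]) -> Set[Permission]:
    """Granted but never exercised in the log: candidates for removal under
    least privilege. The wildcard is reported as unused when every logged
    action was already covered by a specific, non-wildcard permission."""
    used = {(r, a) for u, r, a in log if u == user}
    perms = effective_permissions(user)
    unused = {p for p in perms if p != ("*", "*") and p not in used}
    if ("*", "*") in perms and used <= (perms - {("*", "*")}):
        unused.add(("*", "*"))
    return unused
```

Run against the constructed log, the review shows that carol performed all of her work with the IT Support role alone, so the domain admin role she also holds is exactly the unnecessary privilege the paragraph above warns about.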
Access control is one of the most effective ways to limit the damage from internal threats. If a user account is compromised but only has access to one or two systems, the damage is contained. If that account has administrative access across the environment, the consequences can be catastrophic. Good access control also protects against external threats. Attackers who manage to bypass a firewall still face obstacles in the form of permissions, ACLs, and network segmentation, and each of those layers is another place where their activity can be logged and noticed.
As you prepare for the Security+ exam, understand how segmentation and access control work together. You may be asked to choose the best method for isolating systems, protecting sensitive data, or limiting attacker movement. Know the difference between VLANs and subnets, the role of micro-segmentation, and the purpose of Access Control Lists, including the fact that ACL rules are evaluated in order with an implicit deny at the end. Be ready to apply role-based access and least privilege in a variety of scenarios, especially those that involve limiting exposure after a breach.
