What is network access control?
Network access control is enforcement that allows or blocks network traffic between endpoints.
- The system evaluates a connection attempt (source, destination, port, protocol, and sometimes identity context).
- If a rule matches allow, traffic passes; if not, traffic is blocked.
- The decision happens before the target service receives the request.
How do systems enforce network access control rules?
Step 1: A connection attempt is initiated (source → destination, port, protocol).
Step 2: An enforcement component observes the attempt and extracts match fields (addresses, ports, protocol, labels if available).
Step 3: The component evaluates policy rules to produce allow or deny.
Step 4: Allow forwards traffic; deny drops or rejects so the application never sees the request.
What breaks network access control in practice?
Cause → system behavior → security impact.
- Cause: default-allow posture or overly broad allow rules.
- Behavior: unexpected connections succeed because there is no matching block.
- Impact: attackers can scan internal services and find reachable targets for lateral movement.
What is service-to-service communication security?
Service-to-service communication security is the set of checks a callee performs to accept calls from a caller service.
- The callee authenticates the caller (proves who is calling).
- The callee authorizes the operation (checks what that caller is allowed to do).
- Network reachability alone does not prove caller identity, so it cannot replace authentication.
How do systems authenticate service-to-service calls?
Step 1: Caller attaches proof on the request (token) or on the connection (mutual Transport Layer Security (mTLS)).
Step 2: Callee validates the proof (token signature/constraints, or certificate chain/identity).
Step 3: Callee binds the request to a caller service identity derived from the proof.
Step 4: Callee authorizes the specific operation and executes only if allowed.
What breaks service-to-service authentication in practice?
Cause → system behavior → security impact.
- Cause: internal endpoints skip authentication because “only internal traffic reaches them.”
- Behavior: any reachable workload can invoke privileged endpoints without proving identity.
- Impact: a single foothold can call many services and escalate access across the environment.
What are runtime permissions?
Runtime permissions are the OS-level rules that decide what a running process can do.
- The OS checks permissions when the process attempts actions like reading files, opening sockets, or calling privileged syscalls.
- If checks fail, the OS denies the action and it does not happen.
- These permissions control local blast radius after code execution is gained.
How do operating systems enforce runtime permissions?
Step 1: Process attempts a privileged action (file access, network bind, syscall).
Step 2: OS identifies the process security context (user/group IDs and any additional privilege flags).
Step 3: OS compares the action against allowed permissions for that context.
Step 4: OS allows the action or denies it with an error; denied actions are not executed.
What breaks runtime permissions in practice?
Cause → system behavior → security impact.
- Cause: running as a highly privileged user or granting broad privileges.
- Behavior: OS checks pass for sensitive actions that should be blocked.
- Impact: attacker can modify the host environment, steal data, or gain persistence beyond the application.
What are isolation boundaries?
Isolation boundaries are enforced separations that limit how one workload can affect others.
- Examples include process boundaries, container boundaries, virtual machine boundaries, and network segmentation boundaries.
- A boundary is effective only if crossing it requires checks the attacker cannot bypass.
- Isolation limits how far compromise spreads from one workload.
How do systems enforce isolation boundaries between workloads?
Step 1: Workload attempts to access a resource outside its boundary (host files, other workload resources, restricted network).
Step 2: The enforcing layer identifies the boundary context (namespace/VM/network domain).
Step 3: The enforcing layer evaluates rules and permissions for that access attempt.
Step 4: Access is allowed only if policy permits; otherwise it is blocked at the boundary.
What breaks isolation boundaries in practice?
Cause → system behavior → security impact.
- Cause: misconfiguration that weakens boundaries or exploitable runtime vulnerabilities.
- Behavior: attacker crosses from an isolated workload into the host or other workloads.
- Impact: compromise expands from one service to many, increasing data access and control.
What is runtime identity?
Runtime identity is how a running workload is represented as a caller in access decisions.
- The system assigns a workload identity and uses it to authorize calls to services and control planes.
- The receiver extracts that identity from validated proof (token or mTLS certificate).
- Without runtime identity, systems fall back to weak signals like source IP, which do not uniquely identify the caller.
How do systems bind runtime identity to requests?
Step 1: Workload obtains proof tied to its identity (token issuance or mTLS client certificate).
Step 2: Workload presents proof on each call.
Step 3: Receiver validates proof and derives the caller identity from it.
Step 4: Receiver authorizes the request using policies keyed to that identity.
What breaks runtime identity in practice?
Cause → system behavior → security impact.
- Cause: shared identities across workloads or stolen identity proof (tokens, keys).
- Behavior: receiver cannot distinguish which workload is calling, or attacker calls as a trusted identity.
- Impact: least privilege collapses and investigations cannot reliably scope what was compromised.
What is lateral movement?
Lateral movement is an attacker moving from one compromised workload to additional internal targets.
- The attacker uses reachable paths (network access) plus authorization paths (stolen tokens/secrets or weak internal auth).
- Each move provides new privileges, data, or execution locations.
How does lateral movement happen after a foothold?
Step 1: Attacker gains execution in one workload.
Step 2: Attacker enumerates reachable services and endpoints.
Step 3: Attacker uses available proofs (stolen tokens/secrets) or unauthenticated internal endpoints to access other services.
Step 4: Attacker repeats, expanding access and privilege over time.
What breaks lateral movement defenses in practice?
Cause → system behavior → security impact.
- Cause: flat connectivity plus weak per-service authentication/authorization.
- Behavior: many internal calls succeed once the attacker is “inside.”
- Impact: compromise spreads quickly and becomes an environment-wide incident.
What is containment?
Containment is limiting what a compromised workload can do and what it can reach.
- It uses network restrictions, identity least privilege, and runtime permission restrictions.
- The goal is that “one workload compromised” does not become “many workloads compromised.”
How do systems implement containment mechanically?
Containment is enforced by multiple independent checks.
- Network access control limits which destinations a workload can connect to.
- Service-to-service authentication ensures reachability is not enough; identity proof is required.
- Authorization limits what an authenticated identity can do.
- Runtime permissions and isolation boundaries limit local and cross-workload damage.
How do systems enforce zero trust principles mechanically?
Zero trust mechanically means per-request verification, not network-based assumptions.
- Each request must be authenticated to derive a caller identity.
- Each request must be authorized for the specific operation and resource.
- Each hop enforces its own checks because upstream checks can be bypassed.
| “Internal network” is not accepted as proof because network position can be obtained by attackers.
What breaks zero trust in practice?
Cause → system behavior → security impact.
- Cause: bypass paths that skip authentication/authorization (direct service ports, debug endpoints, missing enforcement on some paths).
- Behavior: requests execute based on reachability rather than verified identity and policy.
- Impact: once inside, attackers can move laterally and perform privileged actions without strong checks.
-
Security Fundamentals55
-
Identity and Access25
-
Tokens and Authentication Protocols22
-
Secrets and Key Management22
-
CI/CD and Supply Chain Security24
-
Runtime and Networking Security23
-
Cloud, IaC, and Governance22
-
Incidents and Failure Modes23
-
Threat Modeling and Risk Decisions19
-
Incident Management25
-
Vulnerability Management28
-
Logging, Monitoring, and Detection29
-
Kubernetes Security36
-
Container Security31
-
Data Security30
-
Secure SDLC and Reviews32
