Practice and strategy · Module 2

Exposure reduction and zero trust

Zero trust is simple.

1.5h 3 outcomes Cybersecurity Practice and Strategy

Previously

Secure SDLC

Security becomes real when it is built into how work ships.

This module

Exposure reduction and zero trust

Zero trust is simple.

Runtime and cloud security

Crypto is only useful when it is applied correctly.

Progress

Mark this module complete when you can explain it without rereading every paragraph.

Why this matters

Patterns that help include strong identity and device posture, least privilege, service to service authentication, network policy that defaults to deny, explicit trust boundaries, and observability.

What you will be able to do

1 Explain trust boundaries and blast radius in plain language
2 Map implicit trust and remove the highest risk edges
3 Plan layered controls with ownership and logging

Before you begin

You can describe a simple system with users, services, and data

Common ways people get this wrong

Flat network thinking. If everything can talk to everything, one compromise becomes many.
Policy drift. Policies change. If you do not version and test them, they quietly break your assumptions.

Main idea at a glance

Layered, segmented view

User access checked at every hop. Segments limit lateral movement.

Zero trust layered segmentation

`flowchart LR
User["User\ndevice"] --> Edge["Web tier:\nWAF & auth"]
Edge --> API["API tier:\nmTLS & auth"]
API --> Data["Data tier:\npolicy & encrypt"]
SOC["Monitoring\n& SOC"] --> Edge
SOC --> API
SOC --> Data
Admin["Privileged\nadmin"] --> PAM["Access\ncontrols"]
PAM --> API

Edge -. "Boundary 1" .- API
API -. "Boundary 2" .- Data
`

Zero trust layered segmentation

Zero trust is simple. Never assume the network is friendly, always verify access, limit blast radius. zero trust. microsegment reduces how far an attacker can move. Defence in depth still matters. Identity, network, application, and data controls should stack.

Why this exists. Architecture is how you prevent one compromise from becoming an organisational outage. It is also how you control "security debt" so you can still ship. Segmentation, strong identity, and explicit trust boundaries reduce lateral movement and make detection and recovery feasible.

Who owns it. Architects and platform teams usually own the reference patterns and guardrails. Product and engineering teams own implementation. Security owns threat modelling standards, policy, and review for high risk systems. Leadership owns trade offs because architecture choices often impact cost, speed, and customer friction.

Trade offs. More segmentation and stronger identity can increase latency, complexity, and operational burden. Strict policies can break integrations. Zero trust can become security theatre if it is a slogan without ownership, telemetry, and an exception process. Some controls also shift risk rather than reduce it (for example, moving trust to a single identity provider without hardening it).

Failure modes. Flat networks with broad permissions, shared admin access, and hidden "break glass" paths that bypass controls. Another common failure is pretending every system deserves the same rigour, which spreads teams thin and leads to random controls rather than deliberate coverage.

Maturity thinking. Basic looks like clear trust boundaries, MFA (multi-factor authentication) for admin, and sane network segmentation between tiers. Good looks like strong service identity, default deny policies, tested emergency access, and consistent logging at control points. Excellent looks like measured blast radius reduction, continuous validation of assumptions, and governance that makes exceptions rare, visible, and time boxed.

This is where cyber stops being an IT problem and becomes an organisational capability. Architecture is the translation layer between risk and reality. The board talks about impact. Engineers talk about systems. Architecture is where those meet. If you cannot explain your design to a non technical leader, you probably cannot defend it under pressure either.

If you want an enterprise baseline, Cyber Essentials Plus is a good mental anchor. It is not perfect. Nothing is. But it forces useful basics. Secure configuration, access control, malware protection, patch management, and boundary protections. In practice, these are the controls that keep your worst day from turning into a month.

Patterns that help include strong identity and device posture, least privilege, service to service authentication, network policy that defaults to deny, explicit trust boundaries, and observability everywhere. Avoid flat networks, shared admin accounts, and hidden backdoors that bypass controls.

Before the tool, pick a story. "A laptop is compromised", "A token is stolen", or "A build agent is popped". You are not drawing a network diagram for fun. You are deciding which compromise becomes a minor incident and which one becomes a headline.

Afterwards, your output is a prioritised backlog and an ownership map. Which edges should not exist. Which identities should be constrained. Which segments need policy. Which logs must exist for detection. This is also where you connect to Cyber Essentials Plus style thinking. If you cannot explain your boundary protections and access control clearly, you probably cannot evidence them either.

Before the next tool, make a decision about constraints. Are you optimising for speed of delivery, for resilience, for compliance evidence, or for cost. You cannot maximise all of them, so be honest about what you are trading.

After you run it, the lead move is to turn "nice to have" into "decided". Write down what is mandatory, what is optional, and what is explicitly accepted risk. Then align it to governance. Architecture standards, design review checklists, and exception handling. If you cannot enforce it, it is not a standard, it is a wish.

Mental model

Trust boundaries and policy points

Zero trust is not a product. It is explicit trust decisions, enforced at boundaries.

1

Public internet
2

Edge
3

Policy point
4

Service
5

Data

Assumptions to keep in mind

Identity is reliable. If identity is weak, policy is weak. Strengthen identity before you promise zero trust.
High-risk paths are isolated. Admin and privileged operations should have stronger controls and better logs.

Failure modes to notice

Flat network thinking. If everything can talk to everything, one compromise becomes many.
Policy drift. Policies change. If you do not version and test them, they quietly break your assumptions.

Key terms

zero trust: Design where no implicit trust is granted based on network location
microsegment: Breaking systems into small zones with tight policy

Check yourself

Quick check. Secure architecture

0 of 7 opened

Scenario. One service is compromised. What architecture choice most reduces 'how far the attacker can go'

Segmentation and least privilege. Microsegmentation and scoped identities limit lateral movement and blast radius.

What is the core idea of zero trust

Do not grant implicit trust based on network location. Verify every access.

How does microsegmentation help

It limits lateral movement by confining access to small zones.

Why keep defence in depth

Different layers catch different failures so one miss is not catastrophic.

Name one sign of a flat network

Many services reachable without policy separation or filtering.

Where should you log in this architecture

At every boundary. Web, API, data access, and admin actions.

Why avoid shared admin accounts

They hide accountability and make abuse or mistakes hard to trace.

Artefact and reflection

Artefact

A trust boundary map with a prioritised backlog

Reflection

Where in your work would explain trust boundaries and blast radius in plain language change a decision, and what evidence would make you trust that change?

Optional practice

Pick a compromised node, connect trust edges, and watch the blast radius expand.

Also in this module

Plan layered defences

Compare design options and see how attack surface, blast radius and ops effort shift.