Episode 64 — A.8.21–8.22 — Security of network services; Segregation of networks

A.8.21 requires that network services—whether internal or provided by third parties—be specified and secured to meet business and security requirements. For the exam, think beyond raw connectivity: services include routing, switching, DNS, DHCP, VPN, load balancing, DDoS protection, and content filtering. Contracts and internal SLAs should define availability, performance, logging, change processes, and security features such as encryption, authentication, and isolation. Verification mechanisms—service acceptance tests, periodic reviews, and independent assessments—ensure the service continues to meet expectations as environments evolve. Candidates should note integration points with supplier governance and incident management, including defined contacts, escalation paths, and evidence access for investigations. The objective is transparency and control: you must know what the service does, how it is secured, and how you will detect and respond when something goes wrong.

A.8.22 focuses on segregation of networks, a structural defense that limits the spread of threats and enforces policy boundaries. Segregation can be physical (separate hardware) or logical (VLANs, VRFs, SDN microsegmentation), and should map to data sensitivity, system criticality, and exposure. Controls include deny-by-default interzone policies, authenticated proxies for cross-zone access, and brokered connections for administrative functions. Monitoring validates that segmentation works, detecting forbidden flows and policy drift. Pitfalls include “any-any” rules added for expedience, shared management planes, and overlooked paths such as backup networks or out-of-band consoles that bypass controls. Effective programs document zoning standards, maintain up-to-date network diagrams, and require explicit risk acceptance for exceptions with expiry and review. Candidates should be prepared to describe how service security and segregation combine: secure, well-specified services run inside clearly bounded segments, with least-privilege pathways and auditable crossings that align to zero-trust goals and simplify both operations and audits. Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.