Network Access Restrictions
Description
The entity restricts access to system resources through network segmentation, firewalls, and access control lists.
⚠️ Risk Impact
Unrestricted network access enables lateral movement and data exfiltration.
🔧 Remediation
Implement network segmentation, firewall rules, and restrict public access. EchelonGraph scans firewall rules and network configurations.
💀 Real-World Attack Scenario
A flat network allowed an attacker who compromised a web server to directly access the database server, Redis cache, and internal APIs without any network restrictions. The attacker moved laterally across 14 servers in 90 minutes, compromising email, customer data, and financial systems.
💰 Cost of Non-Compliance
Flat networks increase breach cost by 2.8x compared with segmented networks. Average lateral-movement breach cost: $5.1M. CC6.6 findings are among the most common SOC 2 exceptions.
📋 Audit Questions
1. Show the network segmentation architecture.
2. List all firewall rules allowing public access.
3. How is east-west traffic controlled?
4. Are VPC/VNET flow logs enabled?
⚡ Common Pitfalls
- ⛔ Segmenting at the VPC level but not at the subnet level
- ⛔ Overly permissive security group rules within the same VPC
- ⛔ Not monitoring east-west traffic (only north-south)
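A worked check for audit question 2 and the second pitfall above. This is an added example, not EchelonGraph's scanner or data model: it walks a constructed, vendor-neutral list of security-group ingress rules and flags any rule that exposes a non-web port to the internet, plus any intra-VPC rule that opens every port or protocol (the "overly permissive within the same VPC" case). The rule shape, the VPC CIDR and the allowed public ports are assumptions for the example.

```python
import ipaddress

# Constructed sample ingress rules in a simplified shape (an assumption for this
# example). "source" is a CIDR; protocol "-1" means all protocols, all ports.
SAMPLE_RULES = [
    {"group": "sg-web",   "source": "0.0.0.0/0",   "protocol": "tcp", "from": 443,  "to": 443},
    {"group": "sg-web",   "source": "0.0.0.0/0",   "protocol": "tcp", "from": 22,   "to": 22},
    {"group": "sg-db",    "source": "10.0.0.0/16", "protocol": "-1",  "from": 0,    "to": 65535},
    {"group": "sg-db",    "source": "10.0.1.0/24", "protocol": "tcp", "from": 5432, "to": 5432},
    {"group": "sg-cache", "source": "::/0",        "protocol": "tcp", "from": 6379, "to": 6379},
]

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range
PUBLIC_OK_PORTS = {80, 443}                      # assumed policy: only web ports may be public


def audit_rules(rules, vpc_cidr=VPC_CIDR, allowed_public=PUBLIC_OK_PORTS):
    """Return a list of (finding, group, source, port_range) tuples."""
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r["source"], strict=False)
        port_range = f"{r['from']}-{r['to']}"
        # A /0 source (IPv4 or IPv6) is the whole internet.
        is_public = net.prefixlen == 0
        # "-1" or 0-65535 both mean every port; treat them the same.
        all_ports = r["protocol"] == "-1" or (r["from"] == 0 and r["to"] == 65535)

        if is_public:
            # Public ingress is acceptable only if every port in the range is
            # on the allow-list; a full-range rule can never qualify.
            ok = (not all_ports) and set(range(r["from"], r["to"] + 1)) <= allowed_public
            if not ok:
                findings.append(("PUBLIC_INGRESS", r["group"], r["source"], port_range))
        elif net.version == vpc_cidr.version and net.subnet_of(vpc_cidr):
            # East-west rule: flag "anything from inside the VPC" patterns,
            # which defeat segmentation even though nothing is public.
            if all_ports:
                findings.append(("BROAD_EAST_WEST", r["group"], r["source"], port_range))
    return findings


def public_rules(rules):
    """Audit question 2: every rule whose source is the whole internet."""
    return [r for r in rules
            if ipaddress.ip_network(r["source"], strict=False).prefixlen == 0]


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(*f)
```

Running it against the sample lists the SSH and Redis exposures as public ingress and the all-ports database rule as an overly broad east-west rule, while the HTTPS and Postgres rules pass.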
📈 Business Value
Network segmentation limits breach blast radius and is a fundamental requirement for SOC 2, PCI DSS, and HIPAA. It's the network equivalent of least-privilege access.
⏱️ Effort Estimate
16-40 hours for network architecture review and segmentation implementation
EchelonGraph scans all firewall rules and identifies overly permissive network access
Automate SOC 2 CC6.6 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.