WEBVTT

1
00:00:00.090 --> 00:00:01.350
In this lesson,

2
00:00:01.350 --> 00:00:04.560
we will learn about security boundaries.

3
00:00:04.560 --> 00:00:07.960
Security boundaries are defined by strict access controls

4
00:00:07.960 --> 00:00:11.850
and continuous verification rather than

5
00:00:11.850 --> 00:00:13.980
physical or network perimeters.

6
00:00:13.980 --> 00:00:16.830
The implementation of security boundaries

7
00:00:16.830 --> 00:00:19.740
enables the monitoring and validation

8
00:00:19.740 --> 00:00:22.590
of every cross-network interaction.

9
00:00:22.590 --> 00:00:26.550
Security boundary concepts include system components,

10
00:00:26.550 --> 00:00:29.260
data perimeters, and secure zones.

11
00:00:29.260 --> 00:00:33.960
Let's learn more about these security boundary concepts.

12
00:00:33.960 --> 00:00:36.900
First, we have system components.

13
00:00:36.900 --> 00:00:40.140
System components are the individual elements

14
00:00:40.140 --> 00:00:44.100
that make up an organization's IT infrastructure.

15
00:00:44.100 --> 00:00:47.970
These include servers, workstations, applications,

16
00:00:47.970 --> 00:00:50.340
routers, and databases.

17
00:00:50.340 --> 00:00:53.280
Each of these components needs to be secured

18
00:00:53.280 --> 00:00:56.430
separately to prevent unauthorized access

19
00:00:56.430 --> 00:00:58.350
and keep the system safe.

20
00:00:58.350 --> 00:01:00.150
In a zero-trust model,

21
00:01:00.150 --> 00:01:02.970
no component is trusted automatically,

22
00:01:02.970 --> 00:01:05.340
so every device and application

23
00:01:05.340 --> 00:01:08.700
operates within strict security boundaries.

24
00:01:08.700 --> 00:01:12.810
For example, a web server that handles public requests

25
00:01:12.810 --> 00:01:14.760
should not have direct access

26
00:01:14.760 --> 00:01:16.560
to a sensitive database.

27
00:01:16.560 --> 00:01:19.180
Access to a sensitive database should be controlled

28
00:01:19.180 --> 00:01:22.050
through role-based access controls,

29
00:01:22.050 --> 00:01:26.070
multi-factor authentication, and network segmentation.

30
00:01:26.070 --> 00:01:30.000
System components can be segmented into different zones

31
00:01:30.000 --> 00:01:32.580
based on their role, like handling

32
00:01:32.580 --> 00:01:36.030
credit card transactions or user authentication.

33
00:01:36.030 --> 00:01:39.360
This allows administrators to apply specific

34
00:01:39.360 --> 00:01:42.240
security policies for each component.

35
00:01:42.240 --> 00:01:46.050
For example, credit card systems need encryption

36
00:01:46.050 --> 00:01:48.300
and strict access controls,

37
00:01:48.300 --> 00:01:50.970
while user authentication systems

38
00:01:50.970 --> 00:01:53.370
require strong password management.

39
00:01:53.370 --> 00:01:57.300
Breaking the network into zones means security policies

40
00:01:57.300 --> 00:02:00.030
can be tailored to each system's needs.

41
00:02:00.030 --> 00:02:02.520
It also lets administrators focus

42
00:02:02.520 --> 00:02:06.000
on the security requirements of their assigned zone.

43
00:02:06.000 --> 00:02:09.030
This makes managing the network simpler

44
00:02:09.030 --> 00:02:11.610
because it is divided into smaller,

45
00:02:11.610 --> 00:02:13.800
more manageable sections.

46
00:02:13.800 --> 00:02:16.380
Second, we have data perimeters.

47
00:02:16.380 --> 00:02:19.680
Data perimeters define the boundaries that protect

48
00:02:19.680 --> 00:02:21.240
sensitive information.

49
00:02:21.240 --> 00:02:25.120
They ensure that only authorized users can access data,

50
00:02:25.120 --> 00:02:29.700
whether it's stored on-premise or in the cloud.

51
00:02:29.700 --> 00:02:33.750
These boundaries use encryption, access control lists,

52
00:02:33.750 --> 00:02:36.630
and monitoring to control access.

53
00:02:36.630 --> 00:02:39.540
Sensitive data, like customer records

54
00:02:39.540 --> 00:02:41.220
or employee information,

55
00:02:41.220 --> 00:02:43.620
is protected even as it moves

56
00:02:43.620 --> 00:02:45.690
between different environments.

57
00:02:45.690 --> 00:02:49.020
This type of protection is done with data encryption

58
00:02:49.020 --> 00:02:51.300
and data loss prevention tools

59
00:02:51.300 --> 00:02:54.630
to secure the data in transit and at rest.

60
00:02:54.630 --> 00:02:58.110
In this way, data perimeters ensure that only

61
00:02:58.110 --> 00:03:01.260
specific users can access data.

62
00:03:01.260 --> 00:03:03.840
As more companies move to the cloud,

63
00:03:03.840 --> 00:03:07.620
traditional network perimeters are no longer enough.

64
00:03:07.620 --> 00:03:11.550
Continuous validation of data access requests

65
00:03:11.550 --> 00:03:15.090
is required to protect sensitive information.

66
00:03:15.090 --> 00:03:18.900
For example, organizations can create subzones

67
00:03:18.900 --> 00:03:22.170
within their networks to store sensitive data,

68
00:03:22.170 --> 00:03:26.700
using encryption and monitoring to add extra protection.

69
00:03:26.700 --> 00:03:30.420
Third and last, we have secure zones.

70
00:03:30.420 --> 00:03:33.930
Secure zones are tightly controlled areas within

71
00:03:33.930 --> 00:03:37.950
a network designed to protect critical systems and data.

72
00:03:37.950 --> 00:03:40.920
The most common secure zones are the trusted

73
00:03:40.920 --> 00:03:44.190
internal zone, the untrusted external zone,

74
00:03:44.190 --> 00:03:47.550
and the demilitarized zone, which is also called

75
00:03:47.550 --> 00:03:49.110
a screened subnet.

76
00:03:49.110 --> 00:03:51.690
A screened subnet acts as a buffer

77
00:03:51.690 --> 00:03:55.290
between the internal and external networks.

78
00:03:55.290 --> 00:03:59.460
Inside secure zones, access controls are strict,

79
00:03:59.460 --> 00:04:03.930
allowing only authorized users with verified credentials

80
00:04:03.930 --> 00:04:06.690
to access sensitive resources.

81
00:04:06.690 --> 00:04:09.980
For example, web servers inside the screened subnet

82
00:04:09.980 --> 00:04:13.140
might be accessible from the internet,

83
00:04:13.140 --> 00:04:16.020
while the internal network is shielded

84
00:04:16.020 --> 00:04:18.090
from external threats.

85
00:04:18.090 --> 00:04:22.050
Firewalls enforce strict access rules between

86
00:04:22.050 --> 00:04:25.770
these secure zones, preventing unauthorized traffic

87
00:04:25.770 --> 00:04:27.540
from moving between them.

88
00:04:27.540 --> 00:04:32.540
Organizations often create subzones within secure zones

89
00:04:32.550 --> 00:04:35.160
using subnetting, firewall rules,

90
00:04:35.160 --> 00:04:37.410
and network access control.

91
00:04:37.410 --> 00:04:41.100
For example, an internal zone might be divided

92
00:04:41.100 --> 00:04:44.670
into subzones for workstations, data centers,

93
00:04:44.670 --> 00:04:47.100
or credit card processing systems.

94
00:04:47.100 --> 00:04:50.880
This limits access to sensitive systems to only

95
00:04:50.880 --> 00:04:53.160
those authorized users.

96
00:04:53.160 --> 00:04:57.060
Other secure zone tools include bastion hosts,

97
00:04:57.060 --> 00:04:59.820
which are hardened servers or devices

98
00:04:59.820 --> 00:05:01.500
that are specifically designed

99
00:05:01.500 --> 00:05:03.870
to withstand external attacks.

100
00:05:03.870 --> 00:05:07.290
Bastion hosts are placed in vulnerable areas,

101
00:05:07.290 --> 00:05:10.020
such as outside the internal network

102
00:05:10.020 --> 00:05:12.510
and inside a screened subnet.

103
00:05:12.510 --> 00:05:16.417
This allows control and management of external access

104
00:05:16.417 --> 00:05:19.050
to these more secure systems.

105
00:05:19.050 --> 00:05:22.410
To do this, bastion hosts have minimal services

106
00:05:22.410 --> 00:05:25.140
running on them, and they are configured

107
00:05:25.140 --> 00:05:27.750
with strict security policies to reduce

108
00:05:27.750 --> 00:05:29.460
the risk of compromise.

109
00:05:29.460 --> 00:05:33.870
Next, a jump box is similar to a bastion host,

110
00:05:33.870 --> 00:05:37.260
but a jump box is specifically used to provide

111
00:05:37.260 --> 00:05:40.920
secure administrative access to a system.

112
00:05:40.920 --> 00:05:45.360
So unlike a bastion host, which tightly controls

113
00:05:45.360 --> 00:05:49.350
external access, a jump box acts as a gateway

114
00:05:49.350 --> 00:05:53.610
for administrators to reach systems in secure zones

115
00:05:53.610 --> 00:05:55.380
like a screened subnet.

116
00:05:55.380 --> 00:05:58.590
By requiring administrators to first connect

117
00:05:58.590 --> 00:06:01.950
to a jump box, the exposure of critical systems

118
00:06:01.950 --> 00:06:05.250
is minimized as only authorized users

119
00:06:05.250 --> 00:06:08.100
can pass through those sensitive resources,

120
00:06:08.100 --> 00:06:12.360
such as a jump box, to the server that is being configured.

121
00:06:12.360 --> 00:06:15.600
This setup adds an extra layer of protection

122
00:06:15.600 --> 00:06:17.430
for secure environments.

123
00:06:17.430 --> 00:06:21.390
Some organizations may even use air-gapped networks

124
00:06:21.390 --> 00:06:23.970
for the highest level of isolation.

125
00:06:23.970 --> 00:06:27.120
Air-gapped networks are physically separated

126
00:06:27.120 --> 00:06:30.750
from external connections, preventing any interaction

127
00:06:30.750 --> 00:06:34.410
between internal systems and external threats.

128
00:06:34.410 --> 00:06:38.520
Air-gapped networks are often used in sensitive environments

129
00:06:38.520 --> 00:06:40.350
like nuclear facilities.

130
00:06:40.350 --> 00:06:43.230
However, they require careful management

131
00:06:43.230 --> 00:06:45.990
because data must be physically transferred

132
00:06:45.990 --> 00:06:50.490
to or from them, and strict malware checks are necessary

133
00:06:50.490 --> 00:06:52.420
before devices are connected.

134
00:06:52.420 --> 00:06:56.370
So, proper segmentation through screened subnets,

135
00:06:56.370 --> 00:07:00.300
bastion hosts, or air-gapped systems helps secure

136
00:07:00.300 --> 00:07:03.600
the network while providing manageable zones

137
00:07:03.600 --> 00:07:06.960
to protect sensitive systems and information

138
00:07:06.960 --> 00:07:10.560
from both internal and external threats.

139
00:07:10.560 --> 00:07:15.560
So remember, security boundaries use strict access controls

140
00:07:16.050 --> 00:07:17.790
and constant monitoring

141
00:07:17.790 --> 00:07:20.520
instead of just physical barriers.

142
00:07:20.520 --> 00:07:23.250
These boundaries help track and verify

143
00:07:23.250 --> 00:07:26.190
every interaction within a network.

144
00:07:26.190 --> 00:07:30.300
Key security concepts include system components,

145
00:07:30.300 --> 00:07:33.210
data perimeters, and secure zones.

146
00:07:33.210 --> 00:07:36.280
System components like servers and applications

147
00:07:36.280 --> 00:07:41.280
are secured individually to prevent unauthorized access.

148
00:07:41.370 --> 00:07:44.730
Data perimeters protect sensitive information

149
00:07:44.730 --> 00:07:49.080
by using encryption and monitoring to control access.

150
00:07:49.080 --> 00:07:53.700
Secure zones divide the network into protected areas

151
00:07:53.700 --> 00:07:57.870
where access is tightly controlled and continuously checked

152
00:07:57.870 --> 00:08:01.383
to safeguard critical systems and data.

