Skip to main content
MyITCyberBack to home
← Insights·Infrastructure Security

Network Segmentation: Do Not Put Everything on the Same VLAN

·2 min read
Side-by-side comparison of a flat network and a segmented network. On the left, a single rectangle places users, servers, printers, cameras, Wi-Fi, and backup on the same plane with an amber mesh connecting every node to every other node, labeled 'risk: lateral movement'. On the right, a segmented design organizes the same resources into clearly bordered VLANs on-prem (users, servers, IoT / printers, management, backup) and clearly bordered cloud subnets inside a VPC / VNet (public, app, db, management / backup), with only specific ALLOW lines drawn between the paths that real workflows need, and a footer strip listing route tables, security groups, NSG, firewall rules, and private endpoints, labeled 'reduced blast radius'.

Network segmentation is one of the most basic security principles, and one of the most ignored. Flat networks are easy to build but easy to abuse, one compromised endpoint can reach far too much. Whether it is VLANs on-prem or subnets, security groups, and private endpoints in the cloud, every system should only talk to what it really needs.

Network segmentation is one of the most basic security principles, but many environments still ignore it.

In on-prem environments, this usually means everything sits too close together. Users, servers, printers, cameras, Wi-Fi, management interfaces, and backup systems may all have too much access to each other.

It works until something goes wrong.

If one endpoint is infected or one user account is compromised, a flat network makes it much easier for an attacker to move laterally across the organization.

Segmentation reduces that risk.

  • Users should not have direct access to every server.
  • Printers and cameras should not talk freely to business systems.
  • Management networks should be isolated.
  • Backup infrastructure should be protected.
  • Critical servers should be separated from regular user traffic.

The same idea applies in the cloud.

Instead of putting everything in one large VPC, VNet, subnet, or security group, cloud networks should be designed with clear separation. Public services, private applications, databases, management access, and backup systems should not all live in the same open network.

In the cloud, segmentation is built with subnets, route tables, security groups, network security groups, firewall rules, private endpoints, and identity-based access.

Good segmentation does not only improve security. It also makes troubleshooting easier, reduces noise, limits the impact of mistakes, and gives IT teams better control.

A flat network is easy to build, but hard to protect.

A segmented network takes more planning, but it helps keep the business safer when something goes wrong.

// related reading
API security with backend validation diagram. On the left, an untrusted client panel showing a browser UI with a hidden DELETE button, a disabled ROLE field, and the URL /api/tickets/42 with the 42 underlined as 'attacker changes this', plus four amber pills indicating client-side manipulation: changed ID, modified payload, direct API call, bypassed UI. Amber arrows representing manipulated requests flow into the right panel, a backend pipeline labeled THE REAL ENFORCER. The pipeline runs each request through six teal gates top to bottom: AUTH (is the user logged in?), AUTHORIZATION (can this user do this action?), OBJECT-LEVEL AUTHZ (can this user access this record?), INPUT VALIDATION (does this payload make sense?), RATE LIMIT (is this request too frequent?), LOG + MONITOR (should this be recorded?), exiting into an APPROVED REQUEST arrow, with a side branch from OBJECT-LEVEL AUTHZ to an amber 403 · DENIED pill, and a callout noting every request is treated as possibly manipulated. Below, a strip of seven equally weighted controls: backend-side validation, object-level authorization, input sanitization, rate limiting, clear error handling, logging plus monitoring, and abuse protection, with a small tag reading 'frontend helps · backend enforces'.
Infrastructure Security

API Security: Do Not Trust the Client

The frontend can hide buttons, disable fields, and guide the user through the right flow, but anything that comes from the client can be changed. Attackers swap IDs in URLs, edit payloads, call the API directly, and bypass the UI completely. Real security lives in the backend: authentication, authorization, object-level access checks, input validation, rate limits, and logging on every request, because every request is treated as possibly manipulated.

Read article
Certificate expiration risk diagram. On the left, a CERTIFICATES EVERYWHERE panel showing ten services that quietly depend on a valid certificate, website, API, VPN, load balancer, mail, internal services, Kubernetes ingress, monitoring, identity, and integrations, with two services (WEBSITE and IDENTITY) flagged in amber as EXPIRES SOON, and a footer pill reading 'all depend on a valid cert'. On the right, an amber-bordered WHEN A CERT EXPIRES panel listing the immediate impact: users cannot log in, APIs fail, browser security warnings appear, automations break, integrations stop, customers lose access, with a footer note 'and all it took was a missed date'. Below, a CERTIFICATE LIFECYCLE strip with seven equally weighted controls: inventory, ownership, expiration monitoring, alerts, renewal process, automation, and post-renewal testing.
Infrastructure Security

Certificate Expiration Is Still Taking Systems Down

An expired certificate is one of the simplest, most preventable outages, and it still keeps happening. The fix is not heroics on renewal day. It is treating certificates like production assets: a real inventory, a clear owner, monitored expirations, alerts, a renewal process, automation where possible, and post-renewal testing so the change does not break something downstream.

Read article
Back to all insights