Safeguard 12.2: Establish and Maintain a Secure Network Architecture

By Steve Gold
Posted in Security
On June 23, 2026

Before Danny Ocean and his crew ever set foot inside the Bellagio, they spent weeks mapping it. Every zone. Every vault. Every access control point. Every camera blind spot. They understood the architecture better than the people who designed it, and that's exactly why they succeeded.

Attackers do the same thing to your network.

They map it. They probe segment boundaries. They look for flat areas where one compromised endpoint can reach everything else. They find the places where "least privilege" was the intention but open access was the reality. And then they walk straight to the vault.

The question isn't whether someone will try. The question is whether you understand your own architecture as well as they do.

What Is CIS Safeguard 12.2?

CIS Safeguard 12.2 falls under CIS Control 12: Network Infrastructure Management. The safeguard reads: Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components.

Three words carry all the weight here: segmentation, least privilege, and availability. If your network architecture doesn't deliberately address all three, it's not a secure architecture; it's just a network.

Why It Matters

Flat networks are a gift to attackers. Once they're in (via phishing, a compromised credential, or a vulnerable endpoint), they can move laterally without friction. No walls. No checkpoints. Just open floor space all the way to your crown jewels.

Segmentation changes that math. It means a breach in one area doesn't automatically become a breach everywhere. Least privilege between segments means that even if something crosses a boundary, it can only reach what it was explicitly permitted to reach. Availability monitoring means you know when something that should be reachable isn't, which is often the first signal that something is wrong.

This isn't just a technical concern. Regulators, cyber insurance carriers, and auditors increasingly want to see documented, defensible network architecture. "We have a firewall" is not an architecture.

How to Actually Implement This

Secure network architecture isn't a single configuration change. It's a deliberate design discipline. Here's where to focus:

  1. Segment by function and risk, not just by convenience. Your guest Wi-Fi should not share a segment with your finance systems. Your OT/ICS environment should not be reachable from the corporate LAN. Group assets by how sensitive they are and how they need to communicate, then build boundaries around those groups.
  2. Enforce least privilege between segments. Every cross-segment communication path should be explicitly permitted, documented, and regularly reviewed. Default-deny between segments is the goal. If you can't articulate why a particular flow is allowed, it probably shouldn't be.
  3. Don't let unauthorized devices connect to any segment. Network access control (NAC) isn't just for large enterprises. If an unknown device can plug into your network, or join your wireless, and reach production systems, your segmentation has a gap you may not know about.
  4. Monitor availability across all segments. You need to know when a segment goes dark, when a critical path becomes unreachable, and when traffic patterns deviate from baseline. Availability monitoring is both an operational and a security function.
  5. Document what you have. You cannot defend an architecture you haven't drawn. Maintain a current, accurate network diagram that shows segments, trust boundaries, and communication flows. This is the foundation for every other security decision, and it's the first thing an incident responder is going to ask for.
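One way to make steps 2, 4 and 5 repeatable is to keep the documented architecture (segments, permitted flows, and the justification for each) in machine-readable form and audit the firewall rule set against it. The script below is an added example, not code from the original post, Gotham or CIS; the segment names, CIDRs, flows and rules are constructed, and it checks configuration only, not live reachability.

```python
from ipaddress import ip_network
from typing import NamedTuple

# Constructed example: four segments and their CIDRs (hypothetical values).
SEGMENTS = {
    "guest_wifi": ip_network("10.10.0.0/16"),
    "corp_lan": ip_network("10.20.0.0/16"),
    "finance": ip_network("10.30.0.0/24"),
    "ot_ics": ip_network("10.40.0.0/24"),
}

# A documented flow names segments and carries the written justification step 2 asks for.
Flow = NamedTuple("Flow", [("src", str), ("dst", str), ("port", int), ("reason", str)])
# A firewall rule uses CIDRs as configured; port 0 means any, action is "allow" or "deny".
Rule = NamedTuple("Rule", [("src", str), ("dst", str), ("port", int), ("action", str)])
# The documented cross-segment flows; anything not listed here is default-deny.
DOCUMENTED = [
    Flow("corp_lan", "finance", 443, "ERP web front end for finance staff"),
    Flow("corp_lan", "finance", 445, "file shares for month-end reporting"),
]

def segment_of(cidr):
    """Map a firewall CIDR to the segment it falls inside, or 'unknown'."""
    net = ip_network(cidr)
    return next((n for n, seg in SEGMENTS.items() if net.subnet_of(seg)), "unknown")

def audit(rules):
    """Compare a rule set with the documented architecture; return a list of findings."""
    documented = {(f.src, f.dst, f.port) for f in DOCUMENTED}
    allowed, findings = set(), []
    for r in rules:
        if r.action != "allow":
            continue
        key = (segment_of(r.src), segment_of(r.dst), r.port)
        allowed.add(key)
        if key not in documented:   # step 2: a flow nobody has written a justification for
            findings.append(f"UNDOCUMENTED: {key[0]} -> {key[1]}:{key[2]} is allowed with no recorded justification")
    for f in DOCUMENTED:            # a documented path with no rule behind it: the diagram lies
        if (f.src, f.dst, f.port) not in allowed:
            findings.append(f"MISSING: documented flow {f.src} -> {f.dst}:{f.port} ({f.reason}) has no allow rule")
    if not rules or rules[-1] != Rule("0.0.0.0/0", "0.0.0.0/0", 0, "deny"):
        findings.append("NO DEFAULT-DENY: rule set does not end with a catch-all deny")
    return findings

# Constructed rule set showing the kinds of gaps the post describes.
RULES = [
    Rule("10.20.0.0/16", "10.30.0.0/24", 443, "allow"),
    Rule("10.10.0.0/16", "10.30.0.0/24", 445, "allow"),  # guest Wi-Fi into finance
    Rule("10.20.0.0/16", "10.40.0.0/24", 502, "allow"),  # corporate LAN into OT/ICS
    Rule("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]
```

Run `audit(RULES)` and each finding is a flow to either justify in the documentation or remove from the firewall; run it from the same documentation on every change so the diagram and the rule set never drift apart again.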

Final Thoughts

Danny Ocean's crew didn't succeed because they were reckless. They succeeded because they had done the work. They knew the architecture. They knew the controls. They had mapped every segment and understood exactly where the gaps were.

The attacker scoping your network right now is doing the same homework.

The difference is whether you've done yours first, whether you've mapped your own architecture, defined your segments, enforced the access controls, and documented what should and shouldn't flow between zones.

If you haven't, you're not running the Bellagio. You're running a pawn shop with an unlocked back door.

Free Resource: The CIS Controls are available at no cost at cisecurity.org. CIS also publishes implementation guidance and benchmarks that can help you assess where your network architecture currently stands.

Want to talk through where your network architecture has gaps? DM me.

CIS Control and Safeguard

CIS Control 12: Network Infrastructure Management

CIS Safeguard 12.2: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

Shameless Marketing Information

Gotham offers network architecture assessments and design services; we'll help you understand what you have, where the gaps are, and what a defensible architecture actually looks like for your environment.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.