Environment Isolation
What This Requires
Isolate development, staging, and production environments with separate networks, credentials, and access controls. Prohibit production data in non-production environments. Require VPN or bastion for production access.
Why It Matters
Shared environments leak production secrets into dev/staging. Attackers pivot from compromised dev to production. Isolation limits lateral movement and data exposure.
How To Implement
Network Isolation
Deploy each environment in its own VPC or subnet set. Use network ACLs and security groups to block cross-environment traffic by default, and allow only the specific connections that are needed (for example, staging to a production DB read replica for testing).
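The following is an added example (not part of the original control text) showing one way to check the network-isolation rule: it audits a simplified model of security-group inbound rules against per-environment address plans and reports any rule that opens a path from another environment or from an unscoped source, except for flows on an explicit allowlist. The environment CIDRs, the allowlist entry (staging to a production read replica on the PostgreSQL port) and the sample rules are all constructed.

```python
"""Audit security-group style inbound rules for cross-environment reachability.

Added example, not the page's own tooling. Rule model is simplified to
(group, destination environment, source CIDR, port). Address plans, the
allowlisted flow and the sample rules below are constructed.
"""
import ipaddress

# Constructed address plans: one VPC per environment.
ENV_CIDRS = {
    "dev": ipaddress.ip_network("10.10.0.0/16"),
    "staging": ipaddress.ip_network("10.20.0.0/16"),
    "prod": ipaddress.ip_network("10.30.0.0/16"),
}

# Explicitly approved cross-environment flows: (source_env, dest_env, port).
# The one exception the control text allows: staging reading a production
# database read replica (PostgreSQL port assumed).
ALLOWED_CROSS_ENV = {("staging", "prod", 5432)}


def env_of(cidr):
    """Return the environment whose address plan contains `cidr`, or None."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, env_net in ENV_CIDRS.items():
        if net.subnet_of(env_net):
            return name
    return None


def audit_rules(rules):
    """Return (group, finding, detail) tuples for rules that cross environments.

    A source that is 0.0.0.0/0 or outside every address plan is reported as
    "unscoped source"; a source inside another environment is reported as
    "cross-environment" unless the flow is in ALLOWED_CROSS_ENV.
    """
    findings = []
    for r in rules:
        src_env = env_of(r["source"])
        if src_env is None:
            findings.append((r["group"], "unscoped source", r["source"]))
        elif src_env != r["env"]:
            flow = (src_env, r["env"], r["port"])
            if flow not in ALLOWED_CROSS_ENV:
                detail = f"{src_env}->{r['env']}:{r['port']}"
                findings.append((r["group"], "cross-environment", detail))
    return findings


# Constructed sample rules: group, environment the group protects, source, port.
SAMPLE_RULES = [
    {"group": "sg-prod-db", "env": "prod", "source": "10.30.1.0/24", "port": 5432},        # intra-prod
    {"group": "sg-prod-db", "env": "prod", "source": "10.20.5.0/24", "port": 5432},        # allowlisted
    {"group": "sg-prod-app", "env": "prod", "source": "10.10.0.0/16", "port": 22},         # dev -> prod
    {"group": "sg-prod-app", "env": "prod", "source": "0.0.0.0/0", "port": 443},           # unscoped
    {"group": "sg-staging-db", "env": "staging", "source": "10.30.2.0/24", "port": 5432},  # prod -> staging
]

if __name__ == "__main__":
    for group, finding, detail in audit_rules(SAMPLE_RULES):
        print(f"{group}: {finding} ({detail})")
```

Run against real rule exports, the same logic flags the two directions that matter for this control: anything reaching production from dev or staging outside the allowlist, and anything reaching back from production into a lower environment.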
Separate Credentials
Use distinct AWS accounts, Azure subscriptions, or GCP projects per environment. Never share API keys or service account credentials across environments.
Access Controls
Require MFA and VPN/bastion for production access. Grant dev/staging access broadly (all engineers). Limit prod access to on-call rotation and senior engineers.
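As an added example (not part of the original text), the function below encodes the production access rules of this section as a single decision point and runs it over a constructed set of session records, so that the denial reason is explicit for each failed requirement. It assumes a single VPN/bastion egress CIDR, a named on-call rotation and senior-engineer group, and session records carrying MFA status and source IP; all of those values are constructed.

```python
"""Evaluate environment access requests against the control's access rules.

Added example, not the page's own code. Assumptions: one VPN/bastion egress
CIDR, explicit user groups, and session records with MFA status and source
IP. All names, addresses and records below are constructed.
"""
import ipaddress
from dataclasses import dataclass

BASTION_CIDR = ipaddress.ip_network("10.99.0.0/24")  # constructed VPN/bastion egress range
ALL_ENGINEERS = {"alice", "bob", "carol"}
ON_CALL = {"alice"}
SENIOR_ENGINEERS = {"bob"}


@dataclass
class AccessRequest:
    user: str
    environment: str   # "dev", "staging" or "prod"
    mfa_present: bool
    source_ip: str


def evaluate(req):
    """Return (allowed, reason); a denial names the first requirement that failed."""
    if req.user not in ALL_ENGINEERS:
        return False, "unknown user"
    if req.environment in ("dev", "staging"):
        # Non-production is open to all engineers.
        return True, "non-production: all engineers permitted"
    if req.environment != "prod":
        return False, "unknown environment"
    if not req.mfa_present:
        return False, "production requires MFA"
    if ipaddress.ip_address(req.source_ip) not in BASTION_CIDR:
        return False, "production requires VPN/bastion source"
    if req.user not in (ON_CALL | SENIOR_ENGINEERS):
        return False, "production limited to on-call and senior engineers"
    return True, "production access granted"


def audit_sessions(sessions):
    """Return the session records that the policy would deny, with the reason.

    Useful as a review over exported access logs: any production session
    that appears here was either misconfigured or should be investigated.
    """
    denied = []
    for s in sessions:
        allowed, reason = evaluate(s)
        if not allowed:
            denied.append((s.user, s.environment, reason))
    return denied


# Constructed session records.
SAMPLE_SESSIONS = [
    AccessRequest("carol", "dev", False, "203.0.113.5"),     # allowed: non-prod
    AccessRequest("alice", "prod", False, "10.99.0.7"),      # denied: no MFA
    AccessRequest("alice", "prod", True, "203.0.113.5"),     # denied: not via bastion
    AccessRequest("carol", "prod", True, "10.99.0.7"),       # denied: not on-call/senior
    AccessRequest("alice", "prod", True, "10.99.0.7"),       # allowed
]

if __name__ == "__main__":
    for user, env, reason in audit_sessions(SAMPLE_SESSIONS):
        print(f"DENY {user}@{env}: {reason}")
```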
Data Masking
Prohibit production data in dev/staging. If realistic data is needed, anonymize or mask PII (for example, fake names and hashed SSNs).
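The following is an added example of a masking step for the non-production copy, not the page's own procedure. It assumes records are dicts with "name", "ssn" and "email" fields and that the masking key is held only by the job that produces the non-prod copy. SSNs are replaced with a keyed HMAC token rather than a plain hash: the nine-digit SSN space is small enough that an unkeyed hash can be reversed by enumeration, while a keyed token stays stable across tables (so foreign keys still join) without being recoverable without the key. The key and the sample records are constructed, and a final check confirms that no raw SSN or real name survives in the output.

```python
"""Mask PII in records before they leave production.

Added example, not the page's own procedure. Assumes records with "name",
"ssn" and "email" fields; the key and the sample records are constructed.
"""
import hashlib
import hmac
import re

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Constructed masking key; in practice held only by the masking job.
MASKING_KEY = b"constructed-masking-key-not-for-real-use"

FIRST_NAMES = ["Avery", "Blake", "Casey", "Devon"]
LAST_NAMES = ["Stone", "Rivers", "Hill", "Brooks"]


def pseudonymize_ssn(ssn, key):
    """Return a stable token derived from HMAC-SHA256(key, ssn).

    Deterministic so the same SSN maps to the same token in every table;
    the token deliberately does not look like an SSN.
    """
    digest = hmac.new(key, ssn.encode("utf-8"), hashlib.sha256).hexdigest()
    return "ssn-" + digest[:16]


def fake_name(record_id):
    """Deterministic fake name chosen by record position, not by the real name."""
    first = FIRST_NAMES[record_id % len(FIRST_NAMES)]
    last = LAST_NAMES[(record_id // len(FIRST_NAMES)) % len(LAST_NAMES)]
    return f"{first} {last}"


def mask_record(rec, record_id, key=MASKING_KEY):
    """Return a copy of `rec` with name, ssn and email replaced."""
    masked = dict(rec)
    masked["name"] = fake_name(record_id)
    masked["ssn"] = pseudonymize_ssn(rec["ssn"], key)
    masked["email"] = f"user{record_id}@example.com"
    return masked


def mask_dataset(records, key=MASKING_KEY):
    return [mask_record(r, i, key) for i, r in enumerate(records)]


def contains_raw_pii(masked_records, originals):
    """True if any masked value still looks like an SSN or equals a real name/SSN."""
    real_names = {r["name"] for r in originals}
    real_ssns = {r["ssn"] for r in originals}
    for m in masked_records:
        for value in m.values():
            if not isinstance(value, str):
                continue
            if SSN_RE.match(value) or value in real_names or value in real_ssns:
                return True
    return False


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"id": 1, "name": "Jane Example", "ssn": "123-45-6789", "email": "jane@example.org"},
    {"id": 2, "name": "John Sample", "ssn": "987-65-4321", "email": "john@example.org"},
    {"id": 3, "name": "Jane Example", "ssn": "123-45-6789", "email": "jane2@example.org"},
]

if __name__ == "__main__":
    masked = mask_dataset(SAMPLE_RECORDS)
    for m in masked:
        print(m)
    print("raw PII present:", contains_raw_pii(masked, SAMPLE_RECORDS))
```

Running the check as the last step of the copy job, and failing the job when it returns True, turns the "no production data in non-prod" rule into something that is enforced rather than assumed.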
Evidence & Audit
- Network architecture diagram showing isolated environments
- Access control policies (IAM, RBAC) per environment
- Credential separation documentation (separate accounts/subscriptions)
- Data masking/anonymization procedures for non-prod
- Access logs showing VPN/bastion usage for production