No internet connection validating identity

Applying the clean source principle to the system architecture requires you to ensure that the system is not dependent on lower trust systems.A system can be dependent on a higher trust system, but not on a lower trust system with lower security standards.

Any subject in control of an object is a security dependency of that object.

If an adversary can control anything in effective control of a target object, they can control that target object.

These include the DNS Server service and critical network devices like Internet proxies.

The clean source principle requires all security dependencies to be as trustworthy as the object being secured.

The tiers are relative to a specific security zone.

While they have gone by many names, security zones are a well-established approach that provide containment of security threats through network layer isolation between them.

As an example, its acceptable for Active Directory to control a standard user desktop but it's a significant escalation of privilege risk for a standard user desktop to be in control of the Active Directory.

The control relationship can be introduced through many means including security Access Control Lists (ACLs) on objects like filesystems, membership in the local administrators group on a computer, or agents installed on a computer running as System (with the ability to run arbitrary code and scripts).

Because of this, you must ensure that the assurances for all security dependencies are at or above the desired security level of the object itself.

While simple in principle, applying this requires understanding the control relationships of an asset of interest (Object) and performing a dependency analysis of it to discover all security dependencies (Subject(s)).

The reason it is useful as a basic prioritization mechanism is attacker difficulty/cost.