Organizations with large networks comprising many workflows utilizing internal applications and services SHOULD implement microsegmentation to isolate resources at the workload level.
Control Type: Technical
Control Function: Preventive
Description: For decades, network security has been built around the concept of the perimeter. In a perimeter-based model, a firewall sits at the edge of a network segment, inspecting traffic entering and leaving the environment. This is commonly referred to as north–south traffic. Within this model, all resources and activity behind the firewall are implicitly trusted. The underlying assumption is that the firewall serves as a single point of validation—if traffic is allowed through, it is considered safe.
In the 2020s, however, this model has become increasingly outdated. Modern networks are highly distributed, often spanning on-premises infrastructure and multiple cloud platforms. As a result, it is no longer practical—or even possible—to confine business resources within a single, well-defined perimeter.
To address this shift, organizations are increasingly adopting a Zero Trust approach to security. Zero Trust fundamentally changes the focus from north–south to east–west traffic—the internal communication between systems. In this model, no traffic is trusted by default, even if it originates from within the network. Every session must be continuously verified and validated.
This shift is driven in part by the evolution of adversary tactics. Threat actors have become far more adept at establishing persistence and moving laterally within compromised environments, often remaining undetected for extended periods. Additionally, many attackers now use sophisticated data exfiltration techniques that can evade traditional perimeter defenses.
One of the core strategies within Zero Trust architecture is microsegmentation. Microsegmentation addresses these challenges by applying granular isolation to resources within a network. Instead of treating the internal network as a trusted zone, it divides it into smaller, tightly controlled segments based on workloads—the specific resources and processes required to run an application.
Consider a typical business environment: an internal web application used for communication, a database server storing customer records, and a file storage system for archiving data. In a traditional perimeter-based model, all of these services would reside behind the firewall and implicitly trust one another.
In a microsegmented architecture, each of these services is isolated into its own segment, with dedicated security controls governing access. Any east–west traffic attempting to reach these resources is inspected and validated before being allowed through. Access decisions are guided by the principle of least privilege, ensuring that only explicitly authorized communications are permitted.
This approach significantly reduces the risk of lateral movement and privilege escalation. If an attacker compromises one system, microsegmentation helps contain the breach, preventing it from spreading across the network and limiting the potential for data exfiltration.
There are multiple ways to implement microsegmentation. Traditional technologies such as VLANs can be adapted to support it by creating smaller, application-specific segments rather than broad network zones. Access Control Lists (ACLs) can then enforce strict communication policies between these segments.
More advanced environments may leverage Software-Defined Networking (SDN) to achieve a higher level of granularity and flexibility. SDN separates the control plane from the data plane, allowing administrators to define and enforce policies through software. These policies can evaluate traffic based on a wide range of attributes—not just IP addresses and ports, but also user identity, device posture, environmental context, and behavioral patterns. Software-Defined Perimeters (SDPs) extend this concept further by dynamically controlling access based on these attributes.
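The default-deny, least-privilege decision described for the three-workload scenario above, extended with one SDN-style attribute (device posture), as an added Python illustration that is not part of the control text; the segment ranges, ports, and the posture attribute are constructed assumptions:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed segments for the three workloads in the scenario above.
SEGMENTS = {
    "web-app": ip_network("10.10.1.0/24"),
    "db": ip_network("10.10.2.0/24"),
    "file-store": ip_network("10.10.3.0/24"),
}
@dataclass(frozen=True)
class Rule:
    src: str                       # source workload (segment label)
    dst: str                       # destination workload
    port: int
    proto: str = "tcp"
    posture: Optional[str] = None  # required device posture, an SDN-style attribute (assumed)

# Least-privilege allow-list: any flow not listed here is denied.
POLICY = [
    Rule("web-app", "db", 5432, posture="compliant"),  # app reads customer records
    Rule("web-app", "file-store", 445),                 # app archives files
]

def segment_of(ip: str) -> Optional[str]:
    """Map an address to its workload segment, or None if it is outside all of them."""
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def evaluate(src_ip, dst_ip, port, proto="tcp", posture="unknown") -> Tuple[str, str]:
    """Decide one east-west flow: returns ('allow' or 'deny', reason)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", "unknown workload"
    for r in POLICY:
        if (r.src, r.dst, r.port, r.proto) == (src, dst, port, proto):
            if r.posture and posture != r.posture:
                return "deny", f"posture '{posture}' does not satisfy '{r.posture}'"
            return "allow", f"rule {r.src}->{r.dst}:{r.port}/{r.proto}"
    return "deny", "default deny (no matching rule)"
# Constructed flows: legitimate traffic first, then what a compromised web host might try.
FLOWS = [
    ("10.10.1.5", "10.10.2.10", 5432, "tcp", "compliant"),     # web -> db, allowed
    ("10.10.1.5", "10.10.2.10", 5432, "tcp", "noncompliant"),  # same path, posture fails
    ("10.10.1.5", "10.10.2.10", 22, "tcp", "compliant"),       # SSH to db, default deny
    ("10.10.2.10", "10.10.3.10", 445, "tcp", "compliant"),     # db -> file-store, default deny
]
def audit(flows=FLOWS):
    return [evaluate(*f) for f in flows]  # each deny is also a detection signal worth logging
```

Only the first flow is allowed; the compromised host's lateral attempts are contained by the absence of a matching rule, and the posture check denies even an otherwise permitted path.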
While microsegmentation offers significant security benefits, it is still an emerging control and may present implementation challenges, particularly for smaller organizations with limited resources. Despite this, it is increasingly important for businesses of all sizes to evaluate its potential. Organizations that rely on multiple applications and interconnected systems are especially strong candidates.
Security teams should begin by conducting discovery efforts to identify viable microsegmentation solutions and assess their feasibility. Building a strong business case—one that highlights risk reduction, breach containment, and the prevention of costly data loss—will be critical in gaining executive support.