What it is
Network segmentation involves dividing a network into multiple isolated segments or subnetworks, each with its own access controls and trust boundaries. Instead of a flat architecture where every system can communicate freely, segmentation ensures that communication between zones is limited to what is strictly necessary.
Segmentation can be physical, using separate switches, routers, or VLANs, or logical, enforced through software-defined networking and firewalls. Sensitive workloads, such as payment processing or industrial control systems, are isolated from general IT traffic to minimize lateral movement opportunities.
Zero Trust architectures build on segmentation by continuously verifying every connection attempt, regardless of its origin within or outside the network.
Why it matters
Without segmentation, an attacker who breaches a single endpoint can move laterally across the entire network. Segmentation restricts this movement, containing compromises and protecting critical assets. It also simplifies compliance with standards such as PCI DSS and NIST, which require isolation of sensitive systems.
How to reduce risk
- Map all assets and data flows before designing segmentation policies.
- Apply least privilege principles to inter-segment communication.
- Use next-generation firewalls and microsegmentation tools for granular control.
- Regularly test segmentation through penetration tests and red-team exercises.
- Update rulesets to reflect changes in infrastructure or business processes.