TL;DR: Microsegmentation limits east-west movement by isolating workloads and enforcing granular policy, but it depends on accurate architecture mapping, traffic observation, and phased rollout, according to StrongDM. The core lesson is that segmentation strengthens Zero Trust only when teams understand workload behaviour well enough to avoid blind spots.
At a glance
What this is: Microsegmentation creates secure workload zones and narrows lateral movement, but its value depends on visibility, policy discovery, and careful implementation.
Why it matters: IAM and security teams use segmentation to contain breaches across NHI, autonomous, and human-accessed environments, and weak mapping can leave implicit trust assumptions about critical traffic intact.
By the numbers:
- Cybercrime costs will grow 15% per year over the next five years.
👉 Read StrongDM's beginner's guide to microsegmentation and Zero Trust
Context
Microsegmentation is a workload-level network control that breaks a flat trust zone into smaller, policy-enforced segments. In identity terms, it is part of the broader Zero Trust problem: access decisions still need to be precise enough to prevent lateral movement after initial entry.
For IAM, NHI, and platform security teams, the challenge is not the concept itself but the dependency on accurate topology, observed traffic patterns, and policy lifecycle management. The article’s core point is that segmentation only works when the environment is understood well enough to govern it deliberately.
Key questions
Q: What breaks when microsegmentation is applied without full environment visibility?
A: Teams create policy gaps, hidden dependencies, and overconfident boundaries. Without accurate topology and traffic knowledge, segmentation can isolate the wrong systems while leaving real lateral paths open. The result is a control that looks precise in design but behaves loosely in production.
Q: Why does microsegmentation matter for Zero Trust architectures?
A: Zero Trust assumes no workload or connection is trusted by default, and microsegmentation is one of the practical ways to enforce that assumption in a live environment. It reduces lateral movement by making east-west traffic subject to explicit policy rather than inherited network trust.
Q: What do security teams get wrong about microsegmentation?
A: They often treat it as a one-time network redesign instead of an iterative control that depends on current workload behaviour. If policies are not refreshed as applications change, segmentation becomes stale and leaves blind spots that attackers can exploit.
Q: How should organisations phase in microsegmentation without disrupting operations?
A: Begin with broad zones around the most sensitive workloads, validate traffic patterns, then narrow policy based on observed dependencies. This reduces operational risk while giving teams time to reconcile segmentation with how applications actually communicate.
Technical breakdown
How microsegmentation controls east-west traffic
Microsegmentation shifts enforcement from broad perimeter trust to workload-level policy. Instead of assuming traffic inside the network is safe, it treats every east-west connection as a separate authorization decision. In software-defined environments, these policies can follow workloads as they move across infrastructure. That makes the control more adaptive than traditional subnet-based segmentation, but also more dependent on correct identity-to-workload mapping and accurate policy scope.
Practical implication: map which workloads should communicate before you enforce segment boundaries.
Why visibility into architecture topology is the hard part
Microsegmentation fails when teams try to apply controls to a network they do not fully understand. Legacy environments often lack complete documentation, and workload relationships are rarely static. Without knowing where applications live, how they interconnect, and which dependencies are business-critical, teams create blind spots that look segmented on paper but remain exposed in practice. The control is therefore as much about discovery as enforcement.
Practical implication: build an authoritative inventory of workloads and dependencies before narrowing policy.
Policy discovery and workload behaviour drive lasting segmentation
Effective segmentation requires more than manual labels or one-time mapping. Security teams need to observe what talks to what, when, and why, then refine policies as applications change. That is especially important in cloud and hybrid estates where workload behaviour shifts faster than documentation. Phased rollout matters because policy discovery is iterative, not a single design exercise. The network state must be continuously reconciled with actual communication patterns.
Practical implication: use staged policy rollout and repeated traffic observation to avoid stale enforcement.
Threat narrative
Attacker objective: The attacker’s objective is to expand from an initial foothold into adjacent workloads and sensitive internal assets without triggering effective containment.
- Entry occurs when an attacker reaches a workload that sits inside a loosely controlled segment and can begin probing adjacent systems.
- Escalation follows when east-west traffic is not tightly verified, allowing the attacker to move from the initial workload to other internal targets.
- Impact emerges when the attacker reaches sensitive applications or data stores that were meant to be isolated but remained reachable through incomplete segmentation.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Microsegmentation is a trust-boundary problem before it is a tooling problem. The article correctly frames segmentation as a way to limit lateral movement, but the governance issue is deeper: most enterprises still operate as though east-west traffic inside the environment deserves conditional trust. That assumption breaks down as workloads multiply across cloud and hybrid estates. Practitioners should treat segmentation as a trust model redesign, not a firewall project.
Identity and segmentation now intersect at the workload layer. As service accounts, tokens, and workload identities drive more machine-to-machine access, network policy alone cannot explain who should reach what. Microsegmentation becomes a companion control to NHI governance because it limits the blast radius when identity-based access is abused. Teams that separate network design from identity lifecycle management will miss where internal movement actually begins.
Policy discovery is the real control plane for microsegmentation. The article’s implementation guidance points to a core discipline problem: you cannot enforce precise east-west policy if you do not know current application behaviour. That makes observability, dependency mapping, and iterative policy refinement part of the control itself. Practitioners should judge segmentation programmes by how quickly they converge on accurate communication paths, not by how many zones they create.
Named concept: identity blast radius. Microsegmentation narrows the damage an attacker or misused credential can do by limiting how far access can travel after initial compromise. The concept matters because modern identity risks are rarely isolated to the first account or workload touched. For practitioners, the question is no longer whether a breach can happen, but how far it can propagate before control boundaries stop it.
Zero Trust only becomes operational when segmentation reflects actual behaviour. The article links microsegmentation with Zero Trust, which is directionally correct, but the field often overstates the maturity of that alignment. If policy is based on stale architecture assumptions, the result is partial trust enforcement rather than continuous verification. Practitioners should align segmentation with observed communications, not aspirational network diagrams.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why segmentation without identity visibility remains incomplete.
- Forward view: Ultimate Guide to NHIs, Key Challenges and Risks shows how over-privilege and visibility gaps compound each other in real programmes.
What this signals
Identity blast radius is becoming a more useful planning concept than simple perimeter strength. When workloads, service accounts, and access paths spread across hybrid environments, the practical question is how much damage one foothold can absorb before containment fails. Teams that pair segmentation with identity lifecycle governance will have a better chance of keeping lateral movement bounded.
The governance signal here is that microsegmentation cannot be measured only by policy count or zone count. The real test is whether security teams can explain which communications are expected, which are exceptional, and which should never occur. That requires ongoing observation, not just design-time intent.
For practitioners, the next step is to align network segmentation with NHI visibility and ownership. If the team cannot tell which service account or workload identity sits behind a connection, segmentation becomes a partial control rather than a durable boundary.
For practitioners
- Map workload dependencies before enforcement: Document application topology, service-to-service flows, and critical data paths before applying microsegmentation rules. Use the map to define which east-west connections are actually required.
- Observe real traffic before writing policy: Capture communication patterns in production or representative environments so policy reflects what workloads do, not what architecture diagrams assume.
- Roll out segmentation in phases: Start with coarse zone boundaries, then narrow to application-level rules, and only then move toward fine-grained workload controls.
- Tie segmentation to identity governance: Connect workload segmentation decisions to service account ownership, token scope, and offboarding so network boundaries and identity boundaries fail closed together.
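The policy-discovery discipline described under "Policy discovery and workload behaviour drive lasting segmentation" and the four practitioner steps above can be shown in working code. The following is an added example written for this page, not code from StrongDM or NHI Mgmt Group. It takes a constructed workload inventory (zone, application, owning service account) and a constructed set of observed east-west flows, derives a default-deny allow-list at each rollout phase (zone, then application, then workload), checks candidate connections against each phase, labels connections as expected, exceptional or never-observed from their observed frequency, and flags flows whose endpoints have no known identity owner. All workload names, zones, applications, service accounts and flow records are hypothetical sample data.

```python
"""Derive phased microsegmentation policy from observed east-west flows.

Added example, not code from StrongDM or NHI Mgmt Group. Every workload
name, zone, application, service account and flow below is constructed
sample data; a real programme would feed this from flow logs and a CMDB.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Workload:
    name: str
    zone: str                 # coarse boundary: "dmz", "app", "data"
    app: str                  # application the workload belongs to
    identity: Optional[str]   # service account behind it; None = unknown owner


# Constructed inventory (hypothetical workload names and service accounts).
INVENTORY = {w.name: w for w in [
    Workload("web-1", "dmz", "storefront", "sa-storefront-web"),
    Workload("api-1", "app", "storefront", "sa-storefront-api"),
    Workload("api-2", "app", "storefront", "sa-storefront-api"),
    Workload("db-1", "data", "storefront", "sa-storefront-db"),
    Workload("report-1", "app", "reporting", None),   # nobody owns this one
    Workload("legacy-1", "app", "legacy", "sa-legacy"),
    Workload("batch-1", "app", "batch", "sa-batch"),   # never seen talking to db-1
]}

# Constructed observed flows: (src workload, dst workload, dst port).
OBSERVED = [
    ("web-1", "api-1", 8443), ("web-1", "api-1", 8443), ("web-1", "api-2", 8443),
    ("api-1", "db-1", 5432), ("api-2", "db-1", 5432),
    ("report-1", "db-1", 5432),   # reporting reads the storefront database
    ("legacy-1", "db-1", 5432),   # seen exactly once during observation
]

LEVELS = ("zone", "app", "workload")


def rule_key(level, src, dst, port):
    """Map a flow onto the tuple a rule at this granularity matches on."""
    s, d = INVENTORY[src], INVENTORY[dst]
    if level == "zone":
        return (s.zone, d.zone, port)
    if level == "app":
        return (s.app, d.app, port)
    if level == "workload":
        return (src, dst, port)
    raise ValueError(f"unknown level {level!r}")


def derive_policy(flows, level):
    """Allow-list built purely from what was observed: phase 1 = zone,
    phase 2 = app, phase 3 = workload. Anything not in the set is denied."""
    return {rule_key(level, s, d, p) for s, d, p in flows}


def is_allowed(rules, level, src, dst, port):
    """Default-deny check of one east-west connection against a phase's rules."""
    return rule_key(level, src, dst, port) in rules


def classify(flows, src, dst, port, expected_min=2):
    """Label a connection as the text asks teams to: expected (seen
    repeatedly), exceptional (seen, but rarely) or never-observed."""
    seen = Counter(flows)[(src, dst, port)]
    if seen >= expected_min:
        return "expected"
    if seen >= 1:
        return "exceptional"
    return "never-observed"


def flows_without_identity(flows):
    """Observed flows where either end has no known service account, i.e.
    connections the team cannot attribute to an identity owner."""
    return sorted({(s, d, p) for s, d, p in flows
                   if INVENTORY[s].identity is None or INVENTORY[d].identity is None})


if __name__ == "__main__":
    for level in LEVELS:
        rules = derive_policy(OBSERVED, level)
        print(f"[{level}] {len(rules)} rules; batch-1 -> db-1:5432 allowed? "
              f"{is_allowed(rules, level, 'batch-1', 'db-1', 5432)}")
    for flow in [("web-1", "api-1", 8443), ("legacy-1", "db-1", 5432),
                 ("batch-1", "db-1", 5432)]:
        print(flow, classify(OBSERVED, *flow))
    print("flows with no identity owner:", flows_without_identity(OBSERVED))
```

Running it shows the blind spot that the coarse phase leaves open: because some app-zone workload was observed reaching the data zone on 5432, the zone-level policy permits batch-1 to reach db-1 even though that pair was never seen, while the application-level policy denies it. The single legacy-1 flow is labelled exceptional rather than expected, which is the kind of connection to reconcile with an owner before narrowing further, and report-1 surfaces as a connection with no service account behind it, the gap the text warns leaves segmentation a partial control.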
Key takeaways
- Microsegmentation reduces lateral movement by enforcing workload-level policy, but it depends on accurate topology and traffic visibility.
- The scale problem is real: cybercrime costs are projected to grow 15% per year over the next five years, making containment controls increasingly important.
- Teams should phase segmentation carefully and connect it to identity governance so network boundaries and access boundaries reinforce each other.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Microsegmentation enforces verified east-west access under Zero Trust. |
| OWASP Non-Human Identity Top 10 | NHI-05 | Overprivileged service accounts can bypass weak internal boundaries. |
| NIST CSF 2.0 | PR.AC-3 | Segmentation is a protective access control for limiting internal reach. |
Tie segmentation design to NHI ownership and scope so compromised identities cannot move laterally.
Key terms
- Microsegmentation: Microsegmentation is a network security approach that divides environments into small, policy-enforced zones around workloads or applications. It reduces lateral movement by making each internal connection subject to explicit authorization rather than inherited network trust.
- East-west traffic: East-west traffic is communication that moves between systems inside an environment rather than entering or leaving it. In microsegmentation programmes, it is the traffic most likely to expose hidden trust assumptions and is therefore the main target for workload-level policy.
- Identity blast radius: Identity blast radius is the amount of internal damage an account, token, or workload identity can cause after compromise or misuse. It is a practical way to judge whether segmentation and identity governance are actually limiting propagation across systems.
Deepen your knowledge
Microsegmentation, workload visibility, and identity-boundary design are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a containment model for hybrid workloads, it is worth exploring.
This post draws on content published by StrongDM: A Beginner’s Guide to Microsegmentation. Read the original.
Published by the NHIMG editorial team on 2025-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org