TL;DR: Macrosegmentation protects network boundaries, but it leaves east-west traffic and lateral movement inside a zone largely exposed, according to ColorTokens. Microsegmentation shifts control to the workload level, making identity-aware policy enforcement and blast-radius reduction the real zero-trust test, not perimeter inspection alone.
At a glance
What this is: This article argues that macrosegmentation is useful for north-south traffic, but microsegmentation is the control that meaningfully constrains east-west movement and workload-to-workload compromise.
Why it matters: It matters because identity, NHI, and access governance teams need to treat workload-level isolation as part of privilege control, not just a network design choice.
👉 Read ColorTokens' analysis of macrosegmentation and microsegmentation
Context
Microsegmentation is the practice of placing policy controls between workloads so that movement inside a network is constrained, not just traffic entering or leaving the perimeter. In this article, the primary governance gap is clear: organisations often inspect north-south traffic well enough, but still leave east-west paths open for compromise to spread.
That gap matters for identity and access governance because workload communication is increasingly mediated by service accounts, tokens, certificates, and other non-human identities. If access policy stops at the subnet or VLAN level, the trust model does not match how modern applications actually authenticate and communicate.
Key questions
Q: What breaks when organisations do not have microsegmentation in place?
A: Without microsegmentation, a single foothold can turn into rapid lateral movement because adjacent systems remain reachable through broad trust paths. That increases the chance of full-environment disruption, especially when attackers use valid credentials or administrative tools. The practical failure is not just exposure, but loss of containment.
Q: Why do workload identities matter in microsegmentation decisions?
A: Workload identities matter because many internal communications are authenticated by service accounts, tokens, or certificates rather than human users. If segmentation policy only considers network location, it misses the trust relationships that actually allow workloads to talk to each other. Identity-aware policy closes that gap.
Q: How do security teams know if segmentation is actually reducing risk?
A: Teams know segmentation is working when a simulated compromise cannot move from one workload to another without hitting an explicit denial. The useful signals are blocked east-west paths, limited reach to crown-jewel systems, and fewer uncontrolled exceptions between internal services. If those signals are absent, the control is mostly cosmetic.
Q: Which frameworks best support segmentation and workload containment?
A: NIST SP 800-207 is the best fit for zero trust design, while NIST SP 800-53 Rev 5 and MITRE ATT&CK help map access control and lateral movement risks. For identity-driven workloads, align those controls with workload identity and least privilege so segmentation policy reflects the real trust model.
Technical breakdown
Macrosegmentation controls zones, not workload trust
Macrosegmentation groups systems into broad zones such as corporate, cloud, data centre, or business function. It is usually enforced with VLANs, routers, firewalls, ACLs, and inspection tools that focus on north-south traffic. That helps reduce exposure from external entry points, but it does not meaningfully govern host-to-host movement once an attacker is inside a zone. The architectural limitation is simple: coarse zoning is not the same as workload isolation.
Practical implication: treat zone segmentation as a boundary control and not as evidence that lateral movement is contained.
Microsegmentation enforces east-west policy at the workload layer
Microsegmentation places policy between workloads rather than around large network segments. That means access can be restricted based on the source, destination, process, or identity context of the workload, not just network location. In practice, this is what blocks a compromised host from freely reaching adjacent systems. The article’s core technical claim is that the defensive value comes from narrowing the blast radius after breach, not from assuming breach can be fully prevented.
Practical implication: define workload-level rules for critical services and verify that peer-to-peer paths are explicitly denied unless required.
Identity-aware segmentation is the real zero trust requirement
Zero trust only works when policy reflects who or what is making the request. In modern environments, that includes users, service accounts, API keys, certificates, workloads, and automation components. The article hints at this by describing microsegmentation as identity-aware at the workload level. That matters because east-west communications are often driven by non-human identities, so network controls need to align with authentication, least privilege, and service-to-service trust relationships.
Practical implication: map workload connectivity to identity and privilege assignments so segmentation policy can follow the actual trust chain.
Threat narrative
Attacker objective: The attacker wants to turn one compromised system into a broader operational foothold that reaches critical workloads and data.
- Entry occurs when an attacker gets initial access through a perimeter weakness such as phishing, stolen credentials, or a software vulnerability.
- Escalation happens when the attacker uses unrestricted east-west paths inside a segment to reach adjacent workloads and locate higher-value systems.
- Impact follows when the attacker exfiltrates data, disrupts operations, or deploys ransomware across systems that were never separately isolated.
NHI Mgmt Group analysis
Macrosegmentation is a boundary control, not a breach containment strategy. Broad zones still leave an attacker room to move once initial access succeeds. That makes perimeter-oriented thinking inadequate for modern environments where east-west communications drive business applications. Practitioners should treat zone design as the outer shell of a control model, not the security outcome itself.
Microsegmentation only becomes meaningful when it is aligned to identity-aware policy. The article correctly frames microsegmentation as workload-level enforcement, which is where non-human identities matter most. Service accounts, API keys, and certificates are frequently the mechanism behind workload trust, so segmentation that ignores identity context will miss the real access path. Practitioners should align network policy with workload identity and privilege.
Blast-radius reduction is now the primary measure of segmentation quality. The goal is not to stop every intrusion at the perimeter, because that assumption no longer holds. The better test is whether a single compromise can be confined before it reaches sensitive services or operationally critical systems. Practitioners should assess segmentation by how much damage a single foothold can still do.
Named concept: east-west containment gap. This article exposes the gap between strong perimeter inspection and weak internal containment. That gap is where modern attackers operate, especially after credential theft or malware execution. Practitioners should evaluate whether internal traffic controls are strong enough to stop a compromised workload from becoming a broad enterprise incident.
Identity and network teams need a shared control model. Segmentation decisions increasingly depend on who or what is calling a service, not just where the packet came from. That makes workload identity, access governance, and network policy interdependent rather than separate disciplines. Practitioners should build joint ownership for workload trust paths and east-west control enforcement.
What this signals
East-west containment will become a primary board-level resilience question. As more services authenticate with non-human identities, the control problem shifts from keeping attackers out to limiting how far they can move once inside. That makes workload containment a governance issue, not only a network design issue, and it aligns closely with the NIST SP 800-207 Zero Trust Architecture model.
Workload identity and segmentation need to converge. Internal traffic policy that ignores service accounts, certificates, and automation identities will leave gaps exactly where modern applications communicate. The operational consequence is clear: IAM, platform, and network teams need a shared view of trust paths, or segmentation remains too coarse to meaningfully contain compromise.
Blast-radius metrics will matter more than perimeter metrics. The useful question is no longer whether a firewall is inspecting traffic, but whether a compromised host can still reach sensitive systems. That is why identity-aware containment should be measured as part of resilience planning, especially in environments with dense service-to-service communication.
For practitioners
- Map east-west paths before tightening policies Inventory internal service-to-service communications across servers, containers, and cloud workloads, then identify which paths are actually required versus merely tolerated. Use that map to isolate the highest-value systems first, including directory services, DNS, and application backends. Start with the traffic that would most likely be used for lateral movement.
- Translate trust rules into workload-level deny policies Replace broad allow rules with explicit allowlists for required processes, ports, and source workloads. Deny peer-to-peer communications by default where business workflows do not require them, and validate exceptions against real application dependencies. This is the control shift that makes microsegmentation operational instead of theoretical.
- Bind segmentation reviews to identity and access governance Cross-check segmentation policy against the identities used by services, automation, and privileged access paths, including service accounts and certificates. If a workload can authenticate but is not separately constrained, the trust model is incomplete. Use joint review between IAM, platform, and network teams to close that gap.
- Prioritise blast-radius testing for crown-jewel services Simulate a single-host compromise and test whether the attacker can reach critical workloads, not just whether north-south traffic is filtered. Measure how far an incident can spread inside one zone and whether controls stop movement before sensitive data or operational systems are exposed. That is the practical test of segmentation maturity.
Key takeaways
- Macrosegmentation still has value, but it is not enough to stop internal spread once an attacker gets inside a zone.
- Microsegmentation becomes effective when it follows workload identity and sharply limits east-west paths.
- The practical test is blast radius: if one workload is compromised, can it still reach crown-jewel systems?
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0040 , Impact | The article focuses on internal spread after initial access and the impact of that spread. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access control is central to restricting workload reachability. |
| NIST SP 800-53 Rev 5 | AC-4 | System and information flow control directly fits microsegmentation policy enforcement. |
| CIS Controls v8 | CIS-13 , Network Monitoring and Defense | Monitoring and controlling internal network pathways is central to the article's guidance. |
| NIST Zero Trust (SP 800-207) | The article is explicitly framed around Zero Trust architecture. |
Use zero trust design to move from perimeter-centric thinking to workload-level verification and containment.
Key terms
- Macrosegmentation: Macrosegmentation is broad network zoning that groups systems by location, asset type, or business function. It helps filter traffic across large boundaries, but it usually cannot stop movement between systems inside the same zone, which is why it is only one layer of containment.
- Microsegmentation: Microsegmentation is the practice of enforcing policy between individual workloads or tightly scoped service paths. It reduces the blast radius of compromise by limiting east-west traffic and making internal trust explicit rather than assumed.
- East-West Traffic: East-west traffic is communication that moves laterally inside an environment between internal systems or workloads. It is the traffic path attackers often exploit after initial access, because it can bypass controls that only focus on inbound and outbound network flow.
- Workload Identity: Workload identity is the authentication identity used by an application, service, container, or automation component. It is increasingly central to segmentation and access policy because internal communications are often machine-to-machine, not user-to-system.
What's in the full article
ColorTokens' full article covers the operational detail this post intentionally leaves for the source:
- How the vendor recommends translating broad security zones into workload-level policy
- The specific internal traffic patterns the article uses to illustrate lateral movement containment
- The implementation sequence for moving from visibility to policy enforcement in production environments
- The article's discussion of business service grouping, dependency mapping, and core service isolation
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, secrets management, and identity lifecycle control. It is designed for practitioners who need to connect identity policy to real operational containment across modern environments.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org