By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: IllumioPublished September 24, 2025

TL;DR: Western Union says microsegmentation helped accelerate PCI compliance, reduce dwell time during acquisitions, and improve visibility across thousands of workloads, according to Illumio. The underlying lesson is that Zero Trust succeeds when segmentation limits blast radius and makes change manageable across M&A, compliance, and detection.


At a glance

What this is: Western Union describes a Zero Trust programme built on microsegmentation to contain risk, support PCI DSS 4.0 compliance, and make acquisitions easier to absorb.

Why it matters: For IAM and security teams, the case shows how segmentation changes governance around privileged pathways, inherited access, and the operational limits of broad trust zones.

By the numbers:

👉 Read Illumio's article on how Western Union built scalable Zero Trust segmentation


Context

Microsegmentation limits how far an attacker or unexpected dependency can move once inside an environment. In this case, the problem is not whether systems are reachable at all, but whether trust is being granted too broadly across workloads, acquisitions, and regulated payment environments.

Western Union's experience maps to a common enterprise pattern: as estates grow through mergers, cloud migration, and regulatory pressure, flat trust models become harder to defend and harder to govern. The identity bridge matters because segmentation and IAM both exist to reduce excessive trust, even though they operate at different layers of the stack.


Key questions

Q: What breaks when segmentation is not in place for regulated environments?

A: Without segmentation, a compromise in one system can spread into adjacent workloads, and compliance scope often expands until far more of the environment must meet the same controls. That increases operational cost, makes audits harder, and turns every new connection into a potential exposure path. The failure is not only technical. It is a governance failure to define and enforce trust boundaries.

Q: Why do broad internal trust zones increase lateral movement risk?

A: Broad trust zones let an attacker move from one reachable system to another after the first foothold, especially when internal services, shared credentials, or legacy dependencies are already in place. Segmentation reduces that movement by forcing each path to be explicitly allowed. The smaller the zone, the less value an initial compromise delivers.

Q: How do teams know if microsegmentation is actually working?

A: Microsegmentation is working when a compromised workload cannot reach anything outside its explicit policy boundary. The best signal is not the existence of a segmentation design, but the reduction in reachable assets after compromise. If east-west traffic still flows broadly, the control is not changing attacker economics.

Q: Who is accountable when segmentation fails during an acquisition or audit?

A: Accountability should sit with the security architecture and application ownership functions together, because segmentation failures usually come from a mix of design choices, undocumented dependencies, and poor change coordination. In regulated environments, the control owner must be able to show why trust was granted, who approved it, and when it will be revisited.


Technical breakdown

How microsegmentation changes east-west trust

Microsegmentation divides internal networks into smaller policy zones so workloads can communicate only with explicitly allowed peers. That matters because most breaches do not begin with a clean perimeter failure alone, but with the ability to move laterally after initial access. In Zero Trust terms, segmentation makes trust local rather than enterprise-wide, which reduces the blast radius when credentials, hosts, or applications are compromised. The operational challenge is policy precision: teams need enough traffic visibility to avoid breaking legitimate flows while still constraining unnecessary pathways. In regulated environments, this also helps separate sensitive systems from the rest of the estate without forcing every asset into the same control envelope.

Practical implication: define segmentation boundaries around business-critical applications and high-risk data flows before you expand policies across the full environment.

Why segmentation matters for PCI DSS 4.0 and control scope

PCI DSS 4.0 increases the pressure to prove that cardholder data environments are isolated and controlled. Segmentation is valuable here because it can reduce the number of systems that fall inside audit scope, which in turn lowers the compliance burden and the chance that unrelated systems inherit cardholder-data risk. This is not just a compliance shortcut. It is a governance mechanism that forces clearer asset boundaries, better authentication boundaries, and more disciplined change control. When segmentation is weak, the audit scope tends to expand with the environment, and every new connection becomes a potential compliance problem.

Practical implication: map your cardholder-data flows first, then use segmentation to prove which systems truly belong inside the PCI scope.

What traffic telemetry adds to threat detection and M&A onboarding

Traffic telemetry turns segmentation from a blocking control into an observability layer. By watching real east-west communication, teams can spot anomalous dependencies, unexpected services, and risky patterns that logs alone may miss. That is especially useful during mergers and acquisitions, when inherited systems are often poorly documented and access paths are not yet normalised. The architectural value is that telemetry supports both containment and discovery. It helps security teams decide which assets can be onboarded quickly and which need isolation until trust relationships are understood. That makes segmentation part of resilience planning, not just network design.

Practical implication: use traffic analysis before and during acquisitions to identify unknown dependencies and isolate new environments until they are understood.


NHI Mgmt Group analysis

Microsegmentation is becoming a governance control, not just a network control. The Western Union case shows that segmentation now sits at the intersection of security architecture, compliance scope reduction, and M&A risk management. That is especially relevant where broad access assumptions have to be replaced with narrowly defined communication paths. Practitioners should treat segmentation as a way to make trust explicit across the enterprise.

PCI pressure often accelerates Zero Trust adoption because it forces boundary decisions. PCI DSS 4.0 does more than raise audit requirements. It pushes teams to define where sensitive systems begin and end, which exposes how much ambient trust exists in the estate. The practical lesson is that control scope is a design choice, not an accident, and the choice has cost, audit, and resilience consequences.

Segmentation fatigue: the operational drag that appears when teams try to secure sprawling estates without clear traffic visibility. Western Union's reliance on traffic analysis, internal partnership, and phased onboarding reflects the reality that policy design fails when dependencies are unknown. That same pattern shows up wherever modern estates combine legacy systems, cloud workloads, and inherited access paths. The conclusion for practitioners is to reduce policy ambiguity before asking teams to enforce it at scale.

Identity and segmentation solve different problems, but they fail together when trust is too broad. IAM controls who can authenticate, while segmentation constrains where authenticated systems can talk. In a breach or acquisition scenario, both layers matter because a valid identity can still be over-extended across too many assets. Practitioners should align privilege boundaries with network boundaries instead of assuming one control can compensate for the other.

What this signals

Segmentation and identity governance now intersect at the point where trust boundaries are enforced, not just where users authenticate. When environments span acquisitions, payment systems, and mixed infrastructure, the practical question is whether policy can keep pace with the estate's complexity. Teams that already struggle with hidden access paths should expect segmentation projects to expose the same visibility gaps they see in IAM and NHI programmes.

The number that matters operationally is the time it takes to understand and reduce exposure after change, not the amount of policy written. That is why telemetry, asset discovery, and access scoping need to be managed together, with a clear line of sight from architecture decisions to control ownership.

For teams building out both IAM and NHI governance, the lesson is to treat internal reachability as an access problem as much as a routing problem. The more clearly you can define allowed flows, the easier it becomes to validate service accounts, integration accounts, and inherited privileges against business need.


For practitioners

  • Define segmentation boundaries around regulated data zones Start with the cardholder data environment, map every inbound and east-west dependency, and isolate unrelated workloads before expanding policy coverage. Use the boundary to reduce audit scope and avoid dragging the entire estate into PCI controls.
  • Pair traffic analysis with acquisition onboarding Run at least one traffic-baselining phase before merging new environments, then quarantine unknown dependencies until owners can validate them. This keeps inherited trust paths from becoming your new default.
  • Align identity policy with network policy Review whether authenticated systems also have unnecessary reach across internal segments, especially for service accounts and integration paths. Remove the assumption that a valid credential should imply broad east-west access.
  • Use telemetry to drive policy exceptions Treat anomaly detection as a feed into segmentation design, not just a SOC output. When telemetry reveals unexpected communication, either narrow the rule or document the business exception explicitly.

Key takeaways

  • Western Union's example shows that microsegmentation is now a governance tool for compliance, M&A, and resilience, not only a network security control.
  • The operational win comes from shrinking trust zones and making east-west traffic visible enough to separate real dependencies from inherited risk.
  • For IAM and NHI teams, the useful lesson is to align identity boundaries with segmentation boundaries so valid access does not translate into unnecessary reach.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Segmentation and least privilege underpin the article's Zero Trust approach.
NIST SP 800-53 Rev 5AC-4Information flow enforcement fits the article's segmentation model.
NIST Zero Trust (SP 800-207)The article is centered on Zero Trust segmentation and trust reduction.
CIS Controls v8CIS-12 , Network Infrastructure ManagementSegmentation depends on controlled network architecture and change discipline.
MITRE ATT&CKTA0008 , Lateral Movement; TA0040 , ImpactSegmentation limits attacker movement and business disruption after entry.

Use PR.AC-4 to validate internal trust boundaries and limit east-west access to approved flows.


Key terms

  • Microsegmentation: Microsegmentation is the practice of dividing internal environments into small policy zones so only approved systems and services can communicate. It reduces blast radius, helps contain lateral movement, and gives security teams a clearer way to separate sensitive workloads from general-purpose traffic.
  • East-West Traffic: East-west traffic is communication that moves laterally inside an environment rather than entering or leaving it. In segmentation programmes, this traffic is the most useful signal for understanding hidden dependencies, enforcing policy boundaries, and spotting movement that should not be allowed between workloads.
  • Cardholder Data Environment: The cardholder data environment is the set of systems, users, and processes that store, process, or transmit payment card data. For NHI governance, it includes every machine identity that can influence those systems, even when the identity itself is invisible to end users.

What's in the full article

Illumio's full article covers the operational detail this post intentionally leaves for the source:

  • How Western Union approached thousands of workload policies across cloud and on-premises environments.
  • The cross-functional change-management process used to win application-owner support during segmentation rollout.
  • The specific way traffic telemetry helped the team identify unknown dependencies before enforcement.
  • The practical lessons learned from using segmentation to reduce PCI scope during M&A activity.

👉 Illumio's full post covers the rollout lessons, M&A use case, and traffic-analysis approach in more detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, secrets management, and identity lifecycle practices. It suits practitioners who need to connect identity controls to broader security architecture and operational risk.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org