TL;DR: Western Union says microsegmentation helped accelerate PCI compliance, reduce dwell time during acquisitions, and improve visibility across thousands of workloads, according to Illumio. The underlying lesson is that Zero Trust succeeds when segmentation limits blast radius and makes change manageable across M&A, compliance, and detection.
NHIMG editorial — based on content published by Illumio: How Western Union Built Scalable Zero Trust with Illumio Segmentation
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: What breaks when segmentation is not in place for regulated environments?
A: Without segmentation, a compromise in one system can spread into adjacent workloads, and compliance scope often expands until far more of the environment must meet the same controls.
Q: Why do broad internal trust zones increase lateral movement risk?
A: Broad trust zones let an attacker move from one reachable system to another after the first foothold, especially when internal services, shared credentials, or legacy dependencies are already in place.
Q: How do teams know if microsegmentation is actually working?
A: Microsegmentation is working when a compromised workload cannot reach anything outside its explicit policy boundary.
Practitioner guidance
- Define segmentation boundaries around regulated data zones Start with the cardholder data environment, map every inbound and east-west dependency, and isolate unrelated workloads before expanding policy coverage.
- Pair traffic analysis with acquisition onboarding Run at least one traffic-baselining phase before merging new environments, then quarantine unknown dependencies until owners can validate them.
- Align identity policy with network policy Review whether authenticated systems also have unnecessary reach across internal segments, especially for service accounts and integration paths.
What's in the full article
Illumio's full article covers the operational detail this post intentionally leaves for the source:
- How Western Union approached thousands of workload policies across cloud and on-premises environments.
- The cross-functional change-management process used to win application-owner support during segmentation rollout.
- The specific way traffic telemetry helped the team identify unknown dependencies before enforcement.
- The practical lessons learned from using segmentation to reduce PCI scope during M&A activity.
👉 Read Illumio's article on how Western Union built scalable Zero Trust segmentation →
Microsegmentation at global scale: what it means for Zero Trust teams?
Explore further
Microsegmentation is becoming a governance control, not just a network control. The Western Union case shows that segmentation now sits at the intersection of security architecture, compliance scope reduction, and M&A risk management. That is especially relevant where broad access assumptions have to be replaced with narrowly defined communication paths. Practitioners should treat segmentation as a way to make trust explicit across the enterprise.
A question worth separating out:
Q: Who is accountable when segmentation fails during an acquisition or audit?
A: Accountability should sit with the security architecture and application ownership functions together, because segmentation failures usually come from a mix of design choices, undocumented dependencies, and poor change coordination. In regulated environments, the control owner must be able to show why trust was granted, who approved it, and when it will be revisited.
👉 Read our full editorial: Western Union's microsegmentation playbook for Zero Trust at scale