TL;DR: CISA’s Microsegmentation in Zero Trust, Part One: Introduction and Planning turns microsegmentation into an operational control path, and Elisity’s analysis argues the real obstacle is execution, not intent, with legacy segmentation projects still measured in years and millions of dollars. The governance problem is that Zero Trust fails when policy cannot be deployed, validated, and maintained fast enough to match changing identity and device context.
NHIMG editorial — based on content published by Elisity: CISA Microsegmentation in Zero Trust, Part One: Introduction and Planning - How Elisity Makes It Actionable
By the numbers:
- While traditional firewall-based segmentation across 275 sites could take one year per location and cost $200 million, the guidance pushes phased implementation instead.
- CISA notes that the tactic used in over 70% of successful breaches is lateral movement, which microsegmentation is meant to constrain.
- Main Line Health protected 5 hospitals, health centers, and over 40 offices with a few full-time employees after adopting identity-based microsegmentation.
Questions worth separating out
Q: What breaks when microsegmentation is planned as a big-bang network project?
A: Big-bang segmentation usually fails because it depends on perfect dependency knowledge, extensive rule authoring, and low operational risk all at once.
Q: Why does zero trust still need microsegmentation in practice?
A: Zero trust verifies access decisions, but it does not automatically limit where a valid session can go once approved.
Q: How do security teams know if microsegmentation is actually working?
A: Look for evidence that policies are reducing reachable paths, blocking unnecessary east-west traffic, and shrinking the blast radius during testing or incidents.
Practitioner guidance
- Map dependencies before writing policy Build a traffic and application dependency map for one contained business service before attempting broad segmentation.
- Replace IP-centric rules with identity-based policy groups Create policy groups using stable attributes such as workload role, device class, and security posture instead of subnet addresses.
- Validate in permissive mode before enforcement Run policies in observation or permissive mode long enough to confirm what would be allowed or denied without disrupting business traffic.
What's in the full article
Elisity's full post covers the implementation detail this analysis intentionally leaves at the source:
- The article walks through how Elisity maps CISA guidance to policy simulation, discovery, and enforcement steps in real environments.
- It includes customer examples that show how phased microsegmentation is operationalised across large, mixed infrastructure estates.
- The post details how existing switch infrastructure can be used to enforce dynamic policy without a full network redesign.
- It explains how the platform correlates device and identity data to support attribute-based segmentation decisions.
👉 Read Elisity's analysis of CISA microsegmentation guidance and Zero Trust implementation →
Microsegmentation in Zero Trust: what practitioners need to fix?
Explore further
Microsegmentation is now an identity governance issue, not just a network design choice. The article’s real contribution is that it treats policy enforcement as dependent on identity, device state, and workload context. That is the same control logic identity teams use in access governance, only applied laterally inside the network. Practitioners should stop treating segmentation as a separate infrastructure project and align it with identity-led policy design.
A question worth separating out:
Q: Who is accountable when segmentation rules block business traffic?
A: Accountability should sit with the business service owner, security architecture, and the team operating the enforcement layer. Segmentation is not just a network function, because bad policy decisions can create outages as easily as they reduce risk. Clear ownership, change approval, and rollback criteria are essential so containment controls do not become operational hazards.
👉 Read our full editorial: CISA microsegmentation guidance exposes the real Zero Trust gap