Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Microsegmentation and zero trust: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Most enterprises still struggle to operationalise microsegmentation, with Forrester saying projects were historically prone to failure because of complexity, even as the market is projected to grow from $8.2B in 2025 to $41B by 2034, according to Exactitude Consultancy. The real shift is that identity-based, agentless enforcement now makes the control more practical, but only if teams stop treating zero trust as a perimeter problem.

NHIMG editorial — based on content published by Elisity: Why Zero Trust Requires Microsegmentation

Questions worth separating out

Q: How should security teams implement microsegmentation in hybrid environments?

A: Start by anchoring policy to identity and function rather than IP address or subnet, then extend enforcement to the assets that matter most to lateral movement risk.

Q: Why do zero trust programmes still need microsegmentation?

A: Because zero trust at the entry point does not stop an attacker from moving inside the network after the first foothold.

Q: What do organisations get wrong about microsegmentation projects?

A: They often assume the hard part is the policy logic, when the real failure mode is operational complexity.

Practitioner guidance

  • Re-baseline your segmentation architecture around identity Replace IP-first segmentation designs with policy models tied to device identity, workload identity, and function.
  • Identify assets that cannot run agents List IoT, OT, medical, legacy, and unmanaged endpoints that would be excluded by an agent-based approach.
  • Measure east-west exposure explicitly Map where internal traffic still moves without policy enforcement and classify those paths by business criticality.

What's in the full article

Elisity's full post covers the operational detail this analysis intentionally leaves at the architecture level:

  • Customer-facing examples of identity-based microsegmentation in converged IT, OT, and IoT environments.
  • Specific criteria for evaluating whether a segmentation platform can work without endpoint agents.
  • Deployment considerations for teams replacing VLAN and ACL centric designs with identity-anchored policy.
  • Practical questions to ask when assessing whether microsegmentation can be rolled out in weeks rather than years.

👉 Read Elisity's analysis of identity-based microsegmentation and zero trust →

Microsegmentation and zero trust: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Microsegmentation is now an identity governance problem, not a network design exercise. The failed first generation was built on static topology, exhaustive flow mapping, and manual rules that could not keep pace with enterprise complexity. Once policy is anchored to identity and function, the control becomes governable across IT, OT, IoT, and hybrid environments. That shifts the decision from whether segmentation is possible to whether the organisation can operationalise identity as the enforcement layer.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to the 2024 Non-Human Identity Security Report.
  • 23.5% of security professionals are unsure about the biggest threat to their non-human identities, according to the same report.

A question worth separating out:

Q: What frameworks should guide microsegmentation decisions?

A: Use NIST SP 800-207 and CISA zero trust guidance to evaluate whether segmentation is actually part of the architecture, not just a network optimisation. Then align enforcement with internal containment goals so the control supports least privilege after initial access, not only at the perimeter.

👉 Read our full editorial: Microsegmentation is the missing control in zero trust architectures



   
ReplyQuote
Share: