TL;DR: Network segmentation reduces lateral movement by breaking flat networks into smaller trust zones, but poor segmentation, third-party overreach, and weak auditability still leave organisations exposed, according to StrongDM and IBM. The security case now depends on making legitimate access easier than illegitimate movement, not just adding more network boundaries.
NHIMG editorial — based on content published by StrongDM: 7 Network Segmentation Best Practices to Level-up Your Security
By the numbers:
- A recent report found that 44% of organisations experienced a breach in the last 12 months, with 74% saying it was the result of giving too much privileged access to third parties.
- Only 5.7% of organisations have full visibility into their service accounts.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should security teams apply least privilege in segmented networks?
A: Security teams should define least privilege at the segment boundary first, then narrow access inside each zone by role, function, and data sensitivity.
Q: Why does third-party access create more segmentation risk than internal access?
A: Third-party access often combines external connectivity, broad task scope, and weaker visibility into the requester’s environment.
Q: How do you know if network segmentation is actually working?
A: You know segmentation is working when a compromise in one zone does not create immediate reach into adjacent systems, and when audit logs can show which identities crossed which boundaries.
Practitioner guidance
- Map access paths before adding more zones: document the current routes used by users, service accounts, vendors, and administrators, then identify which paths can reach sensitive systems without a clear business need.
- Separate third-party access from internal operator access: place vendor and contractor sessions into isolated portals or tightly scoped segments so their credentials cannot be reused to traverse broader internal zones.
- Review least-privilege rules at the segment boundary: check that each zone has explicit policies for who and what may cross it, and remove inherited permissions that let hosts or services move laterally by default.
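The path-mapping and boundary-review steps above, together with the "which identities crossed which boundaries" test from the Q&A, as an added toy example (not StrongDM's or NHIMG's code). The boundary policy, zone names, identities and audit log format are all constructed for illustration.

```python
"""Added example, not StrongDM's or NHIMG's code. Reviews access paths against a
segment-boundary policy and flags audit crossings outside it. All data is constructed."""
from dataclasses import dataclass
# Constructed policy: identity classes allowed to cross src -> dst; unlisted = denied.
BOUNDARY_POLICY: dict[tuple[str, str], set[str]] = {
    ("corp", "app"): {"employee", "admin"},
    ("app", "db"): {"service"},
    ("vendor-portal", "app"): {"vendor"},
}
SENSITIVE_ZONES = {"db"}
@dataclass(frozen=True)
class AccessPath:
    identity: str
    identity_class: str
    hops: tuple[str, ...]    # ordered zones the identity can traverse
    business_need: str = ""  # documented justification, "" if none

def crossing_allowed(src: str, dst: str, identity_class: str) -> bool:
    return identity_class in BOUNDARY_POLICY.get((src, dst), set())

def review_paths(paths: list[AccessPath]) -> list[str]:
    """Flag hops the policy does not permit and undocumented reach into sensitive zones."""
    findings = []
    for p in paths:
        for src, dst in zip(p.hops, p.hops[1:]):
            if not crossing_allowed(src, dst, p.identity_class):
                findings.append(f"{p.identity}: {src}->{dst} not permitted for {p.identity_class}")
        if p.hops[-1] in SENSITIVE_ZONES and not p.business_need:
            findings.append(f"{p.identity}: reaches {p.hops[-1]} with no documented need")
    return findings
def audit_crossings(log_lines: list[str], classes: dict[str, str]) -> list[str]:
    """Constructed log format '<ts> <identity> <src_zone> <dst_zone>'; return
    crossings the boundary policy does not allow for that identity's class."""
    flagged = []
    for line in log_lines:
        ts, ident, src, dst = line.split()
        if not crossing_allowed(src, dst, classes.get(ident, "unknown")):
            flagged.append(f"{ts} {ident} crossed {src}->{dst} outside policy")
    return flagged

# Constructed sample: a scoped service account, a vendor session that inherits
# reach into the database zone, and an ordinary employee.
SAMPLE_PATHS = [
    AccessPath("svc-billing", "service", ("app", "db"), "nightly billing job"),
    AccessPath("vendor-acme", "vendor", ("vendor-portal", "app", "db")),
    AccessPath("alice", "employee", ("corp", "app")),
]
CLASSES = {p.identity: p.identity_class for p in SAMPLE_PATHS}
SAMPLE_LOG = ["2024-05-01T02:00:00Z svc-billing app db", "2024-05-01T02:05:00Z vendor-acme app db"]
```

Running `review_paths(SAMPLE_PATHS)` surfaces only the vendor session, whose inherited app-to-db hop has neither a policy entry nor a business justification; `audit_crossings(SAMPLE_LOG, CLASSES)` flags the same identity when it actually crosses that boundary.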
What's in the full article
StrongDM's full article covers the operational detail this post intentionally leaves for the source:
- Specific examples of how VLANs, firewalls, and SDN-based segmentation differ in maintenance overhead
- The article's own guidance on making legitimate access paths easier to use than illegitimate ones
- The audit and monitoring considerations StrongDM highlights for engineering teams that need command-level visibility
- The practical trade-offs around avoiding over-segmentation in complex enterprise networks
👉 Read StrongDM's article on 7 network segmentation best practices →
Network segmentation and least privilege: are your controls keeping up?
Explore further
Network segmentation is now an identity control as much as a network control. The article is about dividing traffic paths, but the real governance outcome is limiting what identities can reach once they are inside. That matters across human users, service accounts, and third parties because the same broad access problem appears in each case. Practitioners should treat segmentation as part of identity blast-radius management, not as an isolated network project.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why segmented access paths remain difficult to govern at scale.
A question worth separating out:
Q: What is the difference between segmentation and over-segmentation?
A: Segmentation reduces exposure by creating meaningful trust boundaries. Over-segmentation creates so many boundaries and policies that the organisation struggles to maintain them, which can lead to exceptions, confusion, and weaker oversight. The practical test is whether the model remains understandable to the teams who operate it.
👉 Read our full editorial: Network segmentation best practices and NHI access control