Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Zero trust segmentation and cyber resilience: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Enterprises are being pushed to prove cyber resilience while downtime can cost as much as $5 million per hour, according to Gartner, which makes lateral movement containment and business continuity a single governance problem rather than separate goals. Zero Trust segmentation now has to be judged on whether it narrows blast radius without creating operational dead zones.

NHIMG editorial — based on content published by Zero Networks: Ask the Expert, A Field CTO’s Guide to Cyber Resilience, Zero Trust Segmentation, and Business Continuity

By the numbers:

Questions worth separating out

Q: How should security teams stop lateral movement without breaking business operations?

A: They should start with the business flows that must keep working, then segment only the communication paths those flows truly require.

Q: Why do zero trust and cyber resilience need to be designed together?

A: Because resilience is no longer just about recovering after an incident.

Q: What do organisations get wrong about microsegmentation in production networks?

A: They often treat it as a pure perimeter or subnet exercise, when it actually depends on identity, application behaviour, and operational exceptions.

Practitioner guidance

  • Inventory high-value communication paths Map the specific assets, ports, and identity relationships that support business-critical workflows, then identify which of them are unnecessarily open across the environment.
  • Convert standing admin routes into just-in-time access Replace permanently available privileged communication with temporary, verified access tied to the exact task and revoke it as soon as the session completes.
  • Enforce identity-aware segmentation policies Tie network rules to the identities and applications that actually need them, instead of relying on broad subnet trust or static allow lists.

What's in the full article

Zero Networks' full post covers the operational detail this post intentionally leaves for the source:

  • The vendor’s practical segmentation workflow for mapping business traffic before enforcement.
  • Examples of how just-in-time privileged access is applied at the network layer during real operations.
  • The article’s discussion of isolating infected systems without shutting down the whole network.
  • Details on how the vendor frames frictionless rollout and continuous learning across assets and identities.

👉 Read Zero Networks' guide to cyber resilience, segmentation, and business continuity →

Zero trust segmentation and cyber resilience: are controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Identity-based resilience is now a governance problem, not just a network design problem. The article correctly shows that segmentation only works when identity, device, and communication paths are understood together. A control that ignores legitimate business dependencies will either be bypassed or rejected by operations, which is why resilience programmes need shared ownership across IAM, PAM, and network security. The practitioner implication is that blast-radius reduction must be measured as a governance outcome, not a technology purchase.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: Who is accountable when segmentation still allows a breach to spread?

A: Accountability sits with the teams that own identity policy, privileged access, and network containment together, because failures usually happen at the boundary between those domains. NIST SP 800-207 Zero Trust Architecture is the clearest reference point for assigning explicit verification and least-privilege responsibilities.

👉 Read our full editorial: Cyber resilience depends on stopping lateral movement without friction



   
ReplyQuote
Share: