Define Segmentation Strategy

Implementation Effort: Medium

User Impact: High

Overview

Zero Trust in network segmentation means every segment boundary is a security checkpoint, not just the network edge. Segmentation should be dynamic, policy-driven, and closely tied to identity and context—ensuring that only authorized, validated users and devices can access resources, regardless of network location.

Evaluate Network Segmentation Strategy (Zero Trust Principles):

  • Network segmentation should not rely solely on perimeter-based controls. Instead, enforce segmentation at every possible layer—between environments (production, dev, test), between applications, and even between workloads.
  • Adopt a "least privilege" approach: only allow network flows explicitly required for business operations.
  • Treat every network segment as potentially hostile. Require authentication and authorization for all traffic crossing segment boundaries.

Application Segments for Macro-segmentation:

  • Group applications and services into segments based on business function, sensitivity, or exposure risk.
  • For each segment, define clear access policies that specify who (users, services) and what (devices, workloads) can access resources within the segment.
  • Use micro-segmentation within application segments to further restrict lateral movement—this means applying granular controls (e.g., host-based firewalls, software-defined networking policies).

Continuous Monitoring and Adaptation:

  • Continuously monitor network traffic between segments for anomalous behavior.
  • Regularly review and update segmentation policies as business needs and the threat landscape evolve.
  • Integrate segmentation controls with identity and device posture—access decisions should factor in user identity, device health, and context.
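As an added illustration of the policy model described in the three lists above (not code from the original page), the following evaluator applies a default-deny rule set between macro-segments and factors identity and device posture into every boundary decision. The segment names, workloads, roles and flows are constructed for the example.

```python
"""Added example: default-deny segmentation policy evaluation with
identity and device-posture checks at each segment boundary."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed macro-segment membership: workload -> segment.
SEGMENTS = {
    "web-01": "prod-web", "web-02": "prod-web",
    "db-01": "prod-db",
    "build-01": "dev",
}

@dataclass(frozen=True)
class Rule:
    src: str                       # source segment
    dst: str                       # destination segment
    port: int                      # destination TCP port
    roles: frozenset = frozenset() # allowed principal roles (empty = any authenticated)
    require_healthy: bool = True   # device posture must be healthy

# Explicit allow list; any flow not matched here is denied (least privilege).
RULES = [
    Rule("prod-web", "prod-db", 5432, frozenset({"app-svc"})),
    Rule("dev", "prod-web", 443, frozenset({"developer"})),
]

@dataclass
class Flow:
    src_host: str
    dst_host: str
    port: int
    principal: Optional[str]       # authenticated identity, None if unauthenticated
    roles: frozenset = frozenset()
    device_healthy: bool = False

def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason). Every boundary is a checkpoint: unknown
    workloads, unauthenticated traffic and unmatched flows are all denied."""
    src_seg, dst_seg = SEGMENTS.get(flow.src_host), SEGMENTS.get(flow.dst_host)
    if src_seg is None or dst_seg is None:
        return False, "unknown workload"
    if flow.principal is None:
        return False, "unauthenticated"
    for r in RULES:
        if (r.src, r.dst, r.port) != (src_seg, dst_seg, flow.port):
            continue
        if r.roles and not (r.roles & flow.roles):
            return False, "role not permitted"
        if r.require_healthy and not flow.device_healthy:
            return False, "device posture unhealthy"
        return True, f"allowed by rule {r.src}->{r.dst}:{r.port}"
    return False, "no matching rule (default deny)"
```

Denied decisions carry a reason string so they can be logged and fed into the monitoring described above, which is how unexpected cross-segment attempts become visible.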

Reference