Rollout App Segments for Macro Segmentation
Implementation Effort: Medium
User Impact: Medium
Overview
Key Zero Trust macro-segmentation strategies include:
- Segmenting applications based on business function, sensitivity, and risk, not just network topology.
- Using per-app access controls to ensure that users and devices can only reach resources they are permitted to access.
- Continuously validating trust with real-time signals (e.g., device compliance, user risk, location) before and during each session.
- Enforcing least privilege and just-in-time access, so permissions are tightly scoped and time-bound.
By approaching macro-segmentation through a Zero Trust lens, organizations reduce lateral movement opportunities for attackers, limit exposure in case of compromise, and ensure that security controls adapt to evolving threats and business needs.
Microsoft Entra Private Access provides secure access to your organization's internal resources by enabling you to control and secure access to specific network destinations on your private network. This allows you to provide granular network access based on user needs. To do this, create an Enterprise application and add the application segment that is used by the internal, private resource that you want to secure.
Network requests sent from devices running the Global Secure Access client to the application segment you added to your Enterprise application will be acquired and routed to your internal application by the Global Secure Access cloud service without any ability to connect to other resources on your network. By configuring an Enterprise application, you create per-app access to your internal resources. Enterprise applications provide you a segmented, granular ability to manage how your resources are accessed on a per-app basis.