Zero Trust - Learning Module

Loading content...

0/273

Micro-Segmentation

Containing the Blast Radius

In 2017, the NotPetya attack devastated Maersk, the world's largest shipping conglomerate. Within hours of the initial infection, the malware had spread to nearly every one of their 49,000 endpoints across 600 sites in 130 countries. The company's entire global operations ground to a halt. Ships couldn't dock. Terminals couldn't process containers. The estimated damage: $300 million.

The attack vector was a compromised update to Ukrainian accounting software. But the devastation wasn't primarily due to the initial compromise—it was due to the speed and ease of lateral movement across Maersk's flat network architecture. Once inside, NotPetya spread like wildfire because there were no internal barriers to slow it down.

Micro-segmentation is the architectural response to this threat. It's the practice of creating fine-grained security boundaries around individual workloads, preventing compromised systems from reaching others—even within the same network segment.

What You Will Learn

By the end of this page, you will understand how micro-segmentation prevents lateral movement in distributed systems. You'll learn the evolution from traditional VLANs to workload-centric segmentation, explore implementation strategies using service meshes and software-defined networking, and understand how to design segmentation policies that balance security with operational complexity.

From Network Segmentation to Micro-Segmentation

Network segmentation has existed for decades. Organizations divided their networks into zones—DMZ, development, production, HR, finance—using VLANs, firewalls, and ACLs. This was better than a completely flat network, but it created coarse-grained trust zones where everything within a segment was implicitly trusted.

The problem with traditional segmentation:

Network Segmentation Evolution
Generation	Approach	Granularity	Limitations
Flat Network	Single broadcast domain, no segmentation	None	Any breach spreads everywhere instantly
VLAN Segmentation	VLANs separate network zones	Subnet level (dozens of hosts)	Large blast radius within VLANs; static; IP-based
Zone-Based Firewall	Firewalls between network zones	Zone level (hundreds of hosts)	Complex rule management; doesn't protect within zones
Software-Defined Segmentation	Virtualized network overlays	VM or host level	Still relatively coarse; limited application awareness
Micro-Segmentation	Workload-centric policies	Individual workload (container, function)	Minimal blast radius; identity-based; dynamic

Micro-segmentation defined:

Micro-segmentation creates a security boundary around each individual workload—each container, VM, serverless function, or service instance. Access between workloads requires explicit authorization, regardless of network location.

Key characteristics:

Workload-centric: Policies are attached to workloads, not network constructs
Identity-based: Access decisions based on verified identity, not IP addresses
Dynamic: Policies automatically apply as workloads scale up/down
Application-aware: Can understand and filter based on application-level protocols
Least privilege: Only necessary communication paths are allowed

Traditional Segmentation

•Policies based on IP addresses and ports
•Static rules that don't adapt to change
•Large trust zones with implicit trust within
•Network-centric: bound to physical topology
•Difficult to manage at scale
•Limited visibility into east-west traffic

Micro-Segmentation

•Policies based on workload identity
•Dynamic policies that follow workloads
•Each workload is its own trust boundary
•Workload-centric: independent of topology
•Scalable through automation and policy inheritance
•Full visibility into all traffic flows

Why IP-Based Policies Fail

In containerized environments, IP addresses are ephemeral. A container might use 10.0.0.50 at 2:00 PM and a completely different container uses that same IP at 2:05 PM. Firewall rules based on IPs are meaningless in this context. Micro-segmentation uses workload identity—a cryptographically verified identity tied to the workload itself, not its network address.

The Anatomy of Lateral Movement

To understand why micro-segmentation matters, we must understand how attackers move laterally within networks. Lateral movement is the phase of an attack where adversaries explore the network, escalate privileges, and reach their ultimate targets.

Common lateral movement techniques:

Lateral Movement Attack Techniques

•Credential theft and reuse — Attackers extract credentials from compromised hosts (mimikatz, memory dumps) and use them to authenticate to other systems.
•Pass-the-hash / Pass-the-ticket — Using captured authentication artifacts (NTLM hashes, Kerberos tickets) without knowing the plaintext password.
•Internal reconnaissance — Scanning internal networks to discover services, identify targets, and map the environment.
•Exploitation of internal services — Attacking internal services that lack the hardening of internet-facing systems.
•Abuse of legitimate tools — Using administrative tools (PowerShell, WMI, SSH) already present on compromised systems.
•Trust relationship abuse — Exploiting trust between services (database connections, API keys, service accounts) to pivot between systems.

A typical lateral movement attack flow:

Initial Compromise            Lateral Movement Path            Ultimate Target
      │                                │                            │
      ▼                                ▼                            ▼
┌─────────────┐    Trust      ┌─────────────┐    Trust      ┌─────────────┐
│   Workload  │──────────────▶│   Workload  │──────────────▶│   Critical  │
│      A      │    Allowed    │      B      │    Allowed    │   Database  │
│  (Webserver)│               │  (App Svc)  │               │             │
└─────────────┘               └─────────────┘               └─────────────┘
   Phishing               Uses extracted                Uses app service's
   compromises            credentials to                database credentials
   webserver              reach app service             to steal data

WITHOUT MICRO-SEGMENTATION:
- Webserver can freely communicate with app service (both in "production" zone)
- App service can freely communicate with database (both "internal")
- No verification of whether these communications are legitimate
- Attacker moves freely until reaching ultimate target

The micro-segmentation difference:

WITH MICRO-SEGMENTATION:
                                                              
┌─────────────┐               ┌─────────────┐               ┌─────────────┐
│   Webserver │               │   App Svc   │               │   Database  │
│             │               │             │               │             │
│  Segment A  │               │  Segment B  │               │  Segment C  │
└──────┬──────┘               └──────┬──────┘               └──────┬──────┘
       │                             │                             │
       │  POLICY: Web → App          │  POLICY: App → DB           │
       │  IF: valid token            │  IF: service identity       │
       │  AND: request matches       │  AND: authenticated         │
       │       expected pattern      │  AND: authorized query      │
       │                             │                             │
       └─────────▶ Verified ◀────────┴────────▶ Verified ◀─────────┘

Each hop requires explicit verification:
- Stolen credentials from webserver don't grant access to app service
- Compromised app service can only make authorized database queries
- Anomalous traffic patterns trigger alerts and blocks

Dwell Time Is the Enemy

The 2023 IBM X-Force Threat Intelligence Index reported that attackers spend an average of 277 days inside networks before detection. This extended "dwell time" is enabled by the ability to move laterally without triggering security controls. Micro-segmentation creates friction at every hop, forcing attackers to use techniques that are more likely to trigger detection.

Micro-Segmentation Implementation Approaches

Micro-segmentation can be implemented through multiple architectural approaches, each with different tradeoffs:

1. Host-Based Micro-Segmentation

Policy enforcement at the host (VM or bare metal) level using host-based firewalls and agents.

How it works:

Agent installed on each host
Agent enforces firewall rules based on workload identity
Central policy engine distributes policies
Works across physical, virtual, and cloud environments

Technologies:

Illumio Core
Guardicore (now Akamai)
VMware NSX Distributed Firewall
Cisco Secure Workload (Tetration)

Pros: Broad compatibility, works in any environment, existing workloads supported Cons: Requires agents, host-level permissions, potential performance overhead

2. Network-Based Micro-Segmentation

Policy enforcement at the network infrastructure level using software-defined networking (SDN).

How it works:

SDN controller maintains workload inventory
Virtual network overlays isolate segments
Distributed switches enforce policies
Policies follow workloads as they move

Technologies:

VMware NSX-T
Cisco ACI
Nuage Networks (Nokia)
OpenStack Neutron

Pros: No host agents, network-level control, strong isolation Cons: Infrastructure dependency, may not protect within hypervisors

3. Service Mesh Micro-Segmentation

Policy enforcement through sidecar proxies attached to each workload, typically in containerized environments.

How it works:

Sidecar proxy (e.g., Envoy) deployed alongside each container
All traffic routed through the proxy
Proxy enforces mTLS and authorization policies
Control plane manages certificates and policies

Technologies:

Istio (with mTLS and AuthorizationPolicy)
Linkerd (with policy)
Consul Connect
Cilium (eBPF-based, no sidecar)

Pros: Application-layer visibility, automatic mTLS, cloud-native Cons: Kubernetes/container focus, added complexity, latency overhead

Micro-Segmentation Approaches Comparison
Approach	Best For	Granularity	Complexity	Cloud-Native Fit
Host-Based	Hybrid environments, VMs	Process/VM level	Medium	Moderate
Network-Based (SDN)	Data centers with SDN investment	VM/Host level	High	Low
Service Mesh	Kubernetes, microservices	Container/pod level	Medium-High	Excellent
eBPF-Based	Kubernetes, high performance	Container/process level	Medium	Excellent
Cloud-Native	Single cloud environments	Workload level	Low-Medium	Excellent (vendor-specific)

Choose Based on Your Environment

There's no single "best" micro-segmentation approach. Host-based works well for hybrid environments with VMs and bare metal. Service mesh excels in Kubernetes. Cloud-native security groups work for single-cloud deployments. Most organizations use a combination of approaches for different parts of their infrastructure.

Designing Micro-Segmentation Policies

Effective micro-segmentation requires thoughtful policy design. Poorly designed policies either create security gaps (too permissive) or break applications (too restrictive).

Policy design principles:

Policy Design Principles

•Default deny — If not explicitly allowed, traffic is blocked. This ensures no implicit trust exists.
•Least privilege — Allow only the specific protocols, ports, and operations required for legitimate function.
•Application-aware — Understand actual application communication patterns, not just network flows.
•Identity-based — Reference workload identities, not IP addresses, which are ephemeral.
•Hierarchical — Use policy inheritance and grouping to manage complexity at scale.
•Observable — Log policy decisions for debugging, auditing, and continuous improvement.

Discovering communication patterns:

Before writing policies, you must understand how your applications communicate. This is called application dependency mapping.

Approaches to dependency mapping:

Passive observation: Monitor actual traffic flows in the environment
- Flow logs (VPC flow logs, Kubernetes network policies in audit mode)
- Service mesh telemetry
- Agent-based traffic analysis
Application documentation: Work with application teams
- Architecture diagrams
- API specifications
- Service catalogs
Automated discovery: Use tooling to map dependencies
- APM tools (Datadog, New Relic service maps)
- Micro-segmentation vendor discovery features
- Service mesh topology views

Example dependency map:

┌─────────────────────────────────────────────────────────────────────────┐
│                          E-Commerce Application                          │
└─────────────────────────────────────────────────────────────────────────┘

                    ┌──────────────────────────────┐
                    │       Load Balancer          │
                    │     (Ingress Controller)     │
                    └───────────────┬──────────────┘
                                    │ HTTPS (443)
                                    ▼
                    ┌──────────────────────────────┐
                    │      Web Frontend (BFF)      │
                    │         3 replicas           │
                    └───────────────┬──────────────┘
                                    │
              ┌─────────────────────┼─────────────────────┐
              │ gRPC (9090)         │ gRPC (9090)         │ gRPC (9090)
              ▼                     ▼                     ▼
    ┌─────────────────┐   ┌─────────────────┐   ┌─────────────────┐
    │  User Service   │   │ Catalog Service │   │  Cart Service   │
    │    2 replicas   │   │    4 replicas   │   │    2 replicas   │
    └────────┬────────┘   └────────┬────────┘   └────────┬────────┘
             │ TCP (5432)          │ TCP (5432)          │ TCP (6379)
             ▼                     ▼                     ▼
    ┌─────────────────┐   ┌─────────────────┐   ┌─────────────────┐
    │   User Database │   │ Catalog Database│   │   Redis Cache   │
    │   (PostgreSQL)  │   │   (PostgreSQL)  │   │                 │
    └─────────────────┘   └─────────────────┘   └─────────────────┘

Translating to policies:

From this map, we can derive explicit policies:

Load Balancer → Web Frontend: HTTPS (443) only
Web Frontend → User Service: gRPC (9090) only
Web Frontend → Catalog Service: gRPC (9090) only
Web Frontend → Cart Service: gRPC (9090) only
User Service → User Database: PostgreSQL (5432) only
Catalog Service → Catalog Database: PostgreSQL (5432) only
Cart Service → Redis Cache: Redis (6379) only

Everything else is denied by default.

Start with Observation Mode

Never deploy micro-segmentation policies in enforcement mode without first validating them. Start in "audit" or "observe" mode where policy violations are logged but not blocked. Analyze the violations: Are they attacks? Or legitimate traffic you didn't account for? Only after resolving all expected violations should you move to enforcement mode.

Service Mesh Micro-Segmentation Deep Dive

For cloud-native, containerized environments, service meshes provide the most natural micro-segmentation implementation. Let's explore how Istio—one of the most popular service meshes—implements Zero Trust micro-segmentation.

Istio's security architecture:

┌─────────────────────────────────────────────────────────────────────────┐
│                           Istio Control Plane                            │
│  ┌───────────────┐  ┌───────────────┐  ┌───────────────────────────┐    │
│  │    istiod     │  │   Citadel     │  │  Authorization Policy     │    │
│  │  (Pilot +     │  │  (Certificate │  │  Engine                   │    │
│  │   Config)     │  │   Authority)  │  │                           │    │
│  └───────────────┘  └───────────────┘  └───────────────────────────┘    │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
         Certificate distribution + Policy configuration
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                              Data Plane                                  │
│  ┌─────────────────────┐          ┌─────────────────────┐               │
│  │   Pod A             │  mTLS    │   Pod B             │               │
│  │  ┌───────┐ ┌──────┐ │◀────────▶│ ┌──────┐ ┌────────┐ │               │
│  │  │ App A │◀┤Envoy │ │          │ │Envoy ├▶│ App B  │ │               │
│  │  └───────┘ └──────┘ │          │ └──────┘ └────────┘ │               │
│  └─────────────────────┘          └─────────────────────┘               │
└─────────────────────────────────────────────────────────────────────────┘

Traffic flow:
1. App A sends request to App B
2. Request goes to local Envoy sidecar
3. Envoy encrypts request using mutual TLS with App B's identity
4. App B's Envoy receives request, verifies identity
5. Envoy checks AuthorizationPolicy: Is App A allowed to call this endpoint?
6. If authorized, request passes to App B; otherwise, denied

Istio AuthorizationPolicy example:

# Policy: Only allow frontend service to call the user service
# and only for specific paths with specific methods
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: user-service-policy
  namespace: production
spec:
  selector:
    matchLabels:
      app: user-service
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/production/sa/frontend-service"
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/users/*", "/api/auth/validate"]
  - from:
    - source:
        principals:
        - "cluster.local/ns/production/sa/admin-service"
    to:
    - operation:
        methods: ["GET", "POST", "PUT", "DELETE"]
        paths: ["/api/users/*", "/api/admin/*"]

This policy specifies:

Who can access: Only frontend-service and admin-service identities
What they can access: Specific paths and methods
Everything else: Implicitly denied

Istio Security Features for Micro-Segmentation

•Automatic mTLS — PeerAuthentication resources enforce mTLS mesh-wide. Every service-to-service connection is encrypted and authenticated.
•SPIFFE-based identity — Each workload gets a SPIFFE ID based on namespace and service account. No IP-based trust.
•Fine-grained authorization — AuthorizationPolicy supports L7 attributes: paths, methods, headers, JWT claims.
•Request-level logging — Envoy access logs capture every request with full context for auditing.
•Deny rules — Combine ALLOW and DENY policies for complex whitelisting and blacklisting scenarios.
•External authorization — Integrate with external authz services (OPA, custom services) for complex policy decisions.

eBPF-Based Alternatives

Cilium and Calico offer eBPF-based micro-segmentation that doesn't require sidecar proxies. eBPF runs policies directly in the Linux kernel, offering lower latency and resource usage. The tradeoff is less application-layer (L7) visibility without additional components. Many organizations use Cilium for network-level (L3/L4) segmentation and Istio for L7 policies.

Segmentation Strategies

Not all workloads require the same level of segmentation. Strategic segmentation focuses the most controls on the most sensitive assets while maintaining manageable complexity.

Segmentation by sensitivity:

Segmentation Tiers by Data Sensitivity
Tier	Data Types	Segmentation Level	Example Workloads
Critical	Secrets, cryptographic keys, authentication stores	Maximum isolation, dedicated segments, MFA for all access	HSM, Vault, root CA, identity provider
Highly Sensitive	PII, financial data, health records	Strong segmentation, restricted access, encryption required	Customer DB, payment processing, patient records
Sensitive	Internal business data, non-public APIs	Standard micro-segmentation, authentication required	CRM data, analytics, internal tools
Internal	Non-sensitive internal services	Basic segmentation, internal identity required	Logging, metrics, internal dashboards
Public	Public content, static assets	Minimal segmentation, rate limiting	CDN content, public APIs, marketing site

Domain-driven segmentation:

Align micro-segmentation boundaries with business domain boundaries (bounded contexts from Domain-Driven Design):

┌─────────────────────────────────────────────────────────────────────────┐
│                         Domain Boundary Segmentation                     │
└─────────────────────────────────────────────────────────────────────────┘

  ┌──────────────────────┐  ┌──────────────────────┐  ┌─────────────────┐
  │   Payments Domain    │  │   Inventory Domain   │  │  Users Domain   │
  │  ┌────────────────┐  │  │  ┌────────────────┐  │  │  ┌───────────┐  │
  │  │Payment Service │  │  │  │Inventory Svc   │  │  │  │User Svc   │  │
  │  └───────┬────────┘  │  │  └───────┬────────┘  │  │  └─────┬─────┘  │
  │          │           │  │          │           │  │        │        │
  │  ┌───────▼────────┐  │  │  ┌───────▼────────┐  │  │  ┌─────▼─────┐  │
  │  │Payment DB      │  │  │  │Inventory DB    │  │  │  │User DB    │  │
  │  └────────────────┘  │  │  └────────────────┘  │  │  └───────────┘  │
  │                      │  │                      │  │                 │
  │  ┌────────────────┐  │  │  ┌────────────────┐  │  │  ┌───────────┐  │
  │  │Fraud Detection │  │  │  │Warehouse Svc   │  │  │  │Auth Svc   │  │
  │  └────────────────┘  │  │  └────────────────┘  │  │  └───────────┘  │
  └──────────────────────┘  └──────────────────────┘  └─────────────────┘
          │                          │                        │
          └──────────────────────────┼────────────────────────┘
                                     │
                          Cross-domain communication
                          requires explicit APIs and
                          strong authentication

Benefits of domain-aligned segmentation:

Services within a domain share context and can be more permissive
Cross-domain communication is strictly controlled through well-defined APIs
Aligns with team ownership—each team manages their domain's policies
Reduces policy complexity—fewer cross-domain dependencies to model

Environment Segmentation

Beyond application-level segmentation, enforce strict isolation between environments: development, staging, production. Production credentials and data should never be accessible from non-production environments. Many breaches start in less-secured dev environments and pivot to production.

Operational Considerations

Micro-segmentation adds security but also adds complexity. Successful implementations require careful operational planning.

Common Operational Challenges

•Policy debugging — When requests fail, is it a policy issue or an application bug? Detailed logging and tracing are essential.
•Policy management at scale — Thousands of services create policy complexity. Policy-as-code, version control, and testing are required.
•Performance overhead — Each hop through a proxy adds latency. Optimize sidecar resources and use connection pooling.
•Certificate management — mTLS requires certificate rotation, expiry handling, and root CA protection.
•Emergency access — When micro-segmentation blocks legitimate traffic, operators need break-glass procedures.
•Third-party integrations — External services may not support mTLS or identity-based auth. Plan for edge cases.

Best practices for operations:

1. Policy-as-code with CI/CD

policies/
├── base/
│   └── default-deny.yaml
├── domains/
│   ├── users/
│   │   └── user-service-policy.yaml
│   ├── payments/
│   │   └── payment-service-policy.yaml
│   └── catalog/
│       └── catalog-service-policy.yaml
└── kustomization.yaml

Treat policies like application code:

Version control all policies
Require code review for policy changes
Test policies in staging before production
Automate deployment through GitOps

2. Observability for security

Implement comprehensive observability:

Access logs for every request
Policy decision logs
Service topology visualization
Anomaly detection on traffic patterns

3. Gradual rollout strategy

Discover: Map all communication patterns
Define: Write policies based on discovered patterns
Monitor: Deploy in audit mode, validate no legitimate breakage
Enforce: Enable enforcement, start with least critical services
Expand: Gradually cover all services
Maintain: Continuously update policies as applications evolve

Break-Glass Procedures

For critical incidents, you need the ability to quickly bypass micro-segmentation. Document break-glass procedures: who can authorize, how to execute, and how to audit afterward. Never have a situation where security controls prevent fixing a critical outage. But ensure break-glass is audited and reviewed post-incident.

Summary: Micro-Segmentation

Let's consolidate the key concepts of micro-segmentation for Zero Trust:

Key Takeaways

•Micro-segmentation contains blast radius — Each workload is its own trust boundary. Compromise of one doesn't cascade to others.
•Identity-based, not IP-based — Policies reference verified workload identities, not ephemeral network addresses.
•Default deny is essential — If not explicitly allowed, traffic is blocked. No implicit trust within segments.
•Multiple implementation approaches exist — Host-based, network-based, service mesh, and eBPF. Choose based on your environment.
•Service meshes excel for cloud-native — Istio, Linkerd, and Cilium provide transparent mTLS and fine-grained authorization.
•Dependency mapping precedes policy writing — Understand actual communication patterns before defining policies.
•Operational complexity is real — Invest in policy-as-code, observability, and break-glass procedures.
•Align with domain boundaries — Domain-driven segmentation balances security with manageable complexity.

What's next:

With micro-segmentation establishing boundaries around workloads, we need to ensure that access within those boundaries is correctly controlled. The next page explores identity-based access—how to implement authentication and authorization based on verified identities rather than network location, including service-to-service identity using SPIFFE/SPIRE and workload identity in cloud-native environments.

Page Complete

You now understand micro-segmentation as a core Zero Trust strategy. You've learned how it prevents lateral movement, explored implementation approaches from host-based to service mesh, and examined policy design principles. In the next page, we'll focus on the identity layer that enables micro-segmentation to make trust decisions.

Micro-Segmentation

Containing the Blast Radius

What You Will Learn

From Network Segmentation to Micro-Segmentation

The problem with traditional segmentation:

Network Segmentation Evolution
Generation	Approach	Granularity	Limitations
Flat Network	Single broadcast domain, no segmentation	None	Any breach spreads everywhere instantly
VLAN Segmentation	VLANs separate network zones	Subnet level (dozens of hosts)	Large blast radius within VLANs; static; IP-based
Zone-Based Firewall	Firewalls between network zones	Zone level (hundreds of hosts)	Complex rule management; doesn't protect within zones
Software-Defined Segmentation	Virtualized network overlays	VM or host level	Still relatively coarse; limited application awareness
Micro-Segmentation	Workload-centric policies	Individual workload (container, function)	Minimal blast radius; identity-based; dynamic

Micro-segmentation defined:

Key characteristics:

Workload-centric: Policies are attached to workloads, not network constructs
Identity-based: Access decisions based on verified identity, not IP addresses
Dynamic: Policies automatically apply as workloads scale up/down
Application-aware: Can understand and filter based on application-level protocols
Least privilege: Only necessary communication paths are allowed

Traditional Segmentation

•Policies based on IP addresses and ports
•Static rules that don't adapt to change
•Large trust zones with implicit trust within
•Network-centric: bound to physical topology
•Difficult to manage at scale
•Limited visibility into east-west traffic

Micro-Segmentation

•Policies based on workload identity
•Dynamic policies that follow workloads
•Each workload is its own trust boundary
•Workload-centric: independent of topology
•Scalable through automation and policy inheritance
•Full visibility into all traffic flows

Why IP-Based Policies Fail

The Anatomy of Lateral Movement

Common lateral movement techniques:

Lateral Movement Attack Techniques

•Credential theft and reuse — Attackers extract credentials from compromised hosts (mimikatz, memory dumps) and use them to authenticate to other systems.
•Pass-the-hash / Pass-the-ticket — Using captured authentication artifacts (NTLM hashes, Kerberos tickets) without knowing the plaintext password.
•Internal reconnaissance — Scanning internal networks to discover services, identify targets, and map the environment.
•Exploitation of internal services — Attacking internal services that lack the hardening of internet-facing systems.
•Abuse of legitimate tools — Using administrative tools (PowerShell, WMI, SSH) already present on compromised systems.
•Trust relationship abuse — Exploiting trust between services (database connections, API keys, service accounts) to pivot between systems.

A typical lateral movement attack flow:

Initial Compromise            Lateral Movement Path            Ultimate Target
      │                                │                            │
      ▼                                ▼                            ▼
┌─────────────┐    Trust      ┌─────────────┐    Trust      ┌─────────────┐
│   Workload  │──────────────▶│   Workload  │──────────────▶│   Critical  │
│      A      │    Allowed    │      B      │    Allowed    │   Database  │
│  (Webserver)│               │  (App Svc)  │               │             │
└─────────────┘               └─────────────┘               └─────────────┘
   Phishing               Uses extracted                Uses app service's
   compromises            credentials to                database credentials
   webserver              reach app service             to steal data

WITHOUT MICRO-SEGMENTATION:
- Webserver can freely communicate with app service (both in "production" zone)
- App service can freely communicate with database (both "internal")
- No verification of whether these communications are legitimate
- Attacker moves freely until reaching ultimate target

The micro-segmentation difference:

WITH MICRO-SEGMENTATION:
                                                              
┌─────────────┐               ┌─────────────┐               ┌─────────────┐
│   Webserver │               │   App Svc   │               │   Database  │
│             │               │             │               │             │
│  Segment A  │               │  Segment B  │               │  Segment C  │
└──────┬──────┘               └──────┬──────┘               └──────┬──────┘
       │                             │                             │
       │  POLICY: Web → App          │  POLICY: App → DB           │
       │  IF: valid token            │  IF: service identity       │
       │  AND: request matches       │  AND: authenticated         │
       │       expected pattern      │  AND: authorized query      │
       │                             │                             │
       └─────────▶ Verified ◀────────┴────────▶ Verified ◀─────────┘

Each hop requires explicit verification:
- Stolen credentials from webserver don't grant access to app service
- Compromised app service can only make authorized database queries
- Anomalous traffic patterns trigger alerts and blocks

Dwell Time Is the Enemy

Micro-Segmentation Implementation Approaches

Micro-segmentation can be implemented through multiple architectural approaches, each with different tradeoffs:

1. Host-Based Micro-Segmentation

Policy enforcement at the host (VM or bare metal) level using host-based firewalls and agents.

How it works:

Agent installed on each host
Agent enforces firewall rules based on workload identity
Central policy engine distributes policies
Works across physical, virtual, and cloud environments

Technologies:

Illumio Core
Guardicore (now Akamai)
VMware NSX Distributed Firewall
Cisco Secure Workload (Tetration)

Pros: Broad compatibility, works in any environment, existing workloads supported Cons: Requires agents, host-level permissions, potential performance overhead

2. Network-Based Micro-Segmentation

Policy enforcement at the network infrastructure level using software-defined networking (SDN).

How it works:

SDN controller maintains workload inventory
Virtual network overlays isolate segments
Distributed switches enforce policies
Policies follow workloads as they move

Technologies:

VMware NSX-T
Cisco ACI
Nuage Networks (Nokia)
OpenStack Neutron

Pros: No host agents, network-level control, strong isolation Cons: Infrastructure dependency, may not protect within hypervisors

3. Service Mesh Micro-Segmentation

Policy enforcement through sidecar proxies attached to each workload, typically in containerized environments.

How it works:

Sidecar proxy (e.g., Envoy) deployed alongside each container
All traffic routed through the proxy
Proxy enforces mTLS and authorization policies
Control plane manages certificates and policies

Technologies:

Istio (with mTLS and AuthorizationPolicy)
Linkerd (with policy)
Consul Connect
Cilium (eBPF-based, no sidecar)

Pros: Application-layer visibility, automatic mTLS, cloud-native Cons: Kubernetes/container focus, added complexity, latency overhead

Micro-Segmentation Approaches Comparison
Approach	Best For	Granularity	Complexity	Cloud-Native Fit
Host-Based	Hybrid environments, VMs	Process/VM level	Medium	Moderate
Network-Based (SDN)	Data centers with SDN investment	VM/Host level	High	Low
Service Mesh	Kubernetes, microservices	Container/pod level	Medium-High	Excellent
eBPF-Based	Kubernetes, high performance	Container/process level	Medium	Excellent
Cloud-Native	Single cloud environments	Workload level	Low-Medium	Excellent (vendor-specific)

Choose Based on Your Environment

Designing Micro-Segmentation Policies

Effective micro-segmentation requires thoughtful policy design. Poorly designed policies either create security gaps (too permissive) or break applications (too restrictive).

Policy design principles:

Policy Design Principles

•Default deny — If not explicitly allowed, traffic is blocked. This ensures no implicit trust exists.
•Least privilege — Allow only the specific protocols, ports, and operations required for legitimate function.
•Application-aware — Understand actual application communication patterns, not just network flows.
•Identity-based — Reference workload identities, not IP addresses, which are ephemeral.
•Hierarchical — Use policy inheritance and grouping to manage complexity at scale.
•Observable — Log policy decisions for debugging, auditing, and continuous improvement.

Discovering communication patterns:

Before writing policies, you must understand how your applications communicate. This is called application dependency mapping.

Approaches to dependency mapping:

Passive observation: Monitor actual traffic flows in the environment
- Flow logs (VPC flow logs, Kubernetes network policies in audit mode)
- Service mesh telemetry
- Agent-based traffic analysis
Application documentation: Work with application teams
- Architecture diagrams
- API specifications
- Service catalogs
Automated discovery: Use tooling to map dependencies
- APM tools (Datadog, New Relic service maps)
- Micro-segmentation vendor discovery features
- Service mesh topology views

Example dependency map:

┌─────────────────────────────────────────────────────────────────────────┐
│                          E-Commerce Application                          │
└─────────────────────────────────────────────────────────────────────────┘

                    ┌──────────────────────────────┐
                    │       Load Balancer          │
                    │     (Ingress Controller)     │
                    └───────────────┬──────────────┘
                                    │ HTTPS (443)
                                    ▼
                    ┌──────────────────────────────┐
                    │      Web Frontend (BFF)      │
                    │         3 replicas           │
                    └───────────────┬──────────────┘
                                    │
              ┌─────────────────────┼─────────────────────┐
              │ gRPC (9090)         │ gRPC (9090)         │ gRPC (9090)
              ▼                     ▼                     ▼
    ┌─────────────────┐   ┌─────────────────┐   ┌─────────────────┐
    │  User Service   │   │ Catalog Service │   │  Cart Service   │
    │    2 replicas   │   │    4 replicas   │   │    2 replicas   │
    └────────┬────────┘   └────────┬────────┘   └────────┬────────┘
             │ TCP (5432)          │ TCP (5432)          │ TCP (6379)
             ▼                     ▼                     ▼
    ┌─────────────────┐   ┌─────────────────┐   ┌─────────────────┐
    │   User Database │   │ Catalog Database│   │   Redis Cache   │
    │   (PostgreSQL)  │   │   (PostgreSQL)  │   │                 │
    └─────────────────┘   └─────────────────┘   └─────────────────┘

Translating to policies:

From this map, we can derive explicit policies:

Load Balancer → Web Frontend: HTTPS (443) only
Web Frontend → User Service: gRPC (9090) only
Web Frontend → Catalog Service: gRPC (9090) only
Web Frontend → Cart Service: gRPC (9090) only
User Service → User Database: PostgreSQL (5432) only
Catalog Service → Catalog Database: PostgreSQL (5432) only
Cart Service → Redis Cache: Redis (6379) only

Everything else is denied by default.

Start with Observation Mode

Service Mesh Micro-Segmentation Deep Dive

Istio's security architecture:

┌─────────────────────────────────────────────────────────────────────────┐
│                           Istio Control Plane                            │
│  ┌───────────────┐  ┌───────────────┐  ┌───────────────────────────┐    │
│  │    istiod     │  │   Citadel     │  │  Authorization Policy     │    │
│  │  (Pilot +     │  │  (Certificate │  │  Engine                   │    │
│  │   Config)     │  │   Authority)  │  │                           │    │
│  └───────────────┘  └───────────────┘  └───────────────────────────┘    │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
         Certificate distribution + Policy configuration
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                              Data Plane                                  │
│  ┌─────────────────────┐          ┌─────────────────────┐               │
│  │   Pod A             │  mTLS    │   Pod B             │               │
│  │  ┌───────┐ ┌──────┐ │◀────────▶│ ┌──────┐ ┌────────┐ │               │
│  │  │ App A │◀┤Envoy │ │          │ │Envoy ├▶│ App B  │ │               │
│  │  └───────┘ └──────┘ │          │ └──────┘ └────────┘ │               │
│  └─────────────────────┘          └─────────────────────┘               │
└─────────────────────────────────────────────────────────────────────────┘

Traffic flow:
1. App A sends request to App B
2. Request goes to local Envoy sidecar
3. Envoy encrypts request using mutual TLS with App B's identity
4. App B's Envoy receives request, verifies identity
5. Envoy checks AuthorizationPolicy: Is App A allowed to call this endpoint?
6. If authorized, request passes to App B; otherwise, denied

Istio AuthorizationPolicy example:

# Policy: Only allow frontend service to call the user service
# and only for specific paths with specific methods
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: user-service-policy
  namespace: production
spec:
  selector:
    matchLabels:
      app: user-service
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/production/sa/frontend-service"
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/users/*", "/api/auth/validate"]
  - from:
    - source:
        principals:
        - "cluster.local/ns/production/sa/admin-service"
    to:
    - operation:
        methods: ["GET", "POST", "PUT", "DELETE"]
        paths: ["/api/users/*", "/api/admin/*"]

This policy specifies:

Who can access: Only frontend-service and admin-service identities
What they can access: Specific paths and methods
Everything else: Implicitly denied

Istio Security Features for Micro-Segmentation

•Automatic mTLS — PeerAuthentication resources enforce mTLS mesh-wide. Every service-to-service connection is encrypted and authenticated.
•SPIFFE-based identity — Each workload gets a SPIFFE ID based on namespace and service account. No IP-based trust.
•Fine-grained authorization — AuthorizationPolicy supports L7 attributes: paths, methods, headers, JWT claims.
•Request-level logging — Envoy access logs capture every request with full context for auditing.
•Deny rules — Combine ALLOW and DENY policies for complex whitelisting and blacklisting scenarios.
•External authorization — Integrate with external authz services (OPA, custom services) for complex policy decisions.

eBPF-Based Alternatives

Segmentation Strategies

Not all workloads require the same level of segmentation. Strategic segmentation focuses the most controls on the most sensitive assets while maintaining manageable complexity.

Segmentation by sensitivity:

Segmentation Tiers by Data Sensitivity
Tier	Data Types	Segmentation Level	Example Workloads
Critical	Secrets, cryptographic keys, authentication stores	Maximum isolation, dedicated segments, MFA for all access	HSM, Vault, root CA, identity provider
Highly Sensitive	PII, financial data, health records	Strong segmentation, restricted access, encryption required	Customer DB, payment processing, patient records
Sensitive	Internal business data, non-public APIs	Standard micro-segmentation, authentication required	CRM data, analytics, internal tools
Internal	Non-sensitive internal services	Basic segmentation, internal identity required	Logging, metrics, internal dashboards
Public	Public content, static assets	Minimal segmentation, rate limiting	CDN content, public APIs, marketing site

Domain-driven segmentation:

Align micro-segmentation boundaries with business domain boundaries (bounded contexts from Domain-Driven Design):

┌─────────────────────────────────────────────────────────────────────────┐
│                         Domain Boundary Segmentation                     │
└─────────────────────────────────────────────────────────────────────────┘

  ┌──────────────────────┐  ┌──────────────────────┐  ┌─────────────────┐
  │   Payments Domain    │  │   Inventory Domain   │  │  Users Domain   │
  │  ┌────────────────┐  │  │  ┌────────────────┐  │  │  ┌───────────┐  │
  │  │Payment Service │  │  │  │Inventory Svc   │  │  │  │User Svc   │  │
  │  └───────┬────────┘  │  │  └───────┬────────┘  │  │  └─────┬─────┘  │
  │          │           │  │          │           │  │        │        │
  │  ┌───────▼────────┐  │  │  ┌───────▼────────┐  │  │  ┌─────▼─────┐  │
  │  │Payment DB      │  │  │  │Inventory DB    │  │  │  │User DB    │  │
  │  └────────────────┘  │  │  └────────────────┘  │  │  └───────────┘  │
  │                      │  │                      │  │                 │
  │  ┌────────────────┐  │  │  ┌────────────────┐  │  │  ┌───────────┐  │
  │  │Fraud Detection │  │  │  │Warehouse Svc   │  │  │  │Auth Svc   │  │
  │  └────────────────┘  │  │  └────────────────┘  │  │  └───────────┘  │
  └──────────────────────┘  └──────────────────────┘  └─────────────────┘
          │                          │                        │
          └──────────────────────────┼────────────────────────┘
                                     │
                          Cross-domain communication
                          requires explicit APIs and
                          strong authentication

Benefits of domain-aligned segmentation:

Services within a domain share context and can be more permissive
Cross-domain communication is strictly controlled through well-defined APIs
Aligns with team ownership—each team manages their domain's policies
Reduces policy complexity—fewer cross-domain dependencies to model

Environment Segmentation

Operational Considerations

Micro-segmentation adds security but also adds complexity. Successful implementations require careful operational planning.

Common Operational Challenges

•Policy debugging — When requests fail, is it a policy issue or an application bug? Detailed logging and tracing are essential.
•Policy management at scale — Thousands of services create policy complexity. Policy-as-code, version control, and testing are required.
•Performance overhead — Each hop through a proxy adds latency. Optimize sidecar resources and use connection pooling.
•Certificate management — mTLS requires certificate rotation, expiry handling, and root CA protection.
•Emergency access — When micro-segmentation blocks legitimate traffic, operators need break-glass procedures.
•Third-party integrations — External services may not support mTLS or identity-based auth. Plan for edge cases.

Best practices for operations:

1. Policy-as-code with CI/CD

policies/
├── base/
│   └── default-deny.yaml
├── domains/
│   ├── users/
│   │   └── user-service-policy.yaml
│   ├── payments/
│   │   └── payment-service-policy.yaml
│   └── catalog/
│       └── catalog-service-policy.yaml
└── kustomization.yaml

Treat policies like application code:

Version control all policies
Require code review for policy changes
Test policies in staging before production
Automate deployment through GitOps

2. Observability for security

Implement comprehensive observability:

Access logs for every request
Policy decision logs
Service topology visualization
Anomaly detection on traffic patterns

3. Gradual rollout strategy

Discover: Map all communication patterns
Define: Write policies based on discovered patterns
Monitor: Deploy in audit mode, validate no legitimate breakage
Enforce: Enable enforcement, start with least critical services
Expand: Gradually cover all services
Maintain: Continuously update policies as applications evolve

Break-Glass Procedures

Summary: Micro-Segmentation

Let's consolidate the key concepts of micro-segmentation for Zero Trust:

Key Takeaways

•Micro-segmentation contains blast radius — Each workload is its own trust boundary. Compromise of one doesn't cascade to others.
•Identity-based, not IP-based — Policies reference verified workload identities, not ephemeral network addresses.
•Default deny is essential — If not explicitly allowed, traffic is blocked. No implicit trust within segments.
•Multiple implementation approaches exist — Host-based, network-based, service mesh, and eBPF. Choose based on your environment.
•Service meshes excel for cloud-native — Istio, Linkerd, and Cilium provide transparent mTLS and fine-grained authorization.
•Dependency mapping precedes policy writing — Understand actual communication patterns before defining policies.
•Operational complexity is real — Invest in policy-as-code, observability, and break-glass procedures.
•Align with domain boundaries — Domain-driven segmentation balances security with manageable complexity.

What's next:

Page Complete