Network segments often reflect history: an office, a platform, a subnet that had available address space. Those boundaries may simplify routing while doing little to contain an attacker. Security segmentation needs a different organizing principle.
Group by impact and trust
Identify systems that can change production, issue identity, access regulated data, manage backups, or control security tooling. Their compromise has a different consequence from a general application workload, so they should not share the same reachability assumptions.
Then map the communication that is actually required. Record source identity or workload, destination service, protocol, purpose, and owner. “Internal network” is not a purpose.
Control identity and network together
A network rule can limit where traffic travels; application and workload identity determine who is allowed to act. Use both. A reachable service should still authenticate the caller, and a valid identity should not create unrestricted network reach.
Segmentation is successful when one compromised component has fewer meaningful next moves.
Start with high-consequence paths
Perfect microsegmentation across an entire estate is a long project. Begin with administration, identity, build systems, recovery infrastructure, and sensitive data. Restrict management protocols and require controlled access paths with strong authentication and logging.
For application tiers, observe current flows before enforcing. Classify unexplained traffic instead of automatically approving it. A clean policy is useful only if the service can still operate and responders can understand exceptions.
Test the boundary
Configuration review does not prove isolation. From representative workloads, verify that approved flows work and prohibited paths fail. Monitor denied traffic for both attack signals and broken assumptions. Review rules when services change, not only during an annual cleanup.
The diagram may still show subnets and zones. The security model should show consequences, permitted relationships, and the controls that make lateral movement a series of difficult decisions instead of one flat network.