Network Segmentation in Zero Trust
Zero-trust networking ends 'inside the firewall = trusted.' The patterns are well known; the discipline is the gap.
Why ZT networking
Network location stopped being a useful trust signal once attackers learned to land inside the perimeter. Zero trust replaces 'where' with 'who and what'.
- Old model. Trust based on network location; inside the firewall meant trusted, outside meant not.
- New model. Trust based on workload identity plus posture, evaluated per request.
- Default-deny. Nothing talks to anything until a policy allows it explicitly.
- Lateral movement. The point of ZT is to stop a compromised pod becoming a compromised cluster.
Four components
1. Workload identity.
2. Per-service authorization.
3. mTLS between services.
4. Continuous policy enforcement.
Migration pattern
Zero trust is a multi-quarter migration, not a project. Sequencing matters: identity first, then transport, then authorization, and only then does perimeter trust come off.
- Phase 1: identity. SPIFFE/SPIRE or cloud workload identity; every service has a signed identity.
- Phase 2: mTLS. Service mesh or platform-level mTLS between services; transport now authenticated.
- Phase 3: authz. Per-service AuthorizationPolicy; default-deny baseline, explicit allows for known callers.
- Phase 4: deprecate VPN-trust. Remove the implicit 'inside the VPC = trusted' assumption from app code and access tooling.
Policy engine
The policy engine is where intent meets enforcement. Pick by where most of your traffic flows; the right answer is rarely a single tool.
- OPA. Generic policy-as-code; fits API gateways, admission controllers, and custom enforcement points.
- Cilium NetworkPolicy. L3/L4 plus L7 enforcement at the eBPF layer; fastest path on Kubernetes.
- Istio AuthorizationPolicy. L7 enforcement at the service-mesh sidecar; richest semantics for service-to-service.
- Policy as code. Whichever engine, policies live in git, reviewed like code; no console-driven exceptions.
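The Phase 3 baseline above (default-deny, explicit allows for known callers) expressed as Istio AuthorizationPolicy, as an added example that is not from the original page or the Istio project: it assumes a namespace named payments, a checkout service calling a ledger service, and Istio-issued SPIFFE identities of the form cluster.local/ns/<namespace>/sa/<serviceaccount>.

```yaml
# Namespace-wide default-deny. An AuthorizationPolicy with an empty spec
# (no rules) matches every workload in the namespace and allows nothing,
# so every request is rejected until an explicit ALLOW policy matches it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny
  namespace: payments          # assumed namespace
spec: {}
---
# Phase 2 prerequisite: require mTLS so the caller principal in the allow
# rule below is cryptographically verified rather than self-asserted.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: strict-mtls
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# Explicit allow for one known caller: only the checkout service account
# may reach the ledger workload, and only for POST /v1/transfers.
# Any other principal, method or path still falls through to default-deny.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger              # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity of the checkout service account (assumed name)
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/transfers"]
```

Apply the default-deny first and confirm traffic breaks as expected before adding allows; an allow policy that is never exercised is the easiest way to discover the selector or principal is wrong only during an incident.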
Antipatterns
- Default-allow with whitelist exceptions. A single compromised workload becomes lateral movement.
- Identity without authorization. Authenticating the caller without checking what it is allowed to do.
- Manual policy updates. Enforced policy drifts away from intent.
What to do this week
Three moves. (1) Apply this pattern to your highest-risk network path. (2) Measure the rate of the failure mode before and after. (3) Document the change so the next incident responder inherits the knowledge.