Network Segmentation in Zero Trust
Zero-trust networking ends ‘inside the firewall = trusted.’ The patterns are well-known; the discipline is the gap.
Why ZT networking
Old: trust based on network location. New: trust based on identity + posture per request.
Default-deny is the baseline; allow is explicit.
Four components
1. Workload identity.
2. Per-service authorization.
3. mTLS between services.
4. Continuous policy enforcement.
Migration pattern
Phase 1: workload identity (SPIFFE/SPIRE, or the platform's native workload identity).
Phase 2: mTLS between services.
Phase 3: per-service authz policies.
Phase 4: deprecate VPN-trust.
Policy engine
Open Policy Agent (OPA), Cilium NetworkPolicy, Istio AuthorizationPolicy.
Each enforces declared policy; engineers ship policy as code.
Antipatterns
- Default-allow with hand-picked exceptions. One compromised workload = free lateral movement.
- Identity without authorization. Authn without authz: the peer is verified, then anything verified is allowed.
- Manual policy updates. Policy drifts from what is actually running; ship it as code instead.
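Added example, not from the original note, of the policy-engine section and the default-allow antipattern in Istio terms: PeerAuthentication STRICT turns on mTLS (phase 2) and gives every peer a SPIFFE identity from its service account (phase 1), an empty AuthorizationPolicy makes the namespace default-deny, and a second policy is the explicit per-service allow (phase 3). The namespaces `payments` and `checkout`, the service account `checkout`, the label `app: payments-api` and the path `/v1/charge` are constructed placeholders.

```yaml
# Phase 2: require mTLS for every workload in the namespace. With mTLS on,
# each peer presents a SPIFFE identity derived from its service account,
# which is the workload identity (phase 1) the allow rule below keys on.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments            # constructed namespace
spec:
  mtls:
    mode: STRICT
---
# Default-deny: an AuthorizationPolicy with an empty spec selects every
# workload in the namespace and matches no request, so nothing is allowed
# until a rule says so. Without this object the mesh is default-allow.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# Phase 3: the explicit allow, scoped to one service, one caller identity,
# one method and one path. Everything else stays denied by the policy above.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-checkout-to-payments-api
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments-api          # constructed label on the target workload
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE ID of the caller: <trust-domain>/ns/<namespace>/sa/<service-account>
        principals: ["cluster.local/ns/checkout/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/charge"]    # constructed path
```

Apply all three with kubectl apply -f; a caller with any other service account receives "RBAC: access denied" from the sidecar, and a rise in those denials after rollout is the before/after signal worth measuring.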
What to do this week
Three moves. (1) Apply this pattern to your highest-risk network path. (2) Measure the failure-mode rate before and after. (3) Document the change so the next incident responder inherits the knowledge.