Advanced Network Segmentation Strategies in Modern Cloud Infrastructures

Abstract

Modern digital infrastructures, characterized by the pervasive adoption of cloud computing, containerization, serverless architectures, and multi-cloud deployments, present an unprecedented attack surface. Traditional perimeter-centric security models, once foundational, are now demonstrably insufficient against sophisticated, agile threats that leverage lateral movement within supposedly trusted networks. This comprehensive report meticulously examines advanced network segmentation as a pivotal strategy for enhancing security, optimizing performance, and simplifying manageability within these complex, dynamic environments. We delve into the intricacies of micro-segmentation, exploring its application across virtualized, containerized, and serverless workloads, and detailing the diverse implementation mechanisms ranging from host-based controls to sophisticated Software-Defined Networking (SDN) overlays and cloud-native constructs. The report then elaborates on the paradigm shift introduced by Zero Trust Network Access (ZTNA) principles, demonstrating how ZTNA not only complements but fundamentally transforms segmentation by enforcing continuous verification and least-privilege access at every interaction point. We further investigate the role of SDN in providing the agility and programmatic control essential for dynamic segmentation in cloud environments, alongside the formidable challenges and strategic approaches for achieving consistent cross-cloud and hybrid-cloud segmentation. The critical function of Network Detection and Response (NDR) tools in providing unparalleled visibility into segmented traffic, enabling proactive threat detection, and facilitating rapid incident response, is also thoroughly analyzed. Finally, the report addresses the significant architectural considerations and multifaceted operational challenges inherent in deploying and maintaining effective, scalable, and resilient segmentation strategies across diverse, often federated, infrastructures, offering insights into best practices for overcoming these hurdles in an era of relentless digital transformation.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

1. Introduction

The digital landscape has undergone a profound transformation, moving away from monolithic applications hosted within well-defined, on-premises perimeters towards highly distributed, agile, and often ephemeral workloads spanning multiple cloud providers and hybrid infrastructures. This shift, driven by the imperatives of innovation, scalability, and cost efficiency, has fundamentally altered the security equation. The notion of a ‘trusted’ internal network, once a cornerstone of enterprise security, has dissolved, giving way to an environment where every workload, user, and device is a potential point of compromise. The proliferation of containerized applications, serverless computing functions, and intricate multi-cloud deployments has exposed the critical inadequacies of traditional, coarse-grained perimeter security models.

In this dynamic and adversarial environment, network segmentation emerges not merely as a beneficial practice, but as an indispensable, foundational security strategy. Its core objective is to dismantle the flat networks that enable rapid lateral movement of threats, thereby confining the ‘blast radius’ of any security incident to the smallest possible scope. Beyond its primary security benefits, effective segmentation simultaneously enhances network performance by optimizing traffic flow and resource utilization, and simplifies complex network management by isolating operational issues. This report undertakes an in-depth exploration of advanced segmentation techniques, dissecting their theoretical underpinnings, practical implementation strategies, and their critical integration into the fabric of modern cloud-native and hybrid IT infrastructures. By examining the synergy between these advanced techniques and emerging security paradigms, we aim to provide a comprehensive understanding of how organizations can construct robust, resilient, and adaptive security architectures fit for the demands of the twenty-first century.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

2. Network Segmentation: A Foundation for Security and Performance

Network segmentation, at its essence, is the practice of dividing a computer network into smaller, distinct, and logically isolated segments or subnetworks. This fundamental architectural principle, while not new, has evolved dramatically in its application and sophistication to address the complexities of modern IT environments. The primary driver behind segmentation is to create granular control points within the network, effectively enforcing boundaries that restrict communication flows and contain potential security breaches.

2.1 Core Advantages of Network Segmentation

The benefits derived from implementing a well-designed segmentation strategy are multifaceted and extend beyond mere security:

• Enhanced Security Posture and Reduced Attack Surface: By separating critical systems, sensitive data stores, and various user groups into distinct segments, organizations drastically reduce the attack surface available to potential adversaries. In the event of a breach, segmentation acts as a crucial barrier, preventing attackers from easily moving laterally across the network to access high-value assets. This containment significantly limits the ‘blast radius’ of a successful compromise, transforming what could be a widespread data exfiltration or system takeover into an isolated incident. For instance, an attacker gaining access to a non-critical web server in one segment would be prevented from directly reaching a database server in another, highly restricted segment, without first bypassing specific segmentation controls ([akamai.com]).

• Improved Compliance and Regulatory Adherence: Many regulatory frameworks and industry standards, such as PCI DSS (for credit card data), HIPAA (for healthcare information), GDPR (for personal data protection), and ISO 27001, mandate strict controls over access to sensitive data and systems. Network segmentation provides a robust mechanism for achieving these compliance objectives by ensuring that specific data types and the systems processing them are isolated, and access is rigorously controlled and auditable. This isolation demonstrates due diligence and simplifies the scope of compliance audits for particular segmented environments.

• Optimized Network Performance and Reduced Congestion: Segmentation effectively reduces broadcast domains, leading to a decrease in unnecessary network traffic and broadcast storm impacts. By logically separating departments, applications, or workload types, traffic flows can be localized within segments, minimizing congestion on core network infrastructure. This optimization can lead to improved application response times and more efficient use of network bandwidth, particularly beneficial in high-traffic or latency-sensitive environments.

• Simplified Network Management and Troubleshooting: When network issues arise, segmentation helps to localize the problem to a specific segment, significantly narrowing down the scope for troubleshooting. Instead of sifting through logs and traffic across an entire sprawling network, administrators can focus their efforts on the affected segment, leading to quicker identification and resolution of faults. This also facilitates more organized network administration and policy enforcement.

• Support for Governance and Policy Enforcement: Segmentation enables organizations to apply specific security policies, quality-of-service (QoS) settings, and access controls tailored to the unique requirements of each segment. This granular control ensures that different business units or applications can operate under distinct operational and security mandates without impacting others.

2.2 Traditional Segmentation Methods: VLANs and Subnets

Historically, network segmentation has been primarily achieved through two foundational methods:

2.2.1 Virtual Local Area Networks (VLANs)

VLANs provide a method for logically segmenting a network at Layer 2 (Data Link Layer) of the OSI model, within the same physical infrastructure. A single physical switch or set of interconnected switches can host multiple VLANs, effectively creating several distinct broadcast domains. Devices within the same VLAN can communicate directly, while communication between different VLANs typically requires a Layer 3 device, such as a router or a Layer 3 switch, which enforces routing policies.

• How they work: VLANs are implemented by tagging Ethernet frames with a VLAN ID (using IEEE 802.1Q standard). Network devices (switches) read this tag to determine which VLAN a frame belongs to and forward it only to ports assigned to that same VLAN. This creates logical separation even if physical cables are connected to the same switch. For example, a Human Resources department might be assigned to VLAN 10, while the Finance department is assigned to VLAN 20. Users in VLAN 10 cannot directly communicate with users in VLAN 20 without traffic passing through a router configured with specific access control lists (ACLs).
• Strengths: VLANs are cost-effective to deploy as they leverage existing physical hardware, provide good isolation for moderate security requirements, and reduce broadcast traffic. They are widely supported across enterprise networking equipment.
• Limitations: While effective for coarse-grained segmentation, VLANs can become administratively complex in large, dynamic environments with hundreds or thousands of VLANs. They offer limited granularity, typically segmenting at the departmental or application tier level, not down to individual workloads. Furthermore, if a compromise occurs within a VLAN, an attacker still has unimpeded lateral movement across all other systems within that same VLAN. This ‘flatness’ within a VLAN makes them less suitable for highly sensitive environments requiring fine-grained control.

2.2.2 Subnets

Subnets operate at Layer 3 (Network Layer) and divide an IP network address space into smaller logical groups. Each subnet is assigned a unique range of IP addresses. Devices within the same subnet can communicate directly via Layer 2, but communication between different subnets requires routing through a Layer 3 device.

• How they work: Subnets are defined by an IP address and a subnet mask. The subnet mask determines which part of the IP address identifies the network segment and which part identifies the host within that segment. By configuring routers to forward traffic only between approved subnets, administrators can enforce segmentation policies. For instance, a /24 subnet might represent a server farm, while another /24 represents user workstations.
• Strengths: Subnets are fundamental to IP networking and are straightforward to implement and understand. They enforce clear Layer 3 boundaries and facilitate efficient IP address management. Routing between subnets provides natural enforcement points for security policies (e.g., firewall rules).
• Limitations: Similar to VLANs, subnets provide relatively coarse-grained segmentation. Their effectiveness relies heavily on the careful configuration of routers and firewalls. In cloud environments, where IP addresses and network topology are highly dynamic, managing static subnet-based segmentation can be challenging and prone to misconfiguration. They do not intrinsically offer granular control down to individual workloads or applications within a given subnet.

Both VLANs and subnets have proven effective in traditional data center architectures but face significant limitations in the context of highly dynamic, virtualized, containerized, and multi-cloud environments. The need for more granular, automated, and identity-aware segmentation has driven the evolution towards advanced techniques, which are discussed in the subsequent sections ([geeksforgeeks.org]).

Many thanks to our sponsor Esdebe who helped us prepare this research report.

3. Micro-Segmentation: Granular Security in Cloud Environments

Micro-segmentation represents a revolutionary advancement in network security, moving beyond the traditional, broad network boundaries of VLANs and subnets to create secure zones around individual applications, workloads, or even specific processes. This approach dramatically enhances the granularity of security, enabling the enforcement of highly specific, dynamic security policies tailored to the unique communication requirements of each resource. Its effectiveness is particularly pronounced in cloud environments, where workloads are inherently dynamic, ephemeral, and distributed, rendering static, perimeter-based defenses obsolete.

3.1 Principles and Evolution

Traditional segmentation focuses on ‘north-south’ traffic (traffic entering or leaving the data center/network) and creating large, relatively static segments. Micro-segmentation, by contrast, targets ‘east-west’ traffic (traffic flowing between workloads within the data center or cloud). It operates on the principle of ‘default deny,’ meaning all communication is blocked unless explicitly permitted by a defined policy, thereby enforcing the principle of least privilege at a microscopic level ([en.wikipedia.org/wiki/Microsegmentation_%28network_security%29]).

The evolution of computing from physical servers to virtual machines (VMs), then to containers and serverless functions, necessitated this shift. In a virtualized environment, multiple VMs reside on the same physical host, bypassing traditional physical network controls. Containers and serverless functions further abstract the infrastructure, making individual workload identification and policy enforcement crucial.

3.2 Key Implementation Techniques

Micro-segmentation can be implemented through various technologies and approaches, often in combination:

3.2.1 Host-Based Firewalls and Agents

This technique involves deploying security agents or leveraging native operating system firewalls on individual hosts (VMs, containers, physical servers) to enforce communication policies. The firewall rules are configured directly on the workload itself.

• Mechanism: For Linux systems, iptables or nftables are common examples; for Windows, the Windows Defender Firewall is used. Vendor-specific micro-segmentation solutions often deploy lightweight agents that integrate with the OS firewall or implement their own kernel-level packet filtering. These agents identify the workload and apply policies based on predefined rules (e.g., ‘web server A can only talk to database server B on port 3306’).
• Strengths: Provides highly granular control directly at the workload level, independent of underlying network topology. Effective for controlling east-west traffic. Relatively straightforward for small-scale deployments. Can apply policies based on workload identity rather than just IP addresses.
• Limitations: Management complexity scales rapidly with the number of hosts; manual configuration is impractical for large environments. Requires agents to be installed and maintained on every workload, which can introduce overhead and compatibility issues. Policy consistency can be challenging across diverse operating systems and cloud environments without a centralized orchestration layer.

3.2.2 Software-Defined Networking (SDN) Overlays and Network Virtualization

SDN-based solutions decouple the network control plane from the data plane, allowing for centralized, programmatic management of network policies. In the context of micro-segmentation, SDN platforms create virtual overlay networks that abstract the underlying physical infrastructure.

• Mechanism: Platforms like VMware NSX-T, Cisco ACI, or open-source solutions such as OpenStack Neutron, create virtual networks where policy enforcement points (e.g., distributed firewalls or virtual routers) are deployed at the edge of each workload (e.g., VM vNIC, container interface). The SDN controller centrally defines policies based on attributes like application tags, security groups, or user roles. These policies are then pushed down to the distributed enforcement points, which sit directly in the data path of the workloads. For example, NSX-T’s distributed firewall can enforce rules between VMs on the same host, without traffic ever leaving the host’s kernel ([vmware.com/products/nsx.html]).
• Strengths: Offers exceptional granularity and scalability, capable of segmenting thousands of workloads. Centralized policy management simplifies operations and ensures consistency. Policies can be dynamic, adapting to workload migrations or changes in application topology. Decouples security from the underlying physical network, enabling greater agility.
• Limitations: Requires significant investment in specialized SDN infrastructure and expertise. Can introduce complexity in design and deployment, especially in brownfield environments. Integration with existing physical networks and troubleshooting can be challenging.

3.2.3 Cloud-Native Security Constructs

Public cloud providers offer a suite of built-in security features that can be leveraged for micro-segmentation, albeit with some provider-specific nuances.

• Mechanism:
  • Security Groups (e.g., AWS, Azure, GCP): These act as virtual firewalls at the instance level (EC2 instances, Azure VMs) or network interface level, controlling inbound and outbound traffic. Rules are defined based on IP addresses, port numbers, and sometimes other security groups. For example, an AWS EC2 instance can be part of a ‘Web Tier Security Group’ which only allows ingress from a ‘Load Balancer Security Group’ and egress to a ‘Database Tier Security Group’ on specific ports.
  • Network Access Control Lists (NACLs) (e.g., AWS): Stateless firewalls at the subnet level, providing another layer of defense. NACLs can be used to block specific IPs or ports for an entire subnet.
  • VPC/VNet Flow Logs (e.g., AWS VPC Flow Logs, Azure Network Watcher Flow Logs): Provide detailed visibility into network traffic, crucial for validating segmentation policies and detecting anomalies.
  • Service Mesh (e.g., Istio, Linkerd): For containerized microservices architectures, a service mesh operates at the application layer (Layer 7). It intercepts and controls communication between services, enforcing policies based on service identity rather than network constructs. This offers true application-level micro-segmentation, even if services are in the same network segment. Policies can dictate which service can call which other service, on what methods, and with what authentication.
• Strengths: Deeply integrated with the cloud platform, leveraging native capabilities for often seamless deployment and management. Cost-effective as they are built-in features. Inherently scalable with cloud resources. Service meshes provide the highest level of application-aware segmentation.
• Limitations: Policies can be disparate across different cloud providers, leading to operational complexity in multi-cloud environments. Security groups are stateful, while NACLs are stateless, requiring careful design. Service mesh requires application-level changes or sidecar injection and can add performance overhead and operational complexity if not managed well ([nist.gov]).

3.2.4 Identity-Based Policies

Moving beyond IP addresses and ports, modern micro-segmentation increasingly relies on identity for policy enforcement. This means policies are defined based on the identity of the workload (e.g., ‘all production web servers’), the user (e.g., ‘developers’), or the application component, regardless of its IP address or location.

• Mechanism: This requires a mechanism to discover and tag workloads with their identities. Agents or SDN controllers can assign tags (e.g., ‘environment:production’, ‘application:ERP’, ‘role:database’) to VMs or containers. Policies are then written using these tags (e.g., ‘allow traffic from application:frontend to application:backend on port 8080′). This provides logical grouping and policy consistency even as IP addresses change dynamically.
• Strengths: Highly resilient to IP address changes, making it ideal for dynamic cloud environments. Simplifies policy management by abstracting away network details. Directly aligns with the Zero Trust principle of ‘identity is the new perimeter.’
• Limitations: Requires robust tagging strategies and lifecycle management. Can be challenging to implement in heterogeneous environments without a unified identity management system.

3.3 Benefits of Micro-Segmentation

• Profoundly Reduced Attack Surface: By creating per-workload or per-application security boundaries, micro-segmentation dramatically shrinks the attack surface. An attacker gaining a foothold in one segment finds their lateral movement severely restricted, preventing them from easily reaching other critical assets.
• Enhanced Compliance and Auditing: The granular control offered by micro-segmentation makes it easier to demonstrate adherence to regulatory requirements for data isolation (e.g., PCI DSS scope reduction, HIPAA data segregation). Policy enforcement points provide detailed logs for auditing, showing exactly what communication was allowed or denied.
• Improved Threat Containment: In the event of a breach, micro-segmentation prevents malware or unauthorized access from spreading rapidly across the network. This containment minimizes the potential damage and simplifies incident response efforts.
• Greater Operational Agility: By decoupling security policies from the underlying network topology, organizations can deploy, scale, and move workloads with greater flexibility without requiring extensive network reconfigurations.
• Superior Visibility: Micro-segmentation solutions often provide detailed insights into east-west traffic patterns that were previously opaque. This visibility is invaluable for understanding application dependencies, identifying anomalous behavior, and validating security policies ([akamai.com]).

While offering significant advantages, the implementation of micro-segmentation demands careful planning, a clear understanding of application dependencies, and robust policy management to avoid creating overly complex or restrictive environments.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

4. Zero Trust Network Access (ZTNA): A Paradigm Shift in Security

Zero Trust is not merely a technology but a fundamental security philosophy, often summarized by the mantra ‘never trust, always verify.’ It represents a radical departure from traditional perimeter-based security models, which inherently trust users and devices once they are inside the corporate network. ZTNA, as an implementation of Zero Trust principles, extends this concept by requiring continuous verification of trust for every user, device, and workload attempting to access resources, regardless of their network location. This paradigm shift enforces strict access controls and relentless monitoring throughout the access lifecycle ([crowdstrike.com]).

4.1 Evolution from Traditional Security to Zero Trust

Traditionally, security was like a castle-and-moat defense: strong perimeter defenses (firewalls, VPNs) protected a supposedly ‘trusted’ internal network. Once inside, users and devices often had broad access. This model crumbles in the face of cloud adoption, remote work, and sophisticated attackers who inevitably breach perimeters or originate from within.

Zero Trust, first coined by Forrester Research in 2010, posits that no user or device should be implicitly trusted, even if they are already on the internal network. Every access request must be authenticated, authorized, and continuously monitored based on context. This applies to north-south traffic (access from outside to inside) as well as east-west traffic (internal communications).

4.2 Core Principles of ZTNA

The implementation of ZTNA is guided by several key tenets:

• Least-Privilege Access: This principle dictates that users and devices are granted only the minimum level of access necessary to perform their legitimate tasks, and no more. Access rights are narrow and specific, reducing the potential impact of a compromised credential or device.

• Continuous Authentication and Authorization: Trust is never static. ZTNA systems continuously verify the identity of users and the security posture of devices (e.g., patch level, anti-malware status, geographic location) before and during resource access. If context changes (e.g., device health degrades, user location becomes suspicious), access can be revoked or escalated for re-authentication.

• Micro-Segmentation: As discussed in Section 3, micro-segmentation is a cornerstone of Zero Trust. By creating granular security boundaries around individual applications and workloads, ZTNA ensures that even if an authorized user or device gains access to one resource, their ability to move laterally to other, unauthorized resources is severely restricted. This prevents lateral movement by containing breaches.

• Context-Aware Policy Enforcement: Access decisions are not static but dynamic, based on multiple contextual factors, including user identity, device posture, location, time of day, application sensitivity, and the specific data being accessed. This allows for highly adaptive and intelligent access control.

• End-to-End Encryption: All communications, both north-south and east-west, are encrypted to protect data in transit, preventing eavesdropping and tampering.

• Continuous Monitoring and Logging: All access attempts and network activities are meticulously logged and continuously monitored for anomalous behavior. This provides crucial visibility for threat detection, incident response, and compliance auditing.

4.3 ZTNA Architecture and Implementation

ZTNA solutions typically involve several components:

• Identity Provider (IdP): Integrates with existing identity management systems (e.g., Okta, Azure AD) for user authentication.
• Policy Engine/Controller: The brain of the ZTNA system, which evaluates access requests against predefined, context-aware policies.
• Access Proxy/Gateway: Sits between the user/device and the protected resource, enforcing policies from the controller and brokering secure, encrypted connections. These proxies are often cloud-based (Security Service Edge, SSE).
• Endpoint Agents: Optional agents on devices collect posture information (e.g., OS version, firewall status, presence of EDR software) to feed into the policy engine.

There are generally two models for ZTNA:

1. Client-Initiated ZTNA: An agent on the user’s device establishes an encrypted tunnel to a ZTNA gateway, which then connects to the requested application. Access is established on a per-application basis, not a network segment.
2. Service-Initiated ZTNA: The application itself connects outbound to the ZTNA gateway, creating a ‘dark’ service that is not exposed to the internet. Users connect to the gateway, and the gateway brokers the connection to the application. This model is common for securing cloud workloads.

4.4 Integration with Network Segmentation

ZTNA and network segmentation are highly complementary strategies that reinforce each other to create a robust security posture:

• Policy Enforcement within Segments: ZTNA provides the framework for enforcing granular, identity-based access controls within each network segment created by micro-segmentation. While micro-segmentation defines the boundaries and allowed communication paths, ZTNA dictates who (user/device identity and context) can traverse those paths and to what specific resources.

• Dynamic Access Control: ZTNA’s continuous authentication and authorization capabilities make network segmentation policies dynamic. For instance, if a device’s security posture degrades, ZTNA can instantly revoke its access to certain segments or resources, even if it was previously permitted.

• Eliminating Implicit Trust: Combining ZTNA with micro-segmentation means that even if an attacker manages to compromise a segment, they still face identity and context-based barriers to access individual workloads within that segment, as well as to move to other segments. The principle of ‘never trust, always verify’ is applied uniformly.

• Enhanced Visibility and Auditing: ZTNA solutions provide detailed logs of every access attempt, including user identity, device posture, and resource accessed. When combined with NDR insights from segmented traffic, this offers unparalleled visibility for security operations and compliance audits.

By integrating ZTNA principles with micro-segmentation, organizations can construct a resilient security architecture that effectively addresses both external threats and the often more insidious risks of internal lateral movement. This holistic approach is critical for securing hybrid and multi-cloud environments where the traditional network perimeter has become largely irrelevant ([zscaler.com]).

Many thanks to our sponsor Esdebe who helped us prepare this research report.

5. Software-Defined Networking (SDN): Dynamic and Programmable Network Management

Software-Defined Networking (SDN) represents a revolutionary architectural approach to network management that fundamentally decouples the network’s control plane (which makes decisions about where traffic is sent) from the data plane (which forwards the actual traffic). This separation allows for centralized, dynamic, and programmable control over network infrastructure, moving away from the static, device-centric configurations of traditional networking. In the context of network segmentation, SDN provides the agility, automation, and centralized policy enforcement capabilities that are essential for implementing advanced segmentation techniques like micro-segmentation, especially in dynamic cloud environments ([sciencedirect.com/topics/computer-science/network-segmentation]).

5.1 The Architecture of SDN

SDN typically comprises three architectural layers:

1. Application Layer: Contains network applications that communicate their requirements to the control layer. These can include security applications, load balancers, traffic engineering tools, and orchestration systems.
2. Control Layer (SDN Controller): The central intelligence of the SDN architecture. The controller maintains a global view of the network, translates application requirements into network policies, and communicates these policies to the data plane. It often uses open protocols like OpenFlow to interact with network devices.
3. Data Layer (Forwarding Plane): Consists of the physical or virtual network devices (switches, routers) that forward data packets based on instructions received from the control layer. These devices become simple forwarding elements, executing policies rather than making complex routing decisions themselves.

The key enabler is the programmatic interface (Application Programming Interface – API) between these layers. Northbound APIs allow applications to communicate with the controller, while Southbound APIs (e.g., OpenFlow) allow the controller to program the data plane devices.

5.2 SDN’s Role in Dynamic Network Segmentation

SDN’s centralized control and programmatic nature offer significant advantages for implementing and managing network segmentation:

• Centralized Policy Management and Orchestration: An SDN controller acts as a single point of truth for defining and managing network segmentation policies across the entire infrastructure. Instead of configuring ACLs on individual routers and firewalls, administrators define policies centrally. This drastically reduces the risk of misconfigurations, ensures consistency, and simplifies auditing.

• Dynamic Segmentation and Automation: In traditional networks, creating or modifying segments is a manual, often time-consuming process involving reconfiguring multiple network devices. SDN enables dynamic segmentation, allowing network segments to be created, modified, or decommissioned in real-time, often automatically, in response to application deployments, workload migrations, or changes in security requirements. For example, when a new VM or container is provisioned, the SDN controller can automatically apply appropriate segmentation policies based on its tags or attributes, without human intervention.

• Network Virtualization and Overlay Networks: SDN is fundamental to network virtualization, where logical networks (overlay networks) are created on top of the physical underlay infrastructure. Technologies like VXLAN (Virtual Extensible LAN) allow for the creation of virtual networks that span multiple physical data centers or cloud regions. Within these virtual networks, SDN controllers can deploy distributed firewalls or virtual routers that provide highly granular segmentation at the virtual network interface level, as seen in solutions like VMware NSX-T or Cisco ACI.

• Context-Aware and Identity-Based Policies: SDN controllers can integrate with identity management systems and orchestration platforms to create segmentation policies based on workload identity, application tags, user roles, or security posture, rather than just IP addresses. This aligns perfectly with micro-segmentation and Zero Trust principles, enabling policies like ‘allow all finance applications to communicate with the central database on port 1433’ regardless of their underlying IP addresses.

• Enhanced Visibility and Troubleshooting: With a centralized view of the network and all traffic flows, SDN controllers can provide comprehensive telemetry and flow data. This granular visibility is crucial for validating segmentation policies, detecting anomalies, and quickly troubleshooting connectivity issues within and between segments.

5.3 Specific SDN Implementations for Segmentation

• VMware NSX-T: A leading network virtualization and security platform that uses SDN principles to deliver micro-segmentation for virtual machines, containers, and bare-metal workloads. Its distributed firewall enforces policies at the vNIC of each VM, providing extremely granular control over east-west traffic within the hypervisor layer.
• Cisco Application Centric Infrastructure (ACI): An SDN solution designed for data centers, ACI uses a policy-driven approach to automate network configuration and segmentation. It defines policies based on ‘Endpoint Groups’ (EPGs), which are logical groupings of workloads with similar security or network requirements, abstracting the underlying network details.
• Cloud Provider SDN (e.g., AWS VPC, Azure VNet, Google Cloud VPC): Public cloud providers leverage SDN principles extensively to create their virtual networking constructs. For instance, AWS VPCs, subnets, Security Groups, and NACLs are all managed through a highly programmable, API-driven SDN backend, allowing users to define segmentation policies with great flexibility.

By centralizing control, automating policy deployment, and abstracting the underlying infrastructure, SDN transforms network segmentation from a cumbersome, static process into a dynamic, agile, and highly scalable security capability. This makes it an indispensable technology for deploying and managing advanced segmentation strategies in complex, modern IT environments ([catonetworks.com]).

Many thanks to our sponsor Esdebe who helped us prepare this research report.

6. Cross-Cloud and Hybrid-Cloud Segmentation Strategies: Bridging the Divide

As organizations increasingly adopt multi-cloud and hybrid-cloud strategies, the challenge of maintaining consistent and effective network segmentation across disparate environments becomes paramount. While each cloud provider offers its own native segmentation tools (e.g., AWS Security Groups, Azure Network Security Groups, Google Cloud Firewall Rules), managing these distinct sets of policies across multiple platforms, often alongside on-premises data centers, introduces significant complexity, potential for misconfigurations, and compliance gaps. Cross-cloud segmentation aims to unify these efforts, ensuring a cohesive and robust security posture regardless of where workloads reside ([nist.gov]).

6.1 The Complexities of Multi-Cloud Environments

Multi-cloud adoption is driven by various factors, including avoiding vendor lock-in, leveraging best-of-breed services, meeting geographical redundancy requirements, and compliance. However, this distributed model creates unique challenges for segmentation:

• Disparate Toolsets and APIs: Each cloud provider has its own unique networking and security constructs, APIs, and management consoles. This leads to operational silos and a steep learning curve for security teams.
• Inconsistent Security Models: The implementation of firewalls, routing, and identity management varies significantly across clouds, making it difficult to apply a single, overarching security policy.
• Visibility Gaps: Gaining a unified view of network traffic and security events across multiple clouds and on-premises environments is challenging, hindering effective monitoring and incident response.
• Policy Sprawl: Managing thousands of individual security group rules or firewall policies across different cloud accounts and subscriptions becomes unmanageable, increasing the likelihood of errors.
• Network Latency and Performance: Secure communication between clouds often involves VPN tunnels or direct connect services, which can introduce latency and bandwidth constraints.
• Compliance Fragmentation: Demonstrating compliance across different cloud providers, each with potentially different interpretations of regulatory requirements and shared responsibility models, is a significant hurdle.

6.2 Strategies for Unified Cross-Cloud Segmentation

Effective cross-cloud segmentation requires a strategic approach that leverages a combination of native cloud capabilities, third-party solutions, and consistent architectural patterns.

6.2.1 Leveraging Cloud-Native Segmentation with Centralized Management

The foundational step involves utilizing each cloud provider’s inherent segmentation capabilities:

• AWS: VPCs (Virtual Private Clouds) for isolated network environments, Security Groups for instance-level firewalls, Network ACLs for subnet-level stateless firewalls, and AWS Transit Gateway for centralizing routing between multiple VPCs and on-premises networks. AWS Organizations and Service Control Policies (SCPs) can enforce guardrails across accounts.
• Azure: Virtual Networks (VNets) for isolated environments, Network Security Groups (NSGs) for VM-level firewalls, Application Security Groups (ASGs) for grouping VMs with similar security policies, and Azure Virtual WAN for simplified multi-cloud connectivity.
• Google Cloud: VPCs for global networks, Firewall Rules for instance-level or network-level traffic control, and Shared VPCs for centralizing network management for multiple projects.

To manage these native tools consistently, organizations can employ:

• Infrastructure as Code (IaC): Tools like Terraform, CloudFormation, Azure Resource Manager, or Google Cloud Deployment Manager allow for defining network and security configurations programmatically. This ensures consistency, repeatability, and version control across different environments.
• Cloud Security Posture Management (CSPM) Tools: These tools continuously monitor cloud configurations against security benchmarks and compliance standards, identifying misconfigurations in segmentation policies across multiple clouds.

6.2.2 Third-Party Cloud Security Platforms and Overlays

Dedicated third-party solutions offer a unified control plane for security across multiple clouds and hybrid environments:

• Cloud Network Firewalls (Next-Generation Firewalls – NGFWs): Virtual NGFWs from vendors like Palo Alto Networks, Fortinet, or Check Point can be deployed as virtual appliances in each cloud environment. They offer advanced threat prevention, deep packet inspection, and a single pane of glass for policy management across clouds.
• Cloud-Native Network Virtualization Overlays: Solutions like VMware NSX-T can extend their network virtualization and micro-segmentation capabilities across multiple cloud providers and on-premises environments. This creates a consistent security fabric that abstracts the underlying cloud network, allowing for uniform policy enforcement.
• Multi-Cloud Network Segmentation Platforms: Specialized vendors provide platforms designed specifically to abstract and centralize segmentation policy management across heterogeneous cloud environments, often integrating with native cloud APIs to push policies.

6.2.3 Secure Inter-Cloud Connectivity

Establishing secure and efficient communication channels between cloud segments and on-premises networks is critical:

• IPsec VPN Tunnels: Encrypted tunnels provide secure connectivity over the public internet between cloud VPCs/VNets and on-premises firewalls/gateways. While cost-effective, they can introduce latency and bandwidth limitations.
• Direct Connect / ExpressRoute / Cloud Interconnect: Dedicated, private network connections between on-premises data centers and cloud providers. These offer higher bandwidth, lower latency, and increased reliability compared to VPNs, making them ideal for hybrid cloud segmentation where substantial data transfer is required.
• SD-WAN (Software-Defined Wide Area Network): SD-WAN solutions can optimize traffic routing across multiple clouds and hybrid networks, provide centralized management for connectivity, and integrate security services like firewalls and ZTNA gateways.
• SASE (Secure Access Service Edge): SASE converges networking and security functions into a single, cloud-native service. It enables a unified security policy framework that extends across all users, devices, and applications, regardless of their location (on-premises, branch office, or any cloud), inherently providing consistent segmentation controls from the edge.

6.2.4 Service Mesh for Application-Level Segmentation

For cloud-native, microservices-based applications, a service mesh (e.g., Istio, Linkerd) provides application-level segmentation that transcends network boundaries. It enforces policies between individual services based on service identity, regardless of which cloud or subnet they reside in. This offers the most granular level of control for east-west traffic within the application layer, crucial for multi-cloud microservices deployments.

6.3 Compliance Management Across Federated Environments

Achieving and demonstrating compliance in a cross-cloud environment requires a multi-faceted approach:

• Shared Responsibility Model Understanding: Clearly define responsibilities between the organization and each cloud provider for different aspects of security and compliance.
• Centralized Compliance Frameworks: Implement a unified compliance framework that maps specific controls to the disparate native cloud controls and third-party security solutions.
• Automated Compliance Auditing: Utilize CSPM tools, audit logging services (e.g., AWS CloudTrail, Azure Monitor), and SIEM integrations to continuously monitor configurations and activities for compliance deviations.
• Data Residency and Sovereignty: Carefully design segmentation to ensure sensitive data remains within required geographical boundaries, a common regulatory requirement in multi-cloud scenarios ([cohesive.net/cloud-network-segmentation/]).

Cross-cloud and hybrid-cloud segmentation demands a holistic strategy that balances the benefits of cloud-native tools with the need for unified policy management, robust connectivity, and consistent compliance across heterogeneous environments. This approach is fundamental to securing the modern distributed enterprise.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

7. Network Detection and Response (NDR): Monitoring and Responding to Threats Within Segments

Network Detection and Response (NDR) tools are a critical component of a comprehensive security strategy, particularly in environments leveraging advanced network segmentation. While segmentation proactively reduces the attack surface and limits lateral movement, NDR provides the crucial post-breach detection and response capabilities needed to identify and neutralize threats that inevitably bypass preventative controls. NDR focuses on continuously monitoring network traffic, both north-south and especially east-west, within and between segmented zones, to detect and respond to suspicious activities that indicate a security incident ([sciencedirect.com/topics/computer-science/network-segmentation]).

7.1 Role and Evolution of NDR

Traditional network security tools like Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) primarily relied on signature-based detection of known threats. Firewalls blocked traffic based on rules. However, these tools often struggle with sophisticated, unknown threats, insider threats, and encrypted traffic within a segmented network, especially the vast volumes of east-west communication.

NDR emerged to address these gaps. It goes beyond signature matching by employing advanced analytics, machine learning (ML), and behavioral analysis to detect anomalies and identify patterns indicative of malicious activity that might otherwise go unnoticed. It acts as a continuous ‘security camera’ for the network, providing deep visibility into actual traffic flows and behaviors.

7.2 Key Capabilities of NDR Tools

NDR solutions typically offer a robust set of features:

• Comprehensive Traffic Visibility: NDR tools ingest and analyze raw packet data, flow records (e.g., NetFlow, IPFIX), and metadata from various points in the network, including within segmented zones. This provides unparalleled visibility into all communications, including encrypted traffic (often through decryption capabilities or analysis of metadata patterns).

• Anomaly Detection and Behavioral Analytics: This is a core strength of NDR. By establishing a baseline of ‘normal’ network behavior for each segment and workload, NDR can identify deviations. This includes detecting unusual data transfers, unauthorized port scans, suspicious login attempts, communication with known command-and-control (C2) servers, or lateral movement patterns that don’t conform to expected application behavior. Machine learning algorithms are crucial here, sifting through massive datasets to find subtle indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs).

• Real-Time Alerts and Prioritization: When anomalies or threats are detected, NDR systems generate immediate, high-fidelity alerts. These alerts are often enriched with contextual information (e.g., involved hosts, users, applications, time, severity) to help security teams prioritize and respond effectively, reducing alert fatigue.

• Threat Hunting: NDR provides powerful capabilities for proactive threat hunting. Security analysts can query historical network data to search for specific IoCs, investigate suspicious patterns, or validate assumptions about potential threats that might not have triggered an automated alert.

• Forensic Analysis and Incident Response Support: In the event of an incident, NDR tools offer deep forensic capabilities. They store detailed network metadata and often full packet captures, allowing investigators to reconstruct attack timelines, understand the scope of a breach, identify compromised systems, and pinpoint the exfiltration of sensitive data. This evidence is crucial for rapid containment and remediation.

• Integration with Other Security Tools: NDR solutions typically integrate with other components of the security ecosystem, such as Security Information and Event Management (SIEM) systems for centralized logging and correlation, Endpoint Detection and Response (EDR) platforms for endpoint context, and Security Orchestration, Automation, and Response (SOAR) platforms to automate response actions.

7.3 How NDR Benefits from Segmentation

Network segmentation significantly enhances the effectiveness of NDR in several ways:

• Reduced Noise and Focused Monitoring: By dividing the network into smaller, more manageable segments, NDR tools have a more defined scope for analysis. This reduces the overall volume of traffic to monitor in any single segment, making it easier to establish baselines, detect anomalies, and filter out irrelevant data. The signal-to-noise ratio improves dramatically.

• Richer Context for Detections: When an NDR tool detects suspicious activity, the context provided by segmentation (e.g., ‘this anomaly occurred in the PCI DSS database segment’ or ‘this user attempted to access the HR segment from an unapproved endpoint’) adds critical information, allowing for more accurate threat assessment and faster response.

• Validation of Segmentation Policies: NDR actively monitors traffic flows between segments. This can reveal attempts to bypass segmentation policies, misconfigured firewalls, or unauthorized communication paths, effectively validating whether segmentation is working as intended.

• Identification of Lateral Movement: Segmentation is designed to prevent lateral movement. NDR provides the visibility to detect if an attacker has successfully breached one segment and is attempting to move to another. By observing traffic patterns between segments, NDR can quickly flag unauthorized cross-segment communication, which is a strong indicator of compromise.

• Improved Incident Containment: If NDR detects a breach within a specific segment, the pre-existing segmentation limits the spread of the attack, allowing security teams to focus containment efforts on that isolated area, rather than having to scramble across the entire network.

In essence, network segmentation creates a structured environment where NDR can operate with greater precision and efficacy. Together, they form a powerful defense-in-depth strategy, moving beyond mere prevention to robust detection and rapid response capabilities essential for the modern threat landscape.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

8. Architectural Considerations and Operational Challenges

Implementing and maintaining effective network segmentation in today’s complex, rapidly evolving, and often multi-cloud infrastructures presents a myriad of architectural considerations and significant operational challenges. While the benefits are profound, realizing them requires careful planning, robust execution, and continuous management.

8.1 Architectural Considerations

8.1.1 Granularity and Scope

• Defining Segments: The first step is to logically group assets based on their criticality, sensitivity, function, and regulatory requirements (e.g., PCI DSS zone, HR applications, production environment, development environment, IoT devices). Micro-segmentation extends this to individual workloads, applications, or even specific processes. Deciding on the appropriate level of granularity is crucial; too coarse, and security benefits are limited; too fine, and management complexity skyrockets.
• Traffic Flow Analysis: A thorough understanding of north-south and east-west traffic patterns and application dependencies is paramount. Tools for network mapping, flow analysis (e.g., NetFlow, VPC Flow Logs), and application dependency mapping are indispensable to avoid inadvertently breaking critical application communication paths or creating overly complex policies.

8.1.2 Policy Design and Management

• Default Deny Principle: Segmentation policies should adhere strictly to the principle of ‘default deny,’ only explicitly allowing necessary communication paths. This minimizes the attack surface.
• Attribute-Based Policies: Leveraging attributes and tags (e.g., ‘application:webserver,’ ‘environment:prod,’ ‘compliance:PCI’) rather than static IP addresses provides flexibility and scalability, especially in dynamic cloud environments where IPs change frequently.
• Policy Orchestration: For large and distributed environments, a centralized policy orchestration engine (e.g., SDN controller, security policy management platform) is essential to ensure consistency, prevent conflicts, and simplify changes across heterogeneous infrastructure.

8.1.3 Integration with Identity and Access Management (IAM)

• User and Workload Identity: Modern segmentation, particularly ZTNA and micro-segmentation, must integrate tightly with IAM systems. Policies should be based on verified user identities, device posture, and workload identities, not just network addresses.
• Least Privilege: Ensuring that users and workloads only have access to precisely the resources they need, for the duration they need them, is a core architectural principle that segmentation directly supports.

8.1.4 Network Infrastructure and Overlay Technologies

• Physical vs. Virtual vs. Cloud-Native: The choice of segmentation technology (VLANs/subnets, host-based firewalls, SDN overlays, cloud security groups, service mesh) depends on the underlying infrastructure (on-premises, virtualized, containerized, multi-cloud) and the desired level of granularity.
• Performance Considerations: Segmentation introduces inspection points, which can potentially impact network latency and throughput. Designing for high-performance data paths and offloading security functions to specialized hardware or efficient software implementations is critical, especially for high-traffic applications.

8.2 Operational Challenges

8.2.1 Scalability and Complexity

• Policy Sprawl and Management Burden: As the number of segments, workloads, and cloud environments grows, the volume and complexity of segmentation policies can become overwhelming. Managing thousands of rules across different platforms can lead to human error, misconfigurations, and security gaps. Automation and centralized management are crucial to mitigate this.
• Dynamic Environments: Cloud-native and containerized workloads are often ephemeral, spinning up and down rapidly. Manually updating segmentation policies for these dynamic resources is impossible. Automated policy provisioning and de-provisioning, often through integration with CI/CD pipelines, is essential.

8.2.2 Performance Overhead

• Latency and Throughput Impacts: Each security control point introduced by segmentation (e.g., firewall rule evaluation, packet inspection by an agent) can add a small amount of latency. In high-performance computing or real-time application environments, this cumulative overhead can be significant. Careful design and performance testing are necessary.
• Resource Utilization: Running security agents on hosts or virtual firewalls can consume CPU, memory, and network resources, potentially impacting application performance. Optimizing agent footprint and firewall rule efficiency is important.

8.2.3 Visibility Gaps and Troubleshooting

• East-West Traffic Blind Spots: While segmentation aims to control east-west traffic, it can also make visibility challenging if proper monitoring tools are not in place. Encrypted internal traffic further complicates inspection and anomaly detection.
• Troubleshooting Complexity: Pinpointing the root cause of connectivity issues in a highly segmented environment can be difficult. Determining which specific policy or rule is blocking legitimate traffic requires deep visibility and advanced troubleshooting tools.

8.2.4 Compliance and Auditing

• Demonstrating Compliance: Proving that segmentation policies effectively isolate sensitive data and adhere to regulatory requirements (e.g., PCI DSS scope reduction) requires robust reporting and audit capabilities. This includes demonstrating that all necessary controls are in place and functioning correctly.
• Audit Trail Generation: Ensuring that all relevant network and security events from segmented environments are logged, correlated, and available for auditing is critical for forensics and compliance reporting.

8.2.5 Skills Gap and Organizational Alignment

• Expertise Requirements: Implementing and managing advanced segmentation techniques, especially those involving SDN, cloud-native constructs, and service mesh, requires specialized skills in networking, security, cloud platforms, and automation. A shortage of such expertise can hinder adoption.
• Organizational Silos: Effective segmentation often requires close collaboration between network teams, security teams, application development teams, and cloud operations teams. Organizational silos can impede successful implementation and ongoing management.

8.2.6 Change Management

• Application Changes: Any change to an application’s architecture or communication patterns necessitates corresponding updates to segmentation policies. A robust change management process that integrates security policy updates into application deployment lifecycles is crucial to prevent service disruptions.
• Policy Versioning: Managing different versions of policies, rolling back changes, and understanding the impact of each modification are significant operational challenges that require sophisticated policy management platforms.

To overcome these challenges, organizations must adopt a holistic approach that prioritizes automation, centralizes policy management, invests in continuous monitoring and visibility tools (like NDR), fosters cross-functional collaboration, and continuously trains personnel on emerging technologies and best practices. A phased implementation, starting with critical assets and gradually expanding, can also help manage complexity and validate effectiveness ([nist.gov], [cohesive.net]).

Many thanks to our sponsor Esdebe who helped us prepare this research report.

9. Conclusion

The relentless evolution of digital infrastructure, characterized by the omnipresence of cloud computing, the agility of containerization, and the distributed nature of serverless architectures, has rendered traditional perimeter-centric security models increasingly obsolete. In this dynamic landscape, advanced network segmentation has emerged as an indispensable and foundational strategy, offering a potent defense-in-depth mechanism against the sophisticated threats that target modern enterprises.

This report has systematically explored the multifaceted dimensions of advanced network segmentation, highlighting its transformative impact on cybersecurity, network performance, and operational manageability. We delved into the intricacies of micro-segmentation, elucidating how its granular, workload-centric approach fundamentally reduces the attack surface and contains the blast radius of potential breaches, particularly within highly virtualized, containerized, and serverless environments. The diverse implementation techniques, ranging from host-based firewalls and SDN overlays to cloud-native constructs and application-layer service meshes, underscore the adaptability required for modern security architectures.

The profound shift towards Zero Trust Network Access (ZTNA) principles was examined, revealing how it complements and strengthens segmentation by enforcing continuous verification and least-privilege access for every user and device, irrespective of their network location. This paradigm moves beyond implicit trust, establishing a robust framework for context-aware, identity-driven access control that is critical in an era without a definitive network perimeter.

We further highlighted the pivotal role of Software-Defined Networking (SDN) in providing the agility, automation, and centralized control necessary for dynamic segmentation. SDN’s ability to programmatically manage network policies across the control and data planes empowers organizations to implement and adapt segmentation strategies with unprecedented speed and consistency. The report also addressed the formidable complexities of cross-cloud and hybrid-cloud segmentation, outlining strategic approaches for achieving unified security policy enforcement and seamless, secure connectivity across disparate cloud providers and on-premises environments.

Finally, the critical function of Network Detection and Response (NDR) tools was detailed, demonstrating their indispensable role in providing continuous, deep visibility into segmented network traffic. By leveraging advanced analytics and machine learning, NDR proactively identifies anomalous behaviors and hidden threats that bypass preventative controls, enabling rapid threat hunting, forensic analysis, and agile incident response within highly segmented domains. This synergy between segmentation and detection is crucial for identifying and neutralizing threats that inevitably breach initial defenses.

While the benefits of these advanced segmentation techniques are significant, their implementation is not without architectural and operational challenges. Issues such as scalability, policy complexity, potential performance overheads, fragmented visibility, and the imperative for continuous compliance demand careful planning, robust toolsets, and a highly skilled workforce. Overcoming these hurdles necessitates a commitment to automation, centralized policy orchestration, inter-departmental collaboration, and ongoing investment in security talent and technology.

In conclusion, a comprehensive and adaptable approach to network segmentation, integrated with Zero Trust principles, empowered by SDN capabilities, and fortified by advanced NDR, is no longer a luxury but a fundamental requirement for maintaining a resilient and robust security posture in the evolving landscape of cloud computing. Organizations that embrace these advanced strategies will be better equipped to protect their critical assets, ensure business continuity, and navigate the complexities of the digital future.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

References

• Akamai. (n.d.). What Is Network Segmentation? Retrieved from https://www.akamai.com/glossary/what-is-network-segmentation
• arXiv. (n.d.). Distributed Deep Neural Networks over the Cloud, the Edge and End Devices. (Teerapittayanon, S., McDanel, B., & Kung, H. T., 2017). Retrieved from https://arxiv.org/abs/1709.01921
• arXiv. (n.d.). DDUNet: Dual Dynamic U-Net for Highly-Efficient Cloud Segmentation. (Li, Y., Wang, H., Xu, J., Wu, P., Xiao, Y., Wang, S., & Dev, S., 2025). Retrieved from https://arxiv.org/abs/2501.15385
• arXiv. (n.d.). Segregation and Context Aggregation Network for Real-time Cloud Segmentation. (Li, Y., Wang, H., Zhang, J., You, J., Xu, J., Wu, P., Xiao, Y., & Dev, S., 2025). Retrieved from https://arxiv.org/abs/2504.14178
• Cato Networks. (n.d.). Network Segmentation. Retrieved from https://www.catonetworks.com/glossary/network-segmentation/
• Cohesive Networks. (n.d.). Cloud Network Segmentation. Retrieved from https://cohesive.net/cloud-network-segmentation/
• CrowdStrike. (n.d.). What Is Network Segmentation? Retrieved from https://www.crowdstrike.com/en-us/cybersecurity-101/identity-protection/network-segmentation/
• GeeksforGeeks. (2025). Network Segmentation. Retrieved from https://www.geeksforgeeks.org/what-is-network-segmentation/
• NIST. (n.d.). Analysis of Network Segmentation Techniques in Cloud Data Centers. (Chandramouli, R., 2015). Retrieved from https://www.nist.gov/publications/analysis-network-segmentation-techniques-cloud-data-centers
• ScienceDirect. (n.d.). Network Segmentation – an overview. Retrieved from https://www.sciencedirect.com/topics/computer-science/network-segmentation
• VMware. (n.d.). VMware NSX-T Data Center. Retrieved from https://www.vmware.com/products/nsx.html
• Wikipedia. (n.d.). Microsegmentation (network security). Retrieved from https://en.wikipedia.org/wiki/Microsegmentation_%28network_security%29
• Zscaler. (n.d.). What Is Network Segmentation and Why It Matters. Retrieved from https://www.zscaler.com/resources/security-terms-glossary/what-is-network-segmentation