
Platform

Network Segmentation

Network segmentation: partition components to limit lateral movement.

Plane: Platform
Flow steps: 2
Frameworks: NIST 800-53 · 800-207

Technology

Why use it

Split the network into isolated zones so a compromise doesn’t spread across the whole system.

Why it matters to security

Reduces blast radius: a compromised component reaches only what is explicitly opened to it.

Implementations: micro-segmentation · Kubernetes NetworkPolicies · service mesh · VPC / subnets

Assume breach: segment so the attacker stays boxed in.

Recommendations by maturity tier


Foundation

Minimum viable baseline
  • Zone separation (DMZ, application, data).
    NIST 800-53 SC-7
    Sensitive components aren’t reachable from outside.
  • Inter-zone flows denied by default.
    NIST 800-53 SC-7(5)
    Open only the explicitly necessary flows.
  • Information-flow control between zones.
    NIST 800-53 AC-4
    Allowed traffic is defined; the rest is blocked.
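The Foundation items above, written out as Kubernetes NetworkPolicies (one of the implementations listed). This is an added example, not code from this page: a namespace-wide baseline that drops all ingress and egress except DNS, plus a single explicitly opened flow from the application zone to the data zone. Namespace names, the `zone` label, pod labels and ports are assumptions.

```yaml
# Assumed conventions (constructed for this example): zone namespaces "app" and
# "data" carry a label zone=<name>. NetworkPolicies are additive, so the data
# namespace needs a matching ingress policy for the flow below to pass.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: zone-baseline             # Foundation: inter-zone flows denied by default (SC-7(5))
  namespace: app
spec:
  podSelector: {}                 # empty selector: applies to every pod in the namespace
  policyTypes: [Ingress, Egress]  # no ingress rules listed, so all ingress is dropped
  egress:                         # deny-by-default egress also blocks name resolution,
    - to:                         # so DNS to kube-dns is the only baseline exception
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumed CoreDNS label; verify in your cluster
      ports:
        - protocol: UDP
          port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-postgres     # open only the explicitly necessary flow (AC-4)
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              zone: data
          podSelector:            # same list item as namespaceSelector: AND, not OR
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
```

Enforcement depends on the cluster's CNI plugin honouring NetworkPolicy; a policy object accepted by the API server but ignored by the network plugin gives no segmentation at all, so verify with a blocked connection test, not just `kubectl get networkpolicy`.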

Enterprise

Enterprise standard
  • Per-workload micro-segmentation.
    NIST 800-53 SC-7 · SC-32
    Each service has its perimeter, not just each zone.
  • Service identity required to communicate (mTLS).
    NIST 800-53 SC-8 · IA-9
    No anonymous service-to-service communication.
  • Inter-service flow logging.
    NIST 800-53 AU-2
    Lateral movement becomes visible.

Advanced

High-assurance / regulated
  • Network policy conditioned on identity and risk.
    NIST 800-53 AC-4 · NIST 800-207 §2.1
    Network access becomes a Zero-Trust decision, not an IP question.
  • Lateral-movement detection.
    NIST 800-53 SI-4
    A service talking to an unusual neighbor is flagged.
  • Network policies as code, tested.
    NIST 800-53 CM-3
    Segmentation is versioned and verifiable.

Architecture notes

  • Segmentation contains what other controls let through.
    No barrier is perfect.
    Assume a component falls and limit in advance what it can reach.

References

NIST SP 800-53 Rev5: SC-7 / SC-7(5) (Boundary / deny-by-default), SC-32 (System Partitioning), AC-4, SC-8, IA-9, SI-4.
NIST SP 800-207: §2.1, network access governed by identity, not location.

Abbreviations

PDP: Policy Decision Point
PEP: Policy Enforcement Point
PIP: Policy Information Point
PAP: Policy Administration Point
IdP: Identity Provider
TSS: Token Service
NHI: Non-Human Identity
RBAC: Role-Based Access Control
ABAC: Attribute-Based Access Control
MFA: Multi-Factor Authentication
HITL: Human-in-the-loop
JIT: Just-In-Time
CAE: Continuous Access Evaluation
CAEP: Continuous Access Evaluation Profile
DPoP: Demonstrating Proof-of-Possession
mTLS: mutual TLS
PII: Personally Identifiable Information
KMS: Key Management Service
CI/CD: Continuous Integration / Continuous Delivery
SIEM: Security Information and Event Management
SOAR: Security Orchestration, Automation and Response
SCIM: System for Cross-domain Identity Management
XACML: eXtensible Access Control Markup Language
OPA: Open Policy Agent
OWASP: Open Worldwide Application Security Project
NIST: National Institute of Standards and Technology
ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM: Large Language Model
WAF: Web Application Firewall
CDN: Content Delivery Network
DDoS: Distributed Denial of Service
DLP: Data Loss Prevention
JWT: JSON Web Token
API: Application Programming Interface
CRS: Core Rule Set (OWASP)
RAG: Retrieval-Augmented Generation
MCP: Model Context Protocol
PBAC: Permission-Based Access Control
HSM: Hardware Security Module
UEBA: User and Entity Behavior Analytics
SBOM: Software Bill of Materials
SLSA: Supply-chain Levels for Software Artifacts
WORM: Write Once, Read Many
SPIFFE: Secure Production Identity Framework For Everyone