Zero Trust Network Segmentation Best Practices

March 30, 2023 | By IANS Faculty

When it comes to zero trust, network segmentation vendors tend to focus either on microsegmentation in the data center or zero trust network access (ZTNA) for end-user access to resources. There are a number of factors to consider in the space, but no solution actually handles both use cases well. Overall, it’s important to focus on ease of implementation/management, application discovery and policy control granularity. This piece provides an overview of the zero trust segmentation space and explains the factors to consider when choosing a solution for your environment.

Zero Trust Network Segmentation Technologies 

There are two high-level categories to choose from when selecting zero trust network segmentation technologies:

  • Microsegmentation is focused on internal workloads and assets (primarily within the data center). It can also be extended into IaaS and PaaS cloud environments to help isolate and control application interaction and behaviors for workloads.
  • ZTNA is focused primarily on end-user access to internal and cloud-based resources and is usually delivered as a cloud service model. 


READ: Best Practices for Network Segmentation in the Cloud


Microsegmentation Factors to Consider 

When evaluating internal network micro segmentation technologies, be sure to consider:

  • Agents: Are there agentless discovery and application mapping capabilities, or are agents always required? If so, do they cover all types of workloads (virtual/physical servers, containers, etc.)? Also, be sure any tools you evaluate work in cloud-based environments.
  • Customization: Do the local agents simply rely on Windows firewalls or iptables with Linux, or is it a custom access control solution?
  • Coverage: How broad is the application discovery and identification catalog? Many solutions are not as comprehensive and accurate as advertised, so be sure to test this.
  • Monitoring flexibility: Be sure any solution offers a passive monitoring mode that can then be “flipped” to active blocking easily.
  • Integrations: Ask providers if their solutions offer any integration with security orchestration, automation and response, or other automation tools, as well as network detection and response, endpoint detection and response, and/or SIEM.

Zero Trust Network Access Factors 

For ZTNA services, look at breadth of coverage and granularity of access control policies as a starting point. Also, be sure to evaluate the following:

  • Are user grouping and endpoint controls integrated with user directories? They should be, and endpoint identity controls should be easy to implement for a diverse group of systems.
  • Are API-based methods supported for cloud services? This can greatly simplify integration with SaaS services for DLP and other policy controls.
  • Are agents always required? Most of the time, the answer is yes, but be careful. There are numerous cases where these agents can conflict with existing VPN clients already installed on end-user systems.


DOWNLOAD:  Zero Trust:  A Step-by-Step Guide


Evaluating Zero Trust Network Segmentation Solutions 

Evaluating zero trust segmentation products can get complex fast. When getting started, be sure to:

  • Look at coverage. Most organizations have hybrid infrastructure today, so coverage of on-premises and all cloud workload types is critical. Don’t forget agent performance requirements, either.
  • Focus on ZTNA performance and policy granularity. ZTNA is largely an end-user technology, so service providers need strong SLAs for uptime and endpoint controls, as well as granular identity and network-based policies to manage access.
  • Understand there may not be “one ring to rule them all.” Most vendors do either internal micro segmentation or end-user ZTNA, but not both. Be wary of “we cover it all” sales pitches.
  • Be ready to commit significant upfront operational resources to deployment for either of these segmentation and access control solutions and projects. They will require lots of testing and tuning before they're ready for production rollout.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.


Access time-saving tools and helpful guides from our Faculty.


IANS + Artico Search

Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

Subscribe to IANS Blog

Receive a wealth of trending cyber tips and how-tos delivered directly weekly to your inbox.

Please provide a business email.