The biggest problem with enterprise networks is that an actor who has slipped inside has far too much room to move laterally. This is exactly where the Zero Trust mindset kicks in: being inside the network does not mean being trusted. Every flow, every service and every identity is verified again, and access is held to the narrowest possible boundary.
Why is the classic VLAN approach no longer enough?
For many years, network security was designed around perimeter security. Large trust zones such as DMZ, internal network, server network and user network were created. That model is breaking down today for three reasons:
- Workloads no longer live solely in the data centre; cloud, hybrid links and SaaS services keep producing new flows.
- Users are no longer only in the office; VPN, ZTNA and remote-access layers blur the network boundary.
- Application dependencies are far more complex; ERP, identity services, log collection, messaging and API layers are tightly coupled with each other.
As a result, the assumption of a single “internal network” leaves an attacker with far more room than they should have.
Core principles of Zero Trust segmentation
A robust segmentation design must be built around principles, not products:
- Identity-centred access: Service account, device posture and user identity are evaluated rather than the source IP.
- Least privilege: For every flow, only the required port, protocol and direction are opened.
- Default deny: When a new service is added, access is not opened automatically.
- Continuous observability: Policy violations, denied flows and unusual traffic are watched centrally.
- Business-criticality awareness: An ERP database is not handled at the same risk level as a test environment.
Segmentation layers in an enterprise environment
A successful design never relies on a single segmentation layer. Several layers cooperate:
1. Environment segmentation
Production, test, development and management networks are split physically or logically. This separation limits the cascading effect of a misconfiguration or identity abuse.
2. Application segmentation
Services within the same environment are also separated from each other. For example:
- The web tier only reaches the application tier.
- The application tier only reaches the required database ports.
- Observability agents only send data to telemetry endpoints.
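The tier rules above can be expressed as a small directional allow-list with default deny. The following is an added example, not code from the original article: the tier names, ports, host-to-tier map and the rule format are all constructed for illustration and do not correspond to any vendor's policy language. It shows that a rule for web to app does not permit app to web, that a tier cannot be skipped, that only the listed port opens, and that a host missing from the inventory gets nothing.

```python
"""Evaluate flows against a tiered allow-list with default deny.

Added example, not from the original article. Tier names, ports, hosts and
the rule format are constructed for illustration (hypothetical policy
format, not a vendor's).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_tier: str   # "*" matches any tier (used for telemetry agents)
    dst_tier: str
    dst_port: int
    proto: str      # "tcp" or "udp"


# Allow-list: any flow not matched here is denied. Rules are directional:
# allowing web -> app does not allow app -> web.
POLICY = [
    Rule("web", "app", 8443, "tcp"),       # web tier reaches the app tier only
    Rule("app", "data", 5432, "tcp"),      # app tier reaches the required DB port only
    Rule("*", "telemetry", 4317, "tcp"),   # any tier's agent may ship telemetry
]

# Constructed host-to-tier assignment standing in for an inventory/CMDB.
HOST_TIER = {
    "web-01": "web",
    "app-01": "app",
    "db-01": "data",
    "otel-01": "telemetry",
}


def evaluate(src_host, dst_host, dst_port, proto, policy=POLICY, host_tier=HOST_TIER):
    """Return ("allow", matching_rule) or ("deny", reason).

    Unknown hosts are denied: a workload that nobody has assigned to a tier
    must not inherit access from its neighbours (default deny for new
    services).
    """
    src_tier = host_tier.get(src_host)
    dst_tier = host_tier.get(dst_host)
    if src_tier is None or dst_tier is None:
        return ("deny", "host not in inventory")
    for rule in policy:
        if (rule.src_tier in ("*", src_tier)
                and rule.dst_tier == dst_tier
                and rule.dst_port == dst_port
                and rule.proto == proto):
            return ("allow", rule)
    return ("deny", f"no rule for {src_tier}->{dst_tier} {dst_port}/{proto}")


def audit(flows, policy=POLICY, host_tier=HOST_TIER):
    """Evaluate a list of (src, dst, port, proto) flows; return the denied ones
    with their reasons so an owner can justify or drop them."""
    denied = []
    for src, dst, port, proto in flows:
        verdict, detail = evaluate(src, dst, port, proto, policy, host_tier)
        if verdict == "deny":
            denied.append(((src, dst, port, proto), detail))
    return denied


if __name__ == "__main__":
    # Constructed sample flows covering the cases the rules are meant to catch.
    sample = [
        ("web-01", "app-01", 8443, "tcp"),   # allowed
        ("app-01", "db-01", 5432, "tcp"),    # allowed
        ("web-01", "db-01", 5432, "tcp"),    # denied: tier skipped
        ("db-01", "app-01", 8443, "tcp"),    # denied: wrong direction
        ("app-01", "db-01", 22, "tcp"),      # denied: port not opened
        ("db-01", "otel-01", 4317, "tcp"),   # allowed: telemetry from any tier
        ("rogue-99", "db-01", 5432, "tcp"),  # denied: not in inventory
    ]
    for flow, reason in audit(sample):
        print("DENY", flow, reason)
```

The point of `audit` is that a denied flow is an output to be owned, not just blocked: each reason tells the flow owner whether the fix is a missing inventory entry, a missing rule, or a dependency that should not exist.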
3. Management plane segmentation
SSH, RDP, Kubernetes API, hypervisor management and backup interfaces must live in their own trust plane. This is the layer most often overlooked, yet it is the most critical.
The inventory you must produce before going live
Segmentation projects usually fail not at the technology choice but because of an incomplete inventory. Before you start, you must have clear answers to these questions:
- Which service connects to which other service, on which port?
- Who is the business owner of that flow?
- Is the flow continuous, scheduled or only required during a maintenance window?
- Which business process gets affected if that connection is cut?
- Can the access be solved at the application level, or is network-level control truly needed?
For this exercise, NetFlow, VPC Flow Logs, firewall logs and service-discovery data should be read together rather than in isolation.
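The first two inventory questions (which service talks to which, on which port) can be answered directly from flow logs once IPs are joined with service-discovery data. The following is an added example, not code from the original article: it parses a handful of constructed lines in the AWS VPC Flow Log default format, joins them with a constructed IP-to-service map, and aggregates them into a service-to-service inventory that also surfaces flows that were only ever rejected.

```python
"""Build a service-to-service flow inventory from flow-log records.

Added example, not from the original article. The flow-log lines and the
IP-to-service map below are constructed; the map stands in for real
service-discovery data.
"""
from collections import defaultdict

# Constructed records in the AWS VPC Flow Log default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.10.1.15 10.10.2.20 51234 8443 6 12 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.10.1.15 10.10.2.20 51240 8443 6 8 2048 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3e 10.10.2.20 10.10.3.30 44444 5432 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3e 10.10.2.20 10.10.9.9 44450 4317 6 5 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3f 10.10.1.15 10.10.3.30 51300 5432 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3f 10.10.7.70 10.10.3.30 40000 22 6 2 120 1700000000 1700000060 REJECT OK
"""

# Constructed stand-in for service-discovery data: IP -> (service, tier).
SERVICE_MAP = {
    "10.10.1.15": ("web-frontend", "web"),
    "10.10.2.20": ("erp-app", "app"),
    "10.10.3.30": ("erp-db", "data"),
    "10.10.9.9": ("otel-collector", "telemetry"),
}

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_flow_line(line):
    """Parse one default-format line into a dict; return None if the field
    count is wrong so a malformed line cannot poison the inventory."""
    fields = line.split()
    if len(fields) != 14:
        return None
    return {
        "src": fields[3],
        "dst": fields[4],
        "dst_port": int(fields[6]),
        "proto": PROTO_NAMES.get(fields[7], fields[7]),
        "bytes": int(fields[9]),
        "action": fields[12],
    }


def service_name(ip):
    """Map an IP to a service name. Unknown hosts are labelled rather than
    dropped: an address nobody can name is itself an inventory finding."""
    return SERVICE_MAP.get(ip, ("unknown:" + ip, "unknown"))[0]


def build_inventory(log_text):
    """Aggregate flows by (src service, dst service, dst port, proto).

    Source ports are ephemeral and deliberately discarded. Each entry keeps
    a flow count, total bytes and the set of actions seen.
    """
    inventory = defaultdict(lambda: {"flows": 0, "bytes": 0, "actions": set()})
    for line in log_text.splitlines():
        rec = parse_flow_line(line)
        if rec is None:
            continue
        key = (service_name(rec["src"]), service_name(rec["dst"]),
               rec["dst_port"], rec["proto"])
        entry = inventory[key]
        entry["flows"] += 1
        entry["bytes"] += rec["bytes"]
        entry["actions"].add(rec["action"])
    return dict(inventory)


def rejected_flows(inventory):
    """Keys whose flows were only ever rejected: either a policy gap that an
    owner must justify, or an attempt that deserves investigation."""
    return sorted(k for k, v in inventory.items() if v["actions"] == {"REJECT"})


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOW_LOG)
    for (src, dst, port, proto), stats in sorted(inv.items()):
        print(f"{src:>20} -> {dst:<20} {port}/{proto:<4} "
              f"flows={stats['flows']} bytes={stats['bytes']} "
              f"actions={','.join(sorted(stats['actions']))}")
    print("rejected-only:", rejected_flows(inv))
```

Each key in the resulting inventory is exactly the unit the remaining questions are asked about: who owns it, whether it is continuous or scheduled, and what breaks if it is cut. Those answers cannot be read from the logs and have to be attached by the flow owners.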
A special case for ERP and core enterprise systems
ERP infrastructure is more sensitive in segmentation terms because it both hosts legacy protocols and carries a great many integrations. A solid pattern here is to split the system into three sections:
- User access tier
- Application processing tier
- Data and integration tier
SAP, Logo, Mikro, custom-built finance applications or HR services can be handled with the same logic. Instead of placing integration servers directly into the core database segment, routing them through a controlled intermediate service layer reduces the risk surface considerably.
A workable roadmap to start with
A realistic transition plan for an enterprise team progresses in this order:
- Make flows visible and produce a 30-day baseline.
- Try the default-deny model in non-production environments.
- Move the management plane under a dedicated access policy.
- Tighten critical applications with micro-segmentation rules.
- Wire policy violations into your SIEM and alerting system.
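The first and last steps of the roadmap meet in one piece of logic: flows outside the learned baseline become alerts, and their severity follows the business-criticality principle from earlier (an ERP database is not a test database) and the management-plane rule (SSH or RDP outside the baseline is always serious). The following is an added example, not code from the original article: the baseline, the observed flows, the criticality table, the management-port list and the alert schema are all constructed, and a real deployment would derive the baseline from the 30-day flow inventory and shape the alert to whatever the SIEM ingests.

```python
"""Flag flows that drift from a learned baseline and emit SIEM-ready alerts.

Added example, not from the original article. Baseline, observed flows,
criticality table, management ports and the alert schema are constructed.
"""
import json
from datetime import datetime, timezone

# Flow identity: (src_service, dst_service, dst_port, proto).
# Constructed 30-day baseline of accepted flows.
BASELINE = {
    ("web-frontend", "erp-app", 8443, "tcp"),
    ("erp-app", "erp-db", 5432, "tcp"),
    ("erp-app", "otel-collector", 4317, "tcp"),
    ("backup-01", "erp-db", 5432, "tcp"),   # nightly job seen during the window
}

# Constructed criticality of destinations (ERP is not handled like test).
CRITICALITY = {
    "erp-db": "high",
    "erp-app": "high",
    "otel-collector": "low",
    "test-db": "low",
}

# Management-plane ports: drift here is high severity regardless of target.
MGMT_PORTS = {22, 3389}

# Constructed flows observed after the baseline window.
OBSERVED = [
    ("web-frontend", "erp-app", 8443, "tcp"),
    ("erp-app", "erp-db", 5432, "tcp"),
    ("web-frontend", "erp-db", 5432, "tcp"),   # web tier skipping the app tier
    ("jump-03", "erp-db", 22, "tcp"),          # management access not in baseline
    ("dev-box", "test-db", 5432, "tcp"),       # new, but low criticality
]


def severity_for(flow):
    """High for management ports or high-criticality targets, low for known
    low-criticality targets, medium for anything not in the table."""
    _, dst, port, _ = flow
    if port in MGMT_PORTS:
        return "high"
    return CRITICALITY.get(dst, "medium")


def find_drift(observed, baseline):
    """Observed flows absent from the baseline, in first-seen order, deduplicated."""
    seen, drift = set(), []
    for flow in observed:
        if flow not in baseline and flow not in seen:
            seen.add(flow)
            drift.append(flow)
    return drift


def make_alert(flow, now):
    """One alert record in a constructed flat schema a SIEM can ingest."""
    src, dst, port, proto = flow
    return {
        "ts": now.isoformat(),
        "rule": "zt-segmentation-baseline-drift",
        "severity": severity_for(flow),
        "src_service": src,
        "dst_service": dst,
        "dst_port": port,
        "proto": proto,
        "message": f"flow {src}->{dst} {port}/{proto} not present in 30-day baseline",
    }


def build_alerts(observed, baseline, now=None):
    """Return alert dicts for every drifting flow."""
    now = now or datetime.now(timezone.utc)
    return [make_alert(flow, now) for flow in find_drift(observed, baseline)]


def alerts_as_ndjson(observed, baseline, now=None):
    """Newline-delimited JSON, one alert per line, for log shippers."""
    return "\n".join(json.dumps(a, sort_keys=True)
                     for a in build_alerts(observed, baseline, now))


if __name__ == "__main__":
    print(alerts_as_ndjson(OBSERVED, BASELINE))
```

A baseline is only as clean as the window it was learned from: a flow that is itself an intrusion artefact becomes "normal" if it ran during the 30 days, which is why the inventory review with flow owners has to happen before the baseline is trusted.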
Zero Trust network segmentation is not a security project the security team can carry alone. It becomes sustainable only when it is treated as an architectural discipline jointly run by network, system, application and business teams. The actual goal is not to close every door, but to render only the necessary doors visible and defensible.