Elisity Blog

What a Multi-Site Microsegmentation Rollout Actually Looks Like (and Why Most Take Years)

Most of the security leaders I meet have been quoted years to segment their sites, and they’ve stopped believing anyone who promises faster. The honest range is one to three years for most multi-site microsegmentation programs. Then St. Luke’s University Health Network segmented 15 hospitals, 350 practices, and 85,000 devices in 46 days. Both numbers are true.

The gap between them isn’t the software; per-site deployment often takes minutes to hours. The years come from everything around it: change control, site readiness, and the decisions about what to enforce, in what order, on whose sign-off. Deployment is decoupled from policy, and policy from enforcement. An activated site is not a protected site.

Night-shift factory floor blurs with motion around a still network appliance during a microsegmentation deployment
A rollout the night shift never notices: production keeps moving while the site comes online in learning mode.

Multi-Site Microsegmentation Rollouts by the Numbers (2026):

How long does a multi-site microsegmentation rollout really take?

A multi-site microsegmentation deployment usually reaches full enforcement in one to three years, even though a single site can come online in minutes to hours. Software rollout and enforcement run at two speeds, and everyone quotes you the slow one.

Two deployment arcs dominate. Different mechanics, same finish: in both, the tail is organizational.

Phase Typical agent-based arc Identity-based, agentless arc
Per-site rollout Install approvals per platform team; per-OS certification Nothing to install; a site comes online in minutes to hours
Policy build Often rebuilt site by site Build once, clone with the variables changed
Simulation Passive observation phase; moving out of it takes an executive push Every policy runs against live traffic before it touches production
First enforcement Larger cutovers, breakage risk concentrated Incremental, lowest-risk device groups first, rollback one action away
Full-estate enforcement Months to years; the enforcement tail is the long pole Weeks to quarters per site, sites in parallel; the tail is still organizational

St. Luke’s lived at the slow end first: five years of trying to architect microsegmentation had stalled. The team then spent about a month preparing infrastructure, deployed Elisity, and completed its major segmentation buckets in roughly 46 days without major outages, against 18-month consultant-heavy quotes. “Within 46 days, we went from no microsegmentation to having all of our microsegmentation completed,” is how Daniel Dopsovic, the health system’s Senior Enterprise Information Security Architect, described it. CISO David Finkelstein had asked for two months; the team beat that by two weeks. The full account is in the 46-day health-system case study.

The slow end deserves the same honesty. In one global manufacturing program, software reached nearly all of roughly 29 sites within six months, while full enforcement ran from month four to month 15. I’ve seen a team activate 70-something sites in four or five months and apply policy at just two or three. Across mature deployments, the steady state is roughly half of all policies enforced, half still in simulation, which sounds like a stalled program until you remember that every enforced policy earned a change window and a sign-off first. Activation is cheap. Enforcement is deliberate. A site count never tells you how much of the estate is protected.

Why do most multi-site segmentation projects take years?

Most multi-site segmentation projects take years because the work that stalls them is organizational, not technical. Omdia’s 2025 survey of 352 cybersecurity decision makers across healthcare and manufacturing found 99% are implementing or planning microsegmentation, yet only 9% have protected more than 80% of critical systems. Nearly everyone starts. Almost no one finishes. My colleague William Toll breaks the survey down in his Omdia manufacturing analysis and digs into why segmentation projects fail with RedSeal’s chief product and technology officer.

What I keep running into:

  • Change-control calendars, freezes, and holidays. One global program planned around a year-end freeze, a December furlough, and a summer-only maintenance window. Enforcement waited on the calendar, not the console.
  • Single-threaded site experts. When a site’s one expert takes a six-month leave, that site sits until someone rebuilds the plan.
  • Asset-inventory surprises. I can’t tell you the number of times a team says it has 50,000 devices and discovery turns up closer to 78,000. One site found roughly 150 OT assets hiding behind unmanaged hardware.
  • Network prerequisites. Minimum firmware, controller upgrades, and licensing reboots each need their own window and gate the site behind them.
  • Snowflake sites. Teams that rebuild policy from scratch at every location build a years-long rollout by construction.

Agent-based approaches carry extra weight here, and I mean that architecturally, not as a vendor knock. When deployment depends on installing software on endpoints, the friction front-loads: bulk-install approvals from every platform team, certification for every operating system in the fleet, and an agent lifecycle to run at every site for as long as the program lives. Mature platforms now offer agentless tiers for exactly that reason. Every install approval you delete is calendar time you get back.

What’s the fastest way to roll out microsegmentation across multiple sites?

The fastest way to roll out microsegmentation across multiple sites is to deploy every site quickly in learning mode, then run enforcement as a separate, deliberate track behind it. This is the playbook I’d hand a team starting today.

Microsegmentation deployment timeline: sites activate fast in learning mode while enforcement runs as a slower parallel track
Two decoupled tracks in a multi-site rollout: every site comes online in learning mode within minutes to hours, while enforcement advances site by site through a handful of short change windows. Later waves start learning while earlier waves enforce.
  1. Pick a template site, not your biggest site. Choose a location your team knows well and can reach easily, so the first pass becomes a reusable pattern. Familiarity matters more than size.
  2. Deploy in learning mode with nothing to install on endpoints or the network. An identity-based, agentless approach brings a site online passively, in minutes to hours, on the infrastructure you already have. One exception worth naming: the Active Directory integration uses an agent; your network and endpoints stay agentless.
  3. Build identity-based policy from observed traffic. Let the platform show you real flows, then group assets by what they are and who uses them, not by IP address. Start coarse and refine later.
  4. Validate with the people who run the site. Sit with the clinical, plant, or facilities engineers who know which flows are normal. They catch the exceptions your observation window missed; skipping this step is how fast rollouts break.
  5. Enforce incrementally, lowest-risk device groups first. Move policies from simulation to enforcement in small change windows, easy high-traffic groups first and the riskiest last, with rollback one action away. Simulation reports what a policy would have blocked before anything goes live.
  6. Clone the policy template to the next wave. Once a site enforces cleanly, the next site is the same workflow with the source and destination variables changed. This is what turns a single-site win into a program.
  7. Run subsequent site waves in parallel. Deploy new sites in learning mode as fast as your change calendar allows, with policy as its own track, so many sites learn while earlier sites enforce. Parallelism is what compresses the calendar.

Site-level speed is real. Southern Illinois Healthcare stood up its Elisity proof of concept in under an hour: deployed on existing access-layer infrastructure, monitoring and blocking. For the procedure itself, see our step-by-step implementation guide.

How do you sequence sites in a multi-site rollout?

You sequence a multi-site rollout by choosing a template site first, ordering device groups from easiest to riskiest, and parallelizing across locations once the pattern holds. Get the first site right and the rest of the estate becomes repetition.

Southern Illinois Healthcare sequenced this way, per its 400-bed deployment story. The pilot started at a daytime-only Cancer Institute, where the team could deploy and fix after hours, then moved to the largest site, worked down to the smallest, and finished with remote clinics. Four hospitals and around 400 beds across 17 to 19 counties ran on three total resources: two network engineers plus one security administrator. That was the whole team.

Wave sizing keeps it manageable: five to 10 similar sites per wave, each attached to an always-in-simulation copy of your policy set, audited, then flipped into enforcement by reassigning a site label. No policy rebuild. At GSK, Security Architect Jeff Binkley reported over 50 locations rolled out in three to four months, a single site in about 15 minutes.

What do the first 30, 60, and 90 days look like?

The first 90 days of a per-site microsegmentation deployment follow a predictable arc: visibility in week one, broad simulation by day 30, partial enforcement by day 60, and mature enforcement, 75 percent coverage or better, by roughly week 12.

Days 0 to 7. Prerequisites do most of the gating: firmware, licensing, time sync, service-account rights, firewall paths. Once those clear, enforcement points come online in small, often evening, windows; visibility appears within days and identity connectors start classifying assets.

Days 7 to 30. Everything runs in simulation against live traffic. Teams review flagged flows daily and widen analytics to a month to catch scheduled jobs like backups. The observation window is criticality math: a day or two for low-risk pairs, six weeks or more for life-safety systems.

Days 30 to 90. Enforcement arrives in waves. Each activation is a scheduled window, an hour or two, with user-acceptance checks before and after and sign-off from application, security, and network owners. I’ve watched sites take four to 11 waves to reach full enforcement. The winning pattern is boring on purpose.

Haleon secured its 24/7/365 pharmaceutical operations on Elisity with “no P1s, no outages, deploying in the environment without hurting the business,” as CISO Edmond Mack put it in the zero-downtime pharmaceutical case study. The business then asked how to move faster. That’s not a promise of zero risk; it’s what a procedural mitigation looks like when it holds.

Microsegmentation deployment first 90 days: learning mode, simulation against live traffic, then enforcement in waves
The per-site rhythm of the first 90 days: come online in learning mode, simulate against live traffic, then enforce in waves to 75 percent coverage or better by roughly week 12.

What goes wrong even in fast rollouts?

Fast rollouts still break. They break in the same handful of places, and none of them are a reason to slow down, only to keep the discipline that makes speed safe.

  • Over-scoped first policies. Too much granularity up front slows the whole site. Start coarse and refine once traffic confirms reality.
  • Skipping validation with the floor. A device class that never appeared in your observation window, thin-client carts, say, surfaces the day after enforcement. The engineer who runs the floor knows before your data does.
  • Under-communicating enforcement dates. A site that hears about its change window a week out will find a reason to slip it. Enforcement is also change-managed in both directions; reverting deserves the same window and rollback plan as activating.
  • Assuming site two is identical to site one. Local overrides exist for a reason, like duplicate IP schemas after a merger; absorb the differences instead of fighting them.
  • Forgetting that identity sources are now production infrastructure. Once policy depends on identity, directory maintenance and connector limits carry a segmentation blast radius.

A word about “no rip and replace,” a phrase that gets oversold. Identity-based, agentless deployment means no re-IP, no new VLANs, no routing changes. You still configure telemetry on gear you already own: you touch the network, just not your packets or your topology. For an operational hospital, as Bupa’s Group CISO Paul Haywood noted, a full rip and replace “would have been too disruptive.”

Chart contrasting microsegmentation deployment: sites activated rises fast while percent of estate enforced trails behind
The board-level view of the same program. The count of activated sites climbs fast and says little about risk. The percentage of the estate actually enforced is the number that matters, and it moves at the speed of your change calendar.

Frequently Asked Questions About Multi-Site Microsegmentation Rollouts

What’s the fastest way to roll out microsegmentation across multiple sites?

Deploy every site quickly in learning mode, then run enforcement as a separate track behind it. Pick a template site, build identity-based policy from observed traffic, validate with the site team, enforce lowest-risk groups first, then clone the template across parallel site waves. St. Luke’s University Health Network covered 15 hospitals and 85,000 devices in 46 days.

How do I deploy zero trust segmentation quickly?

Start with identity, not the network. Bring sites online passively in learning mode with nothing to install on endpoints, group assets by identity from real traffic, and run every policy in simulation before enforcing. Enforce incrementally in short change windows, rollback ready. Southern Illinois Healthcare stood up its proof of concept in under an hour.

How long does it realistically take to deploy microsegmentation across multiple sites?

Realistically, one to three years to full enforcement across a large estate, even though each site can be brought online in minutes to hours. Microsegmentation deployment is fast; the enforcement tail is the long pole. At GSK, Security Architect Jeff Binkley reported over 50 locations rolled out in three to four months.

Why do microsegmentation projects take years to finish?

Because the blockers are organizational, not technical: change-control freezes, single-threaded site experts, asset-inventory surprises, network prerequisites, and treating every site as unique. Omdia’s 2025 survey of 352 cybersecurity decision makers across healthcare and manufacturing found 99% are implementing or planning microsegmentation, yet only 9% have protected more than 80% of critical systems.

Can I deploy zero trust segmentation without downtime or maintenance windows?

You can deploy and monitor without downtime, but enforcement still uses short, scheduled change windows. The mitigation is procedural, not a guarantee: simulation shows what a policy would block before it goes live, and rollback stays one action away. Haleon protected its 24/7/365 pharmaceutical operations with no P1 incidents and no outages this way.

How do I roll out microsegmentation without ripping and replacing the network?

Choose identity-based, agentless deployment: no re-IP, no new VLANs, no routing changes, nothing to install on endpoints. You still configure telemetry on gear you already own; you touch the network, just not your packets or your topology. Bupa’s Group CISO Paul Haywood put it plainly: a full rip and replace “would have been too disruptive” for an operational hospital.

Stop measuring your program by how many sites you’ve activated. Activation is the easy half. What matters is how much of what needs protecting is enforced, and that moves at the speed of your change calendar and site conversations. The teams that finish build a small, repeatable, reversible per-site playbook and run it in parallel, wave after wave, until the estate is done.

Further reading:

About the Author

Charlie Treadwell is Chief Marketing Officer at Elisity and writes from the deployment rooms, alongside the teams rolling out identity-based microsegmentation across multi-site enterprises. Connect with Charlie on LinkedIn.

No Comments Yet

Let us know what you think