Microsegmentation vs Network Segmentation: What Actually Separates Them

The two are complementary, not competing. This guide compares them across the seven dimensions that matter most, shows when to use each, and lays out a practical migration path. For the broader topic, our complete microsegmentation guide covers implementation, types, and best practices in depth.

Quick answer: Network segmentation divides a network into broad zones using VLANs, subnets, and firewalls. Microsegmentation takes that concept further by applying identity-based, least-privilege policies to individual workloads, devices, and users, regardless of where they sit on the network. The result: network segmentation governs zone-to-zone traffic, while microsegmentation governs every east-west connection inside those zones.

The Segmentation Gap

Organizations struggle to understand the difference between network segmentation and microsegmentation, often treating them as interchangeable. This confusion leads to security gaps where east-west traffic flows unchecked between workloads on the same VLAN or subnet. Traditional network segmentation creates broad zones but cannot enforce granular policies at the workload level, and attackers know it. The lateral movement attack chain, in which an intruder lands on one device and pivots quietly toward higher-value systems, runs almost entirely inside those trusted zones. Our guide to understanding and preventing lateral movement covers that attack chain step by step.

Nearly 1 in 2 security leaders experienced a lateral movement attack in the past year, the kind of east-west traffic that zone-level segmentation does not see.

Omdia 2026 Microsegmentation Survey of 352 cybersecurity decision makers

The Numbers Behind the Segmentation Gap

Network segmentation alone cannot stop lateral movement. Microsegmentation enforces granular, identity-based policies at the workload level to close the gaps traditional approaches leave open. The data behind that statement:

1 in 2 security leaders, nearly half of the 352 surveyed, experienced a lateral movement attack in the past year (Omdia 2026 Microsegmentation Survey)
$4.88M average cost of a data breach (IBM Cost of a Data Breach Report 2024)
60% of enterprises working toward Zero Trust will use more than one form of microsegmentation by 2026, up from less than 5% in 2023 (Gartner Market Guide for Microsegmentation)
44% of breaches involved ransomware, which inherits the blast radius of whatever zone it lands in (Verizon 2025 Data Breach Investigations Report)

Network Segmentation: The Foundation That Is Showing Its Age

Definition: network segmentation is the practice of dividing a network into smaller zones, typically with VLANs, subnets, firewall zones, and access control lists (ACLs), so that traffic between zones must cross an enforcement point where policy can be applied.

Network segmentation has been a core security practice for decades. The concept is straightforward: divide a flat network into smaller zones so that a compromise in one zone does not automatically grant access to everything else. It is the digital equivalent of putting walls and doors in an open-floor building.

The model works at the perimeter of each zone. A firewall or routed boundary inspects north-south traffic as it crosses from one zone to another, and frameworks from PCI DSS to NERC CIP to IEC 62443 (with its zones-and-conduits model for industrial networks) have institutionalized the approach. Done well, it limits broad exposure and satisfies network segmentation compliance requirements across regulated industries.

Its weakness is what happens inside each zone. Every device in a segment shares the same trust level, so a single compromised workstation, server, or IoT sensor can reach everything else in its zone without ever touching an enforcement point. Re-segmenting to shrink those zones means re-addressing, re-cabling, firewall rule sprawl, and maintenance windows, which is why most segmentation projects stop at a handful of coarse zones. Our analysis of network segmentation and east-west attacks looks at this gap in detail.

Microsegmentation: Granular Control at the Workload Level

Definition: microsegmentation is the practice of enforcing least-privilege security policy at the level of the individual workload, device, or user, creating a micro-perimeter around each asset rather than around groups of assets.

Microsegmentation extends the concept of segmentation down to the individual workload, device, or user. Instead of creating broad zones and trusting everything within them, microsegmentation creates a security perimeter around each asset and enforces policies based on identity, context, and behavior. For the full definition, architecture, and benefits, see our guide to what microsegmentation is and how it works.

NIST Special Publication 800-207, the federal Zero Trust Architecture standard, names microsegmentation as one of its three core deployment approaches, alongside enhanced identity governance and software-defined perimeters. The CISA Zero Trust Maturity Model takes the same position: its network pillar progresses from macro-segmentation at the traditional stage to micro-perimeters at the optimal stage. In other words, the standards bodies treat microsegmentation as the destination that zone-based segmentation matures toward, not as a rival technology.

How a platform reaches that destination varies widely. Some approaches install host agents, some embed in hypervisors or service meshes, and some enforce identity-based policy through the network access layer you already operate, agentless and with no new hardware. Our comparison of the five types of microsegmentation breaks down each approach.

Key Differences Between Microsegmentation and Network Segmentation

These are the dimensions that matter most when you are evaluating the two approaches for your own environment.

Master comparison: 7 key differences

| Dimension | Network segmentation | Microsegmentation |
|---|---|---|
| 1. Granularity | Coarse: zones and subnets containing hundreds to thousands of devices | Fine: each workload, device, or user carries its own security context |
| 2. Enforcement point | Zone boundaries: firewalls, routed VLAN borders, ACLs | As close to the asset as possible: access layer, host, hypervisor, or service mesh |
| 3. Identity-awareness | None: policy keys on IP address, port, and subnet | Core attribute: policy keys on user, device, and workload identity plus context |
| 4. East-west coverage | Partial: stops zone crossing, blind to traffic inside a zone | Full: governs every workload-to-workload connection, including within a zone |
| 5. Hardware dependency | High: firewall appliances and VLAN re-architecture are usually required | Low to none: identity-based approaches run on the infrastructure you already operate, no new hardware |
| 6. Deployment time | Weeks to months per zone change, with maintenance windows | Weeks for identity-based, agentless approaches; months to years for agent-based |
| 7. Trust model | Implicit trust inside each zone | Least privilege per asset, aligned with NIST SP 800-207 Zero Trust principles |

Network segmentation operates at the zone or subnet level. You create segments that contain dozens, hundreds, or thousands of devices, and everything within a segment shares the same trust level. Microsegmentation operates at the individual asset level. Each device, workload, or user has its own security context and policy set, so two devices on the same access-layer port can have completely different permissions based on their identity.

Why Network Segmentation Alone Is No Longer Sufficient

I have talked to CISOs at healthcare systems, manufacturing companies, and financial institutions who all describe the same pattern: they invested heavily in network segmentation years ago, and it served them well as a compliance checkbox. But when they look at their actual exposure to lateral movement, they realize that segmentation alone is not containing the threats they care about.

A hospital campus illustrates the problem: thousands of clinical, IoT, and IoMT devices share zones that traditional segmentation treats as uniformly trusted.

The numbers explain why. The IBM Cost of a Data Breach Report 2024 measured an average of 194 days to identify a breach and another 64 days to contain it, a 258-day lifecycle that gives intruders months to move east to west inside trusted zones. The Verizon 2025 Data Breach Investigations Report found that stolen credentials were involved in 32 percent of breaches, exactly the access that zone-level controls implicitly trust, and that ransomware was present in 44 percent of breaches. A ransomware operator who lands inside a flat zone inherits the blast radius of that entire zone, which is why blocking lateral movement with microsegmentation has become the control boards ask about by name.

The device population makes the gap wider every year. Unmanaged IoT devices, OT assets on industrial networks organized around the Purdue Model, and connected medical devices (IoMT) cannot take an endpoint agent and rarely fit cleanly into a VLAN plan. IoT segmentation at zone granularity leaves every one of those devices trusted by its neighbors.

There is an upside hiding in the same research: IBM’s Cost of a Data Breach Report 2024 found that organizations with mature Zero Trust deployments saved an average of $1.76 million per breach. Gartner, in its Market Guide for Microsegmentation, projects that by 2026, 60 percent of enterprises working toward a Zero Trust architecture will use more than one form of microsegmentation, up from less than 5 percent in 2023. The economics now favor finishing the job that segmentation started.

When to Use Network Segmentation vs Microsegmentation

This is not an either-or decision. In my experience, the most effective security architectures layer both approaches for defense in depth: network segmentation provides the macro boundaries and microsegmentation enforces granular policies within those boundaries. Network segmentation is your walls and doors. Microsegmentation is the access badge system that determines who can open which door and when.

When to use each approach

| Scenario | Network segmentation | Microsegmentation | Layer both? |
|---|---|---|---|
| Compliance-driven isolation (PCI DSS cardholder data environment) | Primary | Supplementary | Recommended |
| Flat or lightly zoned network with a heavy IoT and OT device mix | Limited | Primary | Ideal |
| Ransomware blast-radius reduction | Limited | Primary | Ideal |
| Legacy on-premises data center with stable workloads | Primary | Add as risk requires | Best practice |
| Cloud-native and containerized workloads | Insufficient | Primary | Required |
| Healthcare environments with IoMT devices and HIPAA obligations | Partial | Primary | Required |
| Zero Trust program aligned to NIST SP 800-207 | Starting point | Primary | Required |

If you need a decision rule, use these five criteria in order:

  1. Regulatory floor: if a framework explicitly requires zone isolation (PCI DSS, NERC CIP), keep network segmentation as the documented boundary control.
  2. East-west exposure: if a single compromised asset could reach systems it never needs to talk to, you need microsegmentation; zone controls will not see that traffic.
  3. Device agent feasibility: if a meaningful share of your assets (IoT, OT, IoMT, legacy servers) cannot run an agent, choose an agentless, identity-based approach.
  4. Rate of change: if devices and workloads appear, move, and change addresses constantly, IP-based and VLAN-based policy will decay; identity-based policy will not.
  5. Time to value: if the goal is measurable lateral movement reduction this quarter, favor an approach that deploys in weeks on the infrastructure you already run, with no new hardware.

Migration Path: From Network Segmentation to Microsegmentation

You do not rip out network segmentation to adopt microsegmentation. You keep the macro zones you have, then add identity-based enforcement inside them in phases. A proven sequence, drawn from our step-by-step microsegmentation implementation guide:

  1. Discover and classify. Build a live inventory of every user, workload, and device, including unmanaged IoT, OT, and IoMT assets, and enrich it with identity attributes.
  2. Map flows and dependencies. Observe east-west traffic to learn what each asset actually needs to talk to before any policy is written.
  3. Simulate policy. Author least-privilege, identity-based policies and run them in monitor-only mode to verify nothing breaks.
  4. Enforce in waves. Activate enforcement for the highest-risk asset classes first (crown-jewel applications, IoMT, OT), then expand site by site.
  5. Operationalize. Feed policy decisions from your identity providers and CMDB so segmentation keeps pace as the environment changes.

Migration at a glance

| Phase | What happens | Typical duration (identity-based, agentless) | Success measure |
|---|---|---|---|
| 1. Discovery | Asset inventory and identity enrichment across every data plane | Days | Percentage of assets identified and classified |
| 2. Flow mapping | East-west traffic baselining and dependency mapping | 1 to 2 weeks | Dependency map coverage of critical applications |
| 3. Policy simulation | Least-privilege policies tested in monitor-only mode | 1 to 2 weeks | Zero would-be-blocked legitimate flows |
| 4. Enforcement waves | Enforcement activated for priority asset classes, then expanded | Weeks | Reduction in reachable attack surface per wave |
| 5. Operations | Policy automation tied to identity providers and CMDB | Ongoing | Policy drift and exception count over time |

Implementation Approaches Compared

Deployment model is where segmentation projects succeed or stall. Three architectures dominate, and they behave very differently in production:

Implementation comparison

| Criterion | Traditional network segmentation | Agent-based microsegmentation | Identity-based, agentless microsegmentation |
|---|---|---|---|
| Deployment time | Weeks to months | Months to years | Weeks |
| Agent required | No | Yes, on every covered workload | No |
| New hardware required | Often (firewall appliances, re-cabling) | No | No |
| Policy basis | IP address, port, subnet, VLAN | Per-workload flow rules | User, device, and workload identity, auto-discovered |
| Unmanaged IoT, OT, and IoMT coverage | Coarse zones only | Poor: agents cannot be installed | Strong: enforcement does not depend on the endpoint |
| Dynamic environment support | Poor: policy decays as addresses change | Moderate | Strong: identity follows the asset across any data plane |

The categories run broader than these three, and the labels matter when you read analyst coverage. The vendor-neutral way to slice it:

Segmentation approaches by category (vendor-neutral)

| Approach | How it enforces | Agentless | Identity-driven | Typical fit |
|---|---|---|---|---|
| VLAN and firewall segmentation | Zone boundaries on managed network hardware | Not applicable | No | Compliance boundaries, macro zones |
| Host-based microsegmentation | Endpoint agents controlling the host firewall or eBPF layer | No | Partial | Server estates and cloud workloads that can run agents |
| Hypervisor and SDN segmentation | Virtual networking layer (SDN overlays, VXLAN) | Partial | Partial | Virtualized data centers |
| Service mesh and cloud-native controls | Sidecars, security groups, CWPP integrations | Partial | Partial | Kubernetes and cloud-native applications |
| Identity-based, agentless microsegmentation | Policy enforced through the access infrastructure you already run, across any data plane | Yes | Yes | Campus, healthcare, and industrial environments with mixed managed and unmanaged devices |

What Compliance Frameworks Expect from Segmentation

Auditors increasingly distinguish between having segments and being able to prove least-privilege control. The major frameworks map cleanly onto the two approaches, which is why microsegmentation for compliance has become a primary adoption driver. The PCI Security Standards Council made PCI DSS v4.0 requirements mandatory on March 31, 2025, and healthcare teams tracking the proposed HIPAA Security Rule update face a 240-day implementation window for controls that include network segmentation once the rule is finalized.

Compliance framework applicability

| Framework | What network segmentation satisfies | What microsegmentation adds |
|---|---|---|
| PCI DSS v4.0 (Requirement 1.3) | Cardholder data environment perimeter isolation; traffic restricted to that which is necessary | Workload-level isolation inside the CDE and evidence of least-privilege flows |
| HIPAA Security Rule (45 CFR §164.312) | Network-level technical access controls | Device-level governance of ePHI access, including IoMT |
| NIST SP 800-207 (Zero Trust Architecture) | Network boundary controls as a starting posture | Named deployment approach: identity-based, per-asset access policy |
| CMMC Level 2 (NIST SP 800-171, 110 requirements) | CUI network isolation | Asset-level least-privilege enforcement and auditable policy |
| NERC CIP (electric sector OT) | IT and OT zone separation, electronic security perimeters | Per-device control inside OT zones |
| IEC 62443 (industrial automation) | Zones-and-conduits architecture | Granular conduit policy keyed to asset identity rather than address |

The Role of Identity in Modern Microsegmentation

Identity is what I have found separates effective microsegmentation deployments from ones that stall out.

First-generation microsegmentation required you to understand every network flow, manually map application dependencies, and write rules based on IP addresses and port numbers. That approach worked in small, static environments. It collapsed under the weight of real enterprise networks where devices change IP addresses, applications get containerized, and new IoT devices show up daily.

Identity-based microsegmentation inverts the model. Policy attaches to who and what an asset is (its verified user, device, and workload identity) rather than where it happens to sit, so the policy survives address changes, moves between sites, and works across any data plane. It is the same shift that Zero Trust Network Access (ZTNA) brought to remote access and that SASE brought to the network edge, now applied to east-west traffic inside the campus, the data center, and the industrial floor. That is why Zero Trust microsegmentation programs treat identity as the control plane, not an attribute bolted on afterward.

Identity also changes the operational math. When policies are generated from observed behavior and identity context instead of hand-written per-address rules, the rule base stops growing with every DHCP lease, and security teams spend their time approving policy rather than reverse-engineering traffic captures.
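The monitor-only simulation step of the migration path above and the identity-versus-address argument in this section, as an added Python example (not Elisity's code or product logic): a least-privilege policy keyed to device class from a constructed inventory is evaluated against constructed east-west flows without blocking anything, reporting the flows enforcement would block, and is then re-evaluated after one device takes a new DHCP lease, where the equivalent address-keyed ACL line silently stops matching. The device classes, addresses and POLICY table are assumptions for illustration only.

```python
from collections import Counter, namedtuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    asset_id: str      # identity key from the inventory / CMDB (assumed)
    device_class: str  # e.g. "infusion-pump", "ehr-server", "workstation"
    ip: str            # current address; may change at any time (DHCP, move)

Flow = namedtuple("Flow", "src_ip dst_ip proto dst_port")

# Least-privilege policy keyed to identity: (src class, dst class) -> allowed services.
# Pairs not listed (pump->pump, workstation->pump, ...) are denied, same VLAN or not.
POLICY = {
    ("infusion-pump", "ehr-server"): {("tcp", 443)},
    ("workstation", "ehr-server"): {("tcp", 443)},
    ("workstation", "printer"): {("tcp", 9100)},
}
# Address-keyed rule for contrast, the equivalent of one firewall ACL line.
IP_ACL = {("10.20.5.11", "10.30.1.5", "tcp", 443)}

# Constructed inventory: one ICU access segment plus a data-center server.
INVENTORY = [
    Asset("pump-01", "infusion-pump", "10.20.5.11"),
    Asset("pump-02", "infusion-pump", "10.20.5.12"),
    Asset("ws-17", "workstation", "10.20.5.40"),
    Asset("prn-3", "printer", "10.20.5.90"),
    Asset("ehr-1", "ehr-server", "10.30.1.5"),
]

# Constructed east-west flows, as a flow collector would report them.
OBSERVED = [
    Flow("10.20.5.11", "10.30.1.5", "tcp", 443),    # pump -> EHR: needed
    Flow("10.20.5.40", "10.30.1.5", "tcp", 443),    # workstation -> EHR: needed
    Flow("10.20.5.40", "10.20.5.90", "tcp", 9100),  # workstation -> printer: needed
    Flow("10.20.5.11", "10.20.5.12", "tcp", 22),    # pump -> pump: same VLAN, not needed
    Flow("10.20.5.40", "10.20.5.12", "tcp", 445),   # workstation -> pump: not needed
]

def resolve(inventory, ip):
    """Map an observed address to the asset identity holding it right now."""
    return next((a for a in inventory if a.ip == ip), None)

def decide(inventory, flow):
    """Identity-based verdict ('allow'|'deny', reason); unknown assets are denied."""
    src, dst = resolve(inventory, flow.src_ip), resolve(inventory, flow.dst_ip)
    if src is None or dst is None:
        return "deny", "unknown asset (no implicit trust)"
    svc = f"{src.device_class}->{dst.device_class} {flow.proto}/{flow.dst_port}"
    if (flow.proto, flow.dst_port) in POLICY.get((src.device_class, dst.device_class), set()):
        return "allow", svc
    return "deny", "no policy for " + svc

def ip_acl_allows(acl, flow):
    return (flow.src_ip, flow.dst_ip, flow.proto, flow.dst_port) in acl

def simulate(inventory, flows):
    """Monitor-only pass: block nothing, report what enforcement would do."""
    verdicts = [(f, *decide(inventory, f)) for f in flows]
    counts = Counter(v for _, v, _ in verdicts)
    return counts, [(f, why) for f, v, why in verdicts if v == "deny"]

def relearn_ip(inventory, asset_id, new_ip):
    """Inventory update after a DHCP change or move: same identity, new address."""
    return [Asset(a.asset_id, a.device_class, new_ip) if a.asset_id == asset_id else a
            for a in inventory]

if __name__ == "__main__":
    counts, would_block = simulate(INVENTORY, OBSERVED)
    print(dict(counts), [f"{f.src_ip}->{f.dst_ip}:{f.dst_port} {why}" for f, why in would_block])
    after = Flow("10.20.5.77", "10.30.1.5", "tcp", 443)  # pump-01 after a new DHCP lease
    print(decide(relearn_ip(INVENTORY, "pump-01", "10.20.5.77"), after)[0], ip_acl_allows(IP_ACL, after))
```

The two would-be-blocked flows are both same-VLAN connections that zone-level controls never see; once the inventory relearns pump-01's new address the identity policy still allows its EHR traffic, while the ACL line keyed to the old address does not.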

Elisity Microsegmentation: Accelerate Zero Trust Security in Weeks, Not Years

Everything above is architecture, and it holds true regardless of vendor. Where Elisity enters the picture is the last column of the implementation table: identity-based, agentless microsegmentation that enforces least-privilege policy through the access infrastructure you already run, across any data plane, with no new hardware and no endpoint agents. That architecture is what makes the weeks-not-years deployment timeline real for environments full of unmanaged IoT, OT, and IoMT devices.

According to the Elisity-commissioned Omdia survey of 352 cybersecurity decision makers, 99 percent of organizations are implementing or planning microsegmentation, yet over 90 percent have protected fewer than 80 percent of their critical systems. The gap is execution, not intent, and an agentless, identity-based approach is designed to close it without network redesign.

Removing that gap is an architectural matter: enforcement runs through the access infrastructure already in place, so initial policy can reach production in weeks rather than the months or years agent rollouts typically demand. Elisity was named a Strong Performer in The Forrester Wave: Microsegmentation Solutions, Q3 2024 and a Cool Vendor in Gartner Cool Vendors in Cyber-Physical Systems Security 2025, and the same architecture is at work in leading healthcare security programs and emerging use cases such as microsegmentation for agentic AI threats.

For the full architecture, download the Elisity identity-based microsegmentation solution brief.

Microsegmentation vs Network Segmentation FAQ

Get answers to the most common questions about how microsegmentation and network segmentation differ, when to use each, and how they work together.

What is the difference between microsegmentation and network segmentation?

Network segmentation divides a network into broad zones using VLANs, subnets, and firewalls to control north-south traffic between zones. Microsegmentation goes further by creating granular, identity-based policies that control east-west traffic between individual workloads, devices, and users within the same network zone. Network segmentation is coarse-grained and topology-dependent. Microsegmentation is fine-grained and identity-driven.

Can microsegmentation and network segmentation work together?

Yes. Network segmentation and microsegmentation are complementary, not competing approaches. Network segmentation provides the broad perimeter zones and north-south traffic controls, while microsegmentation layers granular east-west controls within those zones. Most mature security architectures use both: network segmentation as the macro boundary and microsegmentation as the workload-level enforcement layer.

Is microsegmentation better than VLANs?

Microsegmentation addresses the core limitations of VLANs. VLANs create network boundaries but trust everything within each VLAN, leaving organizations vulnerable to lateral movement. Microsegmentation enforces identity-based policies at the individual asset level, so even devices on the same VLAN are governed by least-privilege access rules. VLANs still serve a purpose for broad traffic separation, but they are insufficient as a standalone security control against modern threats.

How does microsegmentation support Zero Trust?

Microsegmentation is a foundational component of Zero Trust architecture, and NIST SP 800-207 names it as a core deployment approach. Zero Trust requires that no user, device, or workload is trusted by default, and every access request must be verified. Microsegmentation enforces this principle at the network layer by applying identity-based, least-privilege policies to every connection, regardless of network location. Without microsegmentation, Zero Trust strategies lack the granular enforcement needed to prevent lateral movement.

What are the challenges of implementing microsegmentation?

Traditional microsegmentation approaches required installing agents on every endpoint, manually mapping application dependencies, and writing thousands of firewall rules. These challenges made deployment slow and operationally complex. Modern identity-based microsegmentation platforms solve these problems by using existing network infrastructure, automating asset discovery, and generating policies based on device and user identity rather than IP addresses, reducing deployment timelines from years to weeks.

Does microsegmentation replace firewalls?

Microsegmentation does not replace firewalls. Firewalls remain essential for perimeter security and north-south traffic inspection. Microsegmentation complements firewalls by extending security controls to east-west traffic inside the network, where firewalls have limited visibility. Together, they create a layered defense: firewalls protect the perimeter, and microsegmentation contains threats that breach the perimeter.

How long does it take to deploy microsegmentation?

Deployment time depends on the approach. Re-architecting VLANs and firewall zones typically takes months and requires maintenance windows. Agent-based microsegmentation commonly runs months to years because software must be installed and tuned on every workload. Identity-based, agentless microsegmentation enforces policy through the infrastructure you already run, so organizations typically reach initial enforcement in weeks, with no new hardware. Our implementation guide walks through each phase.
