What the NSA’s New Zero Trust Guidance Reveals About Microsegmentation



The National Security Agency (NSA) recently released 368 pages of updated zero trust implementation guidance, outlining how organizations should approach modern security architecture. While the document covers a wide range of practices—from identity management to device security—one theme appears repeatedly across the guidance:

Proper network segmentation is not optional.

In fact, the NSA explicitly states that organizations should “Properly segment the network at both the macro and micro levels.”

For many security leaders, this requirement exposes a persistent gap between zero trust strategy and real-world implementation. While many organizations have invested heavily in identity security, fewer have implemented the network-level controls required to contain attackers once they get inside.

And that’s exactly where microsegmentation comes in.

Why Microsegmentation Matters in a Zero Trust Model

At its core, zero trust assumes a simple reality:

  • Attackers will eventually get in.
  • Phishing succeeds.
  • Credentials are stolen.
  • Devices become compromised.
  • Vulnerabilities are exploited.

The question is not if access is gained—but what happens next.

Without segmentation, most enterprise networks remain largely flat. Once an attacker gains a foothold, they can move laterally between systems, escalate privileges, and expand their access across the environment.

This lateral movement has been central to some of the most damaging and well-known breaches in history, including those at Target and Cisco.

Microsegmentation directly addresses this risk by breaking networks into smaller, tightly controlled zones and enforcing policies that restrict communication between systems. Instead of broad network trust, each connection must be explicitly authorized.

The result is simple but powerful: compromise in one area does not automatically lead to compromise everywhere else.

Identity Alone Doesn’t Stop Lateral Movement

Many organizations equate zero trust primarily with identity-based security. Investments in identity controls are important components of a modern security program.

But identity controls alone cannot prevent lateral movement once an attacker is inside the network. An attacker operating with stolen credentials may appear legitimate to identity systems. Even compromised endpoints can sometimes pass authentication checks.

Without segmentation controls, that access may still allow communication with other systems across the network. This is exactly why the NSA guidance emphasizes isolating workflows, applications, and processes—not just users.

In other words, organizations must think beyond authentication and begin enforcing network-level containment.

The Containment Principle

One of the key goals of microsegmentation is containment.
If an attacker compromises a device or user account, segmentation policies should ensure that the breach remains limited to a small portion of the environment.
Critical systems should not automatically trust every other system on the network.

Instead, communication should be restricted based on:

  • Application requirements
  • Device trust level
  • User identity
  • Security posture

This approach dramatically reduces the blast radius of an attack.

Rather than allowing attackers to explore the entire network, segmentation forces them into isolated pockets with limited pathways forward. For organizations facing increasingly sophisticated threats, this containment model is essential.

Why Many Organizations Still Struggle with Segmentation

Despite its importance, segmentation remains one of the most difficult elements of zero trust to implement.
Traditional approaches often rely on:

  • Complex firewall rules
  • Static network architectures
  • Manual policy management
  • Legacy VLAN designs

These approaches can quickly become difficult to maintain, especially in modern environments that include cloud services, remote users, and large numbers of unmanaged devices.

As a result, segmentation projects often stall—or never move beyond high-level architecture plans. This challenge is one reason the NSA guidance stresses incremental implementation, encouraging organizations to begin segmenting key systems and gradually expand protections across the network.

Enabling Microsegmentation Through Network Access Control

One practical way organizations can begin implementing segmentation is through network access control (NAC) platforms.
Modern NAC solutions provide visibility into who and what is connecting to the network, allowing security teams to enforce policies based on identity, device type, and security posture.

This visibility makes it possible to:

  • Automatically place devices into appropriate network segments
  • Restrict communication between sensitive systems
  • Enforce least-privilege access policies across the network
  • Continuously monitor device trust and posture

In effect, NAC helps translate zero trust principles into enforceable network controls. Cloud-native NAC platforms, such as Portnox, make this process significantly easier by enabling organizations to implement segmentation policies without the complexity traditionally associated with on-premises infrastructure.
By integrating identity, device posture, and network access enforcement, these platforms allow organizations to begin building the containment capabilities emphasized in the NSA guidance.
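To make the containment principle and the NAC placement step above concrete, here is an added example that is not code from this page or from Portnox: a small Python policy engine in which a NAC-style function assigns each device to a segment from its posture and device type, a default-deny rule table decides each flow from the source segment, the destination segment and port, and the authenticated user's role, and a second function computes the blast radius an attacker could pivot through. The device names, users, roles, segments and rules are all constructed for the example.

```python
"""
Added example, not code from the page or from Portnox: a toy
microsegmentation policy engine. A flow is allowed only if an explicit
rule matches the source device's segment (assigned from posture and
device type, the NAC step), the destination segment and port, and the
authenticated user's role. Everything else is default-deny. Devices,
users and rules are constructed for the demo.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Device:
    name: str
    user: str          # identity that authenticated from this device
    posture: str       # hypothetical posture states: "compliant" / "noncompliant"
    device_type: str   # "managed-laptop", "iot", "app-server", "db-server"


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    dst_port: int
    roles: FrozenSet[str]  # roles allowed to open the flow; empty = no identity requirement


# Hypothetical identity-provider view of user roles.
ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"employee"}),
    "app-svc": frozenset({"app"}),
}

# Hypothetical policy: the only flows that exist. Anything else is dropped.
POLICY: List[Rule] = [
    Rule("corp-users", "app", 443, frozenset({"employee"})),
    Rule("app", "db", 5432, frozenset({"app"})),
    Rule("quarantine", "remediation", 443, frozenset()),
]


def assign_segment(device: Device) -> str:
    """NAC placement: posture first, then device type. Unknown types land in quarantine."""
    if device.posture != "compliant":
        return "quarantine"
    return {
        "managed-laptop": "corp-users",
        "iot": "iot",
        "app-server": "app",
        "db-server": "db",
    }.get(device.device_type, "quarantine")


def is_allowed(src: Device, dst_segment: str, dst_port: int) -> bool:
    """Default deny: a flow passes only when a rule matches segment, port and role."""
    src_segment = assign_segment(src)
    user_roles = ROLES.get(src.user, frozenset())
    for rule in POLICY:
        if (rule.src_segment, rule.dst_segment, rule.dst_port) != (src_segment, dst_segment, dst_port):
            continue
        if not rule.roles or rule.roles & user_roles:
            return True
    return False


def blast_radius(start_segment: str, roles: Optional[FrozenSet[str]] = None) -> Set[str]:
    """Segments reachable by pivoting from start_segment along allowed rules.

    roles=None is the worst case: the attacker is assumed to obtain whatever
    identity each segment they land in needs, so only the network policy limits them.
    """
    seen = {start_segment}
    queue = deque([start_segment])
    while queue:
        seg = queue.popleft()
        for rule in POLICY:
            usable = roles is None or not rule.roles or bool(rule.roles & roles)
            if rule.src_segment == seg and usable and rule.dst_segment not in seen:
                seen.add(rule.dst_segment)
                queue.append(rule.dst_segment)
    return seen


if __name__ == "__main__":
    # Attacker on a compliant laptop using alice's stolen credentials:
    # identity checks pass, but the segment policy still confines the laptop.
    stolen = Device("ws-01", "alice", "compliant", "managed-laptop")
    print("ws-01 -> app:443 ", is_allowed(stolen, "app", 443))      # True
    print("ws-01 -> db:5432", is_allowed(stolen, "db", 5432))       # False
    print("ws-01 -> iot:23 ", is_allowed(stolen, "iot", 23))        # False

    # Same user on a device that fails posture: quarantined, only remediation reachable.
    failing = Device("ws-02", "alice", "noncompliant", "managed-laptop")
    print("ws-02 -> app:443 ", is_allowed(failing, "app", 443))     # False
    print("ws-02 -> remediation:443", is_allowed(failing, "remediation", 443))  # True

    print("blast radius from corp-users (alice):", blast_radius("corp-users", ROLES["alice"]))
    print("blast radius from corp-users (worst case):", blast_radius("corp-users"))
    print("blast radius from iot:", blast_radius("iot"))
```

The case worth studying is ws-01: the stolen credential authenticates successfully, yet the database stays unreachable because no rule joins corp-users to db. The blast radius function makes the NSA's point visible: with roles ignored (worst case) the attacker can chain corp-users, app and db, so the app-to-db rule is the next one to tighten, for example by restricting it to specific application hosts; an any-to-any rule set would return every segment, which is what a flat network looks like to this function.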

Zero Trust Is an Operating Model

The NSA guidance reinforces an important point that security leaders increasingly recognize:

Zero trust is not a product. It is an operating model that requires coordinated controls across identity, devices, networks, applications, and data.

Microsegmentation plays a critical role in that model by ensuring that authentication alone does not determine access across the entire environment. Instead, access becomes contextual, limited, and continuously evaluated.

For organizations working to operationalize zero trust, the takeaway from the NSA’s latest guidance is clear:
Identity is only the beginning.
True resilience comes from combining strong authentication with network-level containment—ensuring that when attackers inevitably gain access, they cannot move freely across the environment. And that containment starts with segmentation.

