Table of Contents

What is Network Segmentation?

Network segmentation is a design and security practice that divides a computer network into smaller, isolated subnetworks called segments. Each segment is dedicated to a particular group of users, devices, or functions, and traffic between segments is controlled by policy. Segmentation improves security by containing threats within a segment, improves performance by separating traffic, and simplifies management by narrowing the scope of any problem.

Why segment a network?

A flat network, one in which every device can reach every other device, is simple but dangerous. If any single device is compromised, an attacker can move freely across the whole network, a technique called lateral movement. A flat network is also inefficient, because all traffic shares the same space, and hard to troubleshoot, because a problem anywhere can affect everything.

Segmentation addresses all three. By dividing the network and controlling traffic between the pieces, a breach in one segment is contained and cannot spread. Critical systems are isolated from general traffic. And when a problem occurs, IT can focus on the affected segment rather than the entire network.

Physical vs. virtual segmentation

There are two broad approaches.

Physical segmentation separates networks using distinct hardware, different switches, cabling, and sometimes internet connections for different groups. It is highly secure because the separation is physical, but it is expensive and inflexible: adding or changing a segment can mean adding or rewiring hardware.

Virtual segmentation achieves the same logical separation on shared hardware, most commonly using VLANs (Virtual Local Area Networks). A VLAN makes a single physical switch behave as several isolated networks, each with its own policies. Virtual segmentation is far more cost-effective and flexible than physical, which is why it dominates modern networks, though it grows more complex to manage as the number of segments increases.

What is microsegmentation?

Microsegmentation is a more granular extension of the idea. Where traditional segmentation divides a network into relatively large zones (for example, one segment for staff and another for guests), microsegmentation isolates individual workloads or applications from each other, often down to the level of a single server or service.

The distinction is often described in terms of traffic direction. Traditional segmentation mainly controls "north-south" traffic, moving between the network and the outside world, while microsegmentation controls "east-west" traffic, moving laterally between systems inside the network. Microsegmentation gives much tighter control and is central to securing data centres and sensitive applications, at the cost of greater complexity.

Common use cases

Segmentation is applied wherever different groups need different levels of access. Guest access is isolated so visitors get internet connectivity but cannot reach internal systems. BYOD and IoT devices, which are often insecure, are placed on restricted segments to limit the damage if they are compromised. Different user groups, for example separating one department from another, are kept apart so that access to sensitive systems is controlled. And regulated data, financial records, personal information, is confined to tightly controlled segments to simplify compliance and audits.

How segmentation supports Zero Trust

Zero Trust security operates on the principle of least privilege: no user or device is trusted by default, and each is granted only the access it needs. Segmentation is a foundational enabler of this. By dividing the network and restricting each user and device to only the segment their identity permits, segmentation enforces least privilege at the network level and prevents a compromised account or device from reaching anything beyond its assigned zone.