Zero Trust architecture: identity-aware microsegmentation
The firewall's job used to be keeping outsiders out. In Zero Trust it brokers every session, even between two servers in the same rack.
Why a new trust model
A traditional perimeter design assumes one thing: hosts inside the network are trustworthy and hosts outside are not. Once an attacker phishes a laptop or exploits an exposed service, that assumption becomes a liability. From a single foothold the attacker moves laterally, reaching file shares, databases, and admin consoles that never re-check who is asking, because they all sit inside the trusted zone.
Zero Trust removes the implicit trust that used to come from network location. Its guiding rule is 'never trust, always verify': no request is granted because of where it originates. Instead, every request is authenticated, authorized, and evaluated against policy at the moment it is made. Trust is never permanent; it is granted per session and then revoked when the session ends.
Perimeter trust and lateral movement
Trace
The traditional model checks traffic only at the boundary. Once an attacker phishes one laptop, that host inherits the implicit trust of the flat internal zone, so every internal service answers it without re-checking identity. From a single foothold the attacker reaches file shares, databases, and admin consoles that never ask who is calling, then pivots to the directory for domain takeover.
Control plane and data plane
Zero Trust splits the architecture into two planes. The data plane is where traffic actually flows and is enforced by a Policy Enforcement Point (PEP), an inline component that terminates every connection and holds no standing permissions of its own. The control plane makes the decisions. It is built from a Policy Engine, which weighs the verified identity, device posture, and context (time of day, risk score) to produce a grant-or-deny decision, and a Policy Administrator, which carries that decision out by telling the PEP to open or keep closed a single session. Together the Policy Engine and Policy Administrator are the Policy Decision Point.
The sequence is always the same. The subject (a user plus their device) sends a request. The PEP does not answer on its own; it asks the control plane. The Policy Engine evaluates identity and context, the Policy Administrator issues or withholds a per-session grant, and only then does the PEP open a path, to exactly one resource, for exactly that session.
Control plane and data plane: brokering one session
Trace
Zero Trust splits enforcement (data plane) from decision (control plane). The PEP terminates the connection and holds no standing permissions, so it defers to the Policy Decision Point. The Policy Engine weighs verified identity, device posture, and context drawn from external trust sources, then the Policy Administrator issues or withholds a per-session grant. Only on a grant does the PEP open a path, to exactly one workload, for exactly that session.
Identity-aware microsegmentation
Segmentation is the practice of dividing a network so that a breach in one part cannot spread freely to the rest. Classic segmentation draws the boundaries with subnets and VLANs: everything in a subnet can talk to everything else in it, and firewalls filter only at the edges between subnets. Microsegmentation shrinks the boundary all the way down to the individual workload, so each application or server becomes its own trust zone.
What makes it identity-aware is that the allow decision is driven by the verified identity and posture of the subject, not by its IP address or subnet. Two servers can share a physical LAN and still be unable to reach each other, because neither one has a policy grant to the other. In the reference design an authenticated HR user is granted a session to the HR application only; any attempt to reach the finance application or the shared database is denied, even though those hosts are network-adjacent. This is least privilege made concrete: the subject gets access to exactly what policy allows and nothing more.
Identity-aware microsegmentation on one physical LAN
Trace
Every workload is its own trust zone, even though all four share one physical LAN. The distributed PEP brokers every hop and the allow decision follows verified identity, not subnet. An HR user reaches only the HR app; a Finance user reaches only Finance; apps reach the shared database only through their own grants; a contractor on an unmanaged device fails posture and is denied everywhere. Two segments cannot reach each other without a policy grant.
What this buys you, and what it demands
The payoff is threat scope reduction, sometimes called shrinking the blast radius. Because every hop is brokered and evaluated, a compromised host cannot pivot to neighbors it has no grant to reach, and lateral movement, the technique attackers rely on after an initial foothold, largely stops working. Access is adaptive: if a device falls out of compliance or a session looks risky, the next request is simply denied.
The cost is that the control plane becomes critical infrastructure. The Policy Engine and Policy Administrator must be highly available, because if they cannot make decisions, no new sessions can open. Policy must be authored and maintained carefully, and the PEP has to sit inline on the paths that matter. Zero Trust is not a single product you buy; it is an architecture you assemble from identity, policy, and enforcement working together.
Blast-radius reduction and the critical control plane
Trace
What the design buys you: because every hop is brokered, a compromised host is contained to its own segment. Its attempts to pivot to network-adjacent neighbors are denied for want of a grant, and every decision is logged for detection. What it demands: the control plane is now critical infrastructure. The Policy Engine and Administrator must be highly available across zones, because if they cannot decide, no new session can open.