cerf
Vendor-neutral design pattern

Vendor-neutral design pattern

Zero Trust architecture: identity-aware microsegmentation

The firewall's job used to be keeping outsiders out. In Zero Trust it brokers every session, even between two servers in the same rack.

Why a new trust model

A traditional perimeter design assumes one thing: hosts inside the network are trustworthy and hosts outside are not. Once an attacker phishes a laptop or exploits an exposed service, that assumption becomes a liability. From a single foothold the attacker moves laterally, reaching file shares, databases, and admin consoles that never re-check who is asking, because they all sit inside the trusted zone.

Zero Trust removes the implicit trust that used to come from network location. Its guiding rule is 'never trust, always verify': no request is granted because of where it originates. Instead, every request is authenticated, authorized, and evaluated against policy at the moment it is made. Trust is never permanent; it is granted per session and then revoked when the session ends.

Perimeter trust and lateral movement
Perimeter trust and lateral movementUntrustedCorporate LAN: one flat trust zone inside = trustedphishing campaigninbound email1. foothold established2. reach file share3. reach database4. reach internal app5. pivot to admin6. domain takeoverAttackerexternal threatInternetuntrusted networkPerimeterfirewallnorth-south onlyEmployee laptopinitial footholdFile sharetrusted zoneDatabasetrusted zoneInternal apptrusted zoneAdmin consoletrusted zoneDirectory /domain…trusted zone
Trace
The traditional model checks traffic only at the boundary. Once an attacker phishes one laptop, that host inherits the implicit trust of the flat internal zone, so every internal service answers it without re-checking identity. From a single foothold the attacker reaches file shares, databases, and admin consoles that never ask who is calling, then pivots to the directory for domain takeover.

Control plane and data plane

Zero Trust splits the architecture into two planes. The data plane is where traffic actually flows and is enforced by a Policy Enforcement Point (PEP), an inline component that terminates every connection and holds no standing permissions of its own. The control plane makes the decisions. It is built from a Policy Engine, which weighs the verified identity, device posture, and context (time of day, risk score) to produce a grant-or-deny decision, and a Policy Administrator, which carries that decision out by telling the PEP to open or keep closed a single session. Together the Policy Engine and Policy Administrator are the Policy Decision Point.

The sequence is always the same. The subject (a user plus their device) sends a request. The PEP does not answer on its own; it asks the control plane. The Policy Engine evaluates identity and context, the Policy Administrator issues or withholds a per-session grant, and only then does the PEP open a path, to exactly one resource, for exactly that session.

Control plane and data plane: brokering one session
Control plane and data plane: brokering one sessionUntrustedControl plane: Policy Decision Point highly availableData planeTrust sources the Policy Engine consults1. request + identity2. authorize?3. evaluateverified identitydevice posturerisk / contextcert validityaccess policy4. grant / deny5. open session (token)6. one session, one workloadSubject +deviceuser + endpointPolicyEnforcement…data plane, inlinePolicy Enginemakes the decisionPolicyAdministratorexecutes the decisi…Identityproviderverifies whoDevice posture/ CDMverifies device sta…Threat intel /SIEMcontext + riskPKIcertificate validat…Policy storeauthored access rul…Target workloadone segment
Trace
Zero Trust splits enforcement (data plane) from decision (control plane). The PEP terminates the connection and holds no standing permissions, so it defers to the Policy Decision Point. The Policy Engine weighs verified identity, device posture, and context drawn from external trust sources, then the Policy Administrator issues or withholds a per-session grant. Only on a grant does the PEP open a path, to exactly one workload, for exactly that session.

Identity-aware microsegmentation

Segmentation is the practice of dividing a network so that a breach in one part cannot spread freely to the rest. Classic segmentation draws the boundaries with subnets and VLANs: everything in a subnet can talk to everything else in it, and firewalls filter only at the edges between subnets. Microsegmentation shrinks the boundary all the way down to the individual workload, so each application or server becomes its own trust zone.

What makes it identity-aware is that the allow decision is driven by the verified identity and posture of the subject, not by its IP address or subnet. Two servers can share a physical LAN and still be unable to reach each other, because neither one has a policy grant to the other. In the reference design an authenticated HR user is granted a session to the HR application only; any attempt to reach the finance application or the shared database is denied, even though those hosts are network-adjacent. This is least privilege made concrete: the subject gets access to exactly what policy allows and nothing more.

Identity-aware microsegmentation on one physical LAN
Identity-aware microsegmentation on one physical LANSubjectsOne physical LAN / VLAN: per-workload microsegmentsTrust zone: HRTrust zone: FinanceTrust zone: DataTrust zone: Analyticsrequestrequestrequestper-session grantsHR user: permit (A)Finance user: permit (B)users denied, apps only (C)contractor denied, failed posture (D)grant: HR app to datagrant: Finance app to datalateral move: denyHR usermanaged deviceFinance usermanaged deviceContractorunmanaged deviceDistributed PEPbrokers every hopPolicy DecisionPointissues per-session …HR applicationsegment AFinanceapplicationsegment BShared databasesegment CAnalyticsservicesegment D
Trace
Every workload is its own trust zone, even though all four share one physical LAN. The distributed PEP brokers every hop and the allow decision follows verified identity, not subnet. An HR user reaches only the HR app; a Finance user reaches only Finance; apps reach the shared database only through their own grants; a contractor on an unmanaged device fails posture and is denied everywhere. Two segments cannot reach each other without a policy grant.

What this buys you, and what it demands

The payoff is threat scope reduction, sometimes called shrinking the blast radius. Because every hop is brokered and evaluated, a compromised host cannot pivot to neighbors it has no grant to reach, and lateral movement, the technique attackers rely on after an initial foothold, largely stops working. Access is adaptive: if a device falls out of compliance or a session looks risky, the next request is simply denied.

The cost is that the control plane becomes critical infrastructure. The Policy Engine and Policy Administrator must be highly available, because if they cannot make decisions, no new sessions can open. Policy must be authored and maintained carefully, and the PEP has to sit inline on the paths that matter. Zero Trust is not a single product you buy; it is an architecture you assemble from identity, policy, and enforcement working together.

Blast-radius reduction and the critical control plane
Blast-radius reduction and the critical control planeContained breachOther segments: no grant, no pivotControl plane: critical, highly availableVisibilitycontrols hostattempts pivotno grant: deniedno grant: deniedauthorize every hopevaluatehealth checkfailoverpromote on failuregrant / denylog decisionAttackercontrols one hostCompromisedhostsegment A footholdPolicyEnforcement…brokers every hopNeighbor appsegment BDatabasesegment CPolicy Engineactive, zone 1Policy Enginestandby, zone 2PolicyAdministratorHA pairHealth check /failoverkeeps the PDP avail…Audit log /SIEMrecords every decis…
Trace
What the design buys you: because every hop is brokered, a compromised host is contained to its own segment. Its attempts to pivot to network-adjacent neighbors are denied for want of a grant, and every decision is logged for detection. What it demands: the control plane is now critical infrastructure. The Policy Engine and Administrator must be highly available across zones, because if they cannot decide, no new session can open.

Sources

Practice what you just read

6 questions from this architecture

Loading…