Skip to main contentSkip to main content
    Back to Glossary
    security
    2 min read

    Network Segmentation

    Network segmentation divides a network into smaller subnetworks, isolating systems and limiting lateral movement if an attacker compromises one segment.

    Network segmentation (or microsegmentation) is a security practice that divides networks into separate segments with independent security controls.

    Segmentation approaches: - Physical Segmentation: Separate hardware and network - VLANs: Virtual LANs on shared infrastructure - Subnets: IP-based network division - Microsegmentation: Software-defined boundaries down to workload level - Zero Trust Network Access: Identity-based access regardless of location

    Common segmentation strategies: - Separate production from development - Isolate sensitive data (PCI cardholder data environment) - Segment by business function or department - Separate internet-facing systems from internal - Isolate management/admin networks

    Benefits: - Limits blast radius of breaches - Reduces attack surface - Simplifies compliance scope - Enables granular access control

    Why It Matters

    In most breaches, attackers spend days or weeks moving laterally across flat networks before reaching their target data. Network segmentation limits this lateral movement, containing breaches to smaller blast radiuses. For PCI DSS, proper segmentation can reduce the scope of compliance by 90%, dramatically reducing cost and complexity. Microsegmentation takes this further, enforcing policies at the individual workload level.

    Key Points

    Limits lateral movement after initial breach
    Can reduce PCI DSS scope significantly
    Microsegmentation enables workload-level isolation
    Zero trust extends segmentation with identity verification
    Essential for containing modern attacks

    Applicable Compliance Frameworks

    PCI DSSSOC 2ISO 27001HIPAA

    Related Terms

    Zero Trust

    Zero Trust is a security model that requires strict identity verification for every person and device, regardless of network location.

    Access Control

    Access control is a security mechanism that regulates who can view or use resources in a computing environment, ensuring only authorized users can access systems and data.

    Firewall

    A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.

    Frequently Asked Questions

    What is the difference between segmentation and microsegmentation?

    Traditional segmentation uses VLANs/subnets at network level. Microsegmentation uses software to enforce policies at individual workload level, even within the same network segment.

    Does network segmentation reduce PCI scope?

    Yes, properly implemented segmentation can significantly reduce PCI DSS scope by isolating the cardholder data environment from other systems.

    Related Services & Resources

    Service

    Vanta Implementation

    Expert Vanta deployment with 80+ integrations configured in 4-6 weeks

    Learn more
    Service

    Drata Implementation

    Full Drata setup with automated evidence collection and control mapping

    Learn more
    Standard

    GDPR Compliance

    EU data protection and privacy regulations

    Learn more
    Standard

    ISO 9001 Certification

    Quality management system standards

    Learn more
    Resource

    SOC 2 Complete Guide

    Everything you need to know about achieving SOC 2 compliance

    Learn more
    Resource

    HIPAA Checklist

    Comprehensive checklist for HIPAA compliance requirements

    Learn more

    Need Help with Network Segmentation?

    Our experts can help you understand and implement the right controls for your organization.

    Talk to an ExpertBrowse All Terms