What is network segmentation, and how does it relate to a zero trust model?
Short answer
Segmentation divides a network into isolated zones so a breach in one can't freely reach others, limiting lateral movement. Zero trust goes further: it removes implicit trust based on network location entirely, authenticating and authorizing every request regardless of where it originates — microsegmentation is one way to implement it.
Both ideas attack the same weakness: the old assumption that once you're inside the network, you're trusted. That flat-network model means one compromised host can roam freely — exactly how ransomware spreads.
Network segmentation
Segmentation carves the network into isolated zones — by VLAN, subnet, security group, or firewall policy — and controls the traffic allowed between them. The goal is to constrain lateral movement: if an attacker compromises a workstation in the user zone, segmentation stops them from pivoting straight into the database tier. Each boundary is an enforcement and detection point. Done well at fine granularity — microsegmentation — you control traffic down to the individual workload, allowing only the specific flows each service needs.
Zero trust
Zero trust is the architectural philosophy "never trust, always verify." It rejects the idea that network location confers trust at all. Whether a request comes from the corporate LAN or the public internet, it must be authenticated, authorized, and continuously evaluated based on identity, device posture, and context — not on which subnet it sits in. The perimeter effectively moves to every resource.
How they relate
Segmentation is a mechanism; zero trust is the model. Microsegmentation is one of the primary ways you implement zero trust at the network layer — but zero trust is broader, layering strong identity, device health checks, least privilege, and policy enforcement on top. You can have segmentation without zero trust (still trusting traffic within a zone), but you can't really do zero trust without segmentation-style controls.
What interviewers look for
A senior answer distinguishes the two cleanly: segmentation limits lateral movement, zero trust eliminates implicit location-based trust. The depth signal is framing microsegmentation as one implementation of zero trust and tying both back to identity and least privilege, not just VLANs.
Likely follow-ups
- What is lateral movement and how does segmentation slow it down?
- What does 'never trust, always verify' mean operationally?
- How do you segment workloads in a cloud VPC versus on-prem?