The NSA’s Guidelines on Network Segmentation and Zero-Trust

The future of cybersecurity plans relies on macro and micro segmentation

The NSA has released a guide emphasizing the importance of network segmentation and zero-trust policies. Zero-trust has long been a talking point in IT security, but it has now moved from suggestion to requirement. Given today's threats, it needs to be part of the cybersecurity plan for organizations of any size.

It is best used together with network segmentation, a topic we have touched on before. The idea is to partition the network so that each part is reachable only by the parties that need it, which gives better control over how data flows. Combined with zero-trust, this contains a breach to the segment where it starts and makes lateral movement toward critical systems much harder. Cloud computing, business apps, and IoT push data into fuzzy areas such as shadow IT, where it is harder to protect; segmentation and zero-trust give enterprise information a stronger footing there.

That said, implementing zero-trust and segmentation has become considerably harder because of the complexity of modern IT environments. The challenge is applying these policies properly while meeting the demands of those environments, especially ones built on cloud infrastructure.

NSA Guide

The full NSA document, the Zero Trust Environment Network Pillar, can be found here. It goes to great lengths to describe the characteristics of zero-trust and of modern network segmentation methods.

It is an extensive document organized around seven key areas (or pillars):

  • User – Monitoring and assessing user activity, and governing which parts of the network each identity may reach
  • Device – Assessing the risk and health of devices and what that means for business operations
  • Applications – Securing virtual machines, cloud infrastructure, and software applications
  • Data – Visibility into data, applications, and infrastructure, backed by encryption and data tagging
  • Network and Environment – Isolating physical and logical environments within the enterprise IT infrastructure (the pillar this document covers in depth)
  • Automation – Automated responses to cyber threats, driven by policies built from analytics, AI, and data insights
  • Analytics and Visibility – Using analytics to tailor the defense model to the enterprise and build a stable, segmented network

The pillars gather the core ideas of network segmentation and zero-trust into one framework and give an effective summary of them. That said, they are complex concepts and are not expected to drop into enterprise IT overnight.

Applied together, though, the pillars let an enterprise build a robust, proactive defense backed by strong data insight and analytics.

Adding Micro and Macro Segmentation

The NSA guideline also talks about the key benefits of micro and macro segmentation, designed to further isolate data privileges, access, and internal network activity. Because a data breach can be grievous and costly, it’s in the best interest of organizations that rely on IT and tech to apply these concepts.

Macro segmentation is the general, familiar concept. The network is divided into a small number of broad zones so that only users with the right privileges reach the data relevant to them, while access to the other zones is limited or blocked. Think of it as dividing the network into groups and categories.

An example:

  • IT and Tech Support
  • Accounting/Human Resources
  • Management
  • Staff/Remote Workers

This is not an exhaustive list, and it is a very elementary example of what macro segmentation looks like. But as you can see, the idea is to separate the core parts of an enterprise into different network zones. Combined with zero-trust, the aim is that only the parties with the right privileges can access the data relevant to them.

The guideline document takes this a step further with micro segmentation. Micro segmentation is described as "granular": it breaks internal network traffic down into tightly controlled paths to further limit how data flows through the network. The document sketches the idea by segmenting resources again within a group. For example, within the accounting zone, not every staff member should be able to reach every other member's accounting resources, which stops important data from flowing freely.

The goal is to isolate "workflows, applications, and processes" to specific teams or individuals. Combined with zero-trust, every request that crosses one of these boundaries is authenticated and authorized on its own merits rather than trusted because of where on the network it came from. Another example:

In the IT department you have "team 1" and "team 2." Both sit in the IT segment of the enterprise network, but they are micro segmented onto their own sets of software, interfaces, and workflows. This matters because the complexity and scale of enterprise data have grown drastically over the years, making this level of insight and control a necessity.
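To make the layering concrete, here is an added example that is not part of the NSA document or Bytagig's own material: a small Python policy evaluator that models macro segmentation as network zones, micro segmentation as explicit per-team rules, and zero-trust as identity and device checks that every request must pass before it is allowed. Everything in it is invented for illustration: the zone names and subnets, the teams (finance-payroll, it-team1, and so on), the users, and the roles. It goes slightly beyond the text by showing that a request can be denied at any one of four layers even when the other three would let it through.

```python
# Added example (not code from the NSA document or from Bytagig): a toy
# zero-trust policy evaluator that layers macro segmentation (zones),
# micro segmentation (per-team rules) and identity/device checks on top
# of a default-deny. Every zone, subnet, team, user and role is invented.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Macro segmentation: the network split into broad zones (made-up subnets).
ZONES = {
    "it": ip_network("10.10.0.0/16"),
    "finance": ip_network("10.20.0.0/16"),
    "management": ip_network("10.30.0.0/16"),
    "staff": ip_network("10.40.0.0/16"),
}

# Macro policy: (source zone, destination zone) pairs allowed to talk.
# Traffic inside a single zone passes this layer; anything else is denied.
ZONE_ALLOW = {("it", "finance"), ("it", "management"), ("staff", "finance")}

# Micro segmentation: explicit (source team, destination team, port) rules.
# A flow that is not listed is denied even inside its own zone.
MICRO_ALLOW = {
    ("it-team1", "finance-payroll", 22),
    ("finance-ap", "finance-payroll", 443),
    ("staff-remote", "finance-ap", 443),
}

# Identity policy: roles permitted to reach each destination team.
ROLE_ALLOW = {
    "finance-payroll": {"payroll-admin", "sysadmin"},
    "finance-ap": {"ap-clerk", "employee"},
}

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    team: str  # micro-segment label

@dataclass(frozen=True)
class Request:
    src: Workload
    dst: Workload
    port: int
    user: str
    roles: frozenset
    device_compliant: bool  # outcome of a device posture check

def zone_of(ip: str):
    """Map an address to its macro zone, or None if it is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(req: Request) -> tuple:
    """Return (allowed, reason). Every layer must pass; the default is deny."""
    if not req.device_compliant:
        return False, "deny: device posture check failed"
    src_zone, dst_zone = zone_of(req.src.ip), zone_of(req.dst.ip)
    if src_zone is None or dst_zone is None:
        return False, "deny: endpoint outside every known zone"
    if src_zone != dst_zone and (src_zone, dst_zone) not in ZONE_ALLOW:
        return False, f"deny: macro policy blocks {src_zone} -> {dst_zone}"
    if (req.src.team, req.dst.team, req.port) not in MICRO_ALLOW:
        return False, f"deny: no micro rule for {req.src.team} -> {req.dst.team}:{req.port}"
    if not (req.roles & ROLE_ALLOW.get(req.dst.team, set())):
        return False, f"deny: {req.user} holds no role permitted on {req.dst.team}"
    return True, "allow"

# Constructed sample workloads.
PAYROLL = Workload("payroll-db", "10.20.5.10", "finance-payroll")
AP_APP = Workload("ap-app", "10.20.9.4", "finance-ap")
IT_JUMP = Workload("jump-host", "10.10.1.2", "it-team1")
MGMT_PC = Workload("exec-desktop", "10.30.2.2", "mgmt")
LAPTOP = Workload("remote-laptop", "10.40.77.3", "staff-remote")

def sample_decisions() -> dict:
    """Evaluate constructed requests that each stop at a different layer."""
    emp, clerk, admin = frozenset({"employee"}), frozenset({"ap-clerk"}), frozenset({"sysadmin"})
    cases = {
        # staff -> finance passes the macro layer, but no micro rule lets
        # the remote team reach payroll
        "staff_to_payroll": Request(LAPTOP, PAYROLL, 443, "bob", emp, True),
        "staff_to_ap": Request(LAPTOP, AP_APP, 443, "bob", emp, True),
        "mgmt_to_it": Request(MGMT_PC, IT_JUMP, 22, "eve", admin, True),
        # same finance zone and a micro rule exists, but the wrong role
        "ap_to_payroll_wrong_role": Request(AP_APP, PAYROLL, 443, "dave", clerk, True),
        "it_to_payroll": Request(IT_JUMP, PAYROLL, 22, "carol", admin, True),
        "it_to_payroll_bad_device": Request(IT_JUMP, PAYROLL, 22, "carol", admin, False),
    }
    return {name: evaluate(req) for name, req in cases.items()}
```

Running `sample_decisions()` shows the point of stacking the layers: the remote laptop is allowed into the finance zone at the macro level yet still cannot reach payroll, the accounts-payable app sits in the same zone as payroll and has a micro rule but is refused because the user's role is wrong, and an administrator with every network permission is still turned away when the device fails its posture check. In a real deployment the zone table becomes firewall or SDN policy, the micro rules become host or workload policy, and the role and posture checks are answered by the identity provider and endpoint management, but the default-deny ordering is the same.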

Implementing these policies is, of course, easier said than done. It requires a deep understanding of the enterprise's needs, its current data paths, and its full inventory of IT assets. Nobody expects all of this to be in place immediately; granular segmentation combined with zero-trust policies is time intensive, and given its stringent requirements it is important not to rush the process.


The NSA's new guidelines will help enterprise IT teams and organizations build a strong foundation for a resilient, insight-driven segmented network. By applying these techniques alongside zero-trust, an enterprise can reduce data leaks, breaches, and security events while keeping visibility into its workflows and their safety.

For more assistance with IT support and MSP solutions, contact Bytagig today.
