Segmentation as a security imperative
Today, containment is the new frontline. While enterprises pour resources into detecting threats, many overlook a critical truth – breaches are inevitable, but their devastation isn’t. A single device breach can quickly escalate into a full-blown infestation without containment. Segmentation isn’t just good hygiene – it’s damage control.
This blog explores how leveraging the four key pillars – Identity, Segment, Verify and Respond – can change the game from ‘detect and react’ to one of control, containment, and resilience.
Exactly what is end-to-end segmentation?
It is a security strategy that draws on common frameworks such as NIST, CISA and others to identify, protect, detect, respond and recover from cybersecurity incidents. The focus is on logically dividing networks, workloads, applications, and data across all environments into distinct, secure segments, limiting the scope of communication and therefore the risk.
Unlike traditional perimeter-based defences, which are tied to a place in the network (PIN), segmentation applies zero trust principles across the full IT environment, treating every user, device, network, and workload as potentially untrusted until proven otherwise. This technique restricts traffic between segments to only what’s necessary, based on policies, identity, or context, greatly reducing the blast radius if a system is infected.
Network-based segmentation is much like the layered security you experience in a hotel. When you check in, you must show identification and confirm your identity and reservation – this is similar to authenticating users and devices before they can access the network. Once you’re checked in, you receive a smart card that allows you to use the elevator, but only to certain floors or areas, just as network segmentation (using VLANs, ACLs, or security tags) can restrict users and devices to specific zones within the network. Finally, when you reach your assigned room, your card only unlocks that particular door, mirroring micro-segmentation, which limits access at a granular level, often down to individual protocols, reachability and applications.
The four key pillars – as applied to an ideal step-by-step security scenario
Let’s assume that best practice for a hardened network infrastructure is in place.
Step 1 – Establish User and Device Trust (Identity)
When a user connects to the access infrastructure, the first step is authentication, verifying their identity, like our hotel example. Alongside this, the user’s device is validated for posture compliance, ensuring it meets security standards before being granted access. Based on this combined validation, the system assigns a level of trust, not a blanket ‘wide open’ permit. This is the authorisation result and acts as the first control point, similar to receiving a hotel key card that only grants access to specific floors or areas.
For non-user devices such as printers, phones, or IoT devices, traditional access authentication isn’t always possible. Instead, these devices are profiled and continuously monitored for behaviour patterns to assess their trustworthiness and build a trust profile. For example, printers might be allowed on the network, but only printer protocols would be permitted – no data centre or Internet access.
Under the hood –
- Cisco Identity Services Engine (ISE) is the backbone of this trust model, enforcing access based on identity, role, posture, and risk.
- Cisco Duo provides multi-factor authentication (MFA), host posture checks and secure application access.
- Cisco Continuous Identity Intelligence (CII) adds real-time behavioural monitoring, dynamically updating trust levels based on context.
- For IoT or unmanaged devices, ISE enables profiling and behavioural baselining to assign appropriate trust levels and restrictions – IoT devices, medical carts, and CCTV have limited access.
Step 2 – Segmentation Enforcement
Once a base of trust is established, it is enforced at the access layer where the user and device connect. If they move within the network, this trust level follows them, ensuring security is maintained dynamically. This is not possible in statically configured environments. On campus networks, for example, policies are applied at ingress, and optional tagging of the user’s traffic is shared throughout the network for other devices to consume, such as security devices from Cisco and 3rd parties.
At branch locations, devices such as firewalls or SD-WAN routers enforce policies based on these tags, which represent user authentication, device identity, posture, time, location, and all elements of what we call ‘context.’
Inside the data centre (physical or cloud), the edge firewalls can also use these context-based policies to control access. Within the DC fabric, these tags integrate into endpoint groups, enabling policy enforcement all the way down to the DC access layer, where our workloads connect (physically or virtually). Solutions like Secure Workload can absorb these tags and enforce granular policies based on that context, extending enforcement down to the workload.
Under the hood –
- Cisco Catalyst Center provides a centralised interface to define and push these enforcement policies across access switches and wireless controllers. It ensures policy consistency and compliance throughout your infrastructure.
- On the WAN edge, Catalyst SD-WAN consumes identity tags and applies segmentation policies consistently across branches.
- In the data centre, Cisco firewalls use those same identity tags and context to enforce granular segmentation at the North-South boundary.
- Within the data centre fabric, Cisco ACI and Cisco Secure Workload bring micro-segmentation all the way down to the application layer – limiting lateral movement between workloads and applying least privilege at the finest level.
Step 3 – Continuous Verification and Validation
By continuously monitoring the user’s behaviour and access, we can ensure that trust is constantly re-assessed after initial access. The system monitors for warning signs like unusual user behaviour (e.g. odd access times, repeated login failures), network traffic anomalies, and changes in device posture. If a user roams or connects from a new location, their trust level is dynamically revalidated based on this updated context.
Using behavioural analytics and network detection tools, continuous validation enables real-time threat detection and response, maintaining strong security throughout the user’s session.
Under the hood –
- Cisco Duo, with its Continuous Identity Intelligence (CII), monitors user and device behaviour in real time throughout the session.
- If behaviour changes – such as access from an unusual location or device – Cisco ISE and Duo dynamically recalculate trust, adjusting access permissions instantly through Host Isolation or Session Revocation.
- Network and user analytics tools integrated with Catalyst Center and Secure Workload provide visibility and insights for behaviour anomalies, traffic spikes, and potential threats.
Step 4 – Respond
When a potential threat or increased risk is perceived, an immediate and appropriate response is crucial to contain the scope of the issue. This response can range from network isolation, segregating the affected device within the network, to host-based quarantine that restricts the device’s activities at the endpoint level.
Additionally, Security Operations Center (SOC) workflows can be triggered to investigate, validate, and remediate the issue per policy. The response is commensurate with how serious the risk is.
This approach embodies true end-to-end segmentation: it uses context as a continuous, dynamic policy construct and leverages the infrastructure and its control points. It also plays a critical role in security operations, enabling rapid isolation or quarantine of individual devices when suspicious activity is detected – minimising risk and containing threats effectively.
Under the hood –
- Cisco Secure Workload can automatically quarantine compromised workloads, isolate traffic, or restrict application-level behaviour.
- Cisco ISE can trigger a network-based response to quarantine a host or redirect suspicious devices to remediation zones.
- SOC workflows can be automated or manually launched, giving SecOps the tools to investigate, remediate, and respond per policy.
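As an added illustration (not Cisco code or any product's API), the following Python models the four steps above as one policy loop: identity, posture and device profile map to a trust tag (Step 1), enforcement points consult a tag-based policy matrix (Step 2), and a context change re-evaluates the tag and drops the device into a quarantine segment that reaches only the remediation zone (Steps 3 and 4). The tag names, destinations, known locations and partner domain are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed model of the four steps; tags, destinations and the policy
# matrix are illustrative, not ISE/TrustSec or Secure Workload syntax.
QUARANTINE = "quarantine"
KNOWN_LOCATIONS = {"hq", "branch-1"}

# Segment tag -> (destination segment, protocol) pairs it may reach; all else denied.
POLICY = {
    "employee":   {("intranet", "https"), ("printers", "ipp"), ("internet", "https")},
    "contractor": {("intranet", "https")},
    "printer":    {("print-server", "ipp")},      # printer protocols only, no DC/Internet
    QUARANTINE:   {("remediation", "https")},     # host isolation: remediation zone only
}

@dataclass
class Context:
    user: Optional[str]          # None for non-user devices (printers, IoT)
    mfa_passed: bool
    posture_ok: bool
    profile: str                 # profiled device type, e.g. "laptop" or "printer"
    location: str
    anomalies: Set[str] = field(default_factory=set)

def assign_tag(ctx: Context) -> str:
    """Step 1: identity + posture + profile -> a trust level (tag), not a blanket permit."""
    if ctx.anomalies:
        return QUARANTINE            # Step 4: trust is revoked once behaviour looks wrong
    if ctx.user is None:             # unmanaged device: trust comes from its profile
        return "printer" if ctx.profile == "printer" else QUARANTINE
    if not (ctx.mfa_passed and ctx.posture_ok):
        return QUARANTINE
    return "contractor" if ctx.user.endswith("@partner.example") else "employee"

def is_allowed(tag: str, dest: str, proto: str) -> bool:
    """Step 2: an enforcement point (switch, SD-WAN router, firewall) checks the tag."""
    return (dest, proto) in POLICY.get(tag, set())

def reverify(ctx: Context, new_location: Optional[str] = None,
             anomaly: Optional[str] = None) -> str:
    """Step 3: re-evaluate trust when context changes and return the new tag."""
    if new_location is not None:
        ctx.location = new_location
        if new_location not in KNOWN_LOCATIONS:
            ctx.anomalies.add("unknown-location")
    if anomaly is not None:
        ctx.anomalies.add(anomaly)
    return assign_tag(ctx)
```

Because the tag travels with the session, the same `is_allowed` check gives the same answer at the access switch, the branch router and the data centre firewall.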
Smarter Security
In summary, your network is protected at every level, from the wired or wireless access layer, across the WAN, to the firewalls at the data centres and into the workloads, whether they’re on-premises or connected to a cloud service provider. You can see who and what is connected and where the devices are for proper inventory – and if something suspicious happens, like unusual access or traffic, you can quickly adjust or block access.
End-to-end segmentation helps limit damage, enforce strict access rules, and keep your network secure. Cisco’s approach connects users, devices, and workloads with strong, flexible security. By using this strategy, organisations reduce risk and build a network that can grow safely.
#SecuredAI #AIDefense #FoundationAI