Network segmentation is one of the most effective architectural controls for reducing the impact of a security breach. It limits the "blast radius" — the scope of damage an attacker can cause once they have gained access to a single point in your network. This post explains what network segmentation is, why it matters, what it looks like in practice for organizations of different sizes, and how to get started.
What Network Segmentation Is
Network segmentation is the practice of dividing a computer network into separate subnetworks — segments — so that systems with different functions and different trust levels cannot communicate freely with each other without explicit policy allowing that communication.
In an unsegmented ("flat") network, all devices share a single logical network. A laptop, a server, a printer, a point-of-sale terminal, a guest wireless device, and an IoT thermostat can all communicate with each other by default. There is no architectural barrier limiting which devices can reach which other devices.
In a segmented network, different categories of devices and data live in separate network segments (typically implemented as VLANs — Virtual Local Area Networks). Communication between segments requires explicit policy — a firewall rule or access control list that says "devices in segment A are allowed to communicate with devices in segment B on ports X and Y." Communication not explicitly allowed is blocked by default.
What Lateral Movement Means and Why Segmentation Stops It
Lateral movement is the set of techniques an attacker uses, after gaining initial access, to move from the first compromised system to other systems on the network. Ransomware behaves the same way: it encrypts files on the initially compromised system, then attempts to discover and reach other systems on the network to encrypt their files as well.
In a flat network, lateral movement is limited primarily by operating system permissions and authentication requirements — not by network architecture. An attacker with a compromised set of domain credentials, or ransomware using Windows file sharing protocols, can often reach all systems on the network from a single initial compromise point.
In a segmented network, lateral movement is constrained by network policy. An attacker who has compromised a workstation in the user segment cannot reach servers in the server segment unless there is explicit policy allowing that communication. Ransomware that has infected a device in the guest wireless segment cannot reach the servers where critical data lives if those segments are separated by firewall policy.
The practical result: a breach that would have encrypted everything in a flat network may be contained to a single segment in a properly segmented network.
Compliance Dimensions
Network segmentation is not just a security best practice — it is referenced as a requirement or strong recommendation in multiple compliance frameworks:
HIPAA Security Rule — The HIPAA Security Rule's access control requirements (45 CFR §164.312(a)(1)) require covered entities to "implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights." Network segmentation that isolates ePHI systems to a segment accessible only by authorized systems and users satisfies this requirement architecturally.
PCI-DSS — PCI-DSS Requirement 1 (Install and maintain network security controls) explicitly addresses network segmentation. While PCI-DSS does not require segmentation, implementing segmentation to reduce the scope of the cardholder data environment is a recognized and valuable scoping strategy. Without segmentation, every system that can communicate with cardholder data systems is in scope.
NIST Cybersecurity Framework — The NIST CSF Protect function (PR.AC-5) includes "network integrity is protected, incorporating network segregation where appropriate" as a subcategory. Network segmentation is a documented NIST CSF control.
CMMC Level 2 — NIST SP 800-171 Practice 3.13.2 requires "employ[ing] architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems." Network segmentation is a core architectural design for CUI environment protection.
What Segmentation Looks Like in a Small Organization
Segmentation does not require enterprise-grade hardware or a dedicated network security team. A small organization with a modern managed switch and a capable firewall can implement meaningful segmentation with:
Server VLAN — A separate network segment for servers: file servers, application servers, backup systems. Access from user workstations to servers is controlled at the firewall level.
User workstation VLAN — The segment where user laptops and desktops live. Users can reach their needed server resources through controlled firewall policy; they cannot reach each other's workstations except as explicitly allowed.
IoT / building systems VLAN — Smart thermostats, security cameras, door access systems, printers, and other IoT devices. These devices often have weak security postures and should not be able to reach production servers. Isolating them to a separate segment prevents a compromised thermostat or printer from becoming a pivot point.
Guest wireless VLAN — A separate wireless network for guests, contractors, and personal devices. Guest wireless should have internet access but no access to internal network segments.
Regulated data VLAN (if applicable) — If your organization handles ePHI (HIPAA), cardholder data (PCI-DSS), or CUI (CMMC), the systems that store or process that data should be in an isolated segment with tightly controlled access.
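The following is an added example, not code from the original post or from SecureNext. It models the five-VLAN design above as an explicit inter-segment allow list (anything not listed is denied, as described in the section on what segmentation is) and then computes the "blast radius" from a single compromised host, both on a flat network and on the segmented one, as the lateral movement section describes. Host names, segment names, the allow rules and the ports are all constructed for illustration; real policy would be written in your firewall's own syntax.

```python
"""Inter-segment policy and blast-radius model for a small-office VLAN design.

Added example (not code from the original post). All hosts, segments and
rules below are constructed to match the five-VLAN layout described above.
"""
from collections import deque

# Constructed inventory: host -> the VLAN / segment it lives in.
HOSTS = {
    "fileserver":   "server",
    "appserver":    "server",
    "backup":       "server",
    "alice-laptop": "user",
    "bob-desktop":  "user",
    "thermostat":   "iot",
    "camera":       "iot",
    "printer":      "iot",
    "guest-phone":  "guest",
    "ehr-db":       "regulated",
}

# Segments where hosts are isolated from each other (client isolation /
# private VLAN), so that workstations cannot reach each other by default.
ISOLATED = {"user", "guest"}

# Explicit allow rules as (src_segment, dst_segment, dst_port).
# Anything not listed here is denied by default. "internet" is a pseudo
# segment that never contains an internal host.
ALLOW = {
    ("user", "server", 445),        # SMB to file servers
    ("user", "server", 443),        # HTTPS to application servers
    ("user", "iot", 9100),          # raw printing
    ("user", "internet", 443),
    ("guest", "internet", 443),     # guests get internet only
    ("iot", "internet", 443),       # IoT devices get vendor cloud only
    ("server", "regulated", 5432),  # only the server tier reaches the ePHI database
}

# Every port that appears in some rule; used when exploring reachability.
PORTS = {port for _, _, port in ALLOW}


def allowed(src_host, dst_host, port, segmented=True):
    """Return True if policy lets src_host open a connection to dst_host:port."""
    if not segmented:
        return True  # flat network: no architectural barrier at all
    src, dst = HOSTS[src_host], HOSTS[dst_host]
    if src == dst:
        # Intra-segment traffic never crosses the firewall; it is only
        # blocked when the segment itself enforces host isolation.
        return src not in ISOLATED
    return (src, dst, port) in ALLOW


def blast_radius(start, segmented=True):
    """Hosts network-reachable from `start`, following allowed paths transitively.

    Reachability here means network-level exposure (some allowed port exists),
    which is the thing segmentation controls; it does not by itself mean the
    reachable host is compromised.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for other in HOSTS:
            if other in seen:
                continue
            if any(allowed(current, other, p, segmented) for p in PORTS):
                seen.add(other)
                queue.append(other)
    seen.discard(start)
    return sorted(seen)


def compare(start):
    """Blast radius from `start` on a flat network versus the segmented design."""
    return {
        "flat": blast_radius(start, segmented=False),
        "segmented": blast_radius(start, segmented=True),
    }


if __name__ == "__main__":
    for host in ("guest-phone", "thermostat", "alice-laptop"):
        result = compare(host)
        print(f"{host}: flat={len(result['flat'])} hosts, "
              f"segmented={result['segmented']}")
```

Two things worth noticing when you run it. A compromised guest device or thermostat reaches nothing outside its own segment, which is the containment the post describes. A compromised user laptop, however, still reaches the regulated database transitively (user to server on 443, server to regulated on 5432) because the rules are written per segment rather than per host; tightening the last rule to a single application server is the kind of refinement a network architecture assessment should surface.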
How to Get Started
The starting point for most organizations is a network architecture assessment — an accurate documentation of your current network topology, a review of existing segmentation (or the absence of it), and a design for implementing segmentation appropriate to your environment and compliance requirements.
Explore SecureNext's network infrastructure design service or request a network security assessment to evaluate your current architecture and identify segmentation opportunities.