Identity-based Segmentation for Zero Trust Security

Airgap Networks
3 min read · Mar 5, 2021

Never trust, always verify. Zero Trust has become the latest buzzword of the cybersecurity world. It is a security model built on the idea that an organization should not automatically trust anything outside, or even inside, its network boundary. Every user and every device must be authenticated and authorized before it is granted access to a system, and that check is repeated for every connection rather than performed once at the door.

Traditional security architectures follow a castle-and-moat approach built on firewalls, access controls and VPNs: access from an external network is blocked, but every insider is trusted automatically once past the perimeter. Zero Trust instead applies strict verification to each device and every user as an additional layer of security. The philosophy behind it is that attackers exist both outside and inside the network, so nobody is trusted by default. The principle of least privilege, micro-segmentation, device access control and multi-factor authentication (MFA) are the main pillars of Zero Trust, and practicing them protects an organization from advanced breaches and threats even after the perimeter has been compromised.

Implementing Zero Trust Security

Until recently, putting the Zero Trust model into practice required a large engineering effort from security teams, but a more granular inspection approach such as identity-based segmentation can be grafted onto an existing environment efficiently. Driven by the adoption of public and hybrid cloud, it has become recognized as the best practice for enabling Zero Trust. Rather than relying on a set of perimeter firewalls, organizations now prefer to project an abstracted enforcement function close to each workload and apply a single policy across the organization. This granular model is essentially segmentation plus inspection, with one change: the policy follows the workload rather than a network location.

Identity-based segmentation is also known as Zero Trust segmentation and, when implemented in the right style, reduces the risk to the environment. It is the modernized form of segmentation in which inspection, perimeter, policy and segmentation are all attached to the individual workload rather than to an IP address or VLAN. It can be deployed in three styles: network-based, agent-based and hypervisor-based.

Benefits of Identity-based Segmentation

This granular segmentation provides the following benefits:

· Curbs the spread of malware across the network.

· Assists in segmenting and isolating infected systems.

· Improves breach containment when applied through policy automation.

· Acts as a compensating control for the whole network, for example in front of servers that cannot be patched.

· Enforces policy at a finer granularity than the VLAN.

· Controls traffic at the workload level.

· Allows policies to be created and applied per workload, consistent with the principle of least privilege.

Alongside other use cases such as cloud security and DevSecOps, identity-based segmentation concretely implements a Zero Trust security architecture. Its core principles, workload identity and deny-by-default workload-to-workload communication, are what every other feature builds on. Before any of that, however, it is (and should be) applied to discover the workloads and communication flows in a network: a deny-by-default policy can only be written once the legitimate flows are known.

100% Zero Trust cannot be attained, so it is important to determine where identity-based segmentation delivers the greatest benefit. Security professionals use it to obtain better least-privilege controls that no longer rely on IP addresses as the basic source of trust. A further benefit for Zero Trust access is that it significantly simplifies network and system management: hundreds of complex address-based rules can often be replaced with a handful of simple identity-based policies, and the policy keeps working when a workload's address changes.
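The following is an added example, not Airgap's code or a description of its product: a toy policy evaluator that shows what it means to hitch policy to workload identity instead of to addresses, and why a few identity rules replace many address rules. Workload names, the 10.0.0.0/8 and 10.9.0.0/16 addresses, and the role/env label model are all constructed assumptions. The same policy (web may call app on 8080, app may call db on 5432, nothing else, never across environments) is written once as identity rules and once expanded into the equivalent /32 firewall rules, then both are checked against sample flows, including a peer-to-peer SMB flow of the kind ransomware uses and a workload that is re-addressed after the address rules were generated.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Workload:
    """A workload and the identity attributes policy is written against."""
    name: str
    ip: str
    role: str   # e.g. web, app, db
    env: str    # e.g. prod, dev


@dataclass(frozen=True)
class IdentityRule:
    """Allow src_role -> dst_role on port/proto; evaluation also requires same env."""
    src_role: str
    dst_role: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AddressRule:
    """A conventional firewall rule: allow src CIDR -> dst CIDR on port/proto."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    port: int
    proto: str = "tcp"


Inventory = Dict[str, Workload]  # IP -> workload identity (what discovery produces)


def build_inventory(workloads: List[Workload]) -> Inventory:
    return {w.ip: w for w in workloads}


def identity_allows(flow: Flow, inventory: Inventory, rules: List[IdentityRule]) -> bool:
    """Deny-by-default: both endpoints must resolve to a known identity, share an
    environment, and an explicit rule must allow (src_role, dst_role, port, proto)."""
    src, dst = inventory.get(flow.src_ip), inventory.get(flow.dst_ip)
    if src is None or dst is None:
        return False  # unregistered host: no identity, no access
    if src.env != dst.env:
        return False  # prod and dev never talk, whatever the roles
    return any(r.src_role == src.role and r.dst_role == dst.role
               and r.port == flow.port and r.proto == flow.proto for r in rules)


def address_allows(flow: Flow, rules: List[AddressRule]) -> bool:
    """Conventional evaluation: any matching CIDR rule allows, otherwise deny."""
    s, d = ip_address(flow.src_ip), ip_address(flow.dst_ip)
    return any(s in ip_network(r.src) and d in ip_network(r.dst)
               and r.port == flow.port and r.proto == flow.proto for r in rules)


def expand_to_address_rules(inventory: Inventory, rules: List[IdentityRule]) -> List[AddressRule]:
    """The address ruleset that says the same thing today: one /32 pair per permitted
    (src workload, dst workload), which is why it grows with the workload count."""
    return [AddressRule(f"{s.ip}/32", f"{d.ip}/32", r.port, r.proto)
            for r in rules for s in inventory.values() for d in inventory.values()
            if s.role == r.src_role and d.role == r.dst_role and s.env == d.env]


def reassign_ip(inventory: Inventory, name: str, new_ip: str) -> Inventory:
    """Simulate a cloud re-IP: the workload keeps its identity, not its address."""
    old = next(w for w in inventory.values() if w.name == name)
    updated = {ip: w for ip, w in inventory.items() if w.name != name}
    updated[new_ip] = Workload(old.name, new_ip, old.role, old.env)
    return updated


# Constructed sample environment (hypothetical names and addresses).
WORKLOADS = [
    Workload("web-1", "10.0.1.10", "web", "prod"), Workload("web-2", "10.0.1.11", "web", "prod"),
    Workload("web-3", "10.0.1.12", "web", "prod"), Workload("app-1", "10.0.2.10", "app", "prod"),
    Workload("app-2", "10.0.2.11", "app", "prod"), Workload("db-1", "10.0.3.10", "db", "prod"),
    Workload("db-2", "10.0.3.11", "db", "prod"), Workload("dev-db-1", "10.9.3.10", "db", "dev"),
]

# Two identity rules describe the whole three-tier policy.
POLICY = [IdentityRule("web", "app", 8080), IdentityRule("app", "db", 5432)]


def demo() -> dict:
    inv = build_inventory(WORKLOADS)
    addr_rules = expand_to_address_rules(inv, POLICY)
    web_to_app = Flow("10.0.1.10", "10.0.2.10", 8080)
    results = {
        "identity_rule_count": len(POLICY),
        "address_rule_count": len(addr_rules),
        "web_to_app": identity_allows(web_to_app, inv, POLICY),
        "web_to_app_address": address_allows(web_to_app, addr_rules),
        # lateral movement between peers over SMB: the usual ransomware path
        "web_to_web_smb": identity_allows(Flow("10.0.1.10", "10.0.1.11", 445), inv, POLICY),
        "web_to_db": identity_allows(Flow("10.0.1.10", "10.0.3.10", 5432), inv, POLICY),
        "prod_app_to_dev_db": identity_allows(Flow("10.0.2.10", "10.9.3.10", 5432), inv, POLICY),
        "rogue_to_app": identity_allows(Flow("10.0.9.99", "10.0.2.10", 8080), inv, POLICY),
    }
    # app-1 is re-addressed: identity policy follows the workload, the address
    # ruleset generated a moment ago silently stops allowing the legitimate flow.
    moved = Flow("10.0.1.10", "10.0.2.77", 8080)
    inv2 = reassign_ip(inv, "app-1", "10.0.2.77")
    results["after_reip_identity"] = identity_allows(moved, inv2, POLICY)
    results["after_reip_address"] = address_allows(moved, addr_rules)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

Running it shows 2 identity rules against 10 generated address rules for eight workloads, every flow outside the two allowed role pairs denied (including the SMB hop between two web servers, the tier-skipping web-to-db flow, the prod-to-dev flow and the unregistered host), and, after app-1 is re-addressed, the identity policy still allowing web-to-app while the address ruleset denies it. The inventory lookup is the piece a real deployment gets from discovery of workloads and flows, whether the enforcement point is network-based, agent-based or hypervisor-based.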

To schedule a demo with the Airgap team on how we practice Zero Trust Isolation with Identity-based Segmentation, visit

About Airgap

Ransomware threats are growing rapidly. While many security companies try to prevent ransomware from getting into your network, Airgap’s “Zero Trust Isolation Platform” protects your organization even if your perimeter is breached or you have unpatched vulnerable servers inside your data center. Additionally, Airgap’s “Ransomware Kill Switch” is the most potent ransomware response available to an IT organization. Airgap can be deployed in minutes without agents, forklift upgrades or design changes. The company was founded by highly experienced cybersecurity experts and the solution is trusted by large enterprises and service providers. For more details, check out
