← Back to projects
Security·2024·Network Security Engineer

Zero-Trust Segmentation

Rolled out identity-based micro-segmentation across a data center without disrupting live workloads.

[ segmentation map — hero image ]

Overview

A flat data-center network meant a single compromised host could reach everything. Leadership wanted least-privilege access between workloads.

The challenge

Segmentation traditionally means downtime and broken dependencies. We had to map thousands of undocumented east-west flows first.

The approach

I used flow telemetry to build a real dependency map, then enforced identity-based policy with Cisco ISE and TrustSec, rolling out in monitor-mode before enforcing.

Results

Lateral movement is now contained by policy, audit scope shrank dramatically, and new workloads inherit segmentation automatically at onboarding.