The Segmentation Blueprint

Raghunath Kulkarni is a principal engineer for the Cisco Security Technical Assistance Center (TAC) team. He focuses on cybersecurity operations and strategic collaboration, including threat intelligence, defensive measures, and ensuring that customers derive maximum value from their security investments. He has worked in technology and security at Cisco for over 16 years, ranging from deep technical support to cross-functional leadership roles with engineering and sales teams. His focus is guiding organizations through the adoption of robust defensive frameworks to minimize business risk and enhance operational resilience. Raghunath has extensive experience in advancing cybersecurity education across various sectors, including government, higher education, and enterprise security. Utilizing his CISSP and all five MITRE ATT&CK Defenders (MAD) certifications, Raghunath has architected comprehensive training programs and specialized engineering curricula for multiple universities. Raghunath’s technology focuses include cyberthreat intelligence for proactive defense, testing and evaluation for security validation, and implementation of network security architectures to support digital transformation. Raghunath resides in Bengaluru, India, and when he is not consumed with technology, he is an avid reader and movie buff.Kaarthik Sivakumar is a principal engineer in the Cisco Security Business Group, working in the Multi-Cloud team that comprises the Secure Workload and Isovalent products. He focuses primarily on microsegmentation platforms and policies. Kaarthik has been working in the industry for 26 years, ranging from routing protocols, forwarding tables, DWDM optical line system, and Cisco Secure Firewall. Kaarthik has spent many years in product security and trusted network infrastructures, such as using Trusted Platform Module for storing confidential material and validating the trust status of a device, topics on which he has published blogs on the Cisco Blogs platform. He has also published in IEEE journals on the security of microservices architectures and static analysis security testing. As an ACM India Eminent Speaker, he is invited to lectures in ACM chapters around the country on the topic of security and trust. Kaarthik resides in Chennai, India. He contributes some of his free time to open-source projects and tools to improve his personal life, some to his study of the Sanskrit language, and the rest to outdoor activities.Renato Morais has been a cybersecurity solutions engineer at Cisco since 2017, and he has 20 years of experience in the networking and cybersecurity market. He works on projects with customers throughout the Americas, developing security architectures and solutions to protect users, data, and applications. A graduate in computer engineering, he holds various professional certifications, including CCIE, CISSP, and CCSP. Renato has also dedicated part of his career to training students in Cisco Networking Academy and preparing them for the CCNA certification. Furthermore, he has been recognized as a top contributor in the Cisco community for his contributions as a speaker at regional and global events such as Cisco Live and Cisco Connect, as well as for his work as a blog author.Outside work, Renato enjoys home automation, music, books, movies, and sports, and he describes himself as a craft beer hunter. He lives in Campinas, Brazil, with his wife and two sons.Patrick Lloyd is a senior solutions architect for the Cisco Security Professional Services team. He focuses on identity and access management, including segmentation, network access control, identity exchange, and identity integration for “smart” architectures in the continental United States and Canada region. Patrick has worked in technology delivery at Cisco for 16 years, including stints in the Technical Assistance Center (TAC) and working as a routing and switching design engineer, security design engineer, and security solutions architect. His focus is guiding customers through introducing structured approaches to increase visibility and identity exchange to minimize business risk and lateral attack vectors.Previously, Patrick worked in higher education and defense industries in system administration and operational roles. Patrick has extensive experience in integrating identity into various industries, including healthcare, manufacturing, finance, and defense. Utilizing Cisco technologies and the methodologies covered in this book to build a layered security model, Patrick has architected segmentation architectures, including smart building architectures, for more than 100 customers. Patrick’s technology focus is on TrustSec for segmentation, analyzing traffic flow with Cisco Secure Network Analytics/Stealthwatch for development of segmentation policies, implementing firewall and remote access architectures, and securing critical building systems through policy and segmentation while maintaining availability. Patrick resides in Durham, North Carolina, where he teaches self-defense and is an instrument-rated private pilot when not consumed with technology

• Introduction xxiiiChapter 1 The Segmentation Mindset 1Pillars of Zero Trust 2Policy and Governance 2Identity 5Vulnerability Management 8Enforcement 9Analytics 10Beyond the Five Pillars 11Addressing the Problem Head On: Why Do Segmentation Strategies Fail? 11The Importance of the Team 13Information Security 14Network Engineering/Desktop Engineering 15Network Security 15Operations 16Cross-Team Collaboration 17Business Entities 18Executive-Driven Vision 19Other Considerations Beyond Standard Teams 19Aligning Strategy and Tactics 21Maturing in Segmentation Strategy 22A Look Ahead 23Summary 24Reference 24Chapter 2 Alignment with Business Outcomes 25Identifying the Need for Segmentation in Modern Hybrid Networks 25Patterns Driving Modern Hybrid Networks 27Bring Your Own Device (BYOD) 27Internet of Things (IoT) 28Artificial Intelligence (AI) 29Security Risks: A Hacker’s Playground 30Compliance Mandates: The Regulatory Maze 33Microsegmentation for Regulatory Compliance 34Payment Card Industry Data Security Standard (PCI DSS) 359780135462362_print.indb 12 09/04/26 2:28 PMHealth Insurance Portability and Accountability Act (HIPAA) 37General Data Protection Regulation (GDPR) 39Performance, Scalability, and Adaptability 42Operational Complexity: The Management Nightmare 43Cloud and Multicloud Adoption: The Consistency Crisis 45Developing a Segmentation Strategy 45Reducing Risk via Organizational Perspectives 46The Leadership Perspective 46Strategic Oversight 47Effort Versus Value 48Resource Allocation 50Policy Development 51Risk Management 52Stakeholder Engagement 53Training and Awareness 54Performance Metrics 54Continuous Improvement 55The Architect’s Perspective 56Design and Planning 56Integration and Alignment 58Innovation and Adaptation 58Collaboration and Communication 59The Asset Management Perspective 60The Network and Security Administrator’s Perspectives 61The Application Development Perspective 63Perspectives on Infrastructure, Network, Applications, and Automation 64Roles and Responsibilities of the Application Team for Effective Segmentation 65Bringing It All Together: An Actionable Segmentation Framework 66Summary 68References 69Chapter 3 Developing a Segmentation Strategy 71Cisco SAFE 72How to Use Cisco SAFE 73Capability Phase 75Architecture Phase 77Design Phase 82The Foundations of Segmentation 85Physical Segmentation 86Logical Segmentation 87Virtual Local Area Networks (VLANs) 87Private VLANs (PVLANs) 90Wireless SSID 92Access Control List (ACL) 92SD-Segmentation and Cisco TrustSec 94Security Zones 97Network Virtualization 99Extending Network Segments with VXLAN 101Session Layer Segmentation with QUIC 102Segmentation as a Service in Public Cloud 105Cloud-Native Segmentation 106Kernel-Level Segmentation with eBPF 112Segmentation Strategy and the Shared Responsibility Model 113Summary 115Chapter 4 Macrosegmentation 117Gaining Visibility While Architecting Segmentation 118Network Virtualization 120An Overlay for an Overlay: VLANs 122Achieving Macrosegmentation with Firewalls 123Understanding Traditional Access Control Lists 124Understanding Interface-Based Firewalls 125Understanding Zone-Based Firewalls 126Hybrid Mesh Firewall 127Linking Concepts Together 130Practical Macrosegmentation Policy Development 130Segmentation Involves the Infrastructure but Is Really About the Endpoint 134Mapping with Cisco SAFE Architecture 136Campus: Securing Guest Wi-Fi Access in a Campus Network 136Solution with Macrosegmentation Features 137Conclusion 137Branch: Protecting Payment Processing in a Branch Network 137A Solution with Macrosegmentation Features 138Conclusion 139Data Center: Securing Remote Access in a Data Center 139Solution with Macrosegmentation Features 140Conclusion 140Internet PIN: Securing SaaS Application Access in the Internet PIN 140Solution with Macrosegmentation Features 141Conclusion 141Cloud PIN: Securing Workload Communication in a Cloud PIN 142Solution with Macrosegmentation Features 142Conclusion 143Edge PIN: Securing IoT Endpoints in an Edge PIN 143Solution with Macrosegmentation Features 143Conclusion 145Summary 145References 145Chapter 5 Microsegmentation 147Benefits of Microsegmentation 148Implementing Microsegmentation 148Challenges in Implementing Microsegmentation 150Microsegmentation in the Campus 152Application Segmentation 153Cloud-Native Segmentation Controls 154Organizing Workloads 155Segmentation 156Applying Policies 157Network Service Mesh 160Automated Zero Trust Microsegmentation 160Grouping Workloads 162Organizing Workloads 164Automating Scope Discovery 166Critical Common Services 169Providing Access to Scopes 170Workload Information 170Policies 171Policy Creation 172Policy Discovery 174Measuring Segmentation 175Achieving Microsegmentation with a Next-Generation Firewall 175Seeing Through the Fog: Application Awareness 176Knowing Who’s at the Gate: User Identity Policies 177Labeling the Landscape: Security Group Tags 178Reading the Room: Context-Aware Policies 179Cisco Secure Firewall: The Skilled Artisan 179Applying More Granular Enforcement Mechanisms Closer to the Endpoint 182Integration with Other Cisco Technologies for Enhanced Segmentation 186Summary 188References 188Chapter 6 Building the Segmentation Fabric 189Cisco SD-Access Components 190Cisco Catalyst Center 190Cisco Identity Services Engine 192Operational Planes 195LISP: The Overlay Control Plane 195VXLAN: The Data Plane 195Cisco TrustSec: The Policy Plane 196Cisco Catalyst Center: The Management Plane 196Architecture Components 197Fabric 197Underlay Network 197Overlay Network 198Shared Services 200Fabric Roles 201Control Plane Node 201Edge Nodes 203Intermediate Nodes 204Border Nodes 204Extended Nodes 208Fabric WLCs 209Fabric-Mode Access Points 210SD-Access Embedded Wireless 210Fabric in a Box 210Transit Networks 211Transit Control Plane Nodes 211Fabric Site 212SD-Access Design Strategy 212Small Sites 213Medium Sites 214Large Sites 215A Reference Model to Deploy SD-Access for Distributed Campus 217Interconnecting Multiple Domains to Enable End-to-End Segmentation over the Internet 219End-to-End Segmentation with Cisco SD-WAN 220Cisco SD-WAN Design Considerations 223Cisco Secure Access: Cloud-Based Security Controls with Context-Aware Policy Enforcement 224Implementing Secure Private Access with Cisco Secure Access 226Delivering Secure Internet Access with Cisco Secure Access 228Achieving Seamless Segmentation Using Integrated Cisco Solutions 229Summary 230References 230Chapter 7 Implementing Segmentation with Cisco Technology 231Configuring Cisco Secure Firewalls for Segmentation 231Application Visibility and Control (AVC) 231User Identity–Based Policies 233Integrating with Identity Services Engine 235Expanding Integrations to Include Cisco Secure Workload 237Using Context-Aware Policies 237Configuring Cisco Identity Services and Switches for Segmentation 240Configuring a Switch to Communicate to ISE 244Configuring a Dynamic VLAN 245Configuring a Downloadable ACL 246Configuring TrustSec Tags 247Assigning Policies to the TrustSec Matrix 251Configuring Policies 255Building the Network Inventory with Endpoint Profiling 256Cisco AI Endpoint Analytics: Advanced Endpoint Classification 259Achieving Consistency with ISE Data 263Simplifying Multidomain Segmentation with Cisco ISE Common Policy 263Introduction to Cisco ISE pxGrid 264SXP: Enabling SGT Propagation Across the Network 265Cisco ACI Integration: Extending Control into the Data Center 266Public Cloud Integrations: Mapping Workload Context for Unified Policy Enforcement 268CMDB Integration: Mapping the Unknowns 269Cisco Cyber Vision Integration: Enhanced Visibility for Industrial Networks 270Third-Party Integrations: Extending Visibility and Control with Specialized Solutions 271Ordr: Endpoint Visibility and Behavioral Insights 272Medigate: Optimizing Security in Healthcare Environments 272Armis: Comprehensive Asset Security Across IoT and OT 273Summary 273References 274Chapter 8 Segmenting Applications in the Data Center and Cloud 275Zero Trust Microsegmentation with Cisco Secure Workload 275Cisco Secure Workload First-Time User Experience 276Visibility into Network Traffic Flows 280Workload Profiles 284Policies 284Automated Policy Discovery Using AI 287Measuring Segmentation Scores 289Segmenting the Data Center with Cisco ACI 290Components of an ACI Fabric 291Physical Components 291Logical Constructs (Policy Model) 292Network-Centric Versus Application-Centric Topology 293Network-Centric Topology 294Application-Centric Topology 294ACI Fabric Overlay 295External Connectivity with L3Out 296Connectivity with an SD-Access Fabric 297ACI Fabric Communication Through a Catalyst SD-WAN Mesh 298Virtual Machine Manager (VMM) Integration 299Container Network Interface (CNI) Integration 303Service Graphs for Advanced Security Inspections 305Network Segmentation in ACI 306Cisco Secure Workload and ACI 309The Life of Packets in the End-to-End Segmented Network 312Summary 315Reference 316Chapter 9 Validating Policies, Monitoring Enforcement, and Responding to Deviations 317Cisco Secure Network Analytics: From Visibility Gaps to Actionable Intelligence 318Components and Architecture 320Flow Ingestion 322Host Groups 327Observations, Alerts, Security Events, and Alarms 330Custom Security Events 334Group Policies Monitoring 335Response Management 336Technical Adoption Roadmap 339Cisco Secure Workload: Policy Validation with Live Policy Analysis 340Summary 344References 345Chapter 10 Segmentation Maturity Model and Scorecard 347What Is the Segmentation Maturity Model? 348Using the Capability Maturity Model (CMM) for Segmentation 348Level 1: Ad Hoc/Initial 349Level 2: Repeatable/Managed 349Level 3: Defined 350Level 4: Quantitatively Managed 350Level 5: Optimized 350Segmentation Methods and the OSI Model 351Threat Assessments 352Factors That Trigger a Maturity Level Reassessment 353Role-Based Perspectives 353The Management and Senior Leadership Perspective 354Strategic Oversight 354Resource Allocation 354Policy Development 355Risk Management 355Stakeholder Engagement 356Training and Awareness 356Performance Metrics 357Continuous Improvement 357Evaluating Leadership Effectiveness: A Scorecard Approach 358Mapping the Scorecard and Evaluation Criteria with the SSMM 360The Asset Management Perspective 362Asset Inventory Management 363Lifecycle Management 363End-User Device Management 363Infrastructure Device Management 364Evaluating Asset Management Effectiveness 365Mapping the Scorecard and Evaluation Criteria with the SSMM 367The Architect’s Perspective 367Design and Planning 368Integration and Alignment 370Innovation and Adaptation 372Collaboration and Communication 374Evaluating Architecture Effectiveness: A Scorecard Approach 375Mapping the Scorecard and Evaluation Criteria with the SSMM 377The Network and Security Administrator’s Perspective 378Network Administrator Responsibilities 379Design and Implementation 379Configuration and Maintenance 380Monitoring and Optimization 380Integration Across Hybrid Environments 380Security Administrator Responsibilities 381Security Policy Enforcement 381Threat Detection and Response 381Identity and Access Management 382Incident Management 382Evaluating Network and Security Administrative Effectiveness: A Scorecard Approach 383Alternative Approach 383Mapping the Scorecard and Evaluation Criteria with the SSMM 390Summary 392Chapter 11 Reference Architecture 395The Campus and Branch Domains 399Use Case Example: Smart Hospital, Inc. 411Progressing Beyond an Endpoint Focus 415A Ubiquitous Experience for All 417Beyond Campus and Branch 419Identifying Segmentation Needs with Cisco SAFE 424Building a Secure Architecture with Cisco SAFE 429Previous Reference Architectures 430Asset Identity Management, Asset Monitoring and Discovery, Configuration Management Database, and a Sound Provisioning or Onboarding Process 431Authentication, Authorization, and Accounting (AAA), Certificate Authorities (CAs), and IP Address Management (IPAM) Systems 432Traffic Visibility, Behavioral Analytics, Firewalls, Proxies, and DNS Security 433Analytics, Logging, and Lessons Learned 433Summary 434References 435Chapter 12 The Future of Segmentation 437Core Elements of Segmentation 437The Future Role of AI in Segmentation 438Zero Trust: The Guiding Principle for Granular Segmentation 440Identity as the New Perimeter 440Contextual Awareness for Adaptive Access 440Continuous Verification and Least Privilege 442Microperimeters and Nanosegmentation 443Data Privacy as a Segmentation Imperative 444A Vision for the Future of Segmentation: Distributed Macrosegmentation and Microsegmentation with a Hybrid Mesh Firewall 445The Impact on Nanosegmentation 450Automation: Streamlining Segmentation Processes 450The Impact of Cloud-Native and On-Premises Technologies 451A Call to Action: Integration of Technologies 451Summary 451Reference 451Appendix: Leadership Perspective Scorecard Approach 4539780135462362    TOC   4/13/2026