
Network Segmentation & Guest WiFi

NIST CSF Protect PR.AC-5 | CIS Control 12: Network Infrastructure Management

What This Control Means

Network segmentation divides a computer network into smaller, isolated segments to limit the spread of attacks and restrict access to sensitive resources. In a flat, unsegmented network, an attacker who compromises a single device can potentially reach every other device and system. Segmentation creates internal boundaries that contain breaches and enforce access controls between different parts of the network.

The most common segmentation boundaries include separating guest WiFi from the corporate network, isolating IoT devices on their own network segment, placing servers in a dedicated subnet, and creating separate segments for different sensitivity levels (e.g., payment processing systems isolated from general office traffic). VLANs (Virtual Local Area Networks) are the standard technical mechanism for segmentation, with firewall rules controlling traffic between segments.

Guest WiFi deserves specific attention because it is a common and often poorly configured entry point. Guest networks should be completely isolated from the corporate network: visitors should be able to access the internet but not internal resources. The guest network should have its own SSID, its own VLAN, and firewall rules that block all traffic to internal network segments.

For small and mid-sized businesses, even basic segmentation provides significant security improvement. Separating guest WiFi, server infrastructure, and general office endpoints into three segments with appropriate firewall rules between them is far better than a flat network. More mature organizations may implement micro-segmentation, where individual workloads or applications are isolated with granular access controls.

Why Insurers Care

Network segmentation is a key underwriting factor for cyber insurance because it directly limits the blast radius of ransomware and lateral movement attacks. Insurers ask whether the network is segmented and how critical systems are isolated. Organizations with flat networks present a higher risk profile because a single compromised endpoint can lead to enterprise-wide ransomware encryption.

Demonstrating network segmentation, particularly isolation of sensitive systems like payment processing, financial databases, and backup infrastructure, signals to underwriters that the organization has taken steps to contain potential incidents. This can result in lower premiums and more favorable coverage terms.

Industry-Specific Notes

Healthcare (HIPAA)

Healthcare networks must segment medical devices, clinical systems, and administrative networks. Medical IoT devices often run outdated operating systems that cannot be patched, making segmentation the primary control for containing compromise. HIPAA's Technical Safeguard requirements support network segmentation as part of access control.

Legal (ABA Guidelines)

Law firms should segment networks to isolate case management systems and document management servers from general office traffic. Ethical wall requirements for conflicts of interest can be supported by network-level segmentation in addition to application-level access controls.

Financial Services (GLBA/PCI-DSS)

PCI-DSS strongly encourages network segmentation to reduce the scope of the cardholder data environment. A well-segmented network where payment processing occurs in an isolated segment dramatically reduces the number of systems subject to PCI-DSS requirements and audit. FFIEC guidance expects financial institutions to segment their networks.

Retail / E-commerce (PCI-DSS)

Retail locations should segment POS networks from back-office and customer WiFi networks. PCI-DSS compliance is significantly simplified when cardholder data flows are isolated in a dedicated network segment. Multi-location retailers should ensure consistent segmentation across all sites.

Government / Defense (CMMC 2.0)

NIST 800-171 control SC.L2-3.13.1 requires monitoring and control of communications at external and key internal boundaries. Network segmentation is a primary mechanism for implementing this control. CMMC assessors verify that CUI environments are appropriately segmented from general-purpose networks.

Implementation Steps

1. Assess the current network architecture and identify critical systems that require isolation

2. Implement VLANs to separate guest WiFi, server infrastructure, and general office endpoints at minimum

3. Configure firewall rules between segments, allowing only the traffic necessary for business operations

4. Isolate IoT devices and any legacy systems that cannot be patched onto dedicated network segments

5. Document the network architecture, segmentation boundaries, and inter-segment traffic rules

6. Test segmentation effectiveness by verifying that devices on one segment cannot reach resources on restricted segments
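As an added illustration of the firewall-rule and segmentation-testing steps above (example code, not part of the original page), the following Python audit evaluates a first-match inter-VLAN ruleset against an intended segmentation matrix for the guest, office, server and IoT segments the page describes. The segment names, probe ports and both rulesets are constructed for the example; it places a weak ruleset that lets guest traffic into internal segments beside a hardened one.

```python
from dataclasses import dataclass
# Constructed example: the four segments the page names (guest WiFi, office endpoints,
# servers, IoT/legacy) plus "internet" as the only destination outside the VLANs.
SEGMENTS = ("guest", "office", "servers", "iot")
DESTINATIONS = SEGMENTS + ("internet",)

@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    src: str          # segment name or "any"
    dst: str          # segment name, "internet", or "any"
    dport: int = 0    # 0 matches every port

# Flows the business actually needs (assumed here); everything else must be blocked.
INTENDED = {("guest", "internet"), ("office", "internet"), ("office", "servers"),
            ("servers", "internet"), ("iot", "servers")}

def evaluate(rules, src, dst, dport):
    """First-match firewall semantics with an implicit deny at the end of the chain."""
    for r in rules:
        if (r.src in ("any", src) and r.dst in ("any", dst)
                and (r.dport == 0 or r.dport == dport)):
            return r.action
    return "deny"

def audit(rules, ports=(53, 80, 443, 445, 3389)):
    """Return (unintended_allows, blocked_intended): boundary crossings the policy
    should not permit, and required flows the ruleset breaks, over the probe ports."""
    unintended, blocked = set(), set()
    for src in SEGMENTS:
        for dst in DESTINATIONS:
            if src == dst:
                continue
            open_ports = {p for p in ports if evaluate(rules, src, dst, p) == "allow"}
            if (src, dst) in INTENDED:
                if not open_ports:
                    blocked.add((src, dst))
            else:
                unintended.update((src, dst, p) for p in open_ports)
    return unintended, blocked

# Weak ruleset: "guests may reach the internet" written as guest -> any, which also
# matches every internal segment because no deny precedes it; servers get no egress.
WEAK = [Rule("allow", "guest", "any"), Rule("allow", "office", "any"),
        Rule("allow", "iot", "servers", 443)]

# Hardened ruleset: explicit guest -> internal denies first, then only required flows
# (IoT limited to one port on the servers); the implicit deny covers everything else.
HARDENED = [Rule("deny", "guest", seg) for seg in SEGMENTS if seg != "guest"] + [
    Rule("allow", "guest", "internet"), Rule("allow", "office", "internet"),
    Rule("allow", "office", "servers"), Rule("allow", "servers", "internet"),
    Rule("allow", "iot", "servers", 443)]
```

Running `audit(WEAK)` reports every guest-to-internal crossing plus the broken server egress, while `audit(HARDENED)` returns two empty sets, which is the result a segmentation test should produce before the architecture is documented as isolated.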
