Control references: SC-7 / AC-4 / CA-3 (NIST SP 800-53 Rev 5); NIST CSF

Is your network segmented and protected with modern controls (NGFW, ZTNA, microsegmentation)?

Demonstrate that the organization has implemented a segmented network architecture protected by next-generation controls that enforce identity-aware, application-level policies and restrict lateral movement between zones.

Description

What this control does

Network segmentation divides an organization's network into isolated zones based on function, data sensitivity, or trust level, preventing lateral movement of attackers and containing breaches. Modern controls include Next-Generation Firewalls (NGFW) that inspect application-layer traffic and apply identity-aware policies, Zero Trust Network Access (ZTNA) that grants context-based access without exposing the network, and microsegmentation that enforces granular policies at the workload or container level. These technologies replace flat network architectures and perimeter-only defenses, reducing the attack surface and enforcing least-privilege network access. Effective segmentation requires architectural design, policy enforcement at multiple layers, and continuous monitoring of inter-zone traffic.

Control objective

What auditing this proves

Demonstrate that the organization has implemented a segmented network architecture protected by next-generation controls that enforce identity-aware, application-level policies and restrict lateral movement between zones.

Associated risks

Risks this control addresses

  • Attackers achieving initial compromise can traverse the entire network laterally to reach critical assets or sensitive data repositories
  • Malware or ransomware spreads unchecked across systems due to lack of containment boundaries between network zones
  • Insider threats or compromised credentials provide unrestricted access to resources beyond an individual's legitimate need-to-know
  • Legacy perimeter firewalls fail to detect or block application-layer attacks, command-and-control channels, or data exfiltration via approved protocols
  • Flat network architecture exposes sensitive systems (e.g., databases, HR systems, development environments) to compromise from lower-trust segments
  • Lack of microsegmentation in cloud or containerized environments allows east-west traffic to bypass security controls entirely
  • Inadequate segmentation results in compliance violations when regulated data systems are accessible from uncontrolled network zones

Testing procedure

How an auditor verifies this control

  1. Obtain the current network architecture diagram showing all network segments, security zones, trust boundaries, and interconnections between them.
  2. Inventory all deployed network security devices including NGFW appliances, ZTNA gateways, software-defined perimeter controllers, and microsegmentation enforcement points.
  3. Review segmentation policies and rulesets governing traffic flow between zones, examining criteria for application identification, user/device identity, and context-based enforcement.
  4. Select a representative sample of critical assets and trace allowed network paths from lower-trust zones (e.g., guest WiFi, partner networks, user workstations) to verify enforcement of deny-by-default policies.
  5. Examine NGFW configurations to confirm application-aware inspection, threat intelligence feeds, SSL/TLS decryption policies, and integration with identity providers.
  6. Test ZTNA implementation by verifying that direct network access to protected resources is blocked and that access requires authentication, device posture validation, and session-based authorization.
  7. Review logs from segmentation enforcement points for a recent 30-day period to identify blocked lateral movement attempts, policy violations, and anomalous inter-zone traffic patterns.
  8. Interview network and security engineering teams to assess change management processes for segmentation policy updates and validate incident response procedures for containment using segmentation controls.
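As an added example (not part of this control page or of any vendor's tooling), the following Python script models steps 3, 4 and 7 of the procedure against a constructed, first-match zone policy and a handful of constructed enforcement-point log lines: it flags allow rules that skip application or identity criteria, traces zone-hop paths from low-trust zones to the sampled critical zones, and surfaces sources whose denied flows fan out across several destinations. The zone names, trust levels, rule ids, addresses and the key=value log format are all assumptions.

```python
"""Auditor helper for a zone-based segmentation review (added example).
Zones, rules and log lines below are constructed, not from any real device."""
from collections import defaultdict, deque

# Constructed zone model: name -> trust level (higher = more trusted).
ZONES = {"guest_wifi": 0, "partner": 1, "user_lan": 2, "app": 3, "db": 4, "mgmt": 5}
CRITICAL = {"db", "mgmt"}                       # sampled critical assets (step 4)
LOW_TRUST = {"guest_wifi", "partner", "user_lan"}

# Constructed ruleset, evaluated first-match; anything unmatched is denied.
# Each rule: id, source zone, destination zone, application, identity group, action.
RULES = [
    {"id": 10, "src": "user_lan", "dst": "app", "app": "https", "identity": "employees", "action": "allow"},
    {"id": 20, "src": "app", "dst": "db", "app": "postgres", "identity": "svc-app", "action": "allow"},
    {"id": 30, "src": "user_lan", "dst": "mgmt", "app": "any", "identity": "any", "action": "allow"},  # weak
    {"id": 40, "src": "partner", "dst": "app", "app": "sftp", "identity": "partner-devices", "action": "allow"},
    {"id": 99, "src": "any", "dst": "any", "app": "any", "identity": "any", "action": "deny"},
]


def _matches(field, value):
    return field == "any" or field == value


def evaluate(rules, src, dst, app, identity):
    """Return (action, rule_id) for one flow; implicit default deny if nothing matches."""
    for r in rules:
        if all(_matches(r[k], v) for k, v in (("src", src), ("dst", dst), ("app", app), ("identity", identity))):
            return r["action"], r["id"]
    return "deny", None


def overly_broad_allows(rules):
    """Allow rules with no application or identity criterion (step 3): these reduce
    an NGFW/ZTNA policy to a plain zone-to-zone allow."""
    return [r["id"] for r in rules if r["action"] == "allow" and (r["app"] == "any" or r["identity"] == "any")]


def allowed_edges(rules, zones):
    """Zone graph: edge src->dst exists if any allow rule permits some flow between them."""
    g = defaultdict(set)
    for r in rules:
        if r["action"] != "allow":
            continue
        srcs = list(zones) if r["src"] == "any" else [r["src"]]
        dsts = list(zones) if r["dst"] == "any" else [r["dst"]]
        for s in srcs:
            for d in dsts:
                if s != d:
                    g[s].add(d)
    return g


def trace_paths(rules, zones, low_trust, critical):
    """BFS from each low-trust zone; shortest zone-hop path to each reachable critical zone (step 4)."""
    g = allowed_edges(rules, zones)
    paths = {}
    for start in sorted(low_trust):
        prev = {start: None}
        queue = deque([start])
        while queue:
            zone = queue.popleft()
            for nxt in sorted(g[zone]):
                if nxt not in prev:
                    prev[nxt] = zone
                    queue.append(nxt)
        for target in sorted(critical):
            if target in prev:
                path, cur = [], target
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                paths[(start, target)] = path[::-1]
    return paths


# Constructed enforcement-point log lines (key=value, one flow per line).
LOG_LINES = """\
ts=2024-03-01T10:00:01Z src_zone=user_lan dst_zone=db src=10.20.0.15 dst=10.40.0.5 app=postgres action=deny rule=99
ts=2024-03-01T10:00:02Z src_zone=user_lan dst_zone=db src=10.20.0.15 dst=10.40.0.6 app=ssh action=deny rule=99
ts=2024-03-01T10:00:03Z src_zone=user_lan dst_zone=mgmt src=10.20.0.15 dst=10.50.0.2 app=ssh action=allow rule=30
ts=2024-03-01T10:00:04Z src_zone=guest_wifi dst_zone=app src=192.168.7.9 dst=10.30.0.10 app=https action=deny rule=99
ts=2024-03-01T10:01:00Z src_zone=app dst_zone=db src=10.30.0.10 dst=10.40.0.5 app=postgres action=allow rule=20
""".strip().splitlines()


def parse_log(lines):
    """Turn key=value log lines into dicts."""
    return [dict(kv.split("=", 1) for kv in line.split()) for line in lines]


def lateral_movement_candidates(events, min_targets=2):
    """Sources denied against at least min_targets distinct destinations (step 7):
    a fan-out of blocked inter-zone flows is the pattern the 30-day log review looks for."""
    denied = defaultdict(set)
    for e in events:
        if e["action"] == "deny":
            denied[e["src"]].add((e["dst_zone"], e["dst"]))
    return {src: sorted(targets) for src, targets in denied.items() if len(targets) >= min_targets}


if __name__ == "__main__":
    print("allow rules lacking app/identity criteria:", overly_broad_allows(RULES))
    for (start, target), path in trace_paths(RULES, ZONES, LOW_TRUST, CRITICAL).items():
        print(f"{start} -> {target}: {' -> '.join(path)}")
    print("lateral-movement candidates:", lateral_movement_candidates(parse_log(LOG_LINES)))
```

Run it directly to print the findings; in a real review the RULES list would be populated from the configuration export and LOG_LINES from the 30-day log sample. A multi-hop path such as user_lan -> app -> db is not by itself a failure, but each hop on it should carry the application and identity criteria the control calls for, and the rule that lacks them (rule 30 here) is the one to raise.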

Evidence required

Configuration exports from NGFW, ZTNA, and microsegmentation platforms including zone definitions, policy rulesets, application profiles, and identity integration settings. Network architecture diagrams with labeled security zones, trust boundaries, and enforcement points. Firewall and access logs demonstrating blocked inter-zone traffic, policy enforcement events, and denied lateral movement attempts over a recent 30-day period. Change control records for segmentation policy modifications.

Pass criteria

The organization has implemented a documented segmented network architecture with defined security zones, enforces inter-zone traffic policies using NGFW or ZTNA with application-aware and identity-based controls, demonstrates deny-by-default segmentation policies that prevent unauthorized lateral movement, and maintains evidence of active monitoring and enforcement.