Microsegmentation in Zero Trust: Building Policy-Controlled Access into Your Architecture
Published August 27, 2025
CISA’s newly released guidance, Microsegmentation in Zero Trust Part One: Introduction and Planning, confirms that microsegmentation is foundational for Zero Trust. Rather than saving microsegmentation for an advanced stage of Zero Trust initiatives, organizations can and should prioritize granular segmentation as a core building block of Zero Trust architecture.
Beyond advising on the importance of microsegmentation for Zero Trust, CISA’s latest report highlights the need for policies that evolve dynamically, using contextual data such as identity, device posture, behavioral indicators, and more – an adaptive approach CISA calls “Policy-Controlled Access.”
Buried in the Microsegmentation in Zero Trust release, CISA included a flowchart illustrating how dynamic, conditional access decisions should be made for optimal Zero Trust. We’ll take a closer look at this process and share how Zero Networks enables the dynamic controls CISA considers key.
Policy-Controlled Access: A Step-by-Step Walkthrough
CISA defines policy-controlled access as dynamic access control through policy, utilizing a Policy Enforcement Point (PEP) and an associated Policy Decision Point (PDP) to better protect sensitive systems.
To help bring this concept into focus, CISA’s flowchart illustrates the major components of policy-controlled access and how this dynamic decision process occurs.

Not every system is ready to support this approach in practice, so while we don’t agree that this process is feasible for all connections, it’s a must for privileged access. So, let’s walk through it and explore how Zero Networks delivers every core component where it counts:
1–2: A User Asks for Access
CISA shows a user (a “Subject”) making a request to access a resource (an “Object”) through a Policy Enforcement Point (PEP). This is the frontline control where decisions are enforced.
With Zero Networks, this happens every time someone tries to access privileged resources. Our enforcement points act as that real-time gatekeeper – inline, identity-aware, and invisible to users until access is needed. If it's privileged, Zero Networks automatically blocks access and requests PDP policy evaluation.
3–4: The Policy Decision Point Gets to Work
The request is passed to a Policy Decision Point (PDP), which CISA describes as using identity, device, and risk attributes to determine whether access should be allowed.
In practical terms, this is where Zero Networks integrates with Identity Providers that provide PDP functionality. The IdP dynamically evaluates each request based on policies, behavior, user identity, resource sensitivity, and more.
5–6: The Decision Is Recorded and Enforced
The PDP records its decision and passes it back to the PEP, which either allows or denies access – sometimes conditionally (e.g., requiring stronger authentication).
That’s exactly how Zero delivers just-in-time access. Temporary, least-privilege access is granted only when needed, only if it meets policy, and only for the time required. No persistent access, no excessive privilege.
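To make the six steps concrete, here is an added, self-contained model of the flow (this is illustrative code written for this page, not CISA's material and not Zero Networks' product code). The attribute names, the risk threshold, the 30-minute grant lifetime and the rule "privileged objects require completed MFA" are all assumptions chosen for the example; a real PDP would take these inputs from an identity provider and a device-posture source.

```python
# Added example: a toy Policy Enforcement Point (PEP) and Policy Decision Point
# (PDP) modelling CISA's six-step policy-controlled access flow.
# All attribute names, thresholds and lifetimes here are assumptions.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Decision(Enum):
    DENY = "deny"
    ALLOW = "allow"
    STEP_UP = "step_up"  # conditional allow: stronger authentication required first


@dataclass(frozen=True)
class Request:
    """Steps 1-2: a Subject asks the PEP for access to an Object."""
    subject: str
    object: str
    device_compliant: bool   # device posture attribute (assumed source: MDM/EDR)
    mfa_completed: bool      # identity attribute (assumed source: IdP)
    risk_score: int          # 0..100, higher is riskier (assumed risk engine)
    privileged: bool         # is the Object a privileged/sensitive resource?


@dataclass
class Grant:
    """A just-in-time, time-bounded allow decision."""
    subject: str
    object: str
    expires_at: datetime


@dataclass
class PDP:
    """Steps 3-5: evaluate identity, device and risk attributes, then record."""
    max_risk: int = 70
    grant_ttl: timedelta = timedelta(minutes=30)
    log: list = field(default_factory=list)

    def evaluate(self, req: Request, now: datetime) -> tuple[Decision, Optional[Grant]]:
        if not req.device_compliant:
            decision = Decision.DENY
        elif req.risk_score > self.max_risk:
            decision = Decision.DENY
        elif req.privileged and not req.mfa_completed:
            decision = Decision.STEP_UP
        else:
            decision = Decision.ALLOW
        grant = None
        if decision is Decision.ALLOW:
            grant = Grant(req.subject, req.object, now + self.grant_ttl)
        # Step 5: the decision is recorded before it is handed back to the PEP.
        self.log.append((now.isoformat(), req.subject, req.object, decision.value))
        return decision, grant


class PEP:
    """Step 6: inline gatekeeper that blocks by default and enforces PDP decisions."""

    def __init__(self, pdp: PDP):
        self.pdp = pdp
        self.grants: dict[tuple[str, str], Grant] = {}

    def request_access(self, req: Request, now: datetime) -> Decision:
        key = (req.subject, req.object)
        active = self.grants.get(key)
        if active is not None and active.expires_at > now:
            return Decision.ALLOW  # an unexpired JIT grant still covers this access
        decision, grant = self.pdp.evaluate(req, now)
        if grant is not None:
            self.grants[key] = grant
        else:
            self.grants.pop(key, None)  # deny/step-up leaves no persistent access
        return decision
```

Two properties worth noticing: every allow is bounded by `expires_at`, so once the grant lapses the next request goes back through the PDP and is re-evaluated against current posture and risk, and a step-up result grants nothing until the stronger authentication is actually presented in a fresh request.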
Why Not Every Connection Can Be JIT (Yet)
CISA’s model notes that policy-controlled access is key to achieving optimal Zero Trust maturity; still, not every application or workload is designed to support just-in-time access. Some legacy systems require persistent connectivity. Others break under real-time gating.
Barriers to JIT connectivity make a risk-aligned approach critical. For example, Zero Networks applies JIT MFA where it makes the most impact – on lateral movement paths, privileged activity, and interactive sessions. For everything else, we still enforce least privilege, but without disrupting operations.
A risk-aligned approach to JIT helps you get as close as your environment allows to comprehensive just-in-time verification, accelerating Zero Trust maturity even with legacy limitations.
It’s important to note that Zero’s JIT MFA can be applied to just about anything – non-SaaS assets, legacy applications, and business-critical applications. It creates another layer of security that blocks lateral movement when layered with our network segmentation and identity segmentation.
CISA’s Phased Approach to Microsegmentation and Why Automation Matters
CISA recommends a phased approach to microsegmentation: start with key assets, iterate, and scale. The problem? Manual segmentation is slow, brittle, and hard to maintain, making the climb to Zero Trust a never-ending trek and leaving critical security gaps in the meantime.
By automating asset tagging and grouping as well as policy generation and enforcement, organizations can avoid the need to map dependencies or manually configure rules. Rather than embarking on a multi-phase journey, security teams can accelerate Zero Trust with automation, unlocking optimal maturity in a fraction of the time.
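The following added example (written for this page; it is not Zero Networks' automation engine and does not reflect how their product tags assets) shows the shape of the automation described above and of the risk-aligned scoping from the previous section: tagged assets are collapsed into groups, observed flows become group-level least-privilege allow rules, flows on privileged or interactive protocols get a JIT-MFA rule regardless of volume, rare flows are surfaced for human review instead of being auto-allowed, and everything else is denied. The asset inventory, tag names, flow records and the set of ports treated as privileged are all constructed assumptions.

```python
# Added example: generate group-level segmentation rules from tagged assets and
# observed flows. Inventory, tags, flows and the privileged-port set are constructed.
from collections import defaultdict

# Constructed output of an asset-tagging step: host -> tags.
ASSETS = {
    "web-01": {"role": "web", "env": "prod"},
    "web-02": {"role": "web", "env": "prod"},
    "db-01": {"role": "db", "env": "prod"},
    "admin-ws-07": {"role": "admin-workstation", "env": "corp"},
}

# Assumption: these ports carry privileged / interactive sessions and always get JIT MFA.
PRIVILEGED_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm"}

# Constructed flow observations: (src_host, dst_host, dst_port, times_seen).
FLOWS = [
    ("web-01", "db-01", 5432, 1200),
    ("web-02", "db-01", 5432, 980),
    ("web-01", "db-01", 8080, 2),        # rare, non-privileged: review, do not auto-allow
    ("admin-ws-07", "db-01", 22, 3),     # privileged: JIT MFA even though rare
    ("admin-ws-07", "web-01", 3389, 2),  # privileged: JIT MFA
    ("web-01", "web-02", 22, 1),         # rare lateral SSH between peers: JIT MFA
]


def group_of(host, assets=ASSETS):
    """Map a host to its segmentation group using its tags."""
    tags = assets[host]
    return f"{tags['env']}/{tags['role']}"


def generate_rules(flows, assets=ASSETS, min_count=10):
    """Return (ordered rule list, flows needing review).

    Rule order matters: JIT-MFA rules first, then plain allows, then a
    catch-all deny, so a privileged port is never matched by a broader allow.
    """
    allow = defaultdict(int)
    jit = set()
    review = []
    for src, dst, port, count in flows:
        key = (group_of(src, assets), group_of(dst, assets), port)
        if port in PRIVILEGED_PORTS:
            jit.add(key)
        else:
            allow[key] += count
    rules = [
        {"src": sg, "dst": dg, "port": port, "action": "allow-with-jit-mfa"}
        for sg, dg, port in sorted(jit)
    ]
    for (sg, dg, port), seen in sorted(allow.items()):
        if seen >= min_count:
            rules.append({"src": sg, "dst": dg, "port": port, "action": "allow"})
        else:
            review.append({"src": sg, "dst": dg, "port": port, "seen": seen})
    rules.append({"src": "*", "dst": "*", "port": "*", "action": "deny"})
    return rules, review


def evaluate(rules, src_host, dst_host, port, assets=ASSETS):
    """First-match evaluation of a new flow against the generated rules."""
    sg, dg = group_of(src_host, assets), group_of(dst_host, assets)
    for rule in rules:
        if rule["src"] in ("*", sg) and rule["dst"] in ("*", dg) and rule["port"] in ("*", port):
            return rule["action"]
    return "deny"  # unreachable with the trailing catch-all, kept for safety


if __name__ == "__main__":
    generated, needs_review = generate_rules(FLOWS)
    for rule in generated:
        print(rule)
    print("flows needing review:", needs_review)
```

Because rules are generated at group level, a new host that receives the same tags (say, a `web-03` in `prod`) is covered by the existing `prod/web -> prod/db:5432` rule without anyone editing a host-specific entry, which is the property that makes the phased rollout iterate without the manual dependency mapping the paragraph above warns about.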
From Framework to Enforcement: Dynamic Access Controls Made Practical
CISA’s policy-controlled access model offers a clear blueprint for what Zero Trust microsegmentation should look like in the real world. For security teams with segmentation strategies that don’t already align with CISA’s guidance, it’s time to reevaluate.
With a robust automation engine, identity-based access controls, and JIT MFA enforced at the network layer, Zero Networks makes it easy to align with the approach CISA is advocating.
The future of Zero Trust isn’t theoretical – it’s operational. Request a demo to see how Zero Networks brings dynamic access controls within reach for every team.