Zero-trust / Default-deny
Network segmentation is the splitting of a network into subnetworks, each called a network segment, typically by a combination of firewalls and VLANs.
Segmentation serves two purposes: boosting performance and, above all, improving security. It improves performance by limiting the number of hosts on a segment and therefore minimizing local traffic, assuming all hosts in a segment receive all local traffic. Local failures are also isolated to the segment they occur in.
Segmentation improves security by containing broadcasts to the local network, so that the internal network structure is not visible from outside the segment. Some attacks only spread within the local area, so they are contained as well. Segments can be split by type of usage, such as database servers vs. web servers vs. user machines, so that access privileges granted to users in one area do not grant access to resources that users in another area do not normally need.
Microsegmentation is more fine-grained segmentation that is normally only practical with software-defined networking (SDN), including inside VPCs.
This further reduces the risk of an attacker moving from one compromised resource to another. Security settings can be tailored down to the level of flows between particular workloads, and they follow the workload when it replicates or moves. Since microsegmentation is only practical in software, it often coincides with the centralization of security policies into a central control system.
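The following is an added example (not from the original notes) of the default-deny, per-workload policy described above: rules are keyed by workload label rather than address, so the same policy yields the same decision after a workload is rescheduled to a new IP, and a flow between two workloads in the same subnet is still denied unless a rule allows it. The labels, addresses, rule format and flows are constructed for illustration.

```python
"""Label-based microsegmentation policy with default deny (constructed example)."""
from dataclasses import dataclass

# Allowlist keyed by workload labels, not IP addresses, so a rule follows a
# workload when it is replicated or moved. Anything not matched is denied.
# Rule format (hypothetical): (src_label, dst_label, proto, dst_port)
ALLOW_RULES = [
    ("user-laptop", "web-frontend", "tcp", 443),
    ("web-frontend", "orders-db", "tcp", 5432),
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def evaluate(flow: Flow, inventory: dict[str, str]) -> tuple[str, str]:
    """Return (verdict, reason). inventory maps IP address -> workload label."""
    src = inventory.get(flow.src_ip)
    dst = inventory.get(flow.dst_ip)
    if src is None or dst is None:
        return "deny", "unlabelled endpoint"  # unknown workloads get no access
    for s, d, proto, port in ALLOW_RULES:
        if (s, d, proto, port) == (src, dst, flow.proto, flow.dport):
            return "allow", f"{s}->{d}:{port}/{proto}"
    return "deny", f"no rule {src}->{dst}:{flow.dport}/{flow.proto}"


# Constructed inventory: orders-db and reporting-db share the 10.3.0.0/24 subnet,
# so coarse subnet-level segmentation alone could not tell them apart.
INVENTORY_BEFORE = {"10.1.0.5": "user-laptop", "10.2.0.10": "web-frontend",
                    "10.3.0.20": "orders-db", "10.3.0.21": "reporting-db"}
# Same workloads after orders-db is rescheduled to a new address.
INVENTORY_AFTER = {"10.1.0.5": "user-laptop", "10.2.0.10": "web-frontend",
                   "10.3.0.99": "orders-db", "10.3.0.21": "reporting-db"}

if __name__ == "__main__":
    for inv_name, inv in (("before", INVENTORY_BEFORE), ("after", INVENTORY_AFTER)):
        for f in (Flow("10.1.0.5", "10.2.0.10", "tcp", 443),     # user -> web
                  Flow("10.2.0.10", "10.3.0.20", "tcp", 5432),   # web -> 10.3.0.20
                  Flow("10.2.0.10", "10.3.0.99", "tcp", 5432),   # web -> 10.3.0.99
                  Flow("10.1.0.5", "10.3.0.20", "tcp", 5432),    # user skips web tier
                  Flow("10.2.0.10", "10.3.0.21", "tcp", 5432)):  # web -> reporting-db
            print(inv_name, f.src_ip, "->", f.dst_ip, f.dport, evaluate(f, inv))
```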