
Redefining Network Segmentation for the Zero Trust Era: Dispatching with the Square Onion

  • Writer: derekdodds
  • 3 days ago
  • 4 min read

Introduction

For decades, network architects have built security using a model that I like to refer to as the square onion: layer upon layer of segmented zones, each representing a boundary of trust. DMZs, production zones, corporate networks, and restricted segments were stacked like flat layers, each guarded by IP-based rules and perimeter firewalls. The assumption was that if you could control the layers, you could control the risk.


That model was designed for a world that no longer exists.


Today, users work from anywhere, applications live across clouds, and data flows well beyond traditional perimeters. The square onion's rigid, location-based, trust-assuming approach can't keep up. In the Zero Trust era, segmentation is no longer about where something lives on the network. It's about who is accessing it, what they're accessing, where they're coming from, and under what conditions.

This article explores how segmentation has evolved from static layers to dynamic, identity- and policy-driven controls, purpose-built for the way we work today.


Traditional Network Segmentation

Traditional segmentation relied on defining zones within the network. These zones, such as the DMZ, the internal network, or a secure application tier, were enforced with firewalls and access control lists. Traffic between them was tightly controlled, while traffic within a zone was often trusted implicitly.


This made sense when:

  • Most applications were hosted on-premises

  • Users worked from corporate offices

  • Networks had clear, enforceable boundaries

  • Security was based on location and infrastructure


Security relied heavily on location and infrastructure, leading to visibility gaps and inflexible controls. Once an attacker breached one layer, they often had lateral freedom within the zone. Plus, constant changes to IP addresses, network paths, and VLANs made segmentation hard to maintain and even harder to scale.


The Shift to Zero Trust Segmentation

Zero Trust changes the game by assuming no implicit trust, regardless of where the user or workload is located. Instead of building walls and hoping nothing slips through, Zero Trust requires organizations to verify every request and always enforce least-privilege access.


The core principles behind Zero Trust segmentation include:

  • Identity first: Access decisions are based on user identity, not IP address or network location.

  • Context aware: Where the user is connecting from, what device they’re on, and how risky the session appears all influence the policy.

  • Policy driven: Access is defined by business context (who needs access to what, and when), not by static firewall rules.

  • Adaptive and dynamic: Policies can change in real time based on behavior, risk posture, or compliance requirements.


This approach allows you to segment your environment logically, not physically, enabling precise, flexible control over access without relying on the rigid structure of traditional zones.


What Identity-Driven Segmentation Looks Like

In a Zero Trust-aligned environment, segmentation becomes a function of access control, not network topology. You can think of it like this:

  • Zone based: "This server is in the secure zone, so only allow access from these IPs."

  • Zero Trust: "Only finance users with a compliant device and MFA can access the payroll system from approved locations."


This is achieved using tools and integrations that work across infrastructure layers:

  • Identity Providers (IdPs) like Okta or Microsoft Entra ID authenticate users and assign roles

  • Policy engines determine whether access should be granted based on identity, device posture, time of day, and other signals

  • Access platforms like Zscaler ZPA or Cloudflare Zero Trust securely broker the connection between user and app

  • Cloud-native IAM controls enforce permissions at the service level


Instead of segmenting by subnet or VLAN, you’re segmenting by access rights, trust level, and risk context, and those can be evaluated continuously, not just at login.
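To make the contrast concrete, here is a small policy engine that encodes the payroll rule quoted above (finance role, compliant device, MFA, approved location) and re-evaluates it when a session signal changes. This is an added illustration, not code from the original post or from any of the products named; the policy table, the role and location names, and the request fields are all constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    """Signals a policy engine sees for one access attempt (constructed example)."""
    user: str
    roles: frozenset
    device_compliant: bool
    mfa: bool
    location: str
    app: str

# Hypothetical policy for the page's payroll example: identity, device posture,
# MFA and location are the inputs; no IP address or subnet appears anywhere.
POLICIES = {
    "payroll": {
        "roles": {"finance"},
        "compliant_device": True,
        "mfa": True,
        "locations": {"office-hq", "managed-vpn"},
    },
}

def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Deny by default; return the decision plus every failed check for the audit log."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, [f"no policy for app {req.app!r}"]
    failures = []
    if not (req.roles & policy["roles"]):
        failures.append("role")
    if policy["compliant_device"] and not req.device_compliant:
        failures.append("device_posture")
    if policy["mfa"] and not req.mfa:
        failures.append("mfa")
    if req.location not in policy["locations"]:
        failures.append("location")
    return not failures, failures

def reevaluate(req: Request, **changed) -> tuple[bool, list[str]]:
    """Continuous evaluation: re-run the policy after a signal changes mid-session."""
    return evaluate(replace(req, **changed))

if __name__ == "__main__":
    alice = Request("alice", frozenset({"finance"}), True, True, "office-hq", "payroll")
    print(evaluate(alice))                            # (True, [])
    print(reevaluate(alice, device_compliant=False))  # (False, ['device_posture'])
    print(evaluate(replace(alice, roles=frozenset({"engineering"}))))
```

The returned failure list is what makes these policies auditable: each denial names the missing signal rather than a firewall rule number.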


Why This Matters

The Zero Trust approach to segmentation offers several advantages:

  • Reduces lateral movement: Even if a user or device is compromised, access is tightly controlled

  • Improves compliance: Access policies are clearly defined and easier to audit

  • Scales with the business: As you move to cloud or hybrid models, the control plane follows the user and workload, not the infrastructure

  • Improves lifecycle management: Traditional segmentation models struggle with the complexity of commissioning and decommissioning services; IP addresses are reused, rules are duplicated, and old firewall entries are often left behind, increasing risk and operational burden


Getting Started: Evolving Your Segmentation Strategy

To move beyond a zone-based architecture and towards Zero Trust segmentation:

  • Map your environment: Understand who your users are, what apps they use, and how data flows

  • Classify by role and need: Group users and applications by access requirements, not IP

  • Enforce strong identity controls: Implement SSO, MFA, and device posture checks

  • Define contextual policies: Use role, risk, and location as policy inputs

  • Monitor and refine continuously: Use logs and analytics to adjust policies over time


Conclusion: Out with the Onion, In with Identity


“The layered, zone-based security model was built for a different era. Today’s networks require a more fluid, intelligent, and context-aware approach to segmentation.”


Zero Trust shifts the focus from walls to identities, from static rules to adaptive policies, and from implicit trust to continuous verification. It’s not just an evolution of segmentation, it’s a transformation of how we think about trust, access, and security.




©2025 BY HOUSTON NETWORK SECURITY.
