Zero-Trust Network Segmentation: Why Flat Networks Are the Biggest Security Risk
A compromised printer in accounting. Sounds harmless – until the attacker jumps from it to the domain controller via the flat network, then to production control, and three days later encrypts the entire manufacturing line. Network segmentation prevents exactly that. Yet, according to Zscaler, 68 percent of German SMEs have no Zero Trust concept for their internal networks.
TL;DR
- 🔒 68 percent of DACH SMEs have no Zero-Trust network concept (Zscaler, 2025).
- 📊 Lateral movement is the most common attack step after initial access (MITRE ATT&CK, 2025).
- ⏱️ Average dwell time of an attacker in a network: 10 days (Mandiant M-Trends, 2025).
- 🏢 Siemens has fully separated IT and OT since 2024, a model for industrial companies.
- 🛡️ Microsegmentation reduces the attack surface by up to 90 percent (Forrester, 2025).
Why Flat Networks Are the Biggest Security Risk
In a flat network, every device can communicate with every other. The intern’s laptop talks to the ERP server, the reception printer reaches the production control system. For attackers, this is paradise: a single compromised endpoint opens the door to everything.
MITRE ATT&CK documents lateral movement as the most common attack step after initial access. The attacker moves horizontally through the network, escalates privileges, and reaches their real target: data, control systems, or backup infrastructure. Mandiant puts the average dwell time at 10 days – ten days during which the attacker operates undetected.
“Microsegmentation reduces the blast radius of an attack to a minimum. Instead of compromising the entire network, the attacker remains trapped in an isolated segment.”
Forrester Research, Zero Trust Microsegmentation Report, 2025
Zero Trust Network Segmentation in Three Stages
Stage 1: Macrosegmentation (Immediately actionable). Divide your network into large zones: office IT, production OT, guest Wi-Fi, server DMZ. Each zone gets its own VLANs and firewall rules. No communication between zones without explicit approval. Siemens implemented exactly this step in 2024 across all German sites: IT and OT are now physically and logically fully separated.
Stage 2: Microsegmentation (3-6 months). Within each zone, individual workloads are isolated. The web server only communicates with the database, not the file server. Tools like Illumio, Guardicore (Akamai), or VMware NSX enable this without hardware changes. Forrester estimates a 90 percent reduction in the attack surface.
Stage 3: Identity-based segmentation (6-12 months). Access is no longer determined by the network segment but by the user’s identity and device. Zero Trust Network Access (ZTNA) replaces traditional VPNs. Zscaler, Cloudflare, and Palo Alto offer ZTNA as a cloud service. For companies with remote work and multi-cloud environments, this is the logical next step.
The Counterargument: Segmentation Slows Agility
Not every IT leader is enthusiastic. The most common argument against strict segmentation: it slows development. DevOps teams need fast access to different environments. Microsegmentation with rigid rules can slow deployment cycles and cause incidents when legitimate traffic is blocked.
The solution lies in Policy-as-Code: segmentation rules are not manually configured in firewalls but defined as code, versioned, and automatically deployed. Terraform, Ansible, and the APIs of segmentation platforms make this possible. The initial effort is higher, but long-term agility improves because rule changes are implemented in minutes rather than days.
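What Stage 1 and Policy-as-Code look like together, as an added example that is not from the article or from any vendor it names: the zones, the approved zone transitions and the flow records below are all constructed, and the rule set is deliberately default-deny, so every cross-zone flow without an explicit approval is reported. The zone list includes an OT DMZ so the IT-to-DMZ-to-production rule from the OT question further down is covered as well, and running it over exported flow records is one way to answer "who talks to whom" before the first VLAN is cut.

```python
import ipaddress

# Constructed zones: one subnet (VLAN) per macrosegment; "ot-dmz" is Purdue level 3.5.
ZONES = {
    "office-it": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "guest-wifi": ipaddress.ip_network("10.30.0.0/16"),
    "ot-dmz": ipaddress.ip_network("10.35.0.0/24"),
    "ot-production": ipaddress.ip_network("10.40.0.0/16"),
}

# Explicit approvals (source zone, destination zone, port); any other zone transition is denied.
ALLOWED = {
    ("office-it", "servers", 443),      # browsers to the ERP web front end
    ("office-it", "ot-dmz", 3389),      # admins reach OT only via the DMZ jump host
    ("ot-dmz", "ot-production", 502),   # Modbus from the DMZ historian to PLCs
    ("guest-wifi", "servers", 53),      # guests may resolve names, nothing more
}

def zone_of(ip):
    """Return the zone containing ip, or None if it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def verdict(src, dst, dport):
    """Classify one flow as intra-zone, allowed, violation or unknown-zone."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "unknown-zone"
    if s == d:
        return "intra-zone"  # stage 2 (microsegmentation) looks inside the zone
    return "allowed" if (s, d, dport) in ALLOWED else "violation"

def audit(flow_lines):
    """Parse 'src dst dport' records into (src_zone, dst_zone, port, verdict) tuples."""
    rows = [line.split() for line in flow_lines]
    return [(zone_of(s), zone_of(d), int(p), verdict(s, d, int(p))) for s, d, p in rows]

# Constructed flow records (as exported from NetFlow or a firewall log): who talks to whom?
SAMPLE_FLOWS = [
    "10.10.5.23 10.20.1.10 443",   # office laptop to ERP: approved
    "10.10.5.23 10.40.2.7 502",    # office laptop straight to a PLC: IT/OT violation
    "10.30.8.1 10.20.1.10 445",    # guest Wi-Fi to a file server: violation
    "10.20.1.10 10.20.1.11 5432",  # web server to database inside the server zone
    "10.35.0.5 10.40.2.7 502",     # DMZ historian to PLC: approved
    "192.168.99.4 10.20.1.10 22",  # address in no defined zone: flag for the inventory
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print("%13s -> %-13s :%-5d %s" % row)
```

Because ZONES and ALLOWED are plain data, they can live in version control and be reviewed like any other code change; the same tables can then be rendered into firewall or switch ACLs by whatever tooling the environment already uses.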
Conclusion: Segmentation Is the Most Cost-Effective Security Investment
Network segmentation doesn’t require million-euro budgets. Macrosegmentation with existing switches and firewalls can be implemented in weeks. Software-based microsegmentation starts at €10,000 per year for mid-sized environments. The cost-benefit ratio is unbeatable: 90 percent less attack surface for a fraction of the cost of an EDR platform. The first step: map your network. Who talks to whom? The results will surprise you.
Frequently Asked Questions
We have 200 employees and a flat network. Where do we start?
Begin with macrosegmentation: separate at least four zones (office IT, servers, guests, management network). This can be done with existing managed switches (VLAN configuration) and one firewall rule per zone transition. Time required: 2 to 4 days for a network admin. Cost: nearly zero if the hardware supports VLANs.
Does microsegmentation work in virtualized environments?
Yes, and particularly well. VMware NSX, Illumio, and Guardicore operate at the hypervisor level and can isolate individual VMs without hardware changes. In Kubernetes environments, Network Policies serve the same function. The advantage over hardware-based segmentation: rules move with the workload when it’s relocated.
How expensive is microsegmentation for a company with 500 endpoints?
Open-source options (OPNsense, pfSense with VLANs) cost nothing beyond implementation effort. Commercial software solutions (Illumio, Guardicore) start at around €10,000 to €25,000 per year for 500 endpoints. Enterprise platforms (Cisco Secure Workload, Palo Alto Prisma) range from €30,000 to €80,000. By comparison, the average ransomware incident costs €1.8 million (Sophos, 2025).
We have an OT environment (production). Do different rules apply?
Yes. OT segmentation follows the Purdue Model: strict separation between enterprise IT (Levels 4-5) and production networks (Levels 0-3) via a demilitarized zone (DMZ Level 3.5). No direct access from IT to OT. Siemens has implemented this across all German sites and recommends as a minimum standard: separate firewalls between IT and OT, no shared Active Directory domains, and dedicated management networks for SCADA systems.
Does segmentation disrupt our remote employees’ VPN access?
Traditional site-to-site VPNs do, because they funnel users into a network segment with full access. The solution: Zero Trust Network Access (ZTNA) instead of VPNs. ZTNA grants access to individual applications rather than entire networks. A remote employee can reach their ERP system but not the adjacent backup server. Zscaler, Cloudflare Access, and Palo Alto Prisma Access offer this as a cloud service.