Standards and Frameworks Reference

NIST SP 800-207: Zero Trust Architecture

Microsegmentation as ZTA Deployment Model

NIST SP 800-207 identifies microsegmentation as one of three primary deployment approaches for zero trust:

  • Places individual resources, or groups of resources, on a unique network segment protected by a gateway security component
  • The enterprise deploys infrastructure devices such as intelligent switches, next-generation firewalls, or special-purpose gateway devices to act as policy enforcement points (PEPs) protecting each resource or group of resources
  • This approach can be implemented using software-defined networking (SDN) or hypervisor-level enforcement

Applicable Controls

  • AC-4 (Information Flow Enforcement): Microsegmentation enforces approved information flows between workloads
  • SC-7 (Boundary Protection): Each microsegment boundary acts as a security boundary
  • SI-4 (Information System Monitoring): Microsegmentation tools provide flow telemetry for monitoring

CISA Zero Trust Maturity Model v2.0

Network Pillar - Microsegmentation Maturity

Level       | Network Segmentation                        | Microsegmentation                | Traffic Management
------------|---------------------------------------------|----------------------------------|-----------------------------
Traditional | Large, macro-segmented perimeters           | None                             | Static ACLs
Initial     | Defined architecture with some isolation    | Initial workload isolation       | Basic flow visibility
Advanced    | Ingress/egress micro-perimeters             | Workload-level microsegmentation | Identity-based traffic rules
Optimal     | Full microsegmentation, dynamically defined | Automated, adaptive policies     | ML-driven anomaly detection

Cross-Cutting: Visibility and Analytics

  • Flow telemetry from microsegmentation agents feeds into SIEM/SOAR
  • Application dependency maps provide a baseline for anomaly detection
  • Policy violation alerts enable real-time incident detection

PCI DSS v4.0

Microsegmentation for Scope Reduction

  • Requirement 1.3: Network controls restrict access to and from the cardholder data environment (CDE)
  • Requirement 1.4: Network connections between trusted and untrusted networks are controlled
  • Microsegmentation can reduce PCI scope by isolating CDE workloads from non-CDE systems
  • Compensating control: host-based microsegmentation validated by a QSA as equivalent to network segmentation

Forrester Zero Trust eXtended (ZTX) Framework

Workload Security Pillar

  • Microsegmentation is a core capability for securing workloads
  • Policies should be based on workload identity and context, not network location
  • Continuous monitoring of east-west traffic for anomaly detection
  • Integration with DevOps pipelines for automated policy management

VMware NSX Distributed Firewall

Architecture

  • Stateful Layer 4-7 firewall embedded in the hypervisor kernel
  • Policies evaluated at the vNIC level before traffic reaches the physical network
  • Context-aware rules using Active Directory groups, VM tags, and application identification
  • No network topology changes required for deployment

Illumio Core Platform

Architecture

  • Virtual Enforcement Node (VEN) agents installed on workloads
  • Policy Compute Engine (PCE) centralizes policy management and visualization
  • Enforcement via the native OS firewall (iptables on Linux, Windows Filtering Platform (WFP) on Windows)
  • Label-based policy model: Role, Application, Environment, Location
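The label-based policy model above, and the policy-violation alerting described under the CISA visibility pillar, as an added illustration (not Illumio's own code or API): rules are written against constructed Role/Application/Environment/Location labels rather than IP addresses, observed flows are evaluated with default deny, and every unmatched flow becomes a SIEM-ready alert line. The inventory, rule and flow records are constructed sample data.

```python
"""Label-based microsegmentation policy check (added illustration, not Illumio's code).
Rules name workload labels, never IPs, so policy follows the workload, not its subnet."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Labels = Dict[str, str]  # role / app / env / loc, as in the Illumio label model
# Constructed inventory, IP -> labels (what a central policy engine knows per agent).
INVENTORY: Dict[str, Labels] = {
    "10.1.1.10": {"role": "web", "app": "payments", "env": "prod", "loc": "dc1"},
    "10.1.2.20": {"role": "db", "app": "payments", "env": "prod", "loc": "dc1"},
    "10.9.9.30": {"role": "web", "app": "payments", "env": "dev", "loc": "dc1"},
}

@dataclass(frozen=True)
class Rule:
    """Allow src-selector -> dst-selector on port/proto; an omitted label is a wildcard."""
    src: Labels
    dst: Labels
    port: int
    proto: str = "tcp"

# Constructed allow-list: prod payments web tier -> prod payments db tier, TCP/5432 only.
RULES: List[Rule] = [
    Rule(src={"role": "web", "app": "payments", "env": "prod"},
         dst={"role": "db", "app": "payments", "env": "prod"}, port=5432),
]

def matches(selector: Labels, labels: Labels) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())

def is_allowed(src_ip: str, dst_ip: str, port: int, proto: str = "tcp") -> bool:
    """Default deny: an unlabelled (unknown) workload never matches any rule."""
    src, dst = INVENTORY.get(src_ip), INVENTORY.get(dst_ip)
    if src is None or dst is None:
        return False
    return any(r.port == port and r.proto == proto
               and matches(r.src, src) and matches(r.dst, dst) for r in RULES)

def find_violations(flows: List[Tuple[str, str, int, str]]) -> List[str]:
    """One SIEM-ready alert line per observed flow the policy does not allow."""
    return [f"VIOLATION {s}->{d}:{p}/{pr} src={INVENTORY.get(s)} dst={INVENTORY.get(d)}"
            for s, d, p, pr in flows if not is_allowed(s, d, p, pr)]

# Constructed flow telemetry (src, dst, dport, proto) as an agent might report it.
FLOWS = [
    ("10.1.1.10", "10.1.2.20", 5432, "tcp"),   # prod web -> prod db: allowed
    ("10.9.9.30", "10.1.2.20", 5432, "tcp"),   # dev web -> prod db: env mismatch
    ("10.1.1.10", "10.1.2.20", 22, "tcp"),     # prod web -> prod db over SSH: no rule
    ("10.1.1.10", "203.0.113.5", 443, "tcp"),  # unlabelled destination: default deny
]
```

Running `find_violations(FLOWS)` yields three alerts (the dev-to-prod flow, the SSH flow, and the flow to the unlabelled host); only the first flow matches the single rule.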

Guardicore (Akamai)

Architecture

  • Lightweight agents provide process-level visibility and enforcement
  • Reveal module builds application dependency maps
  • Centra management platform for policy creation and monitoring
  • Supports bare-metal, VM, container, and cloud workloads