I had a great time on stage at the Modern Operations Summit this spring. Brandon Friedrich and I ran a zero trust segmentation workshop together, and the room was packed with exactly the conversations I hoped for: real questions from people who have been trying to make zero trust happen in their environments for years, and who are tired of the buzzword bingo that usually comes with it.
A lot of what we covered on stage is the same guidance we bring into our customer engagements every week. I thought it was worth putting the short version here, for anyone who couldn’t make it, or anyone who was there and wants a cleaner reference than the notes they scribbled on the back of an agenda.
The one-line version: zero trust isn’t a product, it’s a stack. The reason most segmentation programs stall isn’t that any single layer is bad. It’s that the stack hasn’t been designed end to end. Most organizations we talk to have five different teams running five parallel “zero trust” projects on five different policy admin consoles, and nothing is actually enforced east to west where it matters.
Here’s how we help customers fix that, and why microsegmentation with Elisity is the layer most stacks are missing.
The Only Zero Trust Decision That Matters: Where Policy Lives
If you’ve read NIST 800-207 cover to cover, congratulations. It’s a long document. The part worth tattooing on the back of your hand is the distinction between two things:
- Policy Enforcement Points (PEP). Where traffic actually gets allowed or denied. A firewall. A switch ASIC. A cloud security edge. An agent on a laptop. Something physical, virtual, or cloud-delivered has to do the work of saying no.
- Policy Administration Points (PAP). Where a human writes the policy. A firewall manager. An SSE console. A NAC server. An identity platform. Somewhere an engineer is defining what allowed looks like for every flow in the environment.
Every tool in the stack has both. And the reason zero trust gets messy in the real world isn’t that we’re short on tools. It’s that every new tool adds another PAP. Another console. Another source of truth. Another place a junior engineer has to open a ticket to change one rule.
When Brandon and I run workshops, the first question isn’t what policy the customer wants to write. It’s where they already have PEPs and how many PAPs they’re administering. If the answer is five or six, the project is already stuck. The goal isn’t to rip anything out. The goal is to get policy administration down to as few points as possible so the enforcement points can stay in sync without a human reconciling them on Friday afternoons.
The Rest of the Stack, In One Paragraph
Firewalls are still in the stack and always will be, but they’re best at north-south inspection and zone-level enforcement, not east-west microsegmentation across a campus full of devices that live on the same VLAN. SSE and SASE are excellent at what they were designed for (replacing VPN, securing mobile users, handling user-to-internet and user-to-cloud traffic) but they can’t see the hospital floor, the factory floor, or the retail back-of-house where thousands of connected devices don’t have a human on them. Cisco TrustSec and the tag-based approaches every other OEM has since copied are architecturally the right idea, and ISE deployments still do real work for customers in production, but standing up tag propagation, posture, and multi-vendor interoperability across hundreds of switches is a three-to-five-year undertaking, and plenty of teams end up with a working proof of concept and a production program that never scaled. All three of those layers are in the stack for almost every customer we work with. None of them closes the east-west campus and branch gap on their own.
That gap is where microsegmentation goes. And for most customers, it’s the layer that finally makes the rest of the stack make sense.
Microsegmentation with Elisity: The Layer Most Stacks Are Missing
The first time Brandon and I sat down with Elisity, we were skeptical. The pitch was: overlay on your existing switches and wireless, no new hardware, no agents on endpoints, no VLAN redesign, build policy around the identity of the device, and enforce inside the ASIC of the switch you already own. Works across Cisco, Arista, Juniper, HPE Aruba, and Palo Alto. We put it in the lab because we didn’t believe it. It worked the way they said it would.
Here’s what the Elisity layer actually does in a customer stack:
- Uses your existing network infrastructure as the enforcement point. Elisity pulls telemetry through native constructs like NetFlow and device tracking. No new appliance sits inline in your traffic path. No agent on the medical device, PLC, or camera.
- Ingests identity from the systems you already operate. Active Directory, Entra ID, CrowdStrike, SentinelOne, Microsoft Defender, ServiceNow, Claroty, Armis, Dragos, Nozomi. Whatever you already use to track devices feeds the Elisity IdentityGraph™, which builds one unified identity for every asset on the network.
- Writes policy against identity, not IP. An infusion pump is an infusion pump whether it’s in Ward 3 today or Ward 7 tomorrow. Policy follows the device.
- Starts in visibility mode. When you turn it on, nothing is being enforced yet. The platform maps every east-west flow it sees. Our advice to customers is almost always the same: deny the flows that have never happened first. That single move drops the blast radius meaningfully with zero production impact.
- Runs on one cloud-delivered policy admin point. This is the part that actually solves the PAP consolidation problem. One console for campus and branch east-west policy, regardless of which switching vendor is underneath.
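To make the identity-not-IP and visibility-first points concrete, here is an added illustration (not Elisity code, not a customer artifact): a constructed device inventory stands in for an identity graph, a few constructed NetFlow-style records stand in for the flows seen during visibility mode, and the resulting allow-list is keyed on device group so that a pump keeps its access after moving wards while any flow never observed is denied.

```python
from collections import namedtuple

# One NetFlow-style record, reduced to the fields the policy needs.
Flow = namedtuple("Flow", "src_ip dst_ip dst_port proto")

# Constructed identity inventory standing in for an identity graph:
# IP -> (device name, device group). The group, not the IP, is the policy key.
INVENTORY = {
    "10.3.0.21": ("pump-0021", "infusion-pump"),
    "10.3.0.22": ("pump-0022", "infusion-pump"),
    "10.9.0.5": ("meds-srv-01", "medication-server"),
    "10.9.0.8": ("cam-lobby", "ip-camera"),
    "10.9.0.9": ("nvr-01", "video-recorder"),
}

# Constructed flows seen during visibility mode, when nothing is enforced yet.
OBSERVED = [
    Flow("10.3.0.21", "10.9.0.5", 443, "tcp"),
    Flow("10.3.0.22", "10.9.0.5", 443, "tcp"),
    Flow("10.9.0.8", "10.9.0.9", 554, "tcp"),
]


def group_of(ip, inventory):
    """Resolve an IP to its device group; anything not inventoried stays 'unknown'."""
    return inventory.get(ip, (None, "unknown"))[1]


def learn_policy(flows, inventory):
    """Allow-list of (src group, dst group, dst port, proto) tuples seen in visibility mode."""
    return {
        (group_of(f.src_ip, inventory), group_of(f.dst_ip, inventory), f.dst_port, f.proto)
        for f in flows
    }


def decide(flow, policy, inventory):
    """Allow a flow only if its identity tuple was observed; deny everything else."""
    key = (group_of(flow.src_ip, inventory), group_of(flow.dst_ip, inventory),
           flow.dst_port, flow.proto)
    return "allow" if key in policy else "deny"


def relocate(inventory, name, new_ip):
    """Model a device moving wards: same identity, new IP, no policy change needed."""
    moved = {ip: dev for ip, dev in inventory.items() if dev[0] != name}
    moved[new_ip] = next(dev for dev in inventory.values() if dev[0] == name)
    return moved
```

Real deployments would aggregate far more flows and review the learned list before enforcing it; the point here is that the allow-list never mentions an IP, so relocating a device changes the inventory, not the policy.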
The reason this is the layer most stacks are missing isn’t that microsegmentation is new. It’s that every previous attempt at it asked the customer to redesign their network before any security value showed up. Elisity inverts that order. Overlay first. Enforce incrementally. Never redesign.
The customer outcomes we’ve been seeing are the part that convinced me this approach is real. Health systems that spent years stalled on TrustSec and firewall-everywhere quotes going from contract to operational least-privilege segmentation in a handful of weeks. Manufacturing customers segmenting OT fleets without touching the control plane. Enterprises finally solving east-west between devices sitting on the same VLAN without a network redesign project. These are outcomes we’ve genuinely struggled to deliver with any other tool in the stack.
How We Help
The reason we talked about all of this on stage is that this is exactly the work we do with customers every week. A few ways that usually plays out:
- Zero trust workshops. Two to four hours, on-site or remote. We map your current PEPs and PAPs, figure out where the gaps are, and build a short list of consolidation moves worth making in the next two quarters. No vendor pitch. Just your stack, on a whiteboard, with someone who has done this across dozens of organizations.
- Architecture design. Once the gaps are clear, we help design the end-state zero trust architecture, including which enforcement points do what, how identity flows across them, and where microsegmentation fits. If Elisity is the right fit, we’ll say so. If a TrustSec path or a firewalls-first path makes more sense for your environment, we’ll say that too.
- Deployment and operations. When it’s time to deploy, our engineering team runs the implementation and the integrations end to end: infrastructure onboarding, identity source connections, EDR and NAC integrations, policy design, visibility-first rollout, and the handover to your team’s ongoing operations.
Our goal is the version of zero trust that actually gets done. Not because it’s elegant on a whiteboard, but because every piece of the stack is carrying weight it was designed to carry, and no piece is being asked to do the whole job.
If you were in the room at Modern Operations Summit, thanks for coming. If you weren’t and any of this sounds like the place you’re stuck, we’d love to walk through it together. Bring your current stack. We’ll help you figure out what’s missing.