What is a micro-segmentation concept in Zero Trust architecture?

Micro-segmentation in Zero Trust is the practice of dividing the network into small, isolated segments around individual workloads so that communications are only allowed when explicitly authorized. This creates micro-perimeters around assets and enforces granular policies at the workload level, which makes it much harder for an attacker to move laterally if they breach one segment. Policies are typically based on identity, device posture, application, and data sensitivity, enforced through software-defined networking, virtualization, or host-based controls. This approach contrasts with relying on a single perimeter firewall, which guards the outer edge, or with antivirus baselines or single sign-on, which address endpoint protection or authentication but not fine-grained internal segmentation.