Microsegmentation Blog

Zero Trust Maturity Model Updates: Moving Beyond Traditional Firewalls

The zero trust maturity model has been updated this week, and the new guidance makes an important distinction clear: traditional firewalls and microsegmentation are not competing technologies — they serve different layers of the maturity model, and you need both at different stages.

Architectural Differences

Traditional firewalls operate at network chokepoints. Traffic entering or leaving a segment passes through the firewall, which inspects packets and applies rules based on source and destination IP addresses, ports, and protocols. This is north-south security — protecting the perimeter and segment boundaries.

Microsegmentation, by contrast, is distributed. Policy enforcement happens at the workload level — on the host itself, in the hypervisor, or via a software agent. There is no single chokepoint. Every workload is its own enforcement point. This is east-west security — controlling traffic inside your network.

The updated maturity model places firewalls at the “initial” and “managed” stages of zero trust maturity, and microsegmentation at the “defined” and “quantitatively managed” stages.

Where Traditional Firewalls Fall Short

The maturity model update highlights three limitations of firewall-based segmentation:

East-west blind spots. A traditional firewall sees only the traffic that passes through it. East-west traffic between servers in the same segment never touches the firewall, so it is invisible. You are flying blind when it comes to lateral movement.

Static policy models. Firewall rules are defined by IP addresses and ports. Every time a workload moves or a server is replaced, the rules need updating. This leads to “rule bloat” — thousands of rules, many of which exist because nobody remembers what they do.

Cloud incompatibility. You cannot put a hardware firewall inside AWS or Azure. Virtual firewall appliances help but introduce complexity and cost. Traffic between VPCs, across regions, or between cloud providers becomes difficult to manage.

How Microsegmentation Fills the Gap

Microsegmentation policies are defined by workload identity. A policy says “all web servers can talk to application servers on port 443,” not “10.0.1.50 can talk to 10.0.2.100 on port 443.” When a new web server spins up, it automatically inherits the web server policy.
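To make the identity-based model concrete, here is an added example (my own illustration, not code from this post or from any product): a constructed inventory of labelled workloads and two role-to-role policies, compiled into the per-host allow tuples a distributed enforcement point would install. Adding a web server changes the compiled rules but not the policy set, and any flow no policy produces, including traffic between peer web servers, is denied.

```python
"""Role-based microsegmentation policy compiled to per-workload allow rules.
All addresses, names and roles below are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple

Rule = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port) as installed on each host


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    roles: FrozenSet[str]  # identity labels such as {"web"}; never derived from the IP


@dataclass(frozen=True)
class Policy:
    src_role: str
    dst_role: str
    port: int


def compile_rules(workloads: Iterable[Workload], policies: Iterable[Policy]) -> Set[Rule]:
    """Expand each role-to-role policy into concrete allow tuples for every matching
    (source, destination) pair. Nothing else is emitted, so the default is deny."""
    inventory = list(workloads)
    rules: Set[Rule] = set()
    for pol in policies:
        for src in inventory:
            if pol.src_role not in src.roles:
                continue
            for dst in inventory:
                if pol.dst_role in dst.roles and dst is not src:
                    rules.add((src.ip, dst.ip, pol.port))
    return rules


def is_allowed(rules: Set[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """Decision a host-level enforcer makes for one flow: allow only if compiled."""
    return (src_ip, dst_ip, port) in rules


# Two intent statements cover the whole tier-to-tier model (constructed policy set).
POLICIES: List[Policy] = [Policy("web", "app", 443), Policy("app", "db", 5432)]

# Constructed inventory: two web servers, one app server, one database.
INVENTORY: List[Workload] = [
    Workload("web1", "10.0.1.50", frozenset({"web"})),
    Workload("web2", "10.0.1.51", frozenset({"web"})),
    Workload("app1", "10.0.2.100", frozenset({"app"})),
    Workload("db1", "10.0.3.10", frozenset({"db"})),
]


def rules_for(extra: Iterable[Workload] = ()) -> Set[Rule]:
    """Compile the policy set against the inventory plus any newly spun-up workloads."""
    return compile_rules(list(INVENTORY) + list(extra), POLICIES)
```

Running `rules_for()` yields three host rules; adding a `web3` workload with the `web` label yields a fourth without touching `POLICIES`, which is the inheritance the paragraph describes.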

This identity-based model is what enables the “defined” and “quantitatively managed” stages of zero trust maturity. It also provides the visibility that firewalls cannot:

The Complete Architecture

A mature zero trust architecture uses both:

For web application protection at the perimeter layer, waap-security.uk provides the WAAP capabilities that complement your east-west microsegmentation strategy. For AI-driven security analytics that can help measure segmentation policy effectiveness, aisecurities.uk provides the continuous monitoring and anomaly detection layer.

The Bottom Line

If your network is a few servers behind a single firewall, traditional segmentation is fine. But if you are running a modern, distributed environment — containers, multi-cloud, DevOps pipelines — microsegmentation is the only path to the higher maturity levels that zero trust programs require.
