When I talk with security architects, one of the most common misconceptions is that they have to go all in when doing security segmentation. They think they have to apply segmentation to every single server and device in the data center. This is not the case, and in many cases our recommendation is to start small, concentrating on a high-value asset or application that holds their most critical data.
One benefit of doing segmentation at the host level is that you can enforce policy for a single application that spans multiple data centers and deployment types (physical, virtual or container). In fact, many of my customers deploy applications in more than one data center so that the application survives if a data center goes down.
So when embarking on a segmentation initiative, remember to focus on your highest priorities and get a quick win. You will quickly benefit in a way that protects your brand and your customers' data.
When considering which apps to protect, it is important to consider what other resources and apps can be reached by someone who gains access to that app.
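The two ideas above, a label-based host policy that follows one application across data centers and deployment types, and the question of what an intruder could reach from a given app, can be checked with a small model. The following is an added example written for this page, not code from the original post or from any product; the workload inventory, the label names (app, tier, dc, type) and the allow-list rules are all constructed, and the policy format is hypothetical rather than any vendor's. It computes, for each workload, the set of other workloads (and therefore applications) reachable through the allowed flows if each hop is compromised in turn.

```python
"""Added example: a label-based, host-level allow-list policy and the
blast radius it leaves. Labels, workloads and rules are constructed."""
from collections import deque

# Constructed inventory: workload -> labels. The payments app runs in two
# data centers on three deployment types; because policy is keyed by labels
# rather than by location, one rule set covers every instance.
WORKLOADS = {
    "web-dc1-vm":  {"app": "payments", "tier": "web",  "dc": "dc1", "type": "virtual"},
    "web-dc2-ctr": {"app": "payments", "tier": "web",  "dc": "dc2", "type": "container"},
    "db-dc1-bm":   {"app": "payments", "tier": "db",   "dc": "dc1", "type": "physical"},
    "db-dc2-bm":   {"app": "payments", "tier": "db",   "dc": "dc2", "type": "physical"},
    "hr-web":      {"app": "hr",       "tier": "web",  "dc": "dc1", "type": "virtual"},
    "hr-db":       {"app": "hr",       "tier": "db",   "dc": "dc1", "type": "virtual"},
    "jump":        {"app": "admin",    "tier": "jump", "dc": "dc1", "type": "virtual"},
}

# Allow-list rules: (source selector, destination selector, port). A selector
# matches a workload when every key in it equals that workload's label.
# Anything not matched by a rule is denied by the host firewall.
RULES = [
    ({"app": "payments", "tier": "web"}, {"app": "payments", "tier": "db"}, 5432),
    ({"app": "hr", "tier": "web"},       {"app": "hr", "tier": "db"},       5432),
    # Deliberately broad rule: the admin jump host may reach *every* db tier.
    ({"app": "admin"},                   {"tier": "db"},                    22),
]


def matches(selector, labels):
    """True when the workload's labels satisfy every key in the selector."""
    return all(labels.get(k) == v for k, v in selector.items())


def allowed(src, dst, rules=RULES, workloads=WORKLOADS):
    """Ports that workload `src` may reach on workload `dst`."""
    s, d = workloads[src], workloads[dst]
    return sorted({port for ss, ds, port in rules
                   if matches(ss, s) and matches(ds, d)})


def reachable(start, rules=RULES, workloads=WORKLOADS):
    """Transitive closure over allowed flows: every workload an intruder who
    controls `start` could hop to, assuming each hop can be compromised."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for other in workloads:
            if other not in seen and allowed(cur, other, rules, workloads):
                seen.add(other)
                queue.append(other)
    return seen - {start}


def apps_exposed(start, rules=RULES, workloads=WORKLOADS):
    """Distinct applications whose workloads lie in the blast radius of `start`."""
    return sorted({workloads[w]["app"] for w in reachable(start, rules, workloads)})


def tighten_admin_rule(rules=RULES):
    """Replace the broad admin->any-db rule with one scoped to the payments db tier."""
    narrowed = [r for r in rules if r[0] != {"app": "admin"}]
    narrowed.append(({"app": "admin"}, {"app": "payments", "tier": "db"}, 22))
    return narrowed


if __name__ == "__main__":
    for w in WORKLOADS:
        print(f"{w:12} reaches {sorted(reachable(w))}  apps: {apps_exposed(w)}")
    print("after tightening, jump exposes:", apps_exposed("jump", tighten_admin_rule()))
```

Running it shows that the payments web tier in either data center reaches only the payments databases in both data centers (one policy, two locations), while the jump host's broad rule lets a compromise there reach the HR database as well; scoping that one rule removes HR from the blast radius.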