When I speak with security architects, they generally agree that the best way to prevent security incidents in the data center is to put as much friction as possible in its path, so that malware cannot spread and attackers cannot move laterally. What they often don't realize is that they don't need a network transformation to do this. Another key point we discuss is that once they have the visibility they need to make policy simple and safe to implement, they want to revisit segmentation.

I find it interesting how many companies have been implementing segmentation, and struggling with it, for so long because they rely on conventional methods: hardware firewalls, switches, routers and hypervisors. At small scale, all of these can enforce policy somewhat effectively. Once segmentation is scaled up, however, their lack of a map of the environment and of an abstracted policy model makes it very difficult to develop and apply security policy without causing an outage.

The article discusses segmentation as a means to make it much harder for ransomware to spread laterally. I suggest using segmentation to limit protocols like SSH and RDP to a small number of jump hosts. It is a fast, simple policy that can be implemented very safely.
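To show what the jump-host policy looks like when it is written against labels rather than addresses, here is an added example (my own illustration, not code from the article or any product): a constructed four-host inventory, an SSH/RDP policy expressed as role-to-role rules, a function that compiles that policy into the concrete allow-list a single host would enforce, and an audit pass over constructed flow records that flags the connections the policy would block.

```python
from dataclasses import dataclass
from ipaddress import ip_address

SSH, RDP = 22, 3389
ADMIN_PORTS = {SSH, RDP}

@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    role: str  # workload label, e.g. "jump", "web", "db"

# Constructed inventory for this example; not taken from the article.
HOSTS = [
    Host("jump-01", "10.0.0.10", "jump"),
    Host("jump-02", "10.0.0.11", "jump"),
    Host("web-01", "10.1.0.21", "web"),
    Host("db-01", "10.2.0.31", "db"),
]

# Policy stated in labels, not addresses: (source role, destination role, port).
# Anything on an admin port that is not listed is denied (default deny).
ADMIN_POLICY = {("jump", "web", SSH), ("jump", "web", RDP), ("jump", "db", SSH)}

def role_of(ip, hosts=HOSTS):
    """Map an address to its label; unknown hosts get no role and match nothing."""
    addr = ip_address(ip)
    return next((h.role for h in hosts if ip_address(h.ip) == addr), None)

def is_admin_flow_allowed(src_ip, dst_ip, port, hosts=HOSTS, policy=ADMIN_POLICY):
    """Non-admin ports are out of scope here; SSH/RDP must originate from a jump host."""
    if port not in ADMIN_PORTS:
        return True
    return (role_of(src_ip, hosts), role_of(dst_ip, hosts), port) in policy

def compile_host_rules(host, hosts=HOSTS, policy=ADMIN_POLICY):
    """Render the label policy into the (source ip, port) allow-list one host enforces.
    Adding a host with an existing label needs a recompile, not a policy change."""
    return sorted({(h.ip, port) for (s, d, port) in policy if d == host.role
                   for h in hosts if h.role == s})

def find_violations(flow_lines, hosts=HOSTS, policy=ADMIN_POLICY):
    """Audit 'src dst port' flow records; return the ones the policy would block."""
    bad = []
    for line in flow_lines:
        src, dst, port = line.split()
        if not is_admin_flow_allowed(src, dst, int(port), hosts, policy):
            bad.append(line)
    return bad

# Constructed flow records: the last two are the lateral moves the policy stops.
SAMPLE_FLOWS = ["10.0.0.10 10.1.0.21 22", "10.1.0.21 10.2.0.31 443",
                "10.1.0.21 10.2.0.31 22", "10.9.9.9 10.1.0.21 3389"]
```

Running `find_violations(SAMPLE_FLOWS)` before enforcement is the "visibility first" step the text describes: it shows which existing SSH/RDP flows the rule would cut, so the policy can be fixed or exceptions labelled before anything is blocked.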