Traditional perimeter-based security models are increasingly inadequate for modern enterprise environments, often leading to “security silos” in which inconsistent policies across infrastructure layers facilitate lateral movement by attackers. Current microsegmentation methods frequently apply policies in isolation at a single layer, resulting in discontinuous protection and a significantly worsened security posture. This paper presents a unified three-tier microsegmentation orchestration framework designed for Zero Trust Architecture (ZTA). The framework integrates a network-level Zero Trust Orchestration and Governing (ZTOG) plane, which uses the Dynamic Network Optimization and Segmentation (DNOS) algorithm for automated switch control; the programmable ZFLOW framework for system-level process security; and lightweight eBPF-based endpoint agents for edge enforcement. Evaluated on real-world datasets from a super-speciality hospital and an academic campus, the implementation reduces Enterprise Network Internal Connectivity Exposure (ENICE) by over 99%. Furthermore, the total number of potential attack paths decreased by 99.7%, while network resilience increased by 60%–90%. Scalability studies show a deterministic end-to-end latency of approximately 130 ms for 1000 simultaneous users, which is on par with reported benchmarks for commercial platforms such as Cisco ACI and VMware NSX, although those benchmarks were obtained under non-identical test conditions. These findings indicate that the proposed method offers a practical, scalable, and open-source Zero Trust microsegmentation solution. By operationalizing ZTA principles across all infrastructure tiers and improving resource availability to 99.9%, the framework provides robust defense-in-depth, particularly suitable for research and resource-constrained enterprise environments.