Elisity Blog

Quantifying Zero Trust in the Enterprise: Measuring Microsegmentation for Users, Workloads, and Devices

Enterprises today face an evolving threat landscape in which perimeter-based security is no longer sufficient. Attackers continuously find ways to move laterally across networks, leveraging compromised credentials, misconfigured access policies, and unsegmented environments, and they are increasingly using AI to rapidly analyze network scanning data and identify potential entry points. In response, organizations are adopting Zero Trust security models that assume breaches will occur and enforce stringent access controls accordingly, and those same organizations are implementing processes and KPIs for quantifying Zero Trust in the enterprise.

A critical component of Zero Trust is microsegmentation, which enforces least-privilege access by controlling communications between users, workloads, and devices based on identity and contextual risk.  However, adopting microsegmentation is not enough—organizations must also measure its effectiveness to ensure security policies are working as intended. 

This article explores how enterprises can quantify their Zero Trust maturity, focusing on microsegmentation and real-time policy enforcement across hybrid IT environments.  By tracking the right metrics, security teams can demonstrate improvements in risk reduction, compliance, and operational efficiency. 

Understanding Zero Trust Maturity: The CISA Zero Trust Maturity Model 

The Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model provides a framework for organizations to assess and improve their Zero Trust posture.  The model defines four stages of maturity across five key security pillars—Identity, Devices, Networks, Applications & Workloads, and Data—each with corresponding cross-functional capabilities in visibility, automation, and governance. 

  1. Traditional: Security is static and perimeter-based, relying heavily on implicit trust. Network controls are often manual, and access decisions do not dynamically adjust based on risk.
  2. Initial: Organizations begin adopting multi-factor authentication (MFA), identity governance, and basic microsegmentation but rely on periodic reviews rather than real-time, continuous evaluation.
  3. Advanced: Access control decisions become risk-based and context-aware, integrating adaptive authentication, dynamic segmentation, and automated policy enforcement. Least-privilege principles extend across users, workloads, and devices, with identity-centric security models replacing network-based trust assumptions.
  4. Optimal: The organization fully embraces Zero Trust automation. Security policies are continuously refined using AI-driven analytics, access is granted on a just-in-time basis, and workloads communicate only with explicitly authorized entities.

Enterprises that quantify their Zero Trust maturity can better understand where gaps exist and how to prioritize security investments. Measuring progress across identity, workload isolation, and endpoint security ensures a strategic approach to reducing risk and improving resilience. 

The Role of Microsegmentation in Zero Trust Maturity 

Microsegmentation is the process of restricting network access at a granular level, preventing unauthorized communication between different parts of the infrastructure. Unlike traditional segmentation methods, which rely on static VLANs and firewall rules, microsegmentation dynamically enforces policies based on identity, risk context, and real-time analytics. 

Enterprises that fail to implement strong segmentation controls expose themselves to widespread lateral movement in the event of a breach. In contrast, organizations that adopt microsegmentation can significantly reduce their attack surface by ensuring that only authorized users, workloads, and devices can communicate. 

Measuring microsegmentation effectiveness requires organizations to assess how much of their network is segmented, how often policies are enforced, and how quickly security teams can detect and contain unauthorized access. For instance, tracking the percentage of total network traffic subject to segmentation policies can indicate how well an organization is limiting excessive access. Additionally, measuring policy enforcement success rates can help teams determine whether security policies are too permissive or restrictive. 


Measuring Zero Trust Across Users, Workloads, and Devices 

User Access and Authentication Metrics for Zero Trust

A fundamental principle of Zero Trust is that no user should be inherently trusted. Every access request must be authenticated and continuously validated based on risk indicators. 

  • Multi-Factor Authentication (MFA) Compliance: The percentage of users required to authenticate using phishing-resistant MFA methods such as FIDO2 or certificate-based authentication.
    ◦ Why this matters: Higher MFA adoption reduces the risk of credential-based attacks, ensuring that users must verify their identity beyond just a password.
  • Just-in-Time (JIT) Privileged Access Usage: The proportion of privileged accounts with standing access versus those requiring temporary elevation.
    ◦ Why this matters: Minimizing persistent privileged accounts lowers the risk of account takeover and insider threats, enforcing least-privilege access.
  • Identity-Based Access Failures: The number of unauthorized access attempts blocked due to identity misalignment, such as login attempts from unrecognized locations or devices.
    ◦ Why this matters: A high number of failed access attempts can indicate credential stuffing attacks or misconfigured access policies that need immediate remediation.

Workload Isolation and Segmentation Metrics for Zero Trust

Zero Trust mandates that workloads—whether in cloud environments, data centers, or hybrid infrastructures—must not have unrestricted access to each other. Instead, security policies should control interactions based on risk. 

  • Percentage of Workload Communications Subject to Microsegmentation: A high percentage indicates strong isolation between applications and services.
    ◦ Why this matters: Proper workload segmentation prevents unauthorized access between applications, reducing the risk of lateral movement and privilege escalation.
  • Service-to-Service Authentication Coverage: The proportion of workload interactions using mutual TLS (mTLS) or other strong authentication mechanisms instead of relying on implicit network trust.
    ◦ Why this matters: Ensuring that services authenticate to each other helps prevent unauthorized inter-service communication, limiting exposure to attacks.
  • Unauthorized Workload Connection Attempts: The number of instances where workloads attempt to communicate in ways that violate segmentation policies.
    ◦ Why this matters: Blocking unauthorized connections prevents attackers from exploiting misconfigured permissions or default access settings.

Device Security and Network Segmentation Metrics 

Devices—whether corporate endpoints, unmanaged IoT sensors, or OT systems—represent a major attack surface. Organizations must ensure that only compliant, authorized devices can access network resources. 

  • Zero Trust Network Access (ZTNA) Adoption: The percentage of remote access requests routed through a Zero Trust access model rather than traditional VPNs.
    ◦ Why this matters: ZTNA ensures that remote users and devices are authenticated and continuously verified, reducing the risk of unauthorized access.
  • Percentage of Devices Enforcing Least-Privilege Access: This metric tracks how many enterprise devices have restrictive access policies applied versus those with open access to multiple network segments.
    ◦ Why this matters: Enforcing least-privilege access ensures that devices can only communicate with necessary resources, limiting exposure.
  • Time to Detect and Contain Unauthorized Devices: The average time taken to identify, isolate, and remediate unauthorized devices attempting to connect to the network.
    ◦ Why this matters: A shorter response time helps security teams contain threats before they escalate, reducing potential damage.


Sample Table of Metrics Used for Zero Trust Quantification

| Measurement Metric | Sample Value / Description |
| --- | --- |
| Multi-Factor Authentication (MFA) Compliance | 95% of users authenticate with phishing-resistant MFA |
| Just-in-Time (JIT) Privileged Access Usage | Only 10% of privileged accounts have standing access |
| Identity-Based Access Failures | 1,200 failed login attempts blocked per month |
| Percentage of Workload Communications Subject to Microsegmentation | 80% of inter-workload communication is segmented |
| Service-to-Service Authentication Coverage | 90% of workload connections use mTLS authentication |
| Unauthorized Workload Connection Attempts | 50 unauthorized workload connection attempts per week |
| Zero Trust Network Access (ZTNA) Adoption | 85% of remote access is routed through ZTNA instead of VPN |
| Percentage of Devices Enforcing Least-Privilege Access | 97% of enterprise devices have network segmentation policies applied |
| Time to Detect and Contain Unauthorized Devices | Average response time to isolate unauthorized devices is 5 minutes |


Implementing Zero Trust Microsegmentation with Elisity

Elisity simplifies the implementation of Zero Trust microsegmentation by automating identity discovery, policy enforcement, and risk-based segmentation without requiring additional hardware, firewalls, or network reconfigurations. 

The Elisity IdentityGraph™ discovers and classifies every user, workload, and device on the network, integrating metadata from existing identity systems, CMDBs, and EDR solutions. This enriched identity data is then correlated across different security domains, enabling security teams to enforce segmentation policies dynamically. 

Once identity relationships are established, organizations can apply static policies (predefined segmentation rules) and dynamic policies (real-time adjustments based on risk, user behavior, and device health). Elisity's Cloud Control Center provides a unified platform for creating, simulating, and enforcing these security controls.
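To make the static-versus-dynamic distinction concrete, here is an added example (a simplified illustration written for this article, not Elisity's policy model, Cloud Control Center API, or any product code). Static rules form an explicit allow-list between identity groups; dynamic conditions (device health and a risk score, both assumed to come from an EDR integration) are re-evaluated on every decision and can veto a statically permitted flow; anything unmatched is denied. The group names, ports, threshold, and identities are constructed. A `simulate` helper dry-runs a batch of flows and reports the decisions, the kind of output a policy simulation step produces before enforcement is switched on.

```python
"""Identity-based segmentation policy evaluation: static allow rules plus
dynamic risk conditions, default deny. Added example; a simplified illustration,
not Elisity's policy model or API. Groups, ports and thresholds are constructed."""
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Identity:
    name: str
    group: str            # identity group from directory/CMDB, e.g. "workstations"
    healthy: bool = True  # device health / posture result (assumed from EDR)
    risk_score: int = 0   # 0-100 risk score (assumed from EDR); constructed values

@dataclass(frozen=True)
class StaticRule:         # predefined segmentation rule between identity groups
    src_group: str
    dst_group: str
    ports: frozenset      # destination TCP ports permitted

# Static policies: an explicit allow-list; anything not listed is denied.
STATIC_RULES = (
    StaticRule("workstations", "printers", frozenset({631, 9100})),
    StaticRule("workstations", "web-apps", frozenset({443})),
    StaticRule("web-apps", "databases", frozenset({5432})),
)
MAX_RISK = 70             # dynamic policy threshold (constructed)

def evaluate(src, dst, port):
    """Return (decision, reason): a static rule must allow, then dynamic checks may veto."""
    rule = next((r for r in STATIC_RULES if r.src_group == src.group
                 and r.dst_group == dst.group and port in r.ports), None)
    if rule is None:
        return "DENY", "no static rule for %s->%s:%d" % (src.group, dst.group, port)
    if not src.healthy:                      # dynamic condition: device health
        return "DENY", "%s failed health check" % src.name
    if src.risk_score > MAX_RISK:            # dynamic condition: risk score
        return "DENY", "%s risk %d exceeds %d" % (src.name, src.risk_score, MAX_RISK)
    return "ALLOW", "static rule %s->%s" % (rule.src_group, rule.dst_group)

def simulate(flows):
    """Dry-run (src, dst, port) flows; return decision counts and the deny reasons."""
    counts = Counter()
    denials = []
    for src, dst, port in flows:
        decision, reason = evaluate(src, dst, port)
        counts[decision] += 1
        if decision == "DENY":
            denials.append((src.name, dst.name, port, reason))
    return dict(counts), denials

# Constructed identities and flows (not real inventory data)
WS_OK = Identity("ws-101", "workstations")
WS_SICK = Identity("ws-102", "workstations", healthy=False)
WEB = Identity("web-01", "web-apps")
WEB_RISKY = Identity("web-02", "web-apps", risk_score=85)
PRINTER = Identity("prn-7", "printers")
DB = Identity("db-01", "databases")
SAMPLE_FLOWS = [
    (WS_OK, PRINTER, 9100),   # ALLOW
    (WS_OK, DB, 5432),        # DENY: no static rule workstations->databases
    (WS_OK, PRINTER, 22),     # DENY: port not in the rule
    (WS_SICK, WEB, 443),      # DENY: dynamic health veto
    (WEB, DB, 5432),          # ALLOW
    (WEB_RISKY, DB, 5432),    # DENY: dynamic risk veto
]

if __name__ == "__main__":
    counts, denials = simulate(SAMPLE_FLOWS)
    print(counts)
    for d in denials:
        print("DENY", *d)
```

Because the dynamic checks sit after the static lookup, a compromised or unhealthy device loses access it would otherwise have without anyone editing the static rule set; that separation is what lets static policies stay stable while the effective access shrinks as risk rises.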

By leveraging Elisity Virtual Edge, enterprises can apply Zero Trust segmentation at the network access layer, using existing switches from vendors such as Cisco, Juniper, Arista, and others, eliminating the need for complex firewall rules or VLAN segmentation.

Organizations that adopt identity-driven microsegmentation with Elisity can contain lateral movement, enforce least-privilege access, and accelerate their Zero Trust maturity.

Next Steps For Your Zero Trust Maturity Journey 

Enterprises that measure and implement Zero Trust microsegmentation effectively can improve their security resilience, reduce attack surfaces, and demonstrate quantifiable security gains. Organizations should start by assessing segmentation coverage, monitoring access control success rates, and automating real-time enforcement to ensure continuous Zero Trust security across their infrastructure. 
Ready to enhance your organization's defense against lateral movement attacks? Contact Elisity today to learn how our identity-based microsegmentation platform can strengthen your security posture. 
