How No-Fear Policy Creation Redefines Identity-Based Segmentation and Zero-Trust Control

This interview features Piotr Kupisiewicz, Chief Technology Officer at Elisity, who shares his perspective on redefining segmentation through identity, enforcement, and trust. With over two decades of experience in cybersecurity and enterprise architecture, Kupisiewicz brings deep technical and operational insight into modern network protection.

His background spans open-source development, IT/OT security design, and building scalable cybersecurity ventures within Cisco’s innovation programs.

Kupisiewicz explains why static segmentation models fail modern infrastructures, how consistency scoring enhances trust in identity data, and why deny-by-default and zero-trust principles are critical for stopping lateral movement. 

His answers reveal how segmentation can evolve from a compliance task into a measurable business enabler. Get a closer look at how enforcement through the existing network fabric, deny-by-default strategies, and zero-trust access redefine segmentation for hybrid enterprises.

Vishwa: For teams that see segmentation as just network zoning or firewall rules, how do you define segmentation to them? What does modern identity-based segmentation involve in practice?

Piotr: Defining Modern Identity-Based Segmentation

To teams with network security traditional thinking, I redefine network segmentation or microsegmentation as identity-driven access control that follows users and devices. Modern identity-based segmentation fundamentally moves beyond static IP addresses and network location-based security.

Instead, it uses user identity, device classification, and contextual metadata to enforce granular security policies that adapt dynamically to changing conditions.

In practice, this means creating policies like "Finance team devices can access accounting network segments, but only from corporate-managed laptops with current patches and compliant security posture," rather than the traditional "subnet A can talk to subnet B on specific ports."

Modern microsegmentation platforms should correlate metadata from multiple sources—CMDBs, EDR platforms, and identity providers—to build a comprehensive understanding of users, devices, and their security context across the network.

The key architectural requirement is enforcement at the network layer using existing switching infrastructure rather than relying on application-layer inspection or endpoint agents. This means making access decisions based on verified identities and device security posture, then enforcing those decisions through the network fabric itself.

Effective identity-based segmentation must provide granular, least-privilege network access that persists as users and devices move across network locations, eliminating the dependency on brittle IP-based controls that break during infrastructure changes. 

The platform should integrate with enterprise-grade switches from vendors like Cisco, Juniper, Aruba, Hirshmann, or Arista without requiring hardware replacement, agent deployment, or application modifications

Vishwa: Identity data often comes from multiple systems. How do you evaluate whether those sources are reliable enough to enforce segmentation or access policies?

Piotr: Evaluating Identity Source Reliability

We evaluate identity sources based on data integrity, strong attribution, and cross-source consistency validation. Reliable sources must provide consistent device-to-identity mapping and maintain accurate information about roles, device types, and security posture.

For example, a CMDB system integrated with Active Directory typically offers more reliable identity data than manually maintained spreadsheets or CSV imports. Modern microsegmentation platforms should validate data by correlating across multiple sources—CMDBs, EDR platforms like CrowdStrike, asset management systems like ServiceNow, and network flow analysis.

This validation works through consistency scoring that measures agreement across identity sources. Each connector or data source independently classifies devices based on the information it has. The platform then calculates a consistency score based on how well these independent classifications align. 

For instance, if five identity sources classify a device as a printer but a single source identifies it as a PC, the consistency score quantifies this discrepancy and helps identify which source is providing inaccurate information. This approach provides administrators with a confidence measure for each device classification.

A high consistency score indicates strong agreement across multiple authoritative sources—for example, when ServiceNow, Armis, and network flow analysis all identify a device as a medical imaging system. 

A low consistency score flags potential data quality issues or misconfigurations in specific identity sources.

Rather than blindly trusting any single source or enforcing rigid data freshness windows, the platform continuously evaluates which sources provide the most consistent and accurate identity information, ensuring the data driving microsegmentation policies remains trustworthy even when individual sources contain errors.

Vishwa: Flow visibility is key for segmentation, but telemetry isn’t always clean. When data is limited, what fallback strategies help ensure segmentation is still safe?

Piotr: Fallback Strategies for Limited Telemetry

When telemetry is incomplete or unreliable, we implement a layered defensive strategy starting with deny-by-default. If we can't validate context—such as device compliance status, patch level, or user authentication state—we automatically block the connection until sufficient data is available. This prevents potential lateral movement even when visibility is compromised.

Beyond blocking, we employ passive network analysis and application fingerprinting to infer context from traffic patterns, port usage, and protocol behavior. For instance, we can often identify database servers, domain controllers, or manufacturing equipment based on their communication patterns, even without direct telemetry from those systems. 

We also implement behavioral baselining, where devices earn trust through consistent, expected behavior over time. Our Virtual Edge technology can enforce these policies directly through existing network switches, maintaining security boundaries even when agent-based telemetry fails. 

The key principle is progressive trust—systems start with minimal access and earn broader permissions as we gain confidence in their identity and posture.

Vishwa: Business teams often resist tight access controls. What language or metrics have you found useful to make segmentation feel like a business enabler, not a blocker?

Piotr: Making Segmentation a Business Enabler

I reframe microsegmentation discussions around measurable business outcomes rather than security compliance checkboxes. 

The most compelling metrics I use include:

• Quantifiable breach containment: Research shows that effective microsegmentation can reduce breach costs by up to 45% by limiting lateral movement. I translate this to specific dollar figures based on their industry averages—healthcare breaches average $9.23 million, so containment represents millions in risk reduction.
• Compliance automation and cost reduction: Automated least-privilege demonstration for regulations like HIPAA, PCI-DSS, and SOX reduces audit preparation time by 50% and eliminates manual documentation efforts that typically consume weeks of staff time.
• Operational resilience: Zero-trust segmentation prevents single points of failure from cascading across the business, protecting revenue-generating operations.

The language I consistently use emphasizes "business agility," "competitive advantage," and "operational resilience"—showing how modern segmentation enables growth initiatives rather than constraining them. 

I often reference our GSK case study, where Dynamic Edge Segmentation reduced implementation time by 300% while improving security posture.

Vishwa: Many teams still see segmentation as just network zoning or firewall rules. How do you define segmentation today, and what does modern identity-based segmentation actually involve in practice?

Piotr: Modern Segmentation vs. Traditional Approaches

Beyond the identity-centric definition I mentioned, modern segmentation is infrastructure-agnostic, can be configured to be automatically adaptive, and policy-driven rather than network-topology dependent. 

Traditional approaches require creating complex VLAN architectures, managing hundreds of firewall rules, and coordinating changes across multiple business and network teams—often taking weeks for simple policy adjustments.

Our approach works with existing network infrastructure through Virtual Edge technology that integrates with standard switches from vendors like:

• Cisco, 
• Juniper, 
• Aruba, 
• Hirshmann, or 
• Arista

No hardware replacement or downtime required. 

The platform includes policy visualization and simulation capabilities using actual traffic data, which addresses one of the biggest barriers in segmentation projects: the risk of breaking production systems with untested policies.

The practical transformation is dramatic. Where traditional segmentation might require a change control process, network engineering resources, and scheduled maintenance windows to adjust a single policy, our approach enables policy changes in minutes that automatically follow users across any network location. 

Teams can see exactly what policies will do before implementing them, with color-coded visual representations and traffic flow analysis that make complex network relationships immediately understandable.

The architecture difference is equally important—instead of carving static "network railroad tracks" through VLANs and subnets, we create dynamic, software-defined security perimeters that adapt based on real-time identity, device posture, and threat intelligence. 

Our "no-fear" policy creation engine with built-in simulation capabilities eliminates the brittleness that makes traditional segmentation projects fail or become abandoned over time, because teams can validate every change before it impacts production traffic.

Vishwa: In hybrid or federated networks, some infrastructure seems to be always missing. What types of assets or environments most often escape visibility in identity-based designs?

Piotr: Assets That Escape Visibility

In hybrid and federated networks, the assets most consistently missed are:

• legacy operational technology (OT) systems, 
• IoT devices, 
• unmanaged endpoints, and 
• shadow IT infrastructure. 

These devices typically lack the APIs, agents, or modern protocols needed for traditional identity-based platforms to discover and classify them. Specific examples include:

• aging SCADA systems in manufacturing environments that run proprietary protocols,
• smart building systems like HVAC controllers that communicate via legacy protocols,
• medical devices (IoMT) that can't support security agents due to FDA certification constraints, and 
• contractor-owned devices that connect via guest networks. 

In healthcare environments, we regularly discover 40% more devices than organizations initially estimated, particularly patient care equipment and building automation systems.

The key is creating device-type-based policies that provide appropriate security controls even when traditional identity integration isn't possible.

Vishwa: What identity or segmentation controls do you consider non-negotiable for stopping lateral movement in today’s enterprise networks?

Piotr: Non-Negotiable Lateral Movement Controls

The essential controls for stopping lateral movement, particularly against MITRE ATT&CK techniques, include:

• Identity-based access policies: Security decisions must be based on verified user roles and device posture, not network location.
  • This directly counters techniques like T1021 (Remote Services), where attackers abuse legitimate remote access protocols.
• Zero-trust network enforcement: Implement explicit least-privilege access by default, eliminating implicit trust relationships that attackers exploit through techniques like T1021.002 (SMB/Windows Admin Shares) and T1550 (Use Alternate Authentication Material).
• Continuous device posture validation: Device security status—patch levels, running processes, compliance state—must be continuously monitored and immediately impact access decisions.
  • This helps detect and contain T1570 (Lateral Tool Transfer) and T1080 (Taint Shared Content).
• Complete east-west traffic visibility: Comprehensive monitoring of lateral network communications is fundamental—you cannot defend against what you cannot see.
  • This enables detection of techniques like T1563 (Remote Service Session Hijacking) and abnormal authentication patterns associated with T1550 attacks.

These controls specifically target the MITRE ATT&CK Lateral Movement tactic (TA0008), which appears in over 70% of successful breaches. 

Our identity-based approach is particularly effective because it breaks the attack chain that relies on network-based trust relationships and credential reuse that traditional perimeter-focused security cannot address.