To ensure security, traditional networks are usually divided into “security zones,” where groups of assets such as servers or desktops are put on different network subnets or segments. Security policies and inspections are then performed over the traffic between these security zones. The security zones can be set up as needed for departmental boundaries (e.g. R&D, finance), functions (e.g. web servers vs. databases), or for security requirements (e.g. DMZ). This physical segmentation creates regions where breaching in a specific security zone will not quickly spread elsewhere and has been the basis of security enforcement before today’s cloud age.