In a virtualized environment, several workloads share the same physical host and the same IP subnet. After one payroll VM is compromised, the security team wants to prevent that VM from freely scanning or reaching the other workloads on the host. Which control best addresses this lateral-movement risk?
Microsegmentation creates fine-grained trust boundaries between workloads, even when they share the same subnet or host. This limits east-west traffic and reduces the ability of a compromised VM to discover or attack neighboring systems. It is the most direct control for this risk.
Why this answer
Microsegmentation allows granular security policies to be applied per workload or per VM, even within the same subnet and on the same hypervisor. By enforcing firewall rules at the virtual switch or hypervisor level, it prevents a compromised payroll VM from scanning or communicating laterally with other VMs on the same host, directly addressing the lateral-movement risk.
Exam trap
The trap here is that candidates often mistake subnetting or IP-addressing changes (such as expanding the subnet mask or assigning static IPs) for network security controls. Those changes alter how addresses are allocated or how large the broadcast domain is, but they do not filter traffic; only policy-based segmentation enforced at the hypervisor or virtual switch layer can block lateral traffic between workloads in the same broadcast domain.
How to eliminate wrong answers
Option B is wrong because expanding the subnet mask (e.g., from /24 to /16) enlarges the broadcast domain and makes more IP addresses directly reachable, which facilitates lateral movement rather than preventing it. Option C is wrong because creating a shared administrator account for all VMs reduces accountability and gives an attacker a single set of credentials that unlocks every workload, increasing lateral-movement risk. Option D is wrong because disabling DHCP and forcing static IPs does not restrict network communication between VMs; it only changes how addresses are assigned, leaving all traffic unfiltered and the compromised VM free to scan the subnet.