As the white paper shows, custom source code for authentication is out of the question. Physical devices such as switches, routers, and servers are also not required. Specifically, these are a set of tools and techniques for configuring and managing the virtual networks that reside on the physical networks, known as the software-defined data center. So it is all software, not hardware, and network management, not custom application code.
In turn, they advocate a set of tools and techniques that redefine virtual networks not just as a group of addresses, routes, and endpoints, but as a group of isolated workloads, each of which is linked to a specific virtual network, isolating the workloads to prevent lateral movement.
In this way, if a resource in a particular workload were compromised, the attacker would not have access to the larger network, as might be the case on a traditional server in a traditional network segment, but only to the specific network resources and endpoints deployed to the virtual network for that specific workload.
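The containment argument above, modelled as an added example that is not taken from the white paper: it compares what a compromised endpoint can reach in one traditional segment with what it can reach when each workload has its own virtual network. The inventory, the endpoint names and the `backup` host attached to two workload networks are constructed assumptions; the pivoting case goes beyond the text to show how one shared endpoint widens the reach again.

```python
from collections import deque

# Constructed inventory (hypothetical names):
# endpoint -> (traditional network segment, workload virtual networks it is attached to)
INVENTORY = {
    "web-1":   ("dmz-vlan", {"shop"}),
    "web-2":   ("dmz-vlan", {"shop"}),
    "shop-db": ("dmz-vlan", {"shop"}),
    "hr-app":  ("dmz-vlan", {"hr"}),
    "hr-db":   ("dmz-vlan", {"hr"}),
    "backup":  ("dmz-vlan", {"hr", "payroll"}),  # attached to two workload networks
    "pay-app": ("dmz-vlan", {"payroll"}),
}

def networks_of(endpoint, mode):
    """Networks an endpoint sits on: its one segment, or its workload networks."""
    segment, workloads = INVENTORY[endpoint]
    return {segment} if mode == "traditional" else set(workloads)

def blast_radius(start, mode, pivot=True):
    """Endpoints reachable from a compromised endpoint.

    pivot=False counts direct reach only; pivot=True assumes every reached
    endpoint can in turn be used to reach its own networks.
    """
    seen, queue = {start}, deque([start])
    while queue:
        nets = networks_of(queue.popleft(), mode)
        for other in INVENTORY:
            if other not in seen and nets & networks_of(other, mode):
                seen.add(other)
                if pivot:
                    queue.append(other)
    seen.discard(start)
    return sorted(seen)

if __name__ == "__main__":
    for start in ("web-1", "hr-app"):
        print(start, "traditional segment:", blast_radius(start, "traditional"))
        print(start, "workload networks:  ", blast_radius(start, "workload"))
    print("hr-app direct reach only:", blast_radius("hr-app", "workload", pivot=False))
```

The `hr-app` result shows why an inventory of endpoints attached to more than one workload network belongs in any segmentation review.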