AI Advisor · Free Tool

Technology Landscape Advisor

Describe your technology challenge and get an AI-generated landscape analysis: relevant technology categories, key vendors (commercial and open source), recommended architecture patterns, and a curated shortlist — all tailored to your industry, organisation size, and constraints.

Vendor-neutral analysis

Architecture patterns

Downloadable Word report

Analyse My Landscape View All AI Advisors

Infrastructure Security in the Cloud Era: Beyond Perimeter Defense

4.2 days Average dwell time of an attacker in an enterprise network before detection — down from 24 days in 2020, but still sufficient for significant lateral movement and data exfiltration (CrowdStrike Global Threat Report, 2024)

The network perimeter is not gone — it has fragmented into thousands of micro-perimeters. Every cloud workload, every container, every API endpoint, every remote worker's device is simultaneously inside and outside some boundary. The enterprise security model built around a clear inside/outside distinction — where the firewall at the network edge was the primary control — does not map to this reality.

Infrastructure security in the cloud era requires a fundamentally different architecture: one that assumes attackers will gain some level of access (the "assume breach" principle), limits lateral movement through segmentation and least privilege, and detects threats through behavioral monitoring rather than perimeter enforcement alone.

This guide addresses the key dimensions of modern infrastructure security: zero trust network architecture, segmentation strategies that limit blast radius, runtime protection for cloud workloads, and the detection and response capabilities that identify attacks before dwell time translates to major damage.

Explore infrastructure and network security vendors: Network Security & Firewall Directory → | Cloud Security & CSPM →

The Perimeter Model's Failure Mode

Understanding why perimeter security is insufficient is essential for designing architectures that actually work. The perimeter model fails in three specific scenarios that are now universal in enterprise environments:

Failure 1: Compromised internal host Once an attacker compromises a single endpoint inside the network perimeter, the traditional model provides no further resistance. The attacker is "inside" and trusted. Lateral movement to other internal systems — pivoting from a compromised workstation to a file server, from a file server to an Active Directory domain controller — faces no security boundary. The perimeter kept them out; once through it, everything is reachable.

Failure 2: Hybrid and multi-cloud Workloads running in AWS, Azure, and GCP are not "inside" any physical network perimeter. They communicate over the internet with on-premises systems, SaaS services, and other cloud workloads. Network perimeter controls at the data center edge have no visibility into — and no control over — cloud-to-cloud or SaaS-to-cloud traffic.

Failure 3: Remote and hybrid work Users accessing corporate applications from home networks, coffee shops, and airports are not inside the perimeter. VPN partially addresses this by extending the perimeter to the remote device — but introduces a new failure mode: a compromised remote device on the VPN has the same "inside" trust as a device in the corporate office.

Zero Trust Architecture: The Modern Framework

Zero trust replaces the inside/outside binary trust model with a continuous verification model: every access request — regardless of network origin — is authenticated, authorized, and continuously evaluated.

The Five Pillars of Zero Trust

1. Identity Verification: Every user and every service must authenticate with strong credentials before accessing any resource. Network location (being on the corporate network) is not a trust signal.

2. Device Health: Access should be conditioned on device compliance — the requesting device must meet defined security standards (OS patching current, endpoint protection active, disk encryption enabled, managed device certificate present).

3. Least Privilege Access: Grant the minimum access required for the specific task. Time-bound, scope-limited access tokens replace broad, persistent permissions.

4. Micro-segmentation: Networks are segmented into small zones with strict access controls between them. Lateral movement requires explicit access grants, not just network reachability.

5. Continuous Monitoring: Access decisions are not permanent. Ongoing telemetry (device posture changes, anomalous behavior, threat intelligence) can trigger re-authentication, step-up challenges, or session termination.

Zero Trust Implementation Reality

Zero trust is a journey, not a binary state. The CISA Zero Trust Maturity Model defines five pillars (Identity, Devices, Networks, Applications, Data) and three maturity levels (Traditional, Advanced, Optimal) for each. Most organizations begin at Traditional across all pillars and progress iteratively.

Practical starting points for zero trust:

Deploy Identity-Aware Proxy (IAP) for internal applications — requiring authentication and device posture check for every application access, regardless of network location
Replace VPN with Zero Trust Network Access (ZTNA) for remote access — granting access to specific applications rather than full network access
Implement microsegmentation for your most critical workload tiers
Enforce MFA universally across all applications and privileged access

Google's BeyondCorp project, begun in 2011 and published in 2014, was the first major enterprise implementation of a zero trust architecture — moving all Google employees off VPN to application-level access control based on device and identity, regardless of network location. BeyondCorp became the blueprint for what is now universally called "zero trust." Google's detailed public papers on BeyondCorp remain among the best practical references for zero trust implementation.

Network Segmentation and Microsegmentation

Network segmentation divides infrastructure into zones with controlled communication paths between them, limiting the blast radius of any single compromise. Microsegmentation extends this concept to the workload level — defining access policies at the individual service or application layer rather than the network layer.

Traditional Segmentation (Macro)

Traditional segmentation uses VLANs, subnets, and firewall rules to separate network zones:

DMZ: Public-facing services (web servers, load balancers)
Application tier: Internal application servers
Database tier: Data stores, accessible only from the application tier
Management network: Administrative access, isolated from production

This model provides meaningful blast radius limitation when implemented correctly. Its limitation: flat east-west traffic within each zone. A compromised application server can freely communicate with every other application server in the same segment.

Microsegmentation

Microsegmentation enforces access policies at the workload level — typically through host-based firewalls, software-defined networking (SDN) policy, or a service mesh. Communication between specific workloads requires explicit allow rules, even within the same network segment.

Microsegmentation approaches:

Host-based (agent): Security agents on each host enforce network policy, allowing or denying connections based on workload identity (not just IP address). Illumio, Guardicore (now Akamai), and VMware NSX use this approach.

Infrastructure-defined (SDN): The network fabric enforces microsegmentation policy. VMware NSX, Cisco ACI, and cloud-native security groups (AWS Security Groups, Azure NSGs) operate at this layer.

Service mesh: In Kubernetes environments, service meshes (Istio, Linkerd) enforce mTLS between services and can apply fine-grained traffic policies based on service identity rather than IP addresses.

Approach	Granularity	Cloud Native	Operational Complexity	Best For
VLANs / Subnets	Network segment	Low	Low	Traditional data center
Cloud Security Groups	Instance / service	High	Medium	Cloud IaaS
Host-based agents	Process / workload	Medium	Medium	Hybrid environments
Service mesh	Service / pod	Very High	High	Kubernetes / microservices

Runtime Protection for Cloud Workloads

Perimeter controls prevent known threats from entering. Runtime protection detects and responds to threats that have already gained access — whether through a zero-day exploit, a compromised credential, or a supply chain attack.

Cloud Workload Protection Platforms (CWPP)

CWPP solutions provide security monitoring and protection for cloud workloads — VMs, containers, and serverless functions — at runtime. Key capabilities:

Vulnerability management: Continuous scanning of running workloads for OS vulnerabilities, package vulnerabilities, and misconfigurations.

Runtime anomaly detection: Establishing baselines for normal workload behavior (network connections, file system access, process execution) and detecting deviations. A web server process that spawns a shell, connects to an external IP, and begins writing files is exhibiting classic post-exploitation behavior — detectable by runtime anomaly detection even if the exploit was previously unknown.

Container security: Container-specific runtime protection monitoring for container escape attempts, privilege escalation, and cryptomining (a common objective of compromised container workloads).

File integrity monitoring (FIM): Detecting unauthorized modifications to critical system files, configuration files, and application binaries. An attacker who modifies /etc/passwd, replaces a system binary, or installs a persistence mechanism will trigger FIM alerts.

eBPF-Based Runtime Security

eBPF (extended Berkeley Packet Filter) has emerged as a powerful technology for kernel-level runtime security without kernel modules or invasive instrumentation. eBPF-based security tools (Falco, Tetragon, Cilium) can observe every system call, network connection, and file access with minimal performance overhead, enabling deep runtime visibility that was previously only achievable through kernel module loading.

Shift Runtime Protection Left: The most cost-effective runtime protection strategy begins at image build time. Container images scanned for vulnerabilities before deployment have a dramatically lower attack surface at runtime. Implement image scanning in CI/CD pipelines (Trivy, Snyk Container, Aqua) and block deployment of images with critical vulnerabilities. Runtime protection then addresses the residual risk from zero-days and misconfigurations that scanning cannot catch.

Lateral Movement Prevention

After initial access, attackers move laterally through the environment to reach their ultimate objective — typically privileged credentials, sensitive data, or ransomware deployment targets. Preventing lateral movement is the primary security value of microsegmentation, zero trust, and privileged access management working together.

Key Lateral Movement Techniques and Defenses

Pass-the-Hash / Pass-the-Ticket: Reusing authentication material (NTLM hashes, Kerberos tickets) captured from one system to authenticate to another without knowing the actual password.

Defense: Credential Guard (Windows), Protected Users security group, PAM with session isolation

Remote Services Abuse: Using legitimate remote management protocols (WMI, PSExec, RDP, SSH) with captured credentials to move between systems.

Defense: Microsegmentation restricting management protocol access, PAM session management, just-in-time access

Living off the Land: Using legitimate system tools (PowerShell, WMI, certutil, bitsadmin) for malicious purposes — avoiding custom malware that endpoint security would detect.

Defense: Process execution monitoring, PowerShell constrained language mode, application control (AppLocker, WDAC)

Service Account Abuse: Exploiting over-privileged service accounts to access multiple systems.

Defense: Service account PAM, least-privilege service accounts, managed service accounts (gMSA)

Endpoint Detection and Response (EDR) Integration

Infrastructure security is incomplete without endpoint visibility. EDR platforms deployed on servers (not just user workstations) provide the process-level, file-level, and network-level telemetry needed to detect lateral movement, privilege escalation, and attacker tools.

Key EDR capabilities for infrastructure security:

Process tree analysis: Visualizing parent-child process relationships to detect anomalous process spawning
Memory scanning: Detecting injected code and fileless malware executing in process memory
Network connection monitoring: Alerting on connections to C2 infrastructure or unexpected external hosts
Threat hunting: Interactive querying of endpoint telemetry for IOC-based and behavior-based threat hunting

Explore EDR and endpoint security vendors: Endpoint Security & EDR Directory →

Vendor Ecosystem

Zero Trust Network Access (ZTNA)

Zscaler Private Access — Market-leading ZTNA. Eliminates VPN by providing application-level access from any location.
Cloudflare Access — Strong ZTNA with integrated WAF and DDoS protection. Good developer experience.
Palo Alto Networks Prisma Access — Integrated ZTNA within the SASE framework.

Microsegmentation

Illumio — Leader in host-based microsegmentation. Application dependency mapping as a foundation for policy.
Akamai Guardicore — Microsegmentation with strong visualization and policy simulation.
VMware NSX — Infrastructure-defined microsegmentation for VMware environments.

Cloud Workload Protection

CrowdStrike Falcon Cloud Security — Strong cloud workload protection integrated with endpoint telemetry.
Orca Security — Agentless cloud security combining CWPP, CSPM, and vulnerability management.
Aqua Security — Container and cloud-native workload protection. Strong in Kubernetes environments.
Sysdig — eBPF-based cloud-native security and runtime protection.

Buyer Evaluation Checklist

Infrastructure Security Platform Evaluation

Zero Trust / ZTNA

Application-level access control (not full network access)
Device posture check integration
Identity provider integration (Okta, Entra ID, etc.)
User experience comparable to or better than VPN
Split tunneling and selective routing

Microsegmentation

Application dependency discovery (map communication patterns before writing policy)
Policy simulation mode (test rules before enforcement)
Cloud and hybrid environment support
Integration with existing network management tools

Cloud Workload Protection

Vulnerability scanning for VMs, containers, and serverless
Runtime anomaly detection with low false positive rate
Container escape and privilege escalation detection
Integration with CI/CD for shift-left scanning

Detection and Response

Lateral movement detection
Living-off-the-land technique detection
Integration with SIEM and SOAR for automated response
Threat hunting query capability

Operational

Agent performance impact documentation (CPU/memory overhead)
Cloud-native deployment (SaaS management plane)
API for integration with existing security toolchain

Key Takeaways

Infrastructure security in the cloud era is not a matter of finding better perimeter controls — it is a matter of adopting an architectural model that doesn't rely on the perimeter to begin with. Zero trust, microsegmentation, and runtime protection together provide defense in depth that limits blast radius when — not if — an attacker gains initial access.

The threat landscape makes the urgency clear: 4.2-day average dwell time means attackers move quickly after initial access. The organizations that limit damage are those that have reduced lateral movement opportunities through segmentation, stripped standing privileges through least privilege and PAM, and deployed runtime detection that catches post-exploitation behavior before it reaches critical systems.

The implementation is a multi-year journey, but each phase delivers compounding security value: ZTNA immediately improves remote access security, microsegmentation progressively reduces east-west attack surface, and runtime protection closes the gap between perimeter controls and behavioral detection.

infrastructure securityzero trustnetwork segmentationmicrosegmentationcloud securityruntime protectionendpoint securityCSPMhybrid cloudlateral movement