When enterprises shifted from on-premises networks to the cloud, the traditional network perimeter didn’t vanish—it multiplied. In modern cloud and AI-driven environments, the real risk isn’t just at the edge; it’s the unmonitored space between your workloads. Attackers don’t need to batter down a single wall anymore—they exploit implicitly trusted paths, pivot laterally, and quietly stage data for exfiltration. That’s the architectural gap we have to close. 

My colleague Scott Leatherman will be tackling this head-on at InfoSec World (Day 1, October 27, 1:30–2:00 PM) in his session, “First Principles for Cloud & AI Security: Defending Against the Next Wave of Threats.” If you’re responsible for cloud security, platform engineering, or safeguarding AI initiatives, this is a session you’ll want to attend. 

TL;DR 

  • The shift to the cloud created security gaps between workloads.

  • Cloud Native Security Fabric (CNSF) provides essential zero trust network security controls like microsegmentation.

  • Scott's session will provide a blueprint for evaluating and improving your cloud security posture.

Why This Conversation Can’t Wait

Three forces are reshaping our risk surface: 

  • The internet became the enterprise backbone. Sensitive inter-service traffic and APIs routinely traverse public infrastructure. 

  • Perimeters atomized. Every VPC/VNet, cluster, and function becomes its own micro-perimeter—creating uneven, often inconsistent controls. 

  • Apps went ephemeral. Short-lived components spin up and down across clouds and zones, constantly morphing the attack surface. 

These shifts create the largest unguarded territory in the enterprise: the east-west pathways between workloads. The answer isn’t “more tools at the edge.” It’s zero trust network security: runtime, in-line enforcement where your applications actually communicate. 

Cloud Native Security Fabric (CNSF): Moving Zero Trust Network Security from Aspiration to Enforcement

Cloud Native Security Fabric (CNSF) is a unifying approach that embeds security into the cloud runtime so that zero trust network security is enforced—consistently—across clouds and environments. In practice, that looks like: 

  • In-line, identity-aware controls that decide “who can talk to what, when, and under what conditions” at the moment connections occur. 

  • Microsegmentation that follows workload identity rather than brittle IP constructs, with default-deny east-west by design. 

  • Unified policy and telemetry across AWS, Azure, Google Cloud, data centers, and edge—so you don’t re-solve the same problem five different ways. 

  • Policy-as-code and IaC-friendly guardrails that empower developers without slowing delivery. 

CNSF turns zero trust from a strategy into runtime reality. 

What Scott Will Cover—and Why You’ll Want a Front-Row Seat 

Scott’s talk is structured around three concrete outcomes you can put into practice immediately. Here’s a preview, with a practical lens on how it applies to your estate. 

1) Adapt defense-in-depth for AI behavior

AI changes traffic patterns and decision-making in ways traditional controls don’t anticipate. “Shadow AI” tools, autonomous agents, and AI-generated services create new, often invisible data flows. You need a defense-in-depth model that assumes: 

  • Default-deny east-west: Only allow workload communications that match declared intent. 

  • Strong egress governance: Constrain where sensitive data is allowed to go, even with valid credentials. 

  • Behavior-aware baselines: Enforce policies that incorporate identity, context, and workload behavior—so “allowed” paths don’t become data exfiltration highways. 

What this looks like in practice: 

  • Workload-to-Internet: Egress policies restrict outbound destinations to sanctioned SaaS and AI endpoints; DNS and layer-3/4 controls are tied to workload identity and purpose. 

  • Workload-to-Workload: Services communicate only through approved, authenticated paths with least privilege; movement outside those paths is blocked by default. 

  • Microsegmentation: High-value zones (e.g., PII, payment processing, R&D datasets) are isolated with identity-aware policies that can be rolled out incrementally and verified with runtime telemetry. 

2) Implement identity- and behavior-based controls

Static lists and IP-centric rules can’t keep up with ephemeral infrastructure. The winning pattern is identity plus behavior, enforced in-line: 

  • Identity-based allow-lists at connection time—service accounts, SPIFFE/SVID, workload identity, and signed artifacts become the gatekeepers. 

  • Contextual policy that adapts to risk signals (e.g., unusual data volumes, unsanctioned destinations, off-hours activity). 

  • Unified control plane that applies these policies consistently across clouds and clusters, with one source of truth for policy and one lens for visibility. 

Outcomes you can expect: dramatic reduction in lateral movement opportunities, containment of blast radius when something goes wrong, and fewer “surprises” in where sensitive data actually travels. 

3) Empower developers with policy-as-code

Security and velocity don’t have to be at odds. The fastest teams are the ones with clear, automated guardrails: 

  • Codify security intent (segmentation, egress, encryption, inspection) as code that ships with the service. 

  • Integrate policy checks into CI/CD so violations are caught pre-deployment. 

  • Offer golden paths: reusable patterns for common topologies (public-facing APIs, data pipelines, model-serving endpoints) that make the secure way the easy way. 

The result is a virtuous cycle: developers ship faster on approved patterns; security gains consistent enforcement and cleaner telemetry; leadership gets measurable progress toward zero trust outcomes. 
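As an added example that is not code from Aviatrix, CNSF, or Scott's talk, here is a small Python policy-as-code evaluator that ties the three outcomes above together. It assumes a made-up policy format and constructed SPIFFE identities: `evaluate` is the default-deny, identity-plus-behavior decision from outcomes 1 and 2, and `lint_policy` is the kind of pre-deployment CI check from outcome 3.

```python
from dataclasses import dataclass

# Constructed intent policy (assumed format, not a real CNSF schema): every
# permitted path is declared explicitly; anything not listed is denied, which
# gives default-deny east-west and default-deny egress.
CHECKOUT = "spiffe://corp/ns/shop/sa/checkout"   # constructed SPIFFE IDs
PAYMENTS = "spiffe://corp/ns/shop/sa/payments"
POLICY = {
    "workload_to_workload": [
        {"src": CHECKOUT, "dst": PAYMENTS, "port": 8443},
    ],
    "egress": [
        {"src": CHECKOUT, "dst": "api.payments-provider.example",  # sanctioned SaaS
         "port": 443, "max_bytes_per_min": 5_000_000},           # behavior baseline
    ],
}

@dataclass
class Request:
    src: str                 # caller's workload identity, not its IP
    dst: str                 # peer workload identity or external FQDN
    port: int
    bytes_per_min: int = 0   # observed volume, a behavior signal

def evaluate(req, policy=POLICY):
    """In-line decision at connection time: returns (verdict, reason).
    Default is deny; a declared match allows unless observed volume
    exceeds the baseline the rule declares."""
    for rule in policy["workload_to_workload"]:
        if (rule["src"], rule["dst"], rule["port"]) == (req.src, req.dst, req.port):
            return "allow", "declared east-west path"
    for rule in policy["egress"]:
        if (rule["src"], rule["dst"], rule["port"]) == (req.src, req.dst, req.port):
            if req.bytes_per_min > rule["max_bytes_per_min"]:
                return "deny", "egress volume exceeds declared baseline"
            return "allow", "sanctioned egress destination"
    return "deny", "no declared intent (default-deny)"

def lint_policy(policy):
    """Pre-deployment CI check: flag rules that would quietly re-open the
    east-west or egress surface. Returns a list of findings; empty is clean."""
    findings = []
    for section in ("workload_to_workload", "egress"):
        for i, rule in enumerate(policy.get(section, [])):
            if "*" in rule.get("src", "") or "*" in rule.get("dst", ""):
                findings.append(f"{section}[{i}]: wildcard identity or destination")
            if section == "egress" and "max_bytes_per_min" not in rule:
                findings.append(f"{section}[{i}]: egress rule declares no volume baseline")
    return findings
```

Running `lint_policy` in the pipeline before `POLICY` ships, and `evaluate` at each connection, keeps the declared intent and the runtime decision in the same artifact.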

How to Evaluate Your Current Cloud Security Posture (A Quick Self-Diagnostic)

Bring these questions to Scott’s session and pressure-test your answers: 

  1. Can you list, with evidence, which workloads are allowed to talk to which—and why? 

  2. If a single service is compromised, what’s the enforced blast radius today? 

  3. Where can sensitive data egress from your environment, and which destinations are explicitly sanctioned? 

  4. How quickly can you roll out a new segmentation or egress policy across clouds without breaking releases? 

  5. Are your controls based on workload identity and behavior—or still anchored to IPs and manual gates? 

If any of these produce long silences or “it depends,” you’ll benefit from the zero trust network security patterns Scott is going to share.

What You’ll Take Back to Your Team

You’ll leave with a pragmatic blueprint to: 

  • Refactor defense-in-depth for cloud and AI—shifting enforcement closer to runtime and constraining egress by default. 

  • Deploy identity- and behavior-based controls that materially reduce lateral movement and dwell time. 

  • Make security composable with policy-as-code and golden paths so developers move faster while risk goes down. 

Whether you sit in security, platform, or application leadership, you’ll get concrete steps to translate zero trust network security ambitions into day-one, in-line enforcement across your multicloud footprint. 

Join Us at InfoSec World: Learn How to Operationalize Zero Trust Network Security Principles 

If you’re wrestling with zero trust network security across multicloud complexity, accelerating AI adoption, and the widening gap between policy and runtime, don’t miss Scott’s session. He’ll cut through buzzwords and show how Cloud Native Security Fabric helps you secure the space between workloads—so you can innovate at speed without surrendering control. 

InfoSec World — Day 1, October 27, 1:30–2:00 PM

Session: First Principles for Cloud & AI Security: Defending Against the Next Wave of Threats

Bring your toughest questions. Leave with a plan your developers, platform teams, and security leaders can actually execute. 


Willie Tejada

General Manager and Senior Vice President of Cloud Native Security Fabric (CNSF), Aviatrix

Willie is an experienced senior product leader with expertise in cybersecurity, artificial intelligence (AI), digital transformation, technology architecture, and Go-to-Market strategy.
