GUEST ESSAY: Why cyber defenses need a framework — and a clearer map of boundaries

In the early years of enterprise computing, isolation had a clear home in the networking domain.

Related: The state of cloud security

Network isolation meant a strong perimeter that kept internal traffic separate from the external world. Firewalls, VLANs, and DMZs were the primary tools. The edge was guarded, and anything inside the walls was assumed safe.

That model broke down as applications shifted from monoliths on dedicated servers to microservices spread across hybrid clouds. Multitenancy became the default, and AI workloads began sharing GPUs. Attackers stopped focusing only on the front door and instead moved laterally through weak internal boundaries and under-protected runtime environments.

Today, the challenge is managing interactions inside systems. Traditional north–south separations now coexist with expanding east–west and vertical trust boundaries. Isolation is no longer just a security control—it’s a design principle for resilience, performance, compliance, and efficiency.

Our tools haven’t kept pace. Containers, for all their agility, lack strong isolation. They share the host OS kernel, enabling lateral movement within clusters. GPUs, critical for AI workloads, also lack built-in primitives for secure multitenancy.

Isolation has become an engineering superpower—one that now extends well beyond the security team.

Lessons from the OSI model

The networking community faced similar complexity decades ago. The OSI model gave engineers a shared language. It defined seven layers of networking from physical cables to application protocols, with clear responsibilities.

It helped teams troubleshoot, compare solutions, and make data in motion visible.

Security isolation has reached a similar tipping point. Modern environments are too complex for informal controls. We need a model that maps the many types of isolation from the physical substrate to user processes and enables networking, application, and security teams to collaborate.

Frameworks like Defense in Depth, Seven Layers of Cybersecurity, and Multilevel Security address layered or domain separation. OSmosis and Partitioned Communication Systems explore isolation at OS and embedded levels.

These are valuable but do not yet offer the universal reference point that the OSI model provided for networking.

A new model for security isolation

Today’s attack surface is broad. Shared kernels invite escapes, accelerators fail to scrub memory, and multi-tenant environments mix performance and security risks. A modern model should help teams map trust boundaries, guide design, and provide a shared language.

Here is a proposed Security Isolation Stack that parallels the OSI structure:

The model is broad enough for Kubernetes, AI, SaaS, and hybrid environments. Like the OSI model, it avoids prescribing technologies and instead defines where boundaries can be enforced.

Jailbreaking from the security silo

Security was once a distinct function performed by a specialized team. Now isolation is a concern for every engineering role. Platform, application, SRE, and data engineers all shape isolation, from node placement and authentication to telemetry, filtering, and encryption.

Isolation also has performance benefits. When designed well it enables predictable allocation. Dynamic allocation within isolated zones often outperforms static sizing, especially in bursty environments. Strong boundaries can make systems faster as well as safer.

The drivers making isolation a universal requirement are gaining strength. Artificial intelligence workloads process sensitive data on shared accelerators. Microservices multiply trust boundaries. Compliance rules require precise control over data movement.

Soon the full matrix of isolation approaches across users, services, data, networks, runtimes, nodes, and hardware will be unavoidable. Engineers will need to think about isolation alongside latency and scalability.

Isolation as an Engineering Discipline

The OSI model gave networking a common language. Security isolation now needs the same kind of unifying framework.

Isolation is no longer only about keeping outsiders out but about containing the blast radius of any failure, from kernel exploits to GPU data leakage to rogue API calls. It’s not just security’s responsibility but a skill every engineer must master.

Reference models often outlast the specific technologies they were created to describe because they give practitioners a way to reason about complex systems and clarify where responsibilities begin and end. The OSI model remains relevant decades later, not because we still use the same protocols, but because it helps engineers understand the boundaries between layers and their implications. Security isolation needs the same kind of enduring framework. Without a clear understanding of where isolation boundaries must be drawn, teams risk making fundamental mistakes—the equivalent of a network engineer in the past failing to distinguish between internal and external traffic. A shared model can guide design, reveal gaps, and ensure isolation serves security and operational goals.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

---

(LW provides consulting services to the vendors we cover.)

 

The post GUEST ESSAY: Why cyber defenses need a framework — and a clearer map of boundaries first appeared on The Last Watchdog.