Zero Trust Segmentation for Cloud-Native and AI Service Architectures: An Intelligent Policy Enforcement Framework to Minimize Lateral Movement

Authors

  • Navaneeth Komirisetty

Keywords:

Micro-Segmentation, Zero Trust Architecture, Cloud-Native Security, Kubernetes Workload Identity, Service Segmentation With AI, Blocking Lateral Movement, Policy Enforcement, Service Mesh

Abstract

Cloud-native architectures dissolve the network perimeter, making lateral movement a primary concern for distributed enterprise systems. AI services enlarge the attack surface through their east-west traffic: every workload, pipeline, and model-serving endpoint is a potential pivot point, so layering zero-trust segmentation controls across the identity, network, workload, and data planes is a complementary strategy for restricting lateral movement in modern cloud-native and AI environments. The paper proposes a micro-segmentation model that separates the policy decision component from the policy enforcement components that secure data flows between services. The model uses workload identity, explicit allow-listing of communication patterns, and a service mesh to achieve micro-segmentation. A second, AI-specific segmentation model addresses the introduction of the LLM tool chain, vector databases, and agentic services into a system's trust boundaries. Both models treat operational governance, evidence generation, and alignment with NIST SP 800-207 and the NIST AI Risk Management Framework as early design requirements for implementing and operating zero trust segmentation in regulated and critical-service contexts, enabling security architects and platform leaders to implement them with structured evidence generation.
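The abstract describes a policy decision point that is separate from the enforcement points, keyed on workload identity and an explicit allow-list of communication patterns. The following is an added example written for this page, not code from the paper or from any mesh product: a default-deny policy decision point (PDP) that evaluates SPIFFE workload identities against an allow-list and returns the decision a policy enforcement point (PEP, such as a sidecar proxy) would apply, plus a blast-radius walk that reports which workloads a compromised identity could still reach transitively. The trust domain `spiffe://example.org`, the workload names (agent, tool-gateway, vector-db, model-serving, ingest-pipeline, ci-runner, model-registry), the HTTP paths and the rules are all constructed assumptions.

```python
"""Added example, not code from the paper: a default-deny policy decision point
(PDP) that evaluates an explicit allow-list over SPIFFE workload identities and
returns decisions a policy enforcement point (PEP, e.g. a mesh sidecar) would
apply. Trust domain, workload names, rules and paths are all assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

TRUST_DOMAIN = "spiffe://example.org"  # assumed SPIFFE trust domain


def svid(name):
    """SPIFFE ID for a workload in the assumed namespace/service-account layout."""
    return f"{TRUST_DOMAIN}/ns/ai/sa/{name}"


@dataclass(frozen=True)
class Rule:
    src: str                # SPIFFE ID pattern (fnmatch wildcards allowed)
    dst: str
    methods: frozenset      # HTTP methods permitted on this edge
    paths: tuple = ("*",)   # path patterns permitted on this edge


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PolicyDecisionPoint:
    """Default deny: a flow is permitted only when an explicit rule matches.
    Every decision is appended to `evidence` so the allow-list can be audited."""

    def __init__(self, rules):
        self.rules = tuple(rules)
        self.evidence = []

    def decide(self, src, dst, method, path, peer_verified=True):
        d = self._evaluate(src, dst, method, path, peer_verified)
        self.evidence.append((src, dst, method, path, d.allowed, d.reason))
        return d

    def _evaluate(self, src, dst, method, path, peer_verified):
        # Identity must come from an mTLS-verified SVID, never from a header or IP.
        if not peer_verified:
            return Decision(False, "peer SVID not verified")
        if not (src.startswith(TRUST_DOMAIN + "/") and dst.startswith(TRUST_DOMAIN + "/")):
            return Decision(False, "identity outside trust domain")
        for r in self.rules:
            if (fnmatchcase(src, r.src) and fnmatchcase(dst, r.dst)
                    and method in r.methods
                    and any(fnmatchcase(path, p) for p in r.paths)):
                return Decision(True, f"matched rule {r.src} -> {r.dst}")
        return Decision(False, "no allow-list rule matched (default deny)")


# Constructed allow-list: the agent reaches data and models only via the tool gateway.
RULES = [
    Rule(svid("agent"), svid("tool-gateway"), frozenset({"POST"}), ("/tools/*",)),
    Rule(svid("tool-gateway"), svid("vector-db"), frozenset({"POST"}), ("/query",)),
    Rule(svid("tool-gateway"), svid("model-serving"), frozenset({"POST"}), ("/v1/completions",)),
    Rule(svid("ingest-pipeline"), svid("vector-db"), frozenset({"POST", "PUT"}), ("/upsert", "/collections/*")),
    Rule(svid("ci-runner"), svid("model-registry"), frozenset({"PUT"}), ("/models/*",)),
]
WORKLOADS = ["agent", "tool-gateway", "vector-db", "model-serving",
             "ingest-pipeline", "ci-runner", "model-registry"]
PDP = PolicyDecisionPoint(RULES)


def blast_radius(pdp, start, workloads=WORKLOADS):
    """Workloads a compromised `start` can still reach transitively through
    allowed flows: the lateral-movement graph the allow-list leaves open."""
    reached, frontier = set(), [svid(start)]
    while frontier:
        cur = frontier.pop()
        for w in workloads:
            target = svid(w)
            if target == cur or target in reached:
                continue
            # Ask the PDP itself rather than re-implementing the match logic.
            if any(pdp.decide(cur, target, next(iter(r.methods)), r.paths[0]).allowed
                   for r in pdp.rules):
                reached.add(target)
                frontier.append(target)
    return {t.rsplit("/", 1)[1] for t in reached}


if __name__ == "__main__":
    print(PDP.decide(svid("agent"), svid("tool-gateway"), "POST", "/tools/search"))
    print(PDP.decide(svid("agent"), svid("vector-db"), "POST", "/query"))  # blocked: must go via gateway
    for w in ("agent", "vector-db", "ci-runner"):
        print(w, "->", sorted(blast_radius(PDP, w)))
```

Two points the code makes that the abstract only states: the decision is keyed on the cryptographically verified SVID (an unverified peer or an identity from another trust domain never reaches the rule scan), and because the PDP is default-deny, the only lateral paths that exist are the ones written down, so `blast_radius` doubles as evidence of what a compromised agent or vector database could reach. In a real deployment the PEP would be the mesh proxy or CNI dataplane and the rules would be rendered into its native policy objects; the `evidence` list stands in for the audit log a regulated environment would need to retain.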

DOI: https://doi.org/10.17762/ijisae.v14i1s.8224


References

S. Rose et al., "Special Publication 800-207, Zero Trust Architecture," NIST, Gaithersburg, MD, USA, 2020. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

R. Chandramouli and Z. Butcher, "Special Publication 800-207A, Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Cloud Environments," NIST, Gaithersburg, MD, USA, 2023. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207A.pdf

National Institute of Standards and Technology, "Artificial Intelligence Risk Management Framework (AI RMF 1.0)," NIST, Gaithersburg, MD, USA, 2023. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf

National Institute of Standards and Technology, "Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile (NIST AI 600-1)," NIST, Gaithersburg, MD, USA, 2024. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf

OWASP, "OWASP Top 10 for Large Language Model Applications 2025," OWASP Foundation, 2025. [Online]. Available: https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-v2025.pdf

Cybersecurity and Infrastructure Security Agency et al., "Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems," CISA, Washington, DC, USA, 2024. [Online]. Available: https://media.defense.gov/2024/Apr/15/2003439257/-1/-1/0/CSI-DEPLOYING-AI-SYSTEMS-SECURELY.PDF

M. Souppaya, J. Morello, and K. Scarfone, "Special Publication 800-190, Application Container Security Guide," NIST, Gaithersburg, MD, USA, 2017. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf

Cybersecurity and Infrastructure Security Agency, "Zero Trust Maturity Model," Version 2.0, CISA, Washington, DC, USA, Apr. 2023. [Online]. Available: https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf

J. Kindervag, "No More Chewy Centers: Introducing the Zero Trust Model of Information Security," Forrester Research, Cambridge, MA, USA, Tech. Rep., 2010. [Online]. Available: https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf

B. Kriege et al., "Cloud Native Security Whitepaper," Version 2, CNCF, San Francisco, CA, USA, 2022. [Online]. Available: https://www.cncf.io/wp-content/uploads/2022/06/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf

E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.3," Internet Engineering Task Force, RFC 8446, Aug. 2018. doi: 10.17487/RFC8446. [Online]. Available: https://doi.org/10.17487/RFC8446

B. Lampson et al., "Authentication in Distributed Systems: Theory and Practice," ACM Transactions on Computer Systems, vol. 10, no. 4, pp. 265–310, Nov. 1992. [Online]. Available: https://pages.cs.wisc.edu/~remzi/Classes/739/Spring2003/Papers/theory-practice.pdf

Cloud Native Computing Foundation, "SPIFFE and SPIRE: Secure Production Identity Framework for Everyone," CNCF, San Francisco, CA, USA, 2023. [Online]. Available: https://spiffe.io/docs/latest/spiffe-about/overview/

Joint Task Force, "Special Publication 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations," NIST, Gaithersburg, MD, USA, 2020. doi: 10.6028/NIST.SP.800-53r5. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

National Institute of Standards and Technology, "Cybersecurity Framework 2.0," NIST, Gaithersburg, MD, USA, Feb. 2024. doi: 10.6028/NIST.CSWP.29. [Online]. Available: https://doi.org/10.6028/NIST.CSWP.29

Published

01.05.2026

How to Cite

Navaneeth Komirisetty. (2026). Zero Trust Segmentation for Cloud-Native and AI Service Architectures: An Intelligent Policy Enforcement Framework to Minimize Lateral Movement. International Journal of Intelligent Systems and Applications in Engineering, 14(1s), 615–626. Retrieved from https://ijisae.org/index.php/IJISAE/article/view/8224

Section

Research Article