Many of the assumptions security decisions rely on no longer hold.

One of them is that systems are organised around hosts.

Security models continue to assume that infrastructure is stable.

They are built on the expectation that:

  • systems persist

  • assets can be controlled over time

  • boundaries can be defined

These assumptions shaped how control is applied.

They no longer reflect how systems operate.

The assumption

Traditional control models are host‑centric.

They focus on:

  • patching systems

  • hardening configurations

  • monitoring activity at the host level

Control is applied where systems are expected to exist.

What changed

Cloud environments are not organised that way.

Infrastructure is:

  • ephemeral

  • replaced, not repaired

  • scaled dynamically

Workloads move.
Environments change.

What does not persist cannot be relied on for control.

The mismatch

As a result:

  • controls are applied to entities that do not persist

  • effort focuses on what is continuously replaced

  • visibility degrades as environments change

Control is being applied where it no longer holds.

What actually persists

Despite this change, some elements remain consistent.

Across environments:

  • identities persist

  • permissions persist

  • relationships between components persist

The system is organised around these.

Control is not.

The consequence

This creates a gap between:

  • how the system operates

  • how it is secured

The result is:

  • controls that appear present, but do not hold

  • outcomes that vary across environments

  • reliance on assumptions that no longer apply

A useful reframing

Instead of asking:

“How do we secure our systems?”

Ask:

“Where is control actually applied?”

Closing thought

Control is no longer applied where systems exist.

“It sits with what persists.”
