Most organisations today operate in a hybrid world — a mix of on-premises data centres and cloud infrastructure. And most of them still rely on perimeter-based defences as their primary security strategy. The problem? Once an attacker gets past that perimeter, there's often very little stopping them from moving laterally across your entire network.
During my Master's degree in Cybersecurity at the University of Essex, I researched this exact challenge. My dissertation focused on network segmentation in hybrid on-premises and cloud infrastructures, comparing identity-based segmentation with microsegmentation to determine which approach delivers stronger security outcomes. The results were clear — and they carry practical implications for any business leader thinking about their security posture today.
The Perimeter Is No Longer the Castle Wall
For decades, network security followed a fortress model: build a strong wall, and keep threats outside. But modern hybrid environments have made that model obsolete. Your data lives in AWS, your applications run across multiple VPCs, your teams connect from everywhere, and your on-premises data centre still houses critical workloads.
A single firewall sitting at the edge of your network cannot adequately protect this distributed architecture. What happens when an attacker compromises one cloud instance? Without internal controls, they can pivot across subnets, discover vulnerable services, and escalate their access — all while remaining inside your "trusted" network.
This is where the concept of defence-in-depth becomes critical. Security should not depend on a single control. It needs to be layered, enforced at multiple points, and designed around the assumption that breaches will happen.
Zero Trust: The Mindset Shift
Zero Trust Architecture moves away from the idea of "trusted" internal networks entirely. As NIST outlines, no implicit trust should be granted based on an asset's location within the network. Every access request must be verified, every connection must be justified, and every device should be treated as potentially compromised.
In my research, I tested two approaches that align with Zero Trust principles. Identity-based segmentation uses next-generation firewall capabilities to control traffic based on application identity rather than IP addresses alone. Microsegmentation goes further — applying security policies at the individual workload level using tools like cloud security groups.
What My Research Showed
In the hybrid lab environment I built — connecting an on-premises ESXi data centre to AWS via redundant VPN tunnels — I tested both approaches against the same set of vulnerable hosts running services like FTP, Telnet, HTTP, and TFTP alongside secure protocols like SSH and HTTPS.
Identity-based segmentation, implemented through a Palo Alto Next-Generation Firewall, reduced the attack surface by approximately 71% by filtering traffic based on application identity and restricting access to only SSH and HTTPS. That is a significant improvement over an unsegmented baseline.
Microsegmentation delivered even stronger results — it not only blocked insecure protocols, it prevented scanners from even discovering the hosts. Granular, workload-level control meant each instance could have tailored policies based on its specific role.
The key takeaway: microsegmentation does not replace perimeter security — it complements it. The strongest posture comes from layering both approaches together.
Bridging On-Premises and Cloud Security
One of the most practical insights from my research is that organisations do not need to choose between traditional on-premises security and cloud-native tools. The best outcomes come from combining them.
On the on-premises side, next-generation firewalls with identity-based policies provide strong perimeter and inter-zone controls. They excel at application-level visibility and enforcement across VLANs and security zones within your data centre.
On the cloud side, security groups and network ACLs offer workload-level microsegmentation that scales dynamically as your infrastructure grows. New instances can be automatically assigned to the appropriate security group based on their role, ensuring consistent policy enforcement without manual intervention.
The VPN tunnels connecting these two environments create an encrypted bridge, but the security controls on either side must be designed to work in concert. A breach in one environment should not cascade into the other. That is the essence of layered defence.
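To make the comparison in "What My Research Showed" and the on-premises/cloud split above concrete, here is a small policy model written for this article; it is not the dissertation's lab code. It models three postures against a constructed inventory of hosts that all run the services named earlier (FTP, Telnet, HTTP, TFTP, SSH, HTTPS): an unsegmented baseline, an NGFW-style rule keyed on application identity that permits only SSH and HTTPS, and per-role security groups with a silent default deny. The host names, roles and security-group rules are hypothetical, so the resulting counts are illustrative rather than the dissertation's figures; what the model shows is the qualitative difference the research describes, namely that the identity-based policy shrinks the reachable surface while hosts remain visible to a scanner, whereas workload-level groups leave unmatched probes unanswered so the hosts are not discovered at all.

```python
"""Added example (not from the dissertation): a toy model of three
segmentation postures evaluated from a compromised workload's viewpoint.
Hosts, roles and security-group rules below are constructed."""
from collections import namedtuple

Service = namedtuple("Service", "name proto port")

# The services the article's vulnerable hosts ran, on their standard ports.
SERVICES = [
    Service("ftp", "tcp", 21), Service("telnet", "tcp", 23),
    Service("http", "tcp", 80), Service("tftp", "udp", 69),
    Service("ssh", "tcp", 22), Service("https", "tcp", 443),
]
SECURE_APPS = {"ssh", "https"}

# Constructed inventory: host name -> role. Every host runs all SERVICES.
HOSTS = {"web-01": "web", "web-02": "web", "app-01": "app", "db-01": "db"}


def baseline(src_role, dst_role, svc):
    """Unsegmented network: anything inside the perimeter reaches anything."""
    return "open"


def identity_based(src_role, dst_role, svc):
    """NGFW-style inter-zone rule keyed on application identity.
    Only SSH and HTTPS pass; other flows are rejected, which still tells a
    scanner that the host exists (the port shows as closed)."""
    return "open" if svc.name in SECURE_APPS else "closed"


# Hypothetical per-role security groups: (source role, application) pairs
# permitted inbound. Anything else is dropped silently (stateful default deny).
SECURITY_GROUPS = {
    "web": {("lb", "https"), ("bastion", "ssh")},
    "app": {("web", "https"), ("bastion", "ssh")},
    "db":  {("app", "https"), ("bastion", "ssh")},  # assumes a TLS data API
}


def microsegmentation(src_role, dst_role, svc):
    """Workload-level policy: a probe that matches no rule gets no reply."""
    allowed = SECURITY_GROUPS.get(dst_role, set())
    return "open" if (src_role, svc.name) in allowed else "filtered"


def scan(policy, src_host):
    """Return {host: {service: state}} as seen from a scanner on src_host."""
    src_role = HOSTS[src_host]
    return {
        host: {svc.name: policy(src_role, role, svc) for svc in SERVICES}
        for host, role in HOSTS.items()
        if host != src_host
    }


def attack_surface(results):
    """Number of (host, service) pairs that accept a connection."""
    return sum(state == "open"
               for ports in results.values() for state in ports.values())


def discovered(results):
    """Hosts that answered at least one probe, whether open or closed.
    A host whose every port is filtered is invisible to host discovery."""
    return sorted(host for host, ports in results.items()
                  if any(state != "filtered" for state in ports.values()))


def compare(src_host="web-01"):
    """Evaluate all three postures from one compromised host."""
    postures = (("baseline", baseline),
                ("identity-based", identity_based),
                ("microsegmentation", microsegmentation))
    out = {}
    for name, policy in postures:
        results = scan(policy, src_host)
        out[name] = (attack_surface(results), discovered(results))
    return out


if __name__ == "__main__":
    for name, (surface, hosts) in compare().items():
        print(f"{name:18s} exposed={surface:2d} discoverable={hosts}")
```

Running the script from the compromised "web-01" shows the layered effect: the baseline exposes every service on every other host, the identity-based rule cuts that to the two secure applications per host but leaves all three hosts discoverable, and the per-role groups expose only the single HTTPS path the web tier legitimately needs to the app tier, with the database host never answering at all. In a real deployment the NGFW rule and the security groups run at the same time, which is the "complement, not replace" point made above.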
What This Means for Your Organisation
If you are a technology or business leader evaluating your security strategy, here are three principles worth considering:
- Layer your defences. No single tool or technique will protect you. Combine perimeter firewalls, identity-based controls, and microsegmentation to create multiple barriers an attacker must overcome.
- Adopt a Zero Trust mindset. Stop assuming that internal traffic is safe. Verify every connection, limit access to the minimum required, and design your policies around the assumption that any device could be compromised.
- Use the right tool for the right environment. On-premises firewalls and cloud security groups each have strengths. Deploy them together, not as alternatives, and ensure your policies are coordinated across both environments.
Final Thought
The threat landscape is evolving faster than most organisations' security strategies. Microsegmentation is not a luxury — it is a foundational element of modern network defence. Whether you are running a hybrid infrastructure or planning a cloud migration, building security into every layer of your architecture is no longer optional.
It is the difference between an attacker compromising one system and an attacker owning your entire network.
