Azure Landing Zone · Deep dive 02

Containing the blast radius: hub-spoke as damage control

Lateral movement drives most breaches and can cross a flat network in under an hour. Segmentation is what turns one compromised host into a contained incident.

Draft outline · Security / reliability lens
The anchor

2025 breach data (Verizon DBIR and the Illumio segmentation research) puts lateral movement in 60 to 70% of successful breaches, with observed propagation as fast as 18 to 48 minutes. A flat network is the amplifier; hub-spoke with enforced segmentation is the containment.

Sources we build on
Primary
Verizon DBIR 2025 / Illumio lateral-movement research

Industry breach data quantifying how often lateral movement features and how fast it is.

Journalism
The Record / journalism on flat-network ransomware

Named incident reporting where a lack of segmentation turned a foothold into an enterprise event.

Article outline
  1. Why flat networks fail. One foothold, unrestricted reach, minutes to spread.
  2. Hub-spoke as containment. Shared services central, workloads isolated in spokes.
  3. Enforcing the boundaries. NSGs, firewall in the hub, private endpoints, deny-by-default east-west.
  4. The reliability dividend. Blast-radius limits also limit outage scope, not just breach scope.
  5. Getting there without a rebuild. Migrating existing workloads into spokes.
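Outline point 3 is where the draft turns "deny-by-default east-west" into something checkable, and the trap on Azure is that every NSG ships with a built-in AllowVnetInBound rule at priority 65000 that admits any host in the VNet or a peered VNet on any port, so a spoke with no custom rules is still flat. The script below is an added example written for this draft, not Microsoft's tooling and not code from the original page. It evaluates a rule set the way an NSG does (lowest priority number first, first match wins) and reports whether lateral traffic between spoke subnets is actually blocked. The rule records mimic the fields of `az network nsg rule list --include-default` output but are constructed here; the VNet address spaces, the hub firewall subnet 10.0.1.0/24 and the spoke subnets are assumptions for illustration.

```python
"""Audit an Azure NSG rule set for deny-by-default east-west traffic.

Added example: rule records are constructed to mirror the fields of
`az network nsg rule list --include-default`; the address spaces and
subnet prefixes below are assumptions, not values from any real tenant.
"""
import ipaddress

# Assumption: address spaces of the hub (10.0.0.0/16) and one spoke (10.1.0.0/16).
# The "VirtualNetwork" service tag expands to the local VNet plus peered VNets,
# so for a spoke NSG it covers the hub as well.
VNET_ADDRESS_SPACES = [ipaddress.ip_network("10.0.0.0/16"),
                       ipaddress.ip_network("10.1.0.0/16")]

# Azure's built-in inbound default rules (priority 65000 and up, cannot be deleted).
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
     "destinationPortRange": "*"},
]

# Constructed: a spoke NSG that was never customised (defaults only).
FLAT_SPOKE_NSG = list(DEFAULT_INBOUND)

# Constructed: the same spoke with an explicit east-west deny and a narrow allow
# from the hub firewall subnet (10.0.1.0/24 is an assumed prefix).
SEGMENTED_SPOKE_NSG = [
    {"name": "AllowHttpsFromHubFirewall", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "443"},
    {"name": "DenyVnetInBound", "priority": 4000, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
] + DEFAULT_INBOUND


def _is_tag(value):
    """Service tags (VirtualNetwork, Internet, ...) start with a letter; prefixes don't."""
    return value[0].isalpha()


def _prefix_matches(rule_prefix, address):
    """Does a rule's address field cover the flow's address (a CIDR, an IP or a tag)?"""
    if rule_prefix == "*":
        return True
    if _is_tag(address):                      # flow expressed as a tag: exact match only
        return rule_prefix == address
    net = ipaddress.ip_network(address, strict=False)
    if rule_prefix == "VirtualNetwork":
        return any(net.subnet_of(space) for space in VNET_ADDRESS_SPACES)
    if _is_tag(rule_prefix):                  # other tags are not expanded to IPs here
        return False
    return net.subnet_of(ipaddress.ip_network(rule_prefix, strict=False))


def _port_matches(rule_range, port):
    """Match '*', a single port, or a 'low-high' range."""
    if rule_range == "*":
        return True
    low, _, high = rule_range.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules, src, dst, port, protocol="Tcp", direction="Inbound"):
    """Return (access, rule_name) for the first rule matching the flow, lowest priority number first."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != direction or rule["protocol"] not in ("*", protocol):
            continue
        if not _prefix_matches(rule["sourceAddressPrefix"], src):
            continue
        if not _prefix_matches(rule["destinationAddressPrefix"], dst):
            continue
        if not _port_matches(rule["destinationPortRange"], port):
            continue
        return rule["access"], rule["name"]
    return "Deny", "<implicit>"


def east_west_denied_by_default(rules):
    """True only if a lateral connection between two spoke subnets on an
    unlisted port (RDP here) is blocked before AllowVnetInBound gets a say."""
    access, _ = evaluate(rules, src="10.1.2.0/24", dst="10.1.3.0/24", port=3389)
    return access == "Deny"


def findings(rules):
    """Human-readable audit findings for one NSG."""
    out = []
    if not east_west_denied_by_default(rules):
        out.append("no explicit deny below AllowVnetInBound (65000): "
                   "any host in the VNet or a peered VNet reaches any port")
    for r in rules:
        if (r["direction"] == "Inbound" and r["access"] == "Allow" and r["priority"] < 65000
                and r["sourceAddressPrefix"] in ("*", "Internet")):
            out.append(f"{r['name']}: inbound allow from {r['sourceAddressPrefix']} "
                       f"on port {r['destinationPortRange']}")
    return out


if __name__ == "__main__":
    for label, nsg in (("flat spoke", FLAT_SPOKE_NSG), ("segmented spoke", SEGMENTED_SPOKE_NSG)):
        print(f"{label}: east-west denied by default = {east_west_denied_by_default(nsg)}")
        for f in findings(nsg):
            print(f"  finding: {f}")
```

The matcher is deliberately simplified (service tags other than VirtualNetwork are matched literally rather than expanded to Microsoft's published IP ranges, and application security groups are not modelled), but the ordering logic is the part that matters for point 3: unless a Deny for VirtualNetwork-to-VirtualNetwork sits at a priority number below 65000, with the handful of permitted flows allowed above it, the spoke is only segmented on the diagram.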
How it aligns to what we do

Leads with containment and reliability, with security as the driver rather than a scare. It shows the landing zone is designed for the bad day, and reinforces that we deploy an opinionated topology rather than hand over a diagram.

Points to hit
Control it ratifies
ISM / E8
ISM network segmentation and segregation controls; the topology is what makes those controls real rather than aspirational.