
Securing Cloud Environments: State of the Art, Zero Trust, and Darknet-Inspired Approaches

Author: Evangelos Raptis, AEGIS

Cloud environments have become critical to modern organisations, but they face a constantly evolving threat landscape. Misconfigurations, sophisticated cyberattacks, and strict compliance requirements are among the challenges in safeguarding private clouds. Unsurprisingly, global spending on cloud security is soaring – an estimated $20 billion by 2025 according to Gartner. To protect sensitive assets in these environments, practitioners, developers and organisations are adopting multilayered defences and innovative strategies. With NOUS aiming to become a large-scale European cloud platform which integrates cutting-edge technologies like the HPC – QC – Traditional cloud pipeline, the need for a robust and equally novel cybersecurity solution is even more pressing. Let’s have a look at the current state of the art in cloud security, and specifically at how Zero Trust and darknet technologies can be combined to usher in a new era of secure private clouds.

Protecting a cloud system typically involves defence-in-depth: strong identity and access management, network segmentation, encryption of data in transit and at rest, and continuous monitoring for threats. Many organizations operate hybrid and multi-cloud architectures, adding complexity to policy enforcement and visibility. Ensuring consistent security across on-premises and multiple cloud platforms is difficult, leading to potential gaps. Moreover, the rise of remote work and cloud connectivity has expanded the attack surface. In fact, recent analyses note a 47% rise in cyberattacks (e.g. phishing) as employees work from home. These challenges have driven a shift in strategy: Zero Trust Architecture (ZTA) has rapidly emerged as a new norm for cloud security. According to one industry survey, 87% of organizations are now focusing on a zero-trust approach that strictly verifies each access request based on user identity, device, and context, following least-privilege principles. In short, trusting the network by default is falling out of favour; continuous verification is in.

Zero Trust Architecture represents a paradigm shift from the traditional perimeter-based model of security. Instead of assuming users or devices inside a corporate network are trustworthy, zero trust requires every access attempt to be authenticated, authorized, and encrypted regardless of the network origin. In a zero trust model, no implicit trust is granted to any user, system, or service, even if it’s behind the company firewall or was previously verified. Every request is checked against the identity of the entity, the device posture, and the contextual factors (such as location or behaviour) before access is granted. Key tenets include the principle of least privilege (granting minimal rights necessary), continuous verification of credentials and device health, and micro-segmentation of networks to contain any potential breaches.
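To make these tenets concrete, here is an added example in Python (not part of the original article, and not any vendor's or NIST's policy engine) of a toy policy decision function: it denies by default, checks identity, device posture and request context, forces re-verification once a session is older than a short interval, and only then consults a least-privilege role table. The role entitlements, allowed countries, patch-age and risk-score thresholds and the session lifetime are constructed assumptions.

```python
"""Toy zero-trust policy decision point (added example, not the article's code).

A request is described by who is asking (identity), what they are asking
from (device posture) and the circumstances (context).  Access is denied by
default: every failed check appends a reason, and the request is allowed only
when the reason list is empty AND a role grants the (resource, action) pair.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed least-privilege entitlements: role -> {(resource, action)}.
ROLE_ENTITLEMENTS = {
    "sre": {("vm", "read"), ("vm", "restart"), ("logs", "read")},
    "analyst": {("logs", "read")},
}
ALLOWED_COUNTRIES = {"DE", "FR", "NL", "GR"}   # constructed allow-list
MAX_PATCH_AGE_DAYS = 30                        # constructed posture threshold
MAX_IP_RISK = 70                               # constructed risk threshold (0..100)


@dataclass
class Identity:
    subject: str
    roles: set
    mfa_verified: bool
    authenticated_at: datetime


@dataclass
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    os_patch_age_days: int


@dataclass
class Context:
    country: str
    ip_risk_score: int   # hypothetical score from a reputation feed


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(identity, device, context, resource, action,
             now=None, max_session=timedelta(minutes=15)):
    """Return a Decision; allowed only if every check passes."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    # Identity: MFA required, and the proof must be fresh (continuous verification).
    if not identity.mfa_verified:
        reasons.append("identity: MFA not verified")
    if now - identity.authenticated_at > max_session:
        reasons.append("identity: authentication older than %s, re-verify" % max_session)
    # Device posture: unmanaged, unencrypted or stale devices are not trusted.
    if not device.managed:
        reasons.append("device: unmanaged")
    if not device.disk_encrypted:
        reasons.append("device: disk not encrypted")
    if device.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("device: OS patches older than %d days" % MAX_PATCH_AGE_DAYS)
    # Context: where the request comes from matters even for a valid user.
    if context.country not in ALLOWED_COUNTRIES:
        reasons.append("context: country %s not permitted" % context.country)
    if context.ip_risk_score >= MAX_IP_RISK:
        reasons.append("context: source IP risk score %d too high" % context.ip_risk_score)
    # Least privilege: some role must explicitly grant this action on this resource.
    entitled = any((resource, action) in ROLE_ENTITLEMENTS.get(r, set())
                   for r in identity.roles)
    if not entitled:
        reasons.append("authz: no role grants %s on %s" % (action, resource))
    return Decision(allowed=not reasons, reasons=reasons)


NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def example_requests(now=NOW):
    """Constructed scenarios exercising each class of check."""
    sre = Identity("alice@example.org", {"sre"}, True, now - timedelta(minutes=2))
    analyst = Identity("bob@example.org", {"analyst"}, True, now - timedelta(minutes=2))
    stale = Identity("alice@example.org", {"sre"}, True, now - timedelta(minutes=40))
    good_dev = DevicePosture(managed=True, disk_encrypted=True, os_patch_age_days=3)
    byod = DevicePosture(managed=False, disk_encrypted=False, os_patch_age_days=90)
    eu = Context(country="DE", ip_risk_score=5)
    return {
        "sre_restart_vm": evaluate(sre, good_dev, eu, "vm", "restart", now),
        "analyst_restart_vm": evaluate(analyst, good_dev, eu, "vm", "restart", now),
        "stale_session": evaluate(stale, good_dev, eu, "vm", "restart", now),
        "byod_read_logs": evaluate(analyst, byod, eu, "logs", "read", now),
    }


if __name__ == "__main__":
    for name, d in example_requests().items():
        print(name, "ALLOW" if d.allowed else "DENY", d.reasons)
```

The point of the reason list is that a denial is explainable and auditable: the same request from the same person is refused on a personal laptop or after the session has aged out, which is exactly the behaviour a perimeter model never gives you.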

This approach has quickly become synonymous with state-of-the-art cloud security. It’s advocated by standards bodies (for example, NIST’s guidelines on zero trust) and has been called the “modern gold standard” for protecting digital assets. In practice, zero trust is being implemented via technologies like zero trust network access (ZTNA) solutions that replace or augment VPNs. A prominent example is Google’s BeyondCorp initiative, which shifted Google’s own enterprise access controls to a context-aware, zero trust model that no longer relies on a privileged network perimeter. In the commercial sphere, numerous vendors now offer ZTNA services, effectively validating each user and device continuously, to help companies adopt this model. The consensus in both industry and government is that zero trust greatly strengthens cloud and network security by limiting implicit trust which attackers could otherwise exploit.

While zero trust focuses on authentication and minimal privilege, darknet technologies offer a different but complementary angle: making systems harder to find or target in the first place. The term darknet refers to an overlay network on the internet that can only be accessed with specific software, configurations, or authorization. In other words, darknets are networks within the Internet that are not discoverable via normal means. One must know the exact address or use special protocols to reach them. Well-known examples include the Tor network (which uses onion routing for anonymity), I2P, and Freenet. These systems were originally designed to provide strong anonymity, privacy, and censorship-resistance for users. They require cryptographic handshakes and often decentralized trust models to connect, and nodes do not readily reveal their identities or IP addresses to outsiders.

Darknets are often associated with the “dark web,” but their technologies have legitimate uses and important security properties. For instance, journalists and whistleblowers use Tor hidden services (accessible via “.onion” addresses) and platforms like SecureDrop to communicate securely and anonymously. The core principle is that a service can operate in the “dark”: invisible to anyone not authorized or not using the right network, drastically reducing unwanted exposure. Notably, the concept of keeping systems hidden from general visibility has roots in the early internet: in the 1970s, ARPANET darknets referred to nodes that were deliberately kept isolated, not listed in network directories and not responding to pings, for security purposes. In effect, they were machines that could receive data but remained invisible, an early embodiment of “security through obscurity” done right.

From a defensive standpoint, the lesson from darknet technologies is that stealth can enhance security. If attackers cannot easily find or reach a resource, they cannot attack it. Modern darknet systems achieve this through enforced anonymity, encryption, and trust barriers at the network layer. These same ideas can potentially be applied to cloud environments: imagine cloud workloads or APIs that only respond to properly authenticated and cloaked requests, and are otherwise undiscoverable on the network. With darknet principles, organizations could make their private cloud infrastructure a moving target or even a proverbial black hole to attackers, while still fully accessible to authorized users.

Bringing together zero trust and darknet principles yields a vision of cloud security that is both highly restrictive and stealthy. In such a model, even if an attacker penetrates the outer network, they would struggle to locate any valuable target, and even if they did, they would still face strict authentication at every step. One existing approach that embodies this vision is the Software-Defined Perimeter (SDP), sometimes called a “black cloud.” An SDP, originally developed by the Cloud Security Alliance, follows a zero-trust model of verifying identity and device posture before granting any access. The result is that application infrastructure protected by an SDP is effectively made invisible to unauthorized users, lacking any public DNS entries or responding IP addresses. In other words, unless a user or device authenticates through the SDP controller, the services might as well not exist from an outsider’s perspective. Proponents note that this dramatically reduces the attack surface by preventing attackers from even scanning for open ports or launching denial-of-service attacks on unseen servers.
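As an added illustration that is not part of the original article and not the Cloud Security Alliance's reference implementation, the following Python sketch models the controller/gateway split of an SDP: the controller issues a short-lived HMAC-signed ticket only after its own identity and posture checks have passed, and the gateway answers nothing at all (a silent drop rather than an error) unless a valid, unexpired ticket for that exact service is presented. The signing key, ticket format and lifetime are constructed assumptions.

```python
"""Toy software-defined-perimeter gate (added example, not the article's code).

issue_ticket() stands in for the SDP controller; gate() stands in for the
gateway in front of a cloaked service.  Anything that is not a valid ticket
produces "drop" with no further detail, so an unauthenticated party sees the
same thing whether the service exists or not.
"""
import base64
import hashlib
import hmac
import json
import time

CONTROLLER_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: shared controller/gateway secret


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_ticket(subject, device_id, service, ttl_s=60, now=None, key=CONTROLLER_KEY):
    """Controller side: called only after identity and device posture were verified."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "dev": device_id, "svc": service, "exp": now + ttl_s}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    # Body and tag are base64url encoded separately, so '.' is an unambiguous separator.
    return _b64(body) + "." + _b64(tag)


def gate(ticket, service, now=None, key=CONTROLLER_KEY):
    """Gateway side: ("accept", claims) or ("drop", None). A drop sends nothing back."""
    now = int(time.time()) if now is None else now
    try:
        b64_body, b64_tag = ticket.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        tag = base64.urlsafe_b64decode(b64_tag)
    except (ValueError, TypeError, AttributeError):   # malformed input: stay dark
        return ("drop", None)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # forged or tampered: stay dark
        return ("drop", None)
    claims = json.loads(body)
    if claims.get("exp", 0) < now or claims.get("svc") != service:   # expired or wrong service
        return ("drop", None)
    return ("accept", claims)


if __name__ == "__main__":
    t = issue_ticket("alice@example.org", "laptop-01", "billing-api", ttl_s=60, now=1000)
    print(gate(t, "billing-api", now=1030))   # accepted within the lifetime
    print(gate(t, "billing-api", now=1100))   # expired: dropped
    print(gate("GET / HTTP/1.1", "billing-api", now=1030))   # a scanner's probe: dropped
```

In a real deployment the gateway would enforce this at the packet level (single-packet authorization or a mutually authenticated tunnel) rather than on an application string, but the property being demonstrated is the same: without a ticket from the controller there is no observable response to probe.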

Several commercial solutions now implement this kind of secure cloaking. BeyondCorp-style ZTNA services from providers like Zscaler and Cloudflare, for example, broker every connection and hide the applications behind them from direct access. Similarly, products based on SDP (e.g. Appgate SDP or Perimeter 81) create encrypted tunnels on demand and keep all services “dark” until trust is established. These real-world implementations show the feasibility of blending zero trust authentication with darknet-like network hiding. Even cloud vendors are adding private access endpoints and identity-aware proxies that eliminate the need to expose services to the open network. The need-to-know connectivity model inherent in these solutions mirrors the darknet idea that only nodes with the right keys or knowledge can even initiate contact.

Academic research is also exploring related frontiers. Techniques like moving target defence (frequently changing network addresses or routes) and network micro-segmentation have a similar goal of confounding attackers by obfuscating the environment. Researchers have noted that a zero trust architecture could be strengthened by ephemeral, hidden service endpoints, essentially applying an onion-routing mindset to cloud services to thwart attacker reconnaissance. Even though this is an emerging area, the pieces are in place: the use of cryptographic identities instead of stable IP addresses, dynamic trust evaluation, and overlay networks for communication. Early adopters in the open-source community have even experimented with peer-to-peer overlay VPNs that require mutual authentication (such as Nebula or Tailscale), effectively creating a private darknet for cloud resources accessible only to nodes with valid certificates. These developments point toward an evolution of cloud security where both verification and invisibility are core design principles.

In any case, both academia and industry are contributing solutions that illustrate this forward-thinking evolution in cloud security. On the industry side, we have seen Zero Trust Network Access (ZTNA) become a staple: for example, companies implementing ZTNA report more confidence in granting remote access without expanding the attack surface. Google’s BeyondCorp and similar frameworks are now offered commercially, underscoring that zero trust for private apps is practical at scale. Complementing this, the concept of an enterprise darknet is gaining traction. The Cloud Security Alliance’s SDP specification led to implementations where a company’s internal cloud services are only reachable via an authenticated, encrypted overlay, a clear echo of darknet principles in a business context.

In the academic realm, the zero trust model itself originated from research (the term was coined in a 1994 doctoral thesis) and has since been studied extensively. Now, researchers are examining how to leverage darknets for defence rather than offense. For instance, one line of work looks at deploying honeypot “darknets”, which are unused IP address spaces that silently record any incoming traffic, to detect illicit scanning and infiltration attempts in cloud networks. Another experimental idea is using established anonymity networks like Tor to secure inter-cloud communications. While using Tor for enterprise traffic is not mainstream, the underlying idea is appealing: by routing data through encrypted, multilayered paths and requiring knowledge of a hidden service address, an organization could shield sensitive data exchanges from interception. Indeed, systems like SecureDrop already use Tor to protect sensitive communications, hinting at how similar approaches could protect corporate data exchanges or backups in the future.
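The honeypot-darknet idea can be tried on ordinary flow logs. The script below is an added example, not from the article or from any of the work it mentions; it assumes a constructed, unused internal range (10.99.0.0/16) that hosts no service, so any flow addressed into it is by definition unsolicited, and it groups those flows by source to tell a single stray probe from a horizontal scan. The log format and the sample lines are constructed.

```python
"""Internal darknet (network telescope) detector (added example, not the article's code).

The range DARKNET is assumed to be allocated but deliberately unused, so no
legitimate client ever sends traffic there.  Flows whose destination falls in
that range are grouped by source; one hit is a stray probe, several distinct
dark destinations from one source is a horizontal scan.
"""
import ipaddress
from collections import defaultdict

DARKNET = ipaddress.ip_network("10.99.0.0/16")   # constructed: unused internal range

# Constructed flow records: timestamp src dst dport proto
SAMPLE_FLOWS = """\
2025-01-01T12:00:01Z 10.1.4.22  10.1.8.10  443  tcp
2025-01-01T12:00:02Z 10.1.4.22  10.1.8.11  443  tcp
2025-01-01T12:00:03Z 10.1.4.250 10.99.0.1  22   tcp
2025-01-01T12:00:03Z 10.1.4.250 10.99.0.2  22   tcp
2025-01-01T12:00:03Z 10.1.4.250 10.99.0.3  22   tcp
2025-01-01T12:00:04Z 10.1.4.250 10.99.0.4  3389 tcp
2025-01-01T12:00:04Z 10.1.4.250 10.99.0.5  3389 tcp
2025-01-01T12:00:09Z 10.1.7.9   10.99.12.7 8080 tcp
"""


def parse_flow(line):
    """Parse one whitespace-separated record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def analyse(flow_text, darknet=DARKNET, scan_threshold=3):
    """Return {source: finding} for every source that touched the dark range."""
    hits = defaultdict(lambda: {"dark_hosts": set(), "ports": set(), "first_seen": None})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["dst"] not in darknet:
            continue   # traffic to live services is not the telescope's business
        rec = hits[str(f["src"])]
        rec["dark_hosts"].add(str(f["dst"]))
        rec["ports"].add(f["dport"])
        rec["first_seen"] = rec["first_seen"] or f["ts"]
    findings = {}
    for src, rec in hits.items():
        n = len(rec["dark_hosts"])
        findings[src] = {
            "dark_hosts": n,
            "ports": sorted(rec["ports"]),
            "first_seen": rec["first_seen"],
            "verdict": "horizontal scan" if n >= scan_threshold else "single probe",
        }
    return findings


if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_FLOWS).items():
        print(src, finding)
```

Because nothing legitimate lives in the dark range, the detector needs no baseline and produces no false positives from normal traffic; the only tuning knob is `scan_threshold`, and a single probe is still worth a ticket since it means something inside the network is enumerating addresses it was never given.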

Things are rapidly advancing in cloud security. Zero trust architecture has moved from buzzword to baseline, fundamentally improving how we authenticate and authorize anything and everything in the cloud. At the same time, darknet technologies remind us that making infrastructure less visible can markedly enhance security. The convergence of these ideas, i.e., trust no one and hide everything (until trust is established), is a logical next step in the evolution of cloud security. This forward-thinking approach promises to reduce attack surfaces to near-zero, as only authenticated, verified users can even see that a resource exists. In an era of escalating threats, such an approach could be transformational. It represents a proactive, research-driven path to private cloud security that is not only reactive to known threats but inherently resilient against the unknown. Embracing zero trust and darknet principles together will position organizations at the cutting edge of cybersecurity, where cloud environments are secure by design, yet friendly and accessible to those who belong. This novel and exciting approach is an integral part of the NOUS architecture and will play an important role in securing the result of this ambitious, pan-European effort. Stay tuned on all the exciting things which lie in store!
