Network Segmentation That Survives the Real World
How to design network segmentation an enterprise can operate: zone models, enforcement points, identity integration, and a migration path from flat networks.
Engineering Publication · iampavel.com
Enterprise Architect · AI Integrity Engineer · Cybersecurity Leader
Pavel Glukhikh is an enterprise architect, AI integrity engineer, and technology executive based in the Greater New Orleans area. He is a Sr. Enterprise Architect in the Enterprise IT / AI Enablement Group at DXC Technology, where he drives enterprise architecture and AI adoption, and he is the founder and CEO of Nubinity, LLC, a managed services and connectivity provider. His engineering work spans enterprise architecture, cybersecurity, infrastructure and platform engineering, enterprise networking, industrial control systems, and responsible AI.
This site is my engineering notebook at publication scale: articles, research, reference architectures, and field notes from two decades of building, breaking, and running systems. Everything here is written to teach. Nothing is written to sell.
Knowledge Base
Enterprise AI architecture, AI integrity, and responsible AI engineering — governance, evaluation, security, and deployment patterns from production systems.
Infrastructure engineering and platform architecture — Kubernetes, hosting, observability, and operations patterns proven at enterprise scale.
Enterprise network architecture from a CCNP practitioner — routing, switching, BGP, DNS, network security, and design patterns for reliable connectivity at scale.
Security architecture, defensive engineering, and risk-driven design — practical cybersecurity guidance for enterprise infrastructure, cloud, and AI systems.
ICS, SCADA, and OT engineering from hands-on process-control experience — architectures, security models, and operational practices for industrial environments.
Servant leadership for technical organizations — managing engineering teams, account technology strategy, and building trust from a practicing technology executive.
Areas of Expertise
Not a skills cloud — the disciplines I practice, each backed by the operational history that earned it a place on this list.
Target-state design, architecture governance, and decision records for organizations where the diagram has to survive contact with production. Chaired solution review boards; led technical strategy across Fortune 500 account portfolios.
Making AI systems trustworthy in production: governance engineers accept, evaluation that gates releases, security against manipulation, and architectures that keep humans accountable. Currently practicing this daily in Enterprise IT / AI Enablement at DXC.
Identity-first design, segmentation that operators can live with, ransomware-resilient recovery paths, and security reviews that find what matters. Security as a property of the design, not a stage of the project.
Routing, BGP, DNS, and network design from a CCNP practitioner who also runs a connectivity provider. Networks judged by the only metric that matters: how they behave during failures.
Four years administering live process-control networks at a petrochemical plant. ICS/SCADA architecture, OT/IT convergence, and security models that respect the physics on the other side of the PLC.
Production Kubernetes architecture and the platform discipline around it — GitOps delivery, upgrade strategy, and the troubleshooting method behind guides read by thousands of engineers on Medium.
Metrics, logs, and traces engineered as decision-grade telemetry — retention economics, alerting that pages on symptoms, and the operational maturity that turns monitoring into fewer outages.
Founded and operated hosting and connectivity providers since 2012 — Universal Hosting for twelve years, Nubinity since 2019. The pager-carrying end of every architecture opinion on this site.
Servant leadership practiced on delivery teams of 30+, ITAR operations, and 100-member volunteer organizations. Decision quality, technical ownership, and trust built through competence rather than title.
Philosophy
Every article here is an application of a small set of convictions, formed by operating systems long after their launch parties. Expand any of them — each one is defended at length somewhere in the publication.
Every architecture decision is a loan against future operations. The fashionable design with nine dependencies will demo beautifully and then bill you for years — in upgrades, in on-call pages, in the meeting where nobody can explain why it works. Elegant systems are usually simpler than fashionable ones. When two designs solve the same problem, the one with fewer moving parts wins on a five-year horizon almost every time.
Anyone can deploy software. Keeping it healthy for five years is engineering. The real test of an architecture is not the launch — it is the 2 AM outage eighteen months later, handled by someone who wasn't in the design meetings. I evaluate every design against that person: what will they see, what can they safely do, and how fast can they know they were right.
Good infrastructure becomes invisible. Users should never think about networking, identity, storage, routing, or power — those systems should simply work, quietly, for years. The corollary is that infrastructure work is measured by absence: the incident that didn't happen, the migration nobody noticed. That is a strange career incentive, and exactly why infrastructure quality varies so much between organizations.
The fastest system is worthless if it cannot survive failure. Perfection-oriented design tries to prevent every fault; recovery-oriented design assumes faults and engineers the path back. Backups that restore, failovers that have actually run, blast radii that are decided in advance — these are product features, whether or not they appear on the roadmap.
Every technology stops being exciting. Then someone has to maintain it — patch it, monitor it, explain it to auditors, keep it alive through three reorgs. Those people determine whether the technology succeeds, and they are almost never in the room when it is chosen. The most reliable predictor of a platform's long-term cost is not its license fee; it is how it treats the people who operate it.
AI is not magic. It requires governance, architecture, operational controls, security, and lifecycle management — the same disciplines every other production system requires, applied to a component that is probabilistic instead of deterministic. Building AI and operating AI are different disciplines, and the second one decides the outcome. The organizations that win with AI will be the ones that treat it as infrastructure rather than entertainment.
Security that exists by inspection — reviews at the end, findings in a spreadsheet — is friction. Security that exists by design — identity as the perimeter, segmentation as containment, recovery as an engineered property — is confidence. Good security reduces uncertainty about how the system behaves under attack. Bad security just makes the system harder to use while the attacker logs in anyway.
The database is faster but the application timeouts got worse; the team shipped more tickets but the product shipped later. Component optimization is easy to measure and frequently counterproductive. Systems thinking — following the constraint, not the metric — is the discipline that separates engineering from tuning. It applies to architectures and to organizations, which are also systems.
Latest
How to design network segmentation an enterprise can operate: zone models, enforcement points, identity integration, and a migration path from flat networks.
A technology roadmap is a set of decision records over time, not Gantt theater. How to anchor to EOL realities, sequence by risk, and re-plan quarterly.
Critical infrastructure protection explained by dependency: sector interdependencies, CISA and NERC CIP context, and the defenses that matter to operators.
A staged enterprise AI adoption framework from an architect's seat: use-case triage, build vs buy vs wait, platform foundations, and metrics that matter.
Operational resilience as an engineered property: failure domains, degraded-mode design, tested RTO over dashboard uptime, and real failover discipline.
Serving a static Astro build from Cloudflare Workers: trailing slashes, custom 404s, caching, and the one-command deploy loop — this site's exact setup.
AI risk management that engineers can run: a five-domain taxonomy, assessments that produce decisions, NIST AI RMF mapping, and monitoring that closes the loop.
What digital transformation actually gets funded to mean, why most programs fail, and how to tell a real modernization program from an expensive show.
An infrastructure modernization approach without transformation theater: what to replace, what to keep, strangler patterns, funding, and risk-first sequencing.
Research Areas
Long-horizon questions I am actively working: measurement frameworks for AI integrity, energy as the binding constraint on computing, and how far infrastructure can safely heal itself. Practitioner research — methods and findings published, results never invented.
Ongoing
An investigation into closed-loop infrastructure automation — from auto-remediation to AI-driven operations — and where human accountability must survive.
Active
Why power availability — not chips or capital — is becoming the limiting factor for AI-era infrastructure, and what it means for architecture decisions today.
Active
An active research program on measuring AI integrity: why accuracy metrics miss it, dimensions like grounding faithfulness, and harness design.
Industry Experience
Process-control and office networks at Chevron Oronite; OT security earned on a live plant floor.
Account technology leadership for large healthcare portfolios — compliance-heavy, downtime-intolerant systems.
Enterprise technology strategy for major retail accounts: seasonal scale, thin margins, zero patience for outages.
Led US ITAR cloud operations across 12+ regulated client environments with a 15-engineer team.
Founder-operator of service providers since 2012 — hosting, DNS, VPN, and managed infrastructure.
Credentials behind the record: B.S. Computer Science (network security concentration), Cisco CCNP Routing & Switching, FAA Part 107. Full history on the about page.
Featured Publications
Speaking
Talks on AI integrity, ICS security, enterprise architecture, and technology leadership — built from production experience, not vendor decks. Most recently at CyberNOLA.
Topics & bookingCurrent Projects
Managed services & connectivity provider — founder/CEO since 2019.
Privacy-focused VPN operated under Nubinity.
Production-grade home datacenter — the proving ground for most articles here.
Measurement frameworks for trustworthy AI, published as open research.
Questions
Pavel Glukhikh is an enterprise architect, AI integrity engineer, and technology executive based in the Greater New Orleans area. He is a Sr. Enterprise Architect in the Enterprise IT / AI Enablement Group at DXC Technology and the founder and CEO of Nubinity, LLC, a managed services and connectivity provider. His background spans enterprise architecture, cybersecurity, industrial control systems, enterprise networking, and platform engineering.
AI integrity is the engineering discipline of making AI systems trustworthy in production: verifiable behavior, governed data paths, security against manipulation, and architectures that keep humans accountable for outcomes. It treats AI as software that requires governance, evaluation, observability, and operational controls — not as magic. The AI topic section covers the discipline in depth.
Six clusters: AI and AI integrity, infrastructure and platform engineering, enterprise networking, cybersecurity, industrial control systems, and technology leadership — plus research programs, whitepapers, reference architectures, and a lab notebook. Everything is written from practitioner experience with architecture, tradeoffs, and operational reality.
Yes, selectively — architecture reviews, security and AI integrity assessments, infrastructure design, and ongoing advisory, delivered personally. Engagement models and pricing are on the consulting page; the best first step is a short note describing the problem and timeline via the contact page.
Four years administering both office and process-control networks at a Chevron Oronite petrochemical plant, followed by continued ICS/OT security research and writing. The industrial systems section covers SCADA design, the Purdue model, OT/IT convergence, and critical infrastructure protection from that operational vantage point.
Email me@iampavel.com, use the contact form on the contact page (delivered first-party through this site's own infrastructure), or connect on LinkedIn at linkedin.com/in/pglukhikh. Messages reach Pavel directly — there is no sales team.