As our foundation capabilities erode due to network ubiquity, virtualization, etc., we have to consider new ways to secure our environments. We are used to the bottom-up approach (often because standardization enables a bit of security scalability) but it is much more important these days to focus on the application and the data.

The question to ask yourself is whether you have an acceptable risk profile if you assume that network security and even operating system security is completely ineffective (it isn't, but its effectiveness is eroding).