A method for protecting private enterprise computing resources in a cloud computing environment includes determining a virtual topology comprising a secure computing zone, which includes a secure virtual vault, associated with an enterprise application of a private enterprise in a cloud computing environment. A traffic control policy associated with the secure computing zone is determined that comprises a plurality of security rules that define data traffic flow into, out of, and within the associated secure computing zone. A plurality of cloud computing nodes is selected and associated with the secure virtual vault. Any of the cloud computing nodes is a virtual computer or a physical computer device. The traffic control policy is automatically implemented in each of the cloud computing nodes associated with the secure virtual vault, where each cloud computing node is configured to enforce the plurality of security rules at an operating system level of the cloud computing node.