A method for workload security rings that includes receiving a plurality of workloads, each associated with respective security criteria and scheduled for execution on a distributed computing system divided into a plurality of security rings each associated with a respective subset of computing devices of the distributed computing system that is physically isolated from the other security rings. For each respective workload, the method includes determining, using the respective security criteria, a security level of the respective workload and identifying, using the security level of the respective workload, one or more of the plurality of security rings that are eligible for executing the respective workload. The method also includes executing the respective workload on one or more computing devices selected from one of the respective subsets of computing devices associated with the identified one or more of the plurality of security rings eligible for executing the respective workload.