Firewall-only security breaks down when attackers already have internal access and can move laterally through allowed east-west paths. Perimeter controls may still block some ingress, but they do not reliably contain workload-to-workload movement, policy drift, or over-broad internal trust. In hybrid environments, that gap turns one foothold into a much wider blast radius.
Why This Matters for Security Teams
Firewall-only security assumes the most important risk sits at the edge, but hybrid environments rarely behave that way. Once cloud workloads, on-prem systems, SaaS apps, and remote admins share trust paths, attackers can exploit allowed traffic instead of trying to break through the perimeter. That is why modern control planning increasingly depends on the NIST Cybersecurity Framework 2.0, which treats protection, detection, and response as connected functions rather than a single gate.
The practical issue is not whether a firewall is useful. It is whether it can distinguish legitimate from malicious activity once access is already inside the environment. It usually cannot, especially when identities, tokens, service accounts, and automation tools are in play. NHI Management Group’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which means a single compromised credential can create broad internal reach.
In practice, many security teams discover this only after lateral movement has already begun, rather than through intentional containment design.
How It Works in Practice
In hybrid environments, security has to assume that some traffic is already trusted, some identities are already authenticated, and some paths are already approved. Firewalls still matter for ingress and segmentation, but they are only one layer. The real question is how east-west access is governed, how service-to-service trust is restricted, and how identity is verified continuously across cloud and on-prem systems.
That is where NHI control becomes central. Machine identities, API keys, certificates, and automation roles often bypass the scrutiny applied to human users. If those credentials are long-lived, over-privileged, or embedded in pipelines, a firewall cannot limit what an attacker does after compromise. Current guidance suggests pairing network segmentation with identity controls, rotation discipline, and monitoring of service accounts and secrets. The NHI Management Group research on the Ultimate Guide to NHIs also shows why this matters operationally: 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Restrict east-west paths with segmented trust zones, not only perimeter rules.
- Apply least privilege to workloads, service accounts, and automation tokens.
- Rotate secrets and certificates on a defined schedule, with revocation that actually works.
- Log identity use, not just network flows, so suspicious tool use and credential reuse can be detected.
- Correlate firewall events with IAM, PAM, SIEM, and cloud control-plane telemetry.
For control mapping, NIST CSF 2.0 is useful because it pushes teams toward governance, protection, detection, and response across the whole environment, while hybrid attack patterns are often easier to understand through MITRE ATT&CK techniques such as lateral movement and valid account abuse. These controls tend to break down when legacy networks, shared admin tooling, and unmanaged service accounts all coexist, because the same identity can be trusted across too many segments.
Common Variations and Edge Cases
Tighter segmentation often increases operational overhead, requiring organisations to balance containment benefits against migration complexity and application fragility. That tradeoff is especially visible in hybrid estates with legacy systems, shared middleware, or frequent DevOps releases. In those environments, strict firewall rules can slow delivery, so teams sometimes loosen controls to keep services working. That is a security debt, not a solution.
There is no universal standard for how much east-west traffic should be allowed by default. Best practice is evolving toward identity-aware policy, service-to-service authentication, and zero trust principles, but the implementation path differs by architecture. For example, a workload using mutual TLS and short-lived credentials can be governed more tightly than a flat subnet with static secrets. The Ultimate Guide to NHIs is especially relevant here because it highlights how excessive privileges and poor rotation amplify risk even when the perimeter looks strong.
Edge cases also matter in third-party integrations, admin jump hosts, and automation pipelines. A firewall may permit those flows by design, but that does not make them safe. When access depends on long-lived credentials, shared accounts, or unclear ownership, the control model breaks down quickly. In those cases, teams should treat the identity layer as the primary enforcement point and the firewall as a supporting control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC | Hybrid firewall limits fail when access control is not identity-aware. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero trust requires internal traffic to be continuously verified, not implicitly trusted. |
| OWASP Non-Human Identity Top 10 | Compromised service accounts and API keys are core to firewall bypass scenarios. | |
| NIST SP 800-63 | IAL/AAL | Identity assurance helps reduce implicit trust in hybrid admin and automation paths. |
| MITRE ATT&CK | T1021 | Lateral movement techniques explain why perimeter-only controls miss internal abuse. |
Use PR.AC to enforce least privilege and segmentation across users, workloads, and services.
Related resources from NHI Mgmt Group
- Why do hybrid identity environments create more audit and security risk than single-directory setups?
- How should security teams govern certificate lifecycles across hybrid environments?
- How should security teams reduce standing privilege in hybrid environments?
- How should security teams use identity security posture scores in hybrid environments?