Subscribe to the Non-Human & AI Identity Journal

East-west visibility

East-west visibility is the ability to observe traffic and communication between internal systems, workloads, and services. In cloud environments, it is essential for spotting lateral movement because many malicious actions happen after initial access and look legitimate unless relationships and baselines are known.

Expanded Definition

East-west visibility describes the monitoring and analysis of traffic that moves laterally inside an environment, rather than only north-south traffic entering or leaving the perimeter. In practice, it covers service-to-service calls, workload-to-workload communication, internal API requests, and identity-linked interactions that can reveal unexpected trust paths. For cloud, container, and microservice estates, the term is often used alongside detection engineering, network observability, and workload telemetry, but it is not the same as full packet capture or generic logging. The distinction matters because a platform can generate many logs without providing enough context to identify abnormal internal movement or privilege misuse.

Usage in the industry is still evolving because different teams place the boundary in different places: some mean network flow metadata, others include application traces and identity events. NIST SP 800-53 Rev. 5 Security and Privacy Controls is relevant here because it emphasizes monitoring, auditing, and incident detection capabilities that support internal visibility across enterprise systems. For identity-centric environments, east-west visibility also helps reveal where NHI, service accounts, or agent workloads are interacting in ways that exceed their intended scope. The most common misapplication is treating perimeter monitoring as sufficient, which occurs when teams assume north-south inspection will reveal lateral movement inside cloud-native and hybrid environments.

Examples and Use Cases

Implementing east-west visibility rigorously often introduces telemetry overhead and operational noise, requiring organisations to weigh richer detection against storage, performance, and tuning costs.

  • Security teams monitor service mesh traffic to identify a workload calling an internal database it normally never reaches, then correlate the request with workload identity and time-of-day baselines.
  • Cloud defenders inspect VPC or flow logs to spot a compromised host moving laterally to adjacent subnets after a phishing or token-theft event.
  • Identity teams correlate internal API calls with NHI activity to see whether an application credential is being reused across systems outside its approved function.
  • Detection engineers combine network telemetry with SIEM rules and endpoint signals to distinguish routine east-west chatter from beaconing, reconnaissance, or privilege escalation.
  • Incident responders use internal traffic patterns to reconstruct blast radius after compromise and to determine which services, secrets, or certificates may need rotation.

For control mapping, NIST SP 800-53 Rev 5 Security and Privacy Controls provides a useful reference point for monitoring and logging expectations that underpin these use cases. In cloud-native environments, east-west visibility is usually strongest when network data is paired with identity context, application traces, and asset metadata, rather than treated as a standalone feed.

Why It Matters for Security Teams

Security teams care about east-west visibility because internal movement is where many attacks become harder to distinguish from normal operations. Once an attacker or unauthorized agent gains initial access, they often blend into routine service interactions, reuse trusted credentials, or abuse machine-to-machine trust relationships. Without internal visibility, investigations can miss the transition from a single compromised identity to broader environment impact. This is especially important where NHI, service accounts, or AI agents have execution authority and tool access, since those identities can create large internal footprints with very little human involvement.

East-west visibility also supports segmentation validation, incident scoping, and control assurance. It helps teams verify whether Zero Trust and least-privilege assumptions are actually holding inside the environment, not just at the edge. For organisations using cloud-native platforms, strong internal observability often depends on combining flow data, workload telemetry, and identity signals into one investigation path, rather than relying on any single tool. Teams often discover the business value of east-west visibility only after a breach investigation reveals undocumented service relationships, at which point the capability becomes operationally unavoidable to contain spread and prove what was accessed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 DE.CM Detective monitoring and continuous assessment align to internal traffic visibility.
NIST SP 800-53 Rev 5 AU-2 Audit event generation supports capturing internal communication and access activity.
NIST Zero Trust (SP 800-207) Zero Trust assumes continuous verification of internal communications and access paths.
OWASP Non-Human Identity Top 10 Non-human identities can generate hidden lateral movement across services and workloads.

Correlate east-west telemetry with NHI usage to catch misuse of service credentials and tokens.