By NHI Mgmt Group Editorial TeamPublished 2026-04-09Domain: Cyber SecuritySource: Illumio

TL;DR: Lateral movement appears in nearly 90% of attacks while 82% of organisations still trust perimeter detection, according to Illumio citing The 2025 Global Cloud Detection and Response Report. Static firewall rules and fragmented policy governance leave modern hybrid environments exposed once attackers get inside.


At a glance

What this is: This article argues that firewalls alone cannot contain attacks in modern hybrid environments because lateral movement happens after perimeter defences are bypassed.

Why it matters: It matters to IAM and security teams because containment now depends on workload-level segmentation, policy governance, and privilege boundaries that reduce blast radius across human and non-human access paths.

By the numbers:

👉 Read Illumio's analysis of firewall gaps and lateral movement containment


Context

Lateral movement is the phase of an attack where an intruder uses existing access to move from one system to another after initial compromise. In hybrid and multi-cloud environments, static perimeter controls rarely provide enough visibility into east-west traffic, policy drift, or workload-to-workload trust, so containment becomes the more important control objective than simple edge blocking.

The identity angle is real even in a segmentation story. Workload communication paths often mirror privilege boundaries, and the same governance gaps that weaken NHI control, such as standing access, poorly scoped trust, and unmanaged policy change, also make it harder to stop an intruder from turning one foothold into environment-wide reach.


Key questions

Q: What breaks when firewall-only security is used in hybrid environments?

A: Firewall-only security breaks down when attackers already have internal access and can move laterally through allowed east-west paths. Perimeter controls may still block some ingress, but they do not reliably contain workload-to-workload movement, policy drift, or over-broad internal trust. In hybrid environments, that gap turns one foothold into a much wider blast radius.

Q: Why do lateral movement attacks expose weaknesses in modern segmentation?

A: Lateral movement attacks expose weaknesses when segmentation is tied to static network assumptions instead of application context and workload identity. If internal trust is broad, the attacker can reuse legitimate paths after entry. Effective segmentation reduces this by limiting which workloads can communicate and by making internal access intentional, visible, and continuously enforced.

Q: How do security teams know if segmentation is actually reducing risk?

A: Teams know segmentation is working when unnecessary workload communications disappear, exception volume falls, and policy changes are validated continuously rather than assumed. A good signal is that one compromised workload cannot reach adjacent systems without hitting an explicit control. If internal traffic remains widely open, the organisation still has a propagation problem, not a containment strategy.

Q: Who is accountable when internal policy drift leaves breaches easier to spread?

A: Accountability usually sits across network security, platform teams, and the owners of the applications that define the trust relationships. If policy drift is not assigned to a clear owner, exceptions multiply and controls go stale. Governance should specify who approves internal flows, who validates enforcement, and who remediates drift when the environment changes.


Technical breakdown

Why perimeter firewalls miss east-west attack movement

Perimeter firewalls are designed to inspect ingress and egress traffic, not to continuously model trust between internal workloads. Once an attacker gains a foothold, east-west traffic becomes the real attack surface because the intruder can enumerate services, test trust relationships, and move through allowed paths that look legitimate to edge controls. In hybrid environments, workload placement and IP addresses change faster than static rules can be rewritten, which creates blind spots and policy drift. Segmentation works differently because it treats communication as an application policy problem, not a network location problem.

Practical implication: teams need internal traffic visibility and segmentation controls that follow workloads, not static network boundaries.

How centralized policy governance reduces firewall rule drift

When firewall policy, segmentation policy, and validation live in separate systems, teams lose confidence that the intended control still matches the enforced control. Rule sprawl grows as exceptions accumulate, change windows widen, and nobody can easily prove which policy is active at any moment. Centralized policy governance addresses that by reconciling intent, enforcement, and drift detection in one control plane. That matters because security failures in modern estates are often governance failures first and technology failures second.

Practical implication: align policy ownership, validation, and exception review so drift is visible before it becomes exposure.

Why workload segmentation is a containment control, not just a network control

Workload-to-workload segmentation limits which systems can communicate, which reduces the paths available for lateral movement after compromise. This is a containment pattern, similar in purpose to zero standing privilege in identity governance, because it limits the attacker's ability to reuse initial access across the environment. The control is most effective when policies are expressed in business terms such as application, role, and environment, then enforced continuously as workloads move or scale. That prevents security from depending on the stability of infrastructure objects that are no longer stable.

Practical implication: define segmentation in application context and treat it as blast-radius reduction, not as a firewall replacement.


Threat narrative

Attacker objective: The attacker aims to turn one initial compromise into broader internal reach so they can access more systems, increase persistence, and deepen operational impact.

  1. Entry occurs after an attacker gets past the perimeter or compromises a trusted workload, then lands inside the network where east-west visibility is weaker.
  2. Escalation and movement happen as the attacker uses allowed internal paths, policy drift, and over-broad trust relationships to reach additional workloads.
  3. Impact follows when the intruder reaches key assets or spreads far enough that breach containment fails and business disruption expands.

NHI Mgmt Group analysis

Lateral movement containment is now a governance problem, not only a network problem. Firewalls can still reduce exposure at the edge, but modern attacks exploit what happens after the first trusted entry point. The decisive question is whether internal movement is constrained by policy that follows workloads and access context. Practitioners should treat containment as a governance objective, not just a perimeter design choice.

Policy drift creates a control gap that attackers can exploit faster than teams can remediate. Hybrid estates change continuously, while static rules age poorly and exceptions accumulate. That makes the gap between intended policy and enforced policy a persistent risk surface. The practical conclusion is that validation must be continuous, not occasional, if segmentation is expected to work under real operational churn.

Blast-radius control is the right lens for hybrid environments. Once attackers assume initial access, the question is how far they can travel before detection and isolation stop them. That makes workload segmentation, privilege scoping, and policy governance part of the same containment strategy. Security teams should evaluate every internal trust path as a potential propagation route.

Network policy and identity policy are converging at the workload boundary. In practice, the same environment that demands stronger NHI governance also demands tighter east-west segmentation because both are about reducing unauthorized reuse of trust. A workload allowed to talk everywhere is the infrastructure equivalent of standing privilege. Practitioners should align network controls with identity boundaries rather than managing them as separate disciplines.

What this signals

Blast-radius governance is becoming a shared requirement across identity and network teams. The same organisations that struggle to govern AI and NHI privilege need to think about internal traffic the same way they think about access scope, because both determine how far compromise can travel. For teams using the NIST Cybersecurity Framework 2.0, that means stronger alignment between protect, detect, and respond controls, not isolated hardening projects.

Policy drift will increasingly be measured as an operational resilience issue. When workloads move faster than rules, containment becomes probabilistic instead of dependable. Teams should expect more pressure to prove that internal controls are validated continuously, not just documented, and to connect that evidence to the NHI Lifecycle Management Guide where identities and access paths intersect.

Identity and segmentation are converging at the point where trust is actually consumed. That means practitioners should review service account reach, automation permissions, and internal workload trust together, because an over-extended identity can defeat a well-placed firewall. The practical signal to watch is whether a compromised workload can still reach anything it should never have been able to touch.


For practitioners

  • Map east-west trust paths before tightening edge policy Inventory the workload-to-workload connections that are currently allowed, then identify which ones are unnecessary, risky, or not tied to an application requirement. Use that map to separate genuine business traffic from inherited trust that can expand blast radius. This is the visibility layer that reveals where segmentation should begin.
  • Centralise policy intent and drift validation Create a single review process for firewall rules, segmentation policies, and exceptions so that intent and enforcement are checked together. Reconcile changes continuously rather than waiting for periodic audits, because drift accumulates faster than most manual review cycles can catch it.
  • Treat segmentation as containment for privilege abuse Design policies so that compromise of one workload does not automatically grant access to adjacent systems. Align policy labels to application, role, and environment, then enforce default deny for non-essential flows. This reduces the pathways an attacker can use after a foothold.
  • Link workload isolation to NHI governance Review where service accounts, API keys, or automation identities can move between systems without a corresponding access boundary. If a credential can reach multiple workloads, the network design may be extending the identity blast radius instead of constraining it. Use the NHI Lifecycle Management Guide to tie access scope to containment decisions.

Key takeaways

  • The core problem is not firewall failure at the edge, but the inability of static perimeter controls to contain movement once an attacker is already inside.
  • The evidence points to a persistent gap between perceived perimeter confidence and real internal attack exposure, especially in hybrid environments with policy drift.
  • Teams should focus on workload segmentation, continuous policy validation, and identity-aware containment to reduce blast radius before lateral movement becomes a breach multiplier.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0008 , Lateral Movement; TA0040 , ImpactThe article focuses on stopping internal movement and limiting breach spread.
NIST CSF 2.0PR.AC-4Least-privilege and access restriction are central to segmentation and containment.
NIST SP 800-53 Rev 5AC-4Information flow enforcement fits workload-to-workload segmentation and policy governance.
CIS Controls v8CIS-12 , Network Infrastructure ManagementThe article is about managing internal network policy and segmentation complexity.
NIST AI RMFGOVERNThe governance challenge extends to AI and identity boundaries as policy ecosystems expand.

Align internal flow restrictions to PR.AC-4 and validate that only approved communication paths remain open.


Key terms

  • Lateral Movement: Lateral movement is the phase of an intrusion where an attacker uses existing access to move from one internal system to another. It often succeeds when trust relationships, internal access paths, or privileged credentials are broader than operationally necessary.
  • Microsegmentation: Microsegmentation is the practice of dividing internal environments into smaller communication zones so that only approved traffic can flow between workloads. It reduces blast radius by making movement between systems explicit, policy-based, and easier to validate continuously.
  • Policy Drift: Policy drift is the gap that appears when the intended security policy no longer matches what is actually enforced. It usually grows in dynamic environments where workloads, exceptions, and firewall rules change faster than governance processes can verify them.
  • East-West Traffic: East-west traffic is internal network communication between systems, workloads, or services inside an environment rather than traffic entering or leaving it. It is a critical visibility and control surface because attackers often exploit these internal paths after initial compromise.

What's in the full article

Illumio's full article covers the operational detail this post intentionally leaves for the source:

  • How the Illumio and FireMon integration combines segmentation visibility with centralized policy governance across hybrid environments
  • Why east-west traffic visibility matters when firewall rules no longer reflect how workloads actually communicate
  • How policy drift detection and validation help teams prove that enforcement matches intent
  • Why workload labels such as application, role, and environment are used to simplify scalable segmentation

👉 The full Illumio post covers the integration model, policy governance flow, and segmentation details for hybrid environments

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management in a way that supports broader containment and access decisions. It helps security practitioners connect identity boundaries to operational risk across hybrid environments.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org