By NHI Mgmt Group Editorial TeamPublished 2026-04-15Domain: Cyber SecuritySource: Illumio

TL;DR: Japanese organisations report the fewest daily alerts, the fastest average detection time at 10.3 hours, and only 31% saying they receive more alerts than they can investigate, according to Illumio’s analysis of the 2025 Global Cloud Detection and Response Report. The data suggests operational calm can mask weak east-west visibility and slower understanding of lateral movement risk.


At a glance

What this is: This analysis argues that Japan’s cloud security posture appears efficient on the surface but still has serious blind spots in east-west visibility and lateral movement detection.

Why it matters: For IAM and security teams, the lesson is that lower alert volume does not equal stronger control, especially where workload communication, identity context, and containment are incomplete.

By the numbers:

👉 Read Illumio’s analysis of Japan’s cloud security visibility and containment gap


Context

Japan’s cloud security challenge is not obvious overload, but incomplete internal visibility. A quiet environment can still be risky when security teams cannot clearly see how workloads, identities, and encrypted traffic interact once an attacker moves off the perimeter.

That makes the article relevant to identity-led security programmes as well as cloud teams. When east-west traffic lacks context, IAM, workload identity, and containment controls lose some of their value because teams cannot reliably connect access to movement or movement to impact.


Key questions

Q: What fails when cloud teams rely on alert volume as a security measure?

A: Alert volume only shows how noisy an environment is, not whether defenders can see attacker movement. A quiet estate can still hide lateral movement, weak telemetry, or missing context. Teams should judge visibility by whether they can reconstruct internal paths, correlate workload identity, and confirm that reduced alerts reflect better control rather than blind spots.

Q: Why do workload communication gaps matter for IAM and NHI governance?

A: Because access does not stop at login. In cloud environments, service accounts and workload identities often communicate internally, so opaque east-west traffic makes it hard to connect entitlements to real movement risk. That weakens both IAM decision-making and NHI governance, especially when attackers use legitimate internal channels to spread.

Q: How do teams know if lateral movement detection is actually working?

A: They should be able to trace a path, not just detect an alert. Effective detection means security teams can identify source workload, destination workload, identity context, and the policy or control that should have blocked the connection. If investigations end with uncertainty about the route, detection is incomplete.

Q: What should organisations do when containment happens faster than understanding?

A: They should treat the gap as a governance issue, not a success metric. Fast containment without path reconstruction leaves the underlying exposure intact, which means the same movement pattern can recur. Teams need post-incident analysis that ties response actions to workload relationships, identity use, and internal communication paths.


Technical breakdown

East-west traffic visibility and workload context

East-west traffic is communication between workloads inside the environment, rather than traffic entering or leaving it. In modern cloud and hybrid estates, that traffic often carries the real attack path because adversaries rarely stop at initial access. The problem is not just whether traffic is seen, but whether it is understood in context. Without workload relationships, identity context, and policy boundaries, defenders may observe packets but miss the meaning of the interaction. That creates a blind spot in investigation and prioritisation, especially when traffic is encrypted or containerised.

Practical implication: teams need visibility controls that correlate workload identity, communication paths, and policy intent, not just network telemetry.

Why low alert volume can still hide lateral movement

Alert volume measures noise, not coverage. A quiet environment can look healthy if the detection stack is tuned tightly, but that same quiet can also reflect missing telemetry, weak detection logic, or blind spots in east-west movement. Lateral movement is especially hard to catch because attackers often blend into legitimate workload-to-workload communication after initial compromise. If security teams rely on perimeter assumptions or alert counts alone, they may underestimate how far an attacker can travel before detection. The result is a false sense of control built on incomplete evidence.

Practical implication: validate whether reduced alert counts reflect better tuning or weaker visibility by testing lateral movement detection paths directly.

Contained incidents versus truly understood incidents

Containment and understanding are not the same thing. A team may limit blast radius through manual action or fast intervention while still failing to map the attacker’s route, the affected identities, or the exposed assets that enabled movement. In cloud environments, this distinction matters because the fastest response is not always the most informed response. If teams cannot trace how a workload connected to another workload, they may stop one incident but leave the underlying exposure unchanged. That gap becomes more serious as environments grow more distributed and identity-driven.

Practical implication: measure whether incident response includes path reconstruction and exposure analysis, not only service restoration.


Threat narrative

Attacker objective: The attacker’s objective is to move quietly across connected workloads long enough to increase impact while remaining hidden inside normal-looking cloud traffic.

  1. Entry typically begins with initial access to a cloud workload or adjacent service, after which the attacker uses legitimate-looking internal connectivity to avoid perimeter-based detection.
  2. Escalation occurs through lateral movement in east-west traffic, where weak visibility into workload relationships and encrypted communications hides the attacker’s path.
  3. Impact follows when the attacker reaches additional systems, expands blast radius, or exfiltrates data before security teams fully understand the movement pattern.

NHI Mgmt Group analysis

Operational calm is not the same as security maturity. Japan’s low alert volumes and faster detection times may indicate disciplined operations, but they do not prove that the environment is well understood. Security programmes that judge success by alert counts risk confusing reduced noise with reduced exposure. The real question is whether defenders can see the attacker’s path across workloads and identities. Practitioner conclusion: treat calm telemetry as a hypothesis, not a control outcome.

East-west visibility is the control gap that matters most in cloud containment. The article shows confidence falling where attackers actually move, especially across workloads, encrypted traffic, and containerised environments. That is a structural weakness in cloud security because perimeter-centric monitoring cannot explain internal propagation. Practitioner conclusion: prioritise visibility into workload-to-workload movement as a first-class control objective.

Visibility without identity context weakens both cloud and IAM programmes. When workload communication is opaque, teams cannot reliably connect access entitlements to real movement risk. This is where NHI governance intersects with cloud security: service identities, workload permissions, and communication paths need to be analysed together. Practitioner conclusion: make workload identity part of containment design, not a separate IAM conversation.

Lean teams need control models that reduce investigation debt, not just tool counts. The article points to a capacity problem as much as a technology problem. When teams are stretched, every missing context signal increases the time needed to decide whether an event matters. Practitioner conclusion: invest in controls that answer who talked to whom, why it mattered, and what path an attacker used, because that is what reduces operational strain.

Blast-radius control is becoming the practical benchmark for cloud resilience. In distributed environments, the question is less whether detection exists and more whether containment happens before internal spread becomes systemic. That reframes cloud security from incident spotting to exposure management. Practitioner conclusion: measure how quickly your controls can shrink blast radius once lateral movement starts.

What this signals

Japan’s lesson for cloud programmes is that calm telemetry can hide expensive uncertainty. Teams should watch for environments where alert counts fall but investigators still cannot explain internal movement, because that usually means the visibility problem has shifted rather than disappeared. That is where workload identity, east-west inspection, and response playbooks need to be joined up.

Workload identity is becoming a practical control surface for cloud containment. When service identities and workload relationships are not visible, incident response turns reactive and expensive. Security leaders should expect more focus on path-based investigation and less tolerance for dashboards that measure activity without explaining exposure.

The governance signal here is simple: organisations will increasingly need proof that they can map communication paths before they can claim resilience. That expectation aligns with broader identity-led controls and with containment models that reduce blast radius rather than merely documenting it.


For practitioners

  • Validate east-west visibility coverage Test whether your monitoring stack can explain workload-to-workload communications across cloud, containers, and encrypted traffic, not just raise alerts on perimeter events. Use controlled movement tests to confirm that the team can reconstruct who talked to whom and when.
  • Correlate identity and network telemetry Link service accounts, workload identities, and communication patterns so investigators can see whether internal traffic is expected, risky, or policy-violating. This reduces the chance that legitimate-looking internal calls mask lateral movement.

Key takeaways

  • Low alert volume and fast detection can still conceal major east-west visibility gaps.
  • Cloud security becomes weaker when teams cannot connect workload identity to internal movement.
  • The practical benchmark is blast-radius control, because containment without path understanding leaves exposure in place.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0DE.CM-1Visibility into cloud traffic and anomalies is central to the article’s containment argument.
NIST SP 800-53 Rev 5SI-4System monitoring is needed to detect lateral movement and hidden internal activity.
CIS Controls v8CIS-8 , Audit Log ManagementThe article’s response gap depends on whether internal movement can be reconstructed from logs.
MITRE ATT&CKTA0008 , Lateral Movement; TA0040 , ImpactThe article is fundamentally about hidden movement leading to broader breach impact.

Map detection coverage to lateral movement techniques and validate containment against ATT&CK scenarios.


Key terms

  • East-West Traffic: Traffic that moves between systems inside the environment rather than entering from or leaving to the internet. It matters because attackers often use internal connections to move after initial access, making visibility and context more important than perimeter alerting alone.
  • Lateral Movement: The phase of an attack where a threat actor moves from one system or workload to another to expand access or reach higher-value assets. In cloud environments, this often happens through trusted internal communication paths that look legitimate unless identity and network context are analysed together.
  • Blast Radius: The amount of systems, identities, or data an attacker can affect before containment succeeds. A smaller blast radius means controls limited propagation early, while a larger one indicates that visibility, segmentation, or response arrived too late to prevent spread.
  • Workload Identity: The identity assigned to software workloads, services, or applications so they can authenticate and communicate with other systems. It is a key control surface in cloud and NHI governance because it links machine access to policy, telemetry, and containment decisions.

What's in the full article

Illumio's full blog covers the operational detail this post intentionally leaves for the source:

  • The report's region-by-region detection and visibility comparisons that show where Japan differs from global averages.
  • The specific east-west traffic and lateral movement observations behind the cloud resilience argument.
  • The operational detail on how Illumio Insights prioritises workload relationships and exposure paths.
  • The environment context and evidence behind the claim that containment needs more context, not more alerts.

👉 Illumio’s full post expands the regional data, east-west visibility findings, and response implications for cloud teams.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It is designed for practitioners who need to connect identity control to broader security operations and resilience.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org