By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: IllumioPublished August 4, 2025

TL;DR: As organisations spread workloads across AWS, Azure and Google Cloud Platform, manual segmentation and fragmented visibility create blind spots that make lateral movement harder to detect, according to Illumio. The practical issue is not cloud choice but whether policy, telemetry and enforcement can stay consistent across environments.


At a glance

What this is: Illumio argues that expanding Google Cloud Platform support is meant to reduce multi-cloud visibility gaps and make segmentation more consistent across distributed workloads.

Why it matters: For IAM and security teams, the key issue is whether identity, access and segmentation controls still hold when applications and workloads move across clouds and enforcement becomes inconsistent.

👉 Read Illumio's analysis of GCP support for multi-cloud segmentation and containment


Context

Distributed cloud environments create a governance problem as much as a technical one. When workloads span AWS, Azure and Google Cloud Platform, teams lose a single operational view of access paths, traffic flows and policy exceptions, which makes segmentation harder to sustain.

In identity-heavy cloud environments, those gaps matter because access control is only as strong as the consistency of enforcement. Where policy differs by platform, the practical challenge becomes controlling workload communication, privilege and blast radius without multiplying manual effort.


Key questions

Q: How should security teams validate cloud segmentation in practice?

A: Security teams should validate segmentation by testing observed traffic against the intended policy boundary, not by relying on configuration alone. Start with workloads that should have constrained reach, then examine whether risky services, lateral paths, or unexpected destinations remain available. The goal is evidence that enforcement matches architecture, not just approval from a design review.

Q: Why do service accounts and workloads still create lateral movement risk in cloud environments?

A: Because many environments still trust the host, namespace, or cloud boundary more than the workload's actual state. If a compromised process can inherit identity or reuse credentials after execution starts, lateral movement becomes easier even when permissions look narrow on paper. The control problem is trust inheritance, not just entitlement size.

Q: What breaks when cloud segmentation is managed separately in each platform?

A: What breaks is policy consistency. Separate management creates different rule sets, different exceptions and different visibility standards, which makes it easy for drift to hide in plain sight. Over time, teams lose confidence that what they intended to block is actually blocked, and that uncertainty becomes an attack surface.

Q: How do teams know if microsegmentation is actually working?

A: Microsegmentation is working when a compromised workload cannot reach anything outside its explicit policy boundary. The best signal is not the existence of a segmentation design, but the reduction in reachable assets after compromise. If east-west traffic still flows broadly, the control is not changing attacker economics.


Technical breakdown

Why multi-cloud segmentation breaks down

Multi-cloud segmentation breaks down when each cloud provider exposes different native controls, policy models and telemetry. Security teams then have to translate intent across platforms, which creates drift between the policy they think they applied and the traffic that is actually allowed. In practice, this is a control-plane consistency problem: the more environments you manage separately, the harder it becomes to preserve the same trust boundaries everywhere.

Practical implication: standardise segmentation intent centrally and test whether cloud-specific enforcement matches that intent in each environment.

What agentless visibility changes in distributed environments

Agentless visibility reduces deployment friction by removing the need to install software on every workload, but it does not remove the need for strong policy design. The value is in seeing communication paths quickly enough to identify unexpected connections, east-west movement and exposure between workloads. Without that mapping, teams are left reacting to logs after policy gaps have already widened.

Practical implication: use agentless telemetry to map workload relationships first, then validate which paths should be allowed before broadening enforcement.

Why lateral movement is the real cloud containment problem

In distributed cloud environments, attackers often win by moving laterally rather than by causing a loud perimeter event. If workloads can talk to each other more freely than business need requires, compromise in one area can become access to adjacent systems. Segmentation is therefore about containment, not just neat architecture. Real-time observability matters because it shows where trust is being extended beyond the intended boundary.

Practical implication: prioritise containment rules for high-value workloads and verify that east-west traffic is limited to explicit business dependencies.


Threat narrative

Attacker objective: The objective is to expand a single compromise into broader access across cloud workloads by exploiting inconsistent segmentation and weak visibility.

  1. Entry typically begins after an attacker gains a foothold in one cloud workload or service and uses that position to inspect internal traffic paths.
  2. Escalation follows when over-permissive inter-workload communication or inconsistent segmentation lets the attacker reach adjacent systems without triggering obvious perimeter alarms.
  3. Impact occurs when the attacker moves laterally across the distributed environment and reaches higher-value workloads or data stores than the original entry point exposed.

NHI Mgmt Group analysis

Distributed cloud security is becoming a policy consistency problem, not just a tooling problem. The article reflects a broader reality in which security teams are expected to maintain the same control intent across AWS, Azure and GCP while each platform behaves differently. That makes segmentation governance harder than simple deployment, because drift is introduced whenever policy must be translated by hand. Practitioners should treat multi-cloud consistency as an operating model issue, not a feature checklist.

Visibility without containment is only partial control. The article correctly centres the gap between seeing workload behaviour and limiting it. In cloud security terms, observability helps identify risky paths, but security value comes from being able to constrain them before lateral movement expands. Teams should assume that blind spots become attack paths unless segmentation is verified continuously.

Workload access control now intersects with identity governance more directly than many cloud teams acknowledge. Applications, service identities and automation paths increasingly determine which workloads can communicate, and that makes identity-adjacent controls part of cloud containment strategy. This is where NHIMG's workload identity lens matters: if service-to-service access is not governed with the same discipline as human access, segmentation remains brittle. Practitioners should align cloud policy with workload identity boundaries.

Cloud security programmes need a named concept for the failure mode this article describes: segmentation drift. Segmentation drift is the gap between the policy a team believes it has standardised and the practical differences created by cloud-specific controls, manual exceptions and fragmented visibility. Once drift accumulates, lateral movement becomes easier than the governance model assumes. Practitioners should measure drift as a control failure, not a deployment inconvenience.

What this signals

Segmentation drift: as multi-cloud estates expand, the practical risk is no longer just misconfiguration but divergence between intended policy and platform-specific enforcement. That makes workload identity and explicit communication maps more valuable than perimeter-style assumptions, particularly where service-to-service trust crosses cloud boundaries. Teams should expect cloud containment reviews to shift toward dependency-based policy validation.

Identity-adjacent cloud controls are becoming more important as automation and service identities drive east-west communication. The operational question is whether security teams can prove that workload access remains bounded to explicit dependencies rather than inherited trust. For teams building out cloud governance, the next step is to align segmentation reviews with workload identity boundaries and test them against real traffic.

The organisation that cannot explain its allowed workload paths is effectively operating with hidden privilege in the cloud. That is why observability, policy consistency and containment must be treated as one control family, not separate projects. Practitioners should prepare for broader demand to evidence why a workload is allowed to reach another workload, not just whether the rule exists.


For practitioners

  • Centralise segmentation policy intent Define one policy model for workload communication across AWS, Azure and GCP, then map cloud-native controls back to that model so exceptions are visible rather than implicit.
  • Validate east-west traffic paths continuously Use visibility data to review which workloads are talking to each other, then remove or constrain paths that are not tied to explicit business dependencies.
  • Treat workload identities as containment boundaries Tie service-to-service access to explicit workload identity and application dependency maps so access can be restricted when the trust relationship is not required.
  • Measure segmentation drift as a control signal Track policy exceptions, cloud-specific overrides and unmanaged communication routes as evidence that segmentation intent is diverging from enforcement.
  • Prioritise high-value workloads for containment first Start with applications and data stores whose compromise would create the largest lateral movement opportunity, then verify that their inbound and east-west paths are tightly bounded.

Key takeaways

  • Multi-cloud segmentation fails when policy intent diverges from cloud-specific enforcement.
  • The main containment risk is lateral movement across workloads that security teams cannot clearly see or consistently limit.
  • Practitioners should treat segmentation drift and workload identity boundaries as core cloud governance controls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0008 , Lateral Movement; TA0007 , DiscoveryThe article centres on limiting spread across distributed workloads and improving visibility.
NIST CSF 2.0PR.AC-4Segmentation consistency across clouds aligns with restricting access to authorised communications.
NIST SP 800-53 Rev 5AC-4AC-4 governs information flow enforcement, which is central to cloud segmentation and containment.
CIS Controls v8CIS-12 , Network Infrastructure ManagementThe post is about controlling distributed network paths and reducing blind spots.
NIST Zero Trust (SP 800-207)Zero trust architecture supports continuous verification of workload communications and trust boundaries.

Map cloud communication paths to lateral movement and discovery techniques, then constrain unnecessary east-west access.


Key terms

  • Segmentation Drift: Segmentation drift is the gap between the access or communication policy a team thinks it has and the controls actually enforced across environments. In multi-cloud estates, drift appears when cloud-specific rules, manual exceptions and inconsistent visibility gradually weaken the intended trust boundary.
  • East-West Traffic: East-west traffic is communication between workloads inside an environment rather than traffic entering or leaving it. It matters because attackers often move laterally through internal paths after initial compromise, so visibility and restriction of east-west flows are central to containment.
  • Workload Identity: Workload identity is the trusted identity assigned to an application, service or automated workload so it can authenticate and authorise itself to other systems. It is a foundation for governing machine-to-machine access, because segmentation and policy decisions depend on knowing which workload is asking for what.

What's in the full article

Illumio's full blog covers the operational detail this post intentionally leaves for the source:

  • How Illumio applies segmentation policy across AWS, Azure and Google Cloud Platform in practice.
  • What the agentless integration changes for deployment effort and operational rollout.
  • How Illumio Insights maps distributed workload behaviour and blind spots inside GCP.
  • Why the vendor frames containment as a response to lateral movement in multi-cloud environments.

👉 Illumio's full post covers its GCP integration details, policy model and visibility workflow.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity and secrets management for practitioners who need to connect access control with operational reality. It is designed for security teams that must govern identity boundaries across modern infrastructure and automation.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org