TL;DR: Modern breaches increasingly succeed after the first foothold, when attackers move laterally through hybrid and multi-cloud environments that perimeter firewalls cannot fully see, according to Illumio. The practical shift is from edge-centric prevention to internal visibility and containment, because blast-radius control now matters more than blocking every initial entry.
NHIMG editorial — based on content published by Illumio: How Illumio Complements Your Firewalls
Questions worth separating out
Q: What fails when perimeter firewalls are the main control for internal attacks?
A: Perimeter firewalls fail when the attacker is already inside because they are built to control boundary traffic, not internal movement between workloads.
Q: Why do NHIs make lateral movement harder to govern?
A: NHIs make lateral movement harder to govern because service accounts, tokens, and automation credentials often hold broad, persistent trust that outlives the task they support.
Q: How do security teams know whether internal containment is working?
A: Internal containment is working when high-value systems are unreachable through unnecessary pathways, privileged workloads cannot talk freely across zones, and an initial compromise does not expand into multiple segments.
Practitioner guidance
- Map east-west communication paths Build an application-centric inventory of which workloads, services, and identities actually communicate inside the environment, then remove any pathway that lacks a documented business need.
- Segment by workload identity and labels Replace static IP-based assumptions with labels, metadata, and identity-aware policy so controls move with ephemeral workloads.
- Constrain lateral reach for NHIs Review service accounts, tokens, and automation credentials for unnecessary internal connectivity, then trim privileges to the smallest set of systems required for the task.
What's in the full article
Illumio's full article covers the operational detail this post intentionally leaves for the source:
- How the platform maps east-west traffic into application-centric views that can support segmentation decisions.
- How labels and metadata are used to make policy follow workloads as infrastructure changes.
- How breach containment is applied to high-value assets without depending only on perimeter inspection.
- How the vendor frames internal visibility as a complement to existing firewall deployments.
👉 Read Illumio's analysis of why lateral movement is the real firewall failure →
Lateral movement containment: what IAM and security teams miss?
Explore further
Lateral movement containment is now an identity governance problem, not only a network design problem. The article correctly shifts attention from perimeter enforcement to what happens after a foothold is established. That matters because compromised credentials, service accounts, and other NHI access paths are often the first internal trust relationship attackers exploit. Practitioners should treat east-west reach as a governance surface, not just a connectivity problem.
A question worth separating out:
Q: Who is accountable when lateral movement controls are missing?
A: Accountability should sit with both security leadership and the teams that own identity, platform, and network policy, because lateral movement is a shared control problem. Frameworks such as NIST CSF and OWASP NHI make it clear that internal access, visibility, and containment are governance responsibilities, not optional hardening tasks. Ownership must be explicit before an incident forces the issue.
👉 Read our full editorial: Lateral movement is the real firewall failure in modern environments