East-west traffic

By NHI Mgmt Group Updated June 8, 2026 Domain: Architecture & Implementation Patterns

East-west traffic is communication that moves between systems inside an environment rather than entering or leaving it. In microsegmentation programmes, it is the traffic most likely to expose hidden trust assumptions and is therefore the main target for workload-level policy.

Expanded Definition

East-west traffic is the internal movement of data between workloads, services, containers, and identity-bearing components inside a trust boundary. In NHI security, it matters because the traffic often reveals implicit permissions, undocumented dependencies, and service-to-service paths that perimeter tools do not see. That is why zero trust and workload segmentation efforts increasingly focus on internal flows rather than only ingress and egress.

Definitions vary across vendors on how narrowly the term should be applied. Some teams use it only for data centre or cloud subnet traffic, while others include pod-to-pod, service-to-service, and agent-to-tool communications. For NHI governance, the practical definition is the one that maps to identities, credentials, and policy enforcement points, not just network topology. Guidance from the NIST Cybersecurity Framework 2.0 reinforces the need to understand internal communication paths as part of asset, access, and risk management. In its Ultimate Guide to NHIs, NHI Management Group also stresses that internal traffic is where hidden trust assumptions persist longest, especially when service accounts and API keys are created for convenience and never revisited.

The most common misapplication is treating east-west traffic as a pure networking concern, which occurs when teams segment subnets but fail to bind policy to workload identity and actual service relationships.

Examples and Use Cases

Implementing east-west controls rigorously often introduces policy complexity and observability overhead: organisations must weigh tighter containment against the cost of mapping and maintaining every legitimate service dependency.

  • A payment service calls an internal risk-scoring API using a service account, and microsegmentation rules restrict that path to only the approved workload pair.
  • A Kubernetes cluster allows pod-to-pod traffic only where the workload identity is recognised, reducing lateral movement if one pod is compromised.
  • A CI/CD runner exchanges tokens with an artifact repository, and the communication path is monitored for unusual volume or destination changes.
  • An internal AI agent uses tools to query ticketing and database systems, making east-west policy essential to prevent broad tool reach from a single compromised agent identity.
  • Security teams trace lateral movement after an API key leak and discover that unrestricted internal service calls allowed the attacker to pivot across environments.
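The cases above share two mechanics: a default-deny policy keyed on the workload identity pair rather than on a subnet, and monitoring of the approved paths for new destinations or unusual volume. The following is an added illustration, not NHIMG code or any vendor's product: the SPIFFE-style identities, the policy tuples and the flow records are all constructed for the demo, and the detector's three-times-baseline threshold is an arbitrary choice for the example.

```python
"""Identity-bound east-west policy plus a simple lateral-movement detector.

Added illustration, not NHIMG or any vendor's code. Every identity, policy
rule and flow record below is constructed for the demo; the SPIFFE-style IDs
are placeholders for whatever your mesh or CNI stamps on a workload.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed workload identities (hypothetical; not a real deployment).
PAYMENT = "spiffe://corp.internal/ns/payments/sa/payment-svc"
RISK = "spiffe://corp.internal/ns/risk/sa/risk-scoring-api"
TICKETS = "spiffe://corp.internal/ns/support/sa/ticketing-api"
DBPROXY = "spiffe://corp.internal/ns/data/sa/db-proxy"
AGENT = "spiffe://corp.internal/ns/ai/sa/helpdesk-agent"
CI_RUNNER = "spiffe://corp.internal/ns/ci/sa/runner"
ARTIFACTS = "spiffe://corp.internal/ns/ci/sa/artifact-repo"


@dataclass(frozen=True)
class Flow:
    src: str     # caller identity from the mTLS peer certificate, not the source IP
    dst: str     # callee identity
    port: int
    nbytes: int  # bytes sent by the caller in this flow


# Microsegmentation policy keyed on identity pairs, default deny.
# No subnet or IP appears here: the rule binds to who is calling whom.
POLICY: frozenset[tuple[str, str, int]] = frozenset({
    (PAYMENT, RISK, 8443),        # payment service -> risk scoring, nothing else
    (AGENT, TICKETS, 8443),       # agent may reach ticketing but NOT the DB proxy
    (CI_RUNNER, ARTIFACTS, 443),  # runner -> artifact repository
})


def authorize(flow: Flow) -> bool:
    """Default deny: only an explicitly approved (src, dst, port) tuple passes."""
    return (flow.src, flow.dst, flow.port) in POLICY


def enforce(flows: list[Flow]) -> dict[str, list[Flow]]:
    """Split flows into those the policy allows and those it denies."""
    out: dict[str, list[Flow]] = {"allowed": [], "denied": []}
    for f in flows:
        out["allowed" if authorize(f) else "denied"].append(f)
    return out


def baseline(flows: list[Flow]) -> dict[tuple[str, str], float]:
    """Mean bytes per flow for every (src, dst) pair seen in the learning window."""
    per_pair: dict[tuple[str, str], list[int]] = defaultdict(list)
    for f in flows:
        per_pair[(f.src, f.dst)].append(f.nbytes)
    return {pair: mean(sizes) for pair, sizes in per_pair.items()}


def detect(current: list[Flow], base: dict[tuple[str, str], float],
           spike_factor: float = 3.0) -> list[tuple[str, str, str]]:
    """Flag callers reaching a destination they never used, and byte spikes on known pairs."""
    known: dict[str, set[str]] = defaultdict(set)
    for src, dst in base:
        known[src].add(dst)
    alerts: list[tuple[str, str, str]] = []
    reported: set[tuple[str, str]] = set()
    for f in current:
        pair = (f.src, f.dst)
        if f.dst not in known[f.src] and pair not in reported:
            alerts.append(("new_destination", f.src, f.dst))
            reported.add(pair)
    for pair, avg in baseline(current).items():
        if pair in base and avg > spike_factor * base[pair]:
            alerts.append(("volume_spike", pair[0], pair[1]))
    return alerts


# Constructed flow logs. The learning window is normal operation; the current
# window simulates a compromised agent identity probing the DB proxy and a CI
# runner that suddenly pushes far more data than usual.
BASELINE_FLOWS = [
    Flow(PAYMENT, RISK, 8443, 2_000), Flow(PAYMENT, RISK, 8443, 2_000),
    Flow(AGENT, TICKETS, 8443, 1_000), Flow(AGENT, TICKETS, 8443, 1_000),
    Flow(CI_RUNNER, ARTIFACTS, 443, 50_000), Flow(CI_RUNNER, ARTIFACTS, 443, 50_000),
]
CURRENT_FLOWS = [
    Flow(PAYMENT, RISK, 8443, 2_000),
    Flow(AGENT, TICKETS, 8443, 1_000),
    Flow(AGENT, DBPROXY, 5432, 300),           # not in policy, never seen before
    Flow(CI_RUNNER, ARTIFACTS, 443, 400_000),  # allowed path, 8x normal volume
]

if __name__ == "__main__":
    for f in enforce(CURRENT_FLOWS)["denied"]:
        print("DENY ", f.src, "->", f.dst, f.port)
    for alert in detect(CURRENT_FLOWS, baseline(BASELINE_FLOWS)):
        print("ALERT", *alert)
```

Two things are worth noticing. The agent's probe of the database proxy is blocked by `authorize` and also surfaces as a `new_destination` alert, so enforcement and detection corroborate each other. The CI runner's transfer passes policy (the path is legitimate) and is caught only by the volume check, which is why an approved pair still needs monitoring rather than a one-time allow rule.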

For a broader NHI context, the Ultimate Guide to NHIs explains why internal trust is often overextended, and the NIST Cybersecurity Framework 2.0 provides a practical anchor for mapping those flows to governance and control objectives.

Why It Matters in NHI Security

East-west traffic is where compromised NHIs turn into enterprise-wide incidents. Once a service account, token, or agent credential is abused, internal traffic becomes the attacker's route for discovery, privilege escalation, data movement, and persistence. This is especially important given that the Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges and that 80% of identity breaches involved compromised non-human identities. Those figures show why perimeter-only thinking leaves a major gap.

Understanding east-west traffic also supports incident response and control validation. If defenders cannot see how workloads talk to each other, they cannot confidently prove least privilege, isolate blast radius, or detect abnormal lateral movement. The NIST Cybersecurity Framework 2.0 helps organisations align visibility and response activities, but the operational reality is that internal communication paths must be modelled and continuously reviewed. Organisations typically encounter the consequences only after an internal compromise or secret exposure, at which point addressing east-west traffic is no longer optional.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-05 | Internal workload-to-workload paths reveal secret misuse and lateral movement risks.
NIST CSF 2.0 | PR.AA-04 | Identity-aware access control depends on understanding internal communications.
NIST Zero Trust (SP 800-207) | PA-3 | Zero Trust requires continuous verification of internal workload connections.

Treat every east-west connection as untrusted until explicitly authorised and continuously validated.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org