One of the key findings in Aviatrix’s recently published State of Cloud Network Security 2025 report is that DevOps security and east-west traffic controls are non-existent or lagging. Given the strategic nature of software development, and the non-negotiability of security at every level, this is highly concerning and worth a closer look at the data, its implications, and what to do about it. (There are a lot of other important cloud network security findings as well, so you’ll want to check out the full report.)

DevOps has invested in security, but gaps remain

Long gone are the days when development and security were two distinct silos, connecting only with great difficulty and friction. The shift-left approach has integrated security earlier in the development lifecycle, leading to the expansion of DevOps to DevSecOps. This includes increased security scanning—of applications, as well as containers and dependencies—and increased security automation to improve efficiency and reduce human error. In fact, GitLab reported that the number one DevSecOps investment priority last year was security, beating out even investment in AI. 

The good news here is that organizations are taking security within the DevOps pipeline very seriously. The bad news, as our survey uncovered, is that despite all the progress they’ve made—and they have made significant strides—there are still gaps that create exploitable vulnerabilities. 

Specifically, 85% of U.S. respondents are facing challenges related to securing their DevOps pipelines, and almost half (46%) characterized those challenges as “significant.” The bottom line is that the vast majority of DevOps pipelines are simply unable to keep up with needed security.

This gap has consequences beyond the potential exposure itself. Most respondents (67%) said their organization has had to delay a service deployment in the cloud as the result of a security review. So, despite all the shifting left and the investment in security tools and processes, security is still putting up innovation speed bumps while not fully protecting applications and workloads.

Why are DevOps and east-west traffic controls lagging?

To be fair, these gaps aren’t due to a lack of knowledge or under-prioritization. They are difficult to address because they stem from architectural blind spots and fragmented tooling. Traditional security approaches were built for perimeter defense. They patrol the border, so to speak, focusing exclusively on traffic trying to get in or out. Such north-south traffic control—with southbound being data entering from the outside and northbound data leaving the network to the outside world—is critical. But this model doesn’t work in cloud-native architectures where workloads are ephemeral, distributed, and often span multiple clouds. 

Here’s why: the perimeter-based approach assumes that once data has passed the perimeter controls, it is safe and can move around freely within the confines of the internal network. It doesn’t address east-west traffic—i.e., communication that happens inside the network perimeter—which was fine when there was a very clear distinction between “inside” and “outside” the network. This is, however, no longer the case. The cloud has pulverized the perimeter, replacing a fortifiable boundary line with thousands, or even hundreds of thousands, of computing “environments,” such as Kubernetes clusters, virtual private clouds, and serverless functions, to name just a few. So, while north-south traffic controls continue to be important, the lack of east-west controls has become hugely problematic. 

Furthermore, the ephemeral, API-driven nature of the traffic flowing between so many different kinds of clouds, VMs, clusters, devices, etc., makes it difficult to secure that traffic in a comprehensive and consistent manner that aligns with the best-practice zero trust model. 

Advice to secure DevOps pipelines and east-west traffic—and how Aviatrix can help

There are two significant approaches that can enable DevOps teams to address these gaps, both of which can be facilitated by the Aviatrix Cloud Native Security Fabric (CNSF).    

1. Infrastructure as Code (IaC)

The first approach is to use infrastructure as code (IaC) tools like Terraform, which enable you to treat management tasks as if they are code. In general, IaC automates manual operations to increase agility and efficiency and to reduce errors. From a security perspective, IaC allows you to define and enforce security policies alongside application deployments. Aviatrix CNSF integrates deeply with Terraform and GitHub Actions so you can use CSP regions, subnets, or tags, for example, to build your policy rules and automate policy enforcement.

2. Use dynamic micro-segmentation

When you create dynamic, logical groupings of cloud resources defined by criteria such as tags, resource types, or IP addresses—aka SmartGroups—you can apply consistent security policies across a multicloud network. An Aviatrix CNSF SmartGroup allows you to dynamically segment traffic based on VM, Kubernetes pod, Kubernetes namespace, and Kubernetes service attributes, enabling scalable, repeatable deployments without IP exhaustion or manual rule updates. Because SmartGroups allow you to use the identity of workloads to allow or reject east-west traffic, you have full control of both ends of that traffic. 
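As an added illustration of both approaches above (this is a constructed model, not Aviatrix code or the CNSF API), here is a small Python policy evaluator for identity-based east-west segmentation: groups are defined by workload kind and tags rather than IP addresses, rules are declared as data the way an IaC definition would declare them, and any east-west flow not explicitly allowed is denied. The group names, tags and addresses are invented for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Workload:
    """A VM or Kubernetes pod; its identity is kind + tags, never its IP."""
    name: str
    kind: str                      # "vm" or "k8s_pod"
    ip: str                        # ephemeral; policy never references it
    tags: Dict[str, str] = field(default_factory=dict)

@dataclass(frozen=True)
class Group:
    """Dynamic grouping: every workload matching the selector is a member."""
    name: str
    kind: Optional[str] = None
    tags: Dict[str, str] = field(default_factory=dict)

    def contains(self, w: Workload) -> bool:
        return (self.kind in (None, w.kind)
                and all(w.tags.get(k) == v for k, v in self.tags.items()))

@dataclass(frozen=True)
class Rule:
    src: str      # source group name
    dst: str      # destination group name
    port: int     # 0 means any port
    action: str   # "allow" or "deny"

def evaluate(src: Workload, dst: Workload, port: int,
             groups: List[Group], rules: List[Rule]) -> str:
    """First matching rule wins; unmatched east-west traffic is denied."""
    by_name = {g.name: g for g in groups}
    for r in rules:
        if (by_name[r.src].contains(src) and by_name[r.dst].contains(dst)
                and r.port in (0, port)):
            return r.action
    return "deny"   # zero-trust default for anything the rules do not cover

# Constructed three-tier environment; groups are selected by tags/labels only.
GROUPS = [
    Group("web", kind="vm", tags={"tier": "web"}),
    Group("app", kind="k8s_pod", tags={"app": "orders"}),
    Group("db", kind="vm", tags={"tier": "db"}),
]
RULES = [Rule("web", "app", 8080, "allow"), Rule("app", "db", 5432, "allow")]
WEB = Workload("web-1", "vm", "10.0.1.10", {"tier": "web"})
DB = Workload("db-1", "vm", "10.0.3.10", {"tier": "db"})
# A pod scaled up later has a new IP but is covered by the existing rules.
NEW_POD = Workload("orders-7f9", "k8s_pod", "10.244.9.41", {"app": "orders"})
```

The direct web-to-database path is denied even though no rule mentions it, and the newly scheduled pod inherits the app-tier policy without any rule update.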

The lack of robust DevOps security and east-west controls is alarming, and organizations should include IaC for security policy definition and enforcement and dynamic micro-segmentation (SmartGroups) in their immediate DevOps security investment strategies. Experience the Aviatrix CNSF for yourself with an interactive demo or a personalized walkthrough with one of our cloud security specialists. 

Robert Panzer

Principal Engineer - Software Development

Robert works in microservices architectures, Service Meshes and all things Kubernetes, Istio and GraphQL.
