TL;DR
East-West traffic is network communication between workloads inside a cloud environment: microservice to microservice, container to container.
It accounts for 70–80% of all cloud network traffic, but most cloud security focuses on north-south (perimeter) traffic.
East-West traffic is the primary attack vector for lateral movement: open east-west paths let attackers move from workload to workload after a breach.
Communication Governance secures the east-west layer by defining and enforcing which workloads can communicate with which others.
Most cloud environments have no meaningful east-west policy enforcement, creating unlimited blast radius from any breach.
Definition
Ask your security team what percentage of your cloud network traffic your current controls can actually see and enforce policy on. For most organizations, the honest answer is somewhere around 20–30%. The other 70–80% is east-west traffic: workload-to-workload communication inside your cloud environment, and it is the traffic that lateral movement exploits. East-West traffic is network communication that flows between workloads inside a cloud environment (microservice to microservice, container to container, VM to VM), as opposed to North-South traffic, which flows between external users and internal services. East-West traffic is also the primary attack vector for lateral movement: once an attacker breaches one workload, open east-west paths allow them to reach adjacent workloads without ever touching the perimeter controls where most security investment sits.
East-West vs. North-South Traffic
North-South traffic flows across the network boundary: inbound requests from external users to internal services, and outbound responses back. This is the traffic that perimeter firewalls, WAFs, and VPNs are designed to control. Most cloud security investment has historically focused here.
East-West traffic flows within the network boundary between internal workloads, microservices, databases, and APIs. This traffic never crosses a perimeter control. In most cloud environments, east-west traffic is governed only by broad security group rules that permit most workload-to-workload communication within the same VPC or environment.
The security implication: an attacker who breaches one workload, bypassing perimeter controls through a supply chain attack, credential theft, or vulnerable dependency, can move laterally through open east-west paths without encountering any security controls.
Why East-West Traffic Is Your Biggest Security Risk
The asymmetry between security investment and traffic distribution creates a critical vulnerability. 80% of cloud traffic moves east-west. Most security controls only see north-south traffic. The 80% is effectively ungoverned.
In the Detection Era, this gap was addressed by detection tooling: SIEM and XDR tools that monitor east-west traffic for anomalous patterns. But The Cascade demonstrated the structural limitation: east-west lateral movement can happen faster than detection-and-response cycles operate.
The Containment Era's answer is Communication Governance: govern the 80% with explicit policy rather than trying to detect anomalies in ungoverned traffic.
How to Secure East-West Traffic: Communication Governance
Define east-west policies by workload identity (tags, labels, service accounts), not IP addresses that change constantly
Enable default-deny for all east-west communication not explicitly permitted
Enforce policies at the workload level through a distributed cloud firewall, not at centralized chokepoints
Apply default-deny egress to control outbound connections from workloads
Run a Workload Attack Path Assessment (WAPA) to map all existing east-west paths and prioritize which to close
Review and update east-west policies continuously as workloads change
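The steps above, worked through as an added Python example that is not code from the original page or from any vendor product: workload identities carry labels, rules are written only against those labels, anything not explicitly allowed is denied in both directions (default-deny ingress and default-deny egress), and observed flow records are replayed against the policy to map which existing east-west paths the policy would close, ranked for remediation. All workload names, labels, IPs, rules and flow lines are constructed for the example; the inventory is the only place IPs appear, and it deliberately shows one workload owning several IPs over time so that the policy never has to change when addresses do.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """A workload identity: a stable name plus the labels policy keys on."""
    name: str
    labels: frozenset


@dataclass(frozen=True)
class Rule:
    """An explicit allow: every label in src/dst must be present on that end."""
    src: frozenset
    dst: frozenset
    ports: frozenset


class Policy:
    """Default-deny in both directions: a flow is permitted only when at least one
    rule matches the source identity, the destination identity and the port.
    An unmatched flow is denied, which for the source is default-deny egress."""

    def __init__(self, rules):
        self.rules = tuple(rules)

    def allows(self, src, dst, port):
        return any(r.src <= src.labels and r.dst <= dst.labels and port in r.ports
                   for r in self.rules)


# Constructed inventory (hypothetical names and labels). Rules reference labels only;
# a workload may own several IPs over time (replicas, reschedules), so IPs live here.
WORKLOADS = {
    "web":   Workload("web",   frozenset({"app=web",   "tier=frontend"})),
    "api":   Workload("api",   frozenset({"app=api",   "tier=backend"})),
    "db":    Workload("db",    frozenset({"app=db",    "tier=data", "sensitivity=high"})),
    "batch": Workload("batch", frozenset({"app=batch", "tier=backend"})),
}
UNKNOWN = Workload("unknown", frozenset())  # unmanaged endpoint: no labels, so no rule matches
IP_TO_WORKLOAD = {
    "10.0.1.10": "web", "10.0.1.11": "web",   # two web replicas
    "10.0.2.20": "api", "10.0.2.21": "api",   # api moved to a new IP after a redeploy
    "10.0.3.30": "db",
    "10.0.2.40": "batch",
}

# Constructed policy: the only two paths the application actually needs.
POLICY = Policy([
    Rule(frozenset({"tier=frontend"}), frozenset({"app=api"}), frozenset({8080})),
    Rule(frozenset({"app=api"}),       frozenset({"app=db"}),  frozenset({5432})),
])

# Constructed flow records ("src_ip dst_ip dst_port", one accepted flow per line),
# standing in for what a VPC flow log or CNI flow export would show.
FLOW_LOG = """\
10.0.1.10 10.0.2.20 8080
10.0.1.11 10.0.2.21 8080
10.0.2.21 10.0.3.30 5432
10.0.1.10 10.0.3.30 5432
10.0.2.40 10.0.3.30 5432
10.0.2.40 10.0.3.30 5432
10.0.2.40 10.0.3.30 5432
10.0.1.11 10.0.2.40 22
10.0.9.99 10.0.3.30 5432
"""


def identity_for(ip):
    """Resolve an IP to a workload identity via the inventory; unknown IPs get no labels."""
    name = IP_TO_WORKLOAD.get(ip)
    return WORKLOADS[name] if name else UNKNOWN


def is_allowed(src_ip, dst_ip, port, policy=POLICY):
    """Evaluate one observed flow against the identity-based policy."""
    return policy.allows(identity_for(src_ip), identity_for(dst_ip), port)


def parse_flows(text):
    for line in text.splitlines():
        if line.strip():
            src_ip, dst_ip, port = line.split()
            yield src_ip, dst_ip, int(port)


def assess_paths(flow_text, policy=POLICY):
    """Map observed east-west paths the policy would close, as (src, dst, port, count),
    ordered for remediation: paths into high-sensitivity workloads first, then by volume."""
    denied = Counter()
    for src_ip, dst_ip, port in parse_flows(flow_text):
        src, dst = identity_for(src_ip), identity_for(dst_ip)
        if not policy.allows(src, dst, port):
            denied[(src.name, dst.name, port)] += 1

    def priority(item):
        (_, dst_name, _), count = item
        sensitive = "sensitivity=high" in WORKLOADS.get(dst_name, UNKNOWN).labels
        return (not sensitive, -count)   # False sorts first, so sensitive targets lead

    return [(s, d, p, c) for (s, d, p), c in sorted(denied.items(), key=priority)]


if __name__ == "__main__":
    for path in assess_paths(FLOW_LOG):
        print("close: %s -> %s :%d (%d flows observed)" % path)
```

Two points are worth noticing when running it. The api workload changes IP between the first and second flow line and the policy is unaffected, because the rule matched `app=api`, not an address. And the flow from an IP absent from the inventory resolves to an identity with no labels, so it is denied by default rather than silently allowed; a real deployment would treat such unmanaged endpoints as an inventory gap to close, in the same way the ranked list treats the three batch-to-db flows as the first path to remove.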