Failure Pattern
East-west firewalls filter traffic, but they still trust workload identities that are inferred rather than verified. Attackers exploit this gap to spread quickly.
What We See in the Field
Encrypted traffic between workloads looks legitimate and is allowed: east-west firewalls permit it because it originates from trusted IP ranges. Malicious behavior blends into normal patterns.
Underlying Causes
IP-based identity assumptions
Lack of cryptographic workload identity
East-west traffic too dynamic
Metadata-based rules
Inability to inspect encrypted flows
Trust-Native Network Resolution
DTL ensures every east-west session is authenticated using TrustKeys. Firewalls then enforce identity rather than metadata, so attackers cannot manufacture trusted pathways.
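To make the contrast between the two rule styles concrete, here is an added example (not DTL or TrustKeys code, and not taken from this page) that evaluates the same constructed east-west flows against an IP-range rule and against an identity rule. The SPIFFE-style identity strings, the 10.20.0.0/16 "trusted" range, and the service names are assumptions chosen for illustration; the identity rule stands in for any enforcement point that only honours a workload identity proven by the session itself, such as a validated mTLS client certificate.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One east-west session as the enforcement point sees it (constructed sample)."""
    src_ip: str
    dst_service: str
    peer_identity: Optional[str] = None  # identity the peer presented, if any
    identity_verified: bool = False      # True only if proven cryptographically (e.g. mTLS chain validated)


# Metadata rule: anything sourced from these ranges is treated as "trusted" (assumed range).
TRUSTED_RANGES = [ip_network("10.20.0.0/16")]

# Identity rule: which proven workload identities may reach which service (assumed names).
IDENTITY_POLICY = {
    "payments-db": {"spiffe://example.internal/ns/payments/sa/api"},
    "orders-api": {"spiffe://example.internal/ns/web/sa/frontend"},
}


def ip_based_allow(flow: Flow) -> bool:
    """The weak rule: allow purely because the source address sits in a trusted range."""
    src = ip_address(flow.src_ip)
    return any(src in net for net in TRUSTED_RANGES)


def identity_based_allow(flow: Flow) -> bool:
    """The identity rule: ignore the address, require a verified identity that the policy authorises."""
    if not flow.identity_verified or flow.peer_identity is None:
        return False  # an unverified claim is treated as no identity at all
    return flow.peer_identity in IDENTITY_POLICY.get(flow.dst_service, set())


# Constructed flows covering the cases the text describes.
SAMPLE_FLOWS = [
    # legitimate payments API workload: verified identity, inside the trusted range
    Flow("10.20.1.5", "payments-db", "spiffe://example.internal/ns/payments/sa/api", True),
    # compromised host inside the trusted range, presenting no workload identity
    Flow("10.20.7.9", "payments-db"),
    # same host asserting an identity it cannot prove (no validated chain)
    Flow("10.20.7.9", "payments-db", "spiffe://example.internal/ns/payments/sa/api", False),
    # legitimate workload rescheduled onto a node outside the static range (dynamic east-west)
    Flow("10.30.2.2", "payments-db", "spiffe://example.internal/ns/payments/sa/api", True),
    # verified identity, but one that is not authorised for this service
    Flow("10.20.1.5", "payments-db", "spiffe://example.internal/ns/web/sa/frontend", True),
]


def evaluate(flows: List[Flow]) -> List[Tuple[str, str, bool, bool]]:
    """Return (src_ip, dst_service, ip_rule_allows, identity_rule_allows) for each flow."""
    return [(f.src_ip, f.dst_service, ip_based_allow(f), identity_based_allow(f)) for f in flows]


if __name__ == "__main__":
    for src, dst, by_ip, by_id in evaluate(SAMPLE_FLOWS):
        ip_dec = "ALLOW" if by_ip else "DENY"
        id_dec = "ALLOW" if by_id else "DENY"
        print(f"{src:>10} -> {dst:<12} ip-rule={ip_dec:<5} identity-rule={id_dec}")
```

The second and third flows are the failure pattern from the section above: the IP rule admits a host only because of where it sits, while the identity rule denies it because no verified identity was presented. The fourth flow shows the other half of the problem, a legitimate workload the static IP rule now blocks after a reschedule, which the identity rule still admits because the identity, not the address, is what is checked.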
Broken Trust Assumption
The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.
During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.
This is the risk of trust inferred from credentials, location, or prior authentication.
