Visibility

Which systems are running in your environment, and what do they communicate with? Surprisingly few companies can answer this question reliably. Network diagrams are outdated, and the CMDB reflects only part of the reality. The traffic between servers remains invisible to traditional perimeter tools anyway. Visibility closes this gap with a continuously up-to-date picture of what is running and communicating in your own infrastructure. This picture is the foundation of every effective security measure, because what you cannot see, you can neither protect nor audit.

What is visibility?

In IT security, visibility refers to the continuously up-to-date view across three levels: the existing assets, from the server to the cloud instance, the communication relationships between these assets, and the data flows that run over these connections. The difference from an inventory list is decisive. Visibility is not a snapshot that becomes outdated once a project ends. It is a continuously updated reflection of reality.

In practice, this means a real-time map of the environment, often called an application dependency map. It shows which application talks to which database and which service unexpectedly phones out to the internet. A traditional CMDB cannot achieve this: it depicts planned target states and structurally lags behind the reality as it is lived.

Particularly critical is east-west traffic, that is, the communication between servers and workloads within the data center or the cloud. Firewalls at the perimeter see only the north-south traffic toward the internet. The internal traffic, along which attackers move laterally after a breach, remains in the dark without dedicated measurement points.

How it works

Building visibility follows a clear sequence:

  • Capture assets: Agents on the workloads and queries of the cloud APIs inventory what is actually running. In the process, systems regularly turn up that were on no list.
  • Record communication: Flow telemetry directly from the workloads and from the network shows who talks to whom over which ports. What is decisive is that the internal east-west traffic is captured too.
  • Enrich context: Raw data is given labels, for example by application and environment. IP addresses and port numbers turn into comprehensible relationships between applications.
  • Build the map: The dependency map visualizes applications and their connections in real time and replaces static network diagrams.
  • Keep it updated: New workloads and changed connections flow in automatically. The map stays current without anyone having to maintain it manually.

Why it matters

  • Security decisions rest on observed facts instead of assumptions and outdated documentation.
  • Rules for microsegmentation can be derived from real communication relationships without jeopardizing productive connections.
  • Lateral movements by attackers stand out, because deviations from normal east-west traffic become visible.
  • Audits, for example to ISO 27001 or for NIS2, draw on verifiable actual data instead of curated target documents.
  • Shadow IT and forgotten legacy systems come to light before they become an entry point.
  • In the event of an incident, the impact radius of a compromised system can be narrowed down quickly.

Typical scenarios

  • Before a segmentation project, a company observes the real traffic over several weeks and derives policies from it that do not disrupt operations.
  • An auditor asks which systems access the finance database. The dependency map provides the answer in minutes instead of after days of research.
  • After an acquisition, the infrastructure of the acquired company is mapped before the two networks are connected.
  • Before a cloud migration, the map shows the dependencies of an application so that no critical connection breaks during the move.
  • After a security incident, the team reconstructs from the flow data which systems the attacker reached.

Visibility, monitoring, or observability?

The three terms overlap but answer different questions. Monitoring watches known systems based on predefined metrics and reports whether a service is available and performing well. Observability goes deeper: it derives the internal state of systems from telemetry data and helps in understanding unknown failure patterns. Visibility, by contrast, has a security focus. It shows which assets exist and who communicates with whom, even where no one is currently looking. Monitoring assumes that you know what you want to watch. Visibility uncovers what you did not even know about before. The disciplines therefore do not replace one another, they complement one another.

KAEMI as your partner

KAEMI begins every segmentation project with a visibility phase. Based on the Illumio platform, a real-time map of the workloads and their communication relationships is created first, including east-west traffic. Only once this map is in place and the business units have validated it do we derive policies for Zero Trust Microsegmentation from it and enforce them step by step. Ongoing operation is handled by the Professional & Managed Services : the map stays current, and deviations are assessed before they turn into risks. If you would like to know what is actually communicating in your network, get in touch .

Frequently asked questions about Visibility

How do visibility and monitoring differ?

Monitoring watches known systems based on predefined metrics, such as availability or response times. Visibility answers a different question: which assets exist at all and who communicates with whom. Monitoring needs a defined target, visibility also uncovers what no one had on their radar before. The two complement each other in a security architecture.

Why is a CMDB not sufficient for visibility?

A CMDB is maintained manually and depicts the planned target state. It becomes outdated as soon as systems move or projects bypass the documentation. Visibility, by contrast, measures the actual state directly in the network and updates itself continuously. The CMDB remains useful as an inventory register, but only the observed picture is suitable as a security foundation.

What is east-west traffic and why is it so hard to see?

East-west traffic is the communication between servers and workloads within a data center or a cloud environment. Traditional perimeter firewalls see only the north-south traffic toward the internet. It is precisely in the internal traffic that attackers move laterally after a breach. Without dedicated measurement points, this area remains invisible and therefore also unprotected.

How quickly does a visibility solution deliver usable results?

First maps emerge shortly after the sensors or agents are rolled out, because live traffic becomes visible immediately. The picture becomes reliable over several weeks, since rare connections such as month-end closings or backup windows also have to be captured. For policy decisions, KAEMI therefore recommends an observation phase spanning at least one full business cycle.

Is visibility a prerequisite for microsegmentation?

Yes. Segmentation rules that are not based on observed communication relationships will sooner or later interrupt productive connections or, out of caution, remain too broadly defined. The visibility phase shows in advance which connections an application really needs. From this, policies emerge that can be tested safely and enforced step by step. KAEMI therefore always starts segmentation projects with this phase.

From term to implementation: KAEMI supports you from the first assessment to day-to-day operations.