July 21, 2022

10 Reasons to Choose Illumio for Zero Trust Segmentation

Dorothy Moore, Competitive Intelligence Director

More and more organizations are interested in microsegmentation, especially Zero Trust Segmentation.

Zero Trust Segmentation denies access to applications and devices unless they are specifically required for operations. By blocking unnecessary network traffic, Zero Trust Segmentation shuts down the paths that ransomware and other cyberattacks depend on for moving across a network.

At Illumio, we offer a Zero Trust Segmentation solution that can be helpful to organizations of all sizes who are looking to get started on their Zero Trust journey. Here are 10 ways that Illumio provides a superior Zero Trust Segmentation experience.

1. Scalability

Illumio scales up to 200,000 managed workloads or over 700,000 unmanaged workloads. And these workloads can be in the cloud, on-premises, and in hybrid environments. Illumio supports some of the largest microsegmentation installations in production anywhere, providing the most comprehensive protection available anywhere against ransomware.

2. Single Pane of Visibility

You can't remediate what you can't see. The more platforms a product supports, the more comprehensive its single pane of visibility. Illumio's wide range of platforms and single pane of visibility greatly improve your security posture and ability to prevent and respond rapidly to cyberattacks.

Illumio is able to offer a single pane of visibility enabling Zero Trust Segmentation because it supports cloud, virtual machine, hybrid, and on-premises environments. This covers a wide range of platforms, including Windows, Linux, AIX, Solaris, Kubernetes, OpenShift, VMware, AWS, Azure, Google Cloud Platform (GCP), IBM, and Oracle.

With Illumio, organizations can define and enforce Zero Trust Segmentation policies that take effect everywhere: on-premises, on third-party cloud platforms, at remote locations such as home offices, and in IoT environments. For example, Illumio's integration with Cylera helps extend visibility into IoT environments like medical devices.

Unlike other platforms, Illumio provides a comprehensive solution that protects most environments against ransomware and other forms of cyberattack.

3. Simplicity instead of complexity

Part of the work of configuring any microsegmentation product is setting up the tags and user groups that will be used to define specific segmentation policies. For example, security architects might want to tag all the assets associated with a specific type of data center environment. Or they might want to define a user group comprising all the users in a specific department.

With many microsegmentation products, setting up groups and tags is time-consuming, error-prone work. It requires a lot of trial and error to get right.

With Illumio, setting up groups and tags is quick and easy. One way that Illumio streamlines this work is by integrating with next-generation firewalls such as Palo Alto Networks. We also integrate with IT Service Management tools such as ServiceNow's Configuration Management Database (CMDB) to import workload tags to provide more context to workloads.

When segmentation products make grouping and tagging difficult, customers often cut corners, grouping users and devices too broadly simply to get the work of assigning groups done. By simplifying this work, Illumio makes it easier for IT and security teams to set up the precise segmentation policies that best meet their needs.

4. No time-consuming, error-prone rules ordering

Some microsegmentation platforms offer too many types of rules for enforcing microsegmentation policies: Allow, Block, Override and Reject. Because they support multiple rule types, the ordering of rules matters a great deal when implementing segmentation policies.

For example, security analysts might decide to allow most traffic from an endpoint to enter a data center, but they might decide to reject some of the traffic from certain applications or at certain times. In cases like this, it’s critical that security analysts get the order of rules right; otherwise, the wrong traffic will be blocked.

Rule ordering might seem straightforward with just one or two examples. But when the scope of work expands to hundreds of workloads, it becomes much more time-consuming and problematic.

Illumio provides a simple and straightforward model for segmentation rules. By default, all traffic is blocked. Only explicitly authorized traffic is allowed to pass through. There’s never any confusion about which rules are in effect. And you no longer need to worry about packets being dropped either.

Because Illumio makes it easy to model segmentation policies, security teams can easily determine which traffic should be authorized. They explicitly allow that traffic, and Illumio blocks the rest in accordance with Zero Trust best practices.

The result? As close to airtight protection as a company can get for stopping the spread of cyberattacks on its networks.

5. Zero Trust Segmentation without the cost and complexity of deep packet inspection

Some segmentation companies have invested in deep packet inspection technology for their microsegmentation product lines. Deep packet inspection inspects the contents of network traffic, expanding the scope of work involved in analyzing traffic for policy enforcement.

At Illumio, we’ve found that we don’t need deep packet inspection to define and enforce segmentation policies. Operating at layer 4 in the network stack turns out to be sufficient for determining whether or not traffic is authorized.

By dispensing with deep packet inspection, Illumio is able to provide Zero Trust Segmentation without adding unnecessary cost and complexity to deployments or jeopardizing the network performance with intrusive inspections that result in delays.

6. Containing ransomware

Illumio provides enforcement boundaries to prevent attackers from moving laterally across the organization. This enables security architects to immediately isolate any workload or endpoint compromised in an attack. The enforcement boundaries can be activated instantly through scripts or by manual control, isolating already infected workloads and endpoints so that the infection cannot spread across the organization.

7. Visualization included at no extra cost

All Illumio products include application dependency mapping at no extra cost. Using its powerful graphical features, business leaders, application owners, and security teams can monitor real-time application usage and traffic patterns and determine which traffic should be allowed for business-critical operations. Once they understand which traffic patterns are legitimate, these teams can work together to quickly define policies that allow business-critical traffic to pass through while blocking everything else.

8. Build, model and test

It’s much easier to build, model and test segmentation policies with Illumio. Illumio’s real-time application dependency mapping provides the guidance business and security teams need for defining policies that protect the traffic legitimately needed for business. Business and security teams can model those policies, seeing alerts about the traffic that Illumio would block were the policies actually being enforced. This kind of modeling makes the work of fine-tuning policies quick and straightforward.

Because Illumio supports natural language definitions for policies, organizations can separate the work of designing rules from the work of implementing them. This provides checks and balances for compliance purposes, preventing one application group from overwriting the rules of another group of rule designers. It can also prevent the havoc caused by implementing the wrong set of rules, which can stop mission-critical traffic. A team that oversees these rules can put policies in place that prevent disruption to the business, giving your business leaders and application teams peace of mind.

9. Integrations

Illumio supports a wide range of integrations, including integrations with VMware vSphere, Ansible, ArcSight, AWS, Docker, Chef, Google Cloud Platform (GCP), Okta, RedHat, Microsoft Azure, Puppet, ServiceNow, and Splunk. These integrations make it easier to import data for workload tagging and visibility and to coordinate Illumio enforcement actions with SIEM and SOAR playbooks and other automated workflows.

10. Expertise

At Illumio, our expertise is Zero Trust Segmentation. Illumio's platform is purpose-built to solve the problem of delivering microsegmentation solutions at scale for companies across multiple industries. Forrester Research's recognition of Illumio as a leader in two of its Forrester Wave reports – one for microsegmentation and one for Zero Trust – testifies to the success of our approach.

Discover more about Illumio Zero Trust Segmentation
