Adaptive Segmentationmicro-segmentation September 14, 2022

3 Qualities to Look For in a Zero Trust Segmentation Platform

Dorothy Moore, Competitive Intelligence Director

When cyberattacks strike, they strike fast.  

Within minutes, tens of thousands of devices are locked up. Business comes to a halt. The demand for ransom begins. 

The best way to protect against cyberattacks spreading throughout your network is to deploy Zero Trust Segmentation, enforcing access controls that block the pathways breaches like ransomware depend on. That way, even if an attack makes its way into the network, it can’t spread. The attack remains a single spark, not a wildfire

But not all approaches to Zero Trust Segmentation guard against cyberattacks the same way. Some approaches are more effective than others. 

Based on our experience working with leading organizations such as financial services, healthcare, hospitality, and retail, we can say that segmentation works best when it is: 

  • Comprehensive, protecting as much of an organization’s IT assets as possible, regardless of where those assets are located. 
  • Manageable, easy to configure and – critically – easy to configure correctly, so that segmentation rules work as intended. 
  • Responsive, so that when attacks strike, security teams can respond quickly, isolating infected devices to prevent the attack from spreading further. 

Here are three qualities of the Illumio Zero Trust Segmentation Platform that make it so effective at protecting from the spread of cyberattacks. 

Illumio’s protection is comprehensive 

Let’s start with scalability. Illumio can support a wide range of customer environments from very small deployments for our mid-enterprise customers to some of the largest and most complex environments in the world. Customers can scale as the size and scope of their own environment grows.

What sets Illumio apart is our ease of use and deployment with the ability to quickly scale. This gives customers peace of mind that as they grow, their Zero Trust Segmentation provider grows with them.  

Illumio scales up to 200,000 managed workloads or over 700,000 unmanaged workloads in a single deployment, providing extensive protection against ransomware. To provide single pane of visibility, Illumio also supports a wide range of customer environments in the cloud, on-premises, and in hybrid environments. 

Operating systems supported include Windows, Linux, Solaris, and AIX. Illumio also supports cloud and container environments including AWS, Azure, Kubernetes, Google Cloud Platform (GCP), IBM Cloud, and Oracle – just to name a few. This flexibility is increasingly important as more companies adopt multi-cloud strategies.  

In addition to all of this, Illumio also supports IoT/OT environments which are important in many healthcare and manufacturing environments. And Illumio is constantly innovating and adding new platforms to the list! 

Illumio enables security teams to adopt one, comprehensive segmentation solution for all their on-premises, cloud, and hybrid environments, enabling single pane of visibility.  

Illumio’s protection is manageable 

Illumio’s solution is easier to manage in part because its security philosophy is so straightforward.  

Keeping true to the design goals of Zero Trust security – that is, trust nothing by default – Illumio blocks all traffic by default and only allows explicitly authorized traffic to pass through. The Illumio policy engine allows only one command – allow traffic to pass through – in its security policies. 

This design constraint turns out to greatly simplify security policies. Illumio’s application dependency map shows security teams, application owners, and other stakeholders the traffic that’s needed to support legitimate business operations. Using this information, stakeholders define policies permitting this legitimate traffic.  

illumio-application-dependency-map

Illumio's application dependency map provides an easy-to-understand map of network communications.

Illumio blocks everything else. Within days or even just hours, teams can analyze traffic patterns, define policies, model those policies without enforcement for further fine tuning, and then deploy effective Zero Trust Segmentation that protects even the busiest and most complex data centers from malware. 

The security model used by other platforms is more complex. It offers security teams multiple commands for crafting policies: Allow, Block, Override, and Reject. Because all traffic isn’t blocked by default, security enforcement depends on rules being in the right order.  

For example, traffic within a data center might be blocked, but traffic to and from an application might be allowed, unless that traffic is going to an external IP address, in which case it’s blocked. 

With scenarios like this one and even more complex scenarios, it’s easy for rules to be overlooked or misunderstood, allowing dangerous traffic to pass through or legitimate traffic to be inadvertently blocked. 

From our conversations with customers, we’re convinced that the straightforward design offered by Illumio is much easier to manage.  

Illumio’s protection is responsive 

It’s inevitable that an organization's network will be breached. When that happens, security teams need to act fast, isolating the attack at the point of entry so it can't spread through the network. 

With Illumio, that isolation can be enforced in just seconds, using Illumio’s built-in, configurable containment switch. That switch can be activated by security team members manually. Or it can be activated as part of a script, such as a Security Orchestration, Automation and Response (SOAR) playbook. 

In either case, the organization gets immediate protection against ransomware spreading further on the network. Once the infected endpoint is isolated, the security team can analyze the attack and remediate it. 

See Illumio for yourself 

If you’d like to see firsthand how Illumio Zero Trust Segmentation helps protect organizations from ransomware, contact us today to arrange a demo. 

Or, take Illumio for a test drive in hands-on labs led by Illumio experts. 

Continue learning about Illumio Zero Trust Segmentation: 

Adaptive Segmentationmicro-segmentation
Share this post: