“Deny thy father and refuse thy name.”—William Shakespeare
From a security perspective, the locus of attention is shifting to the interior of the enterprise data center and the public cloud (e.g., Infrastructure as a Service such as Amazon Web Services). The network-centric data center perimeter is not disappearing anytime soon. But it is becoming less relevant as computing becomes more distributed, dynamic, and contextual. If you are going to protect your data center, do you put your energy into protecting the data (software) or the center (building, hardware, and cables)? Does your data center need a drawbridge or a series of bodyguards?
Adding new “perimeters” within the data center—whether they are “middle box” devices or firewalls running on VMs—can add more “controls” to the interior by adapting a well-established model. Sounds good, right? Take something you know and repurpose it.
We are not just building a bigger firewall
The issue with this approach is that IT winds up retrofitting a new generation of computing capabilities with an older generation of security approaches. Why would the challenges of perimeter, choke-point security disappear when the same approach is applied to a new, more challenging computing environment? The issue is not about protecting a device or an IP address, but about dealing with:
- Workload motion within and across data centers (public and private—the “anywhere” problem) where a vendor’s “network” gear will not run.
- The lack of context about your workload / server captured by the network—the network was never built for that.
- And probably the most insidious problem of them all: taking all of the complexity of traffic steering, IP addresses, and manual intervention and shoving it into a DevOps world designed for continuous delivery and increasingly relying on automation.
The size, complexity, and dynamism of computing should not provoke a corresponding spike in the complexity of managing your security posture. The traditional firewall market—whether it’s delivered through a middle box or a VM—will have the same issue. Or as Gartner has noted, “through 2018, more than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.”[1] The answer is not to build a bigger firewall.
In fact, the answer requires both a simpler approach and a richer one—one in which security can be expressed in human terms, not in the IP addresses and syntax of firewalls. Nicira co-founder and UC Berkeley professor Scott Shenker has noted that “[t]he ability to master complexity is not the same as the ability to extract simplicity.”
The new model of security: Letting the workload defend itself
Security controls also must be aligned with the resources that you are trying to protect. If your computing resources change, your security must automatically adapt as well: it must automatically understand the computing workload, the environment, and the communications channels. This is best done at the workload level, and it must work for every workload. This allows the workload to play a role in its own defense, contributing its context—workload, application, environment, and location—into building a dynamic policy that transcends the computing environment.
An analog here is the shift to community policing in New York and Los Angeles under William Bratton. Community policing was a response to a traditional policing model that was crumbling under an unprecedented crime spike spanning the 1970s to the 1990s. It brought in a new element of crime prevention, not just crime reaction, by assigning more officers to street patrol, exposing them to neighborhood concerns, and training them to identify troubled individuals and bring in social service agencies to provide help. The new model reported broken windows, graffiti, and other signs where crime might be likely.
In the Illumio world, the Illumination service brings visibility to the services and activities of every workload. If it sees an open port (the equivalent of a kicked-in or open window), it provides the ability to not only understand the implications but also to lock it down. The workload (the equivalent of the community) helps protect itself: the Illumio Policy Compute Engine takes action based on any changes, attacks, or non-defined parameters, effectively harnessing all of these points of data (the equivalent of the efforts of the community police in New York and Los Angeles).
Illumio Adaptive Security is not a better or rebadged firewall. It is a completely new approach.
[1] Greg Young, “One Brand of Firewall Is a Best Practice for Most Enterprises,” Gartner Inc., November 28, 2012.