Many of our customers start using Illumio ASP to segment a small number of their critical applications – often to address an immediate audit or compliance issue. The security team generally takes the lead in these initial segmentation projects. They write and provision the segmentation policy for these apps with the assistance of the application teams that own the apps. This approach works well for segmenting a handful of applications.
But what happens if your organization decides they want to expand the segmentation initiative to all enterprise apps?
One approach is to build a “ministry of segmentation” within the security organization. That is easier said than done. According to a recent study by (ISC)2, nearly two-thirds (65%) of responding organizations reported a shortage of cybersecurity staff, with a lack of skilled or experienced security personnel their number one workplace concern (36%).
Even with sufficient resources, the security team may not have detailed knowledge of how every business application is designed to operate. For example, suppose the security team observes an application communicating out to the Internet. How do they know if there is a legitimate reason for this connection? Making the wrong policy decision could either break the application or leave it open an unnecessary security hole.
An alternative to having the security team segment every application is to delegate policy authoring to the application team. Most large organizations have application owners who are accountable for each application, including its security safeguards. App owners can use our real-time dependency map to visualize the workloads and communication flows that comprise their applications and then build and test segmentation policy using natural language.
Today, we are announcing Illumio ASP version 20.1 that includes App Owner View (AOV), a new feature that enables application owners to author policy for their own apps.
Involving application owners in segmentation efforts benefits organizations in the following ways:
- Eliminates the need to hire large numbers of additional IT security staff
- Reduces the time to create application-level policies
- Improves policy accuracy, as app owners can attest to the validity of application flows
- Minimizes risk of accidentally breaking an application through incorrect policy
- Mitigates concerns application teams may have about segmentation by making them active participants in the process
Handing over some of the segmentation responsibility to application owners doesn’t mean the security team gives up all control. The Policy Compute Engine (PCE), the central “brain” that orchestrates policies across workloads, provides granular role-based access control (RBAC) to enforce separation of duties and least privilege access. PCE RBAC ensures that application owners only see information about their applications and limited information about any upstream/downstream dependencies. Everything else is hidden for them. In addition, through RBAC, the security team can limit app owners to writing draft policy but not provisioning the changes. The security team can review and approve all policies against corporate standards before they are provisioned.
We’re excited to share the news about App Owner View and what it means for our customers. Interested in learning more? My colleague, Bharath Shashikumar, breaks down our unique approach and the technical details about these app owner-related enhancements in this blog post.
Ready to give us a try? Check out our 30-day free trial.