/
Illumio Products

Balancing Security and Operational Resilience: Illumio’s Strategy for Secure and Stable Software Releases

Cybersecurity is all about reducing risk. That’s why it’s so important to consider how your security solutions not only deliver value but also keep you safe if their systems fail.  

At Illumio, our top priorities are staying stable and reliable for our customers. This helps you build a Zero Trust Segmentation architecture that stays resilient even when something fails.

This blog post overviews the design choices we’ve made in the Illumio platform that help keep you secure while reducing the effect of a worst-case scenario.

How Illumio releases new software

When security vendors release new software to customers, it usually happens in one of two ways:

Inline in the data plane: This means the vendor’s software gets put directly into the network infrastructure in the path of network traffic. An inline solution can block malicious traffic. But this means it can also block all traffic if it fails. These solutions also usually need deep access into the operating system, often into kernel space. The deeper it goes, the higher the risk is if something goes wrong.

Out-of-band in the management plane: This means the vendor’s software is separate from the rest of the network infrastructure. It uses existing operating system features and avoids adding redundant solutions. It stays in the user space with little, if any, need to access the kernel space. Failures may temporarily affect the management plane, but they don't affect the data plane. In other words, the customer is still protected and operations aren’t hindered when a failure happens.

Illumio deploys software out-of-band in the management plane.

We use the packet filtering tools already built into major operating systems instead of redundant or inline packet filters. This approach automates these existing tools to segment the workloads directly. Packet filtering is part of the operating system, so Illumio software doesn’t need to be updated as frequently.  

Illumio works with some of the world's largest, most complex enterprises and government agencies. We understand that constant upgrades can be tough on critical systems. Our out-of-band deployment model helps greatly reduce these challenges.

A colorful diagram of the Illumio architecture

How Illumio upgrades its SaaS platform

When we upgrade our SaaS cluster, we use a staggered deployment workflow. This means we use a step-by-step process to upgrade one group of clusters at a time.

First, we test the new updates in several internal, non-production environments. Only after it passes these tests do we start upgrading the SaaS clusters — and we do that using a phased, staggered upgrade workflow. This means upgrades happen in phases, rather than all at once, and only for a few tenants at a time.

If a problem does emerge during the upgrade, we stop the process right away. This way, the issue affects only customers upgraded in the earliest phases. (And we can quickly roll back the last stable Illumio instance.) We never upgrade the SaaS cluster to all customers at the same time.  

How Illumio upgrades segmentation policy

When we make updates to Zero Trust Segmentation policies for workloads, we send them only to the parts of our customers’ environments that need them.

In the Illumio platform, customers create their own intent-based segmentation policy using labels. Role-based access controls (RBAC) prevent creating policies that are too permissive. Illumio updates these policies in the background as IPs change and as workloads are added or removed. Only the workloads affected by specific customer changes get updated policies from Illumio.

For data center and endpoint workloads, Illumio receives and applies policies within the native operating system’s firewall. Customers have full control over this process, deciding when and if they want to upgrade to a new software version.  

When Illumio does have new software versions, the SaaS platform still has backward compatibility. This means it continues to work with older versions of Illumio. Because of this, customers don't have to upgrade often. They can test and roll out upgrades on their own schedule and based on their own change practices.

A simpler architecture means less risk

You can never completely eliminate risk from your security stack. But a simpler architecture means fewer points of failure.

The Illumio platform’s design reduces the number of things that might fail in a worst-case scenario. While no system is completely risk-free, our simpler setup and smaller size make major problems far less likely if something does go wrong.

Contact us today to learn how Illumio helps keep your organization safe and resilient.

Related topics

No items found.

Related articles

Why Hackers Love Endpoints — and How to Stop Their Spread with Illumio Endpoint
Illumio Products

Why Hackers Love Endpoints — and How to Stop Their Spread with Illumio Endpoint

Traditional security leaves endpoints wide open to hackers. Learn how to proactively prepare for breaches with Illumio Endpoint.

Harnessing Natural Language to Define and Simplify Microsegmentation Policies
Illumio Products

Harnessing Natural Language to Define and Simplify Microsegmentation Policies

Harnessing natural language can reflect how users perceive the resources being protected as well as their attitudes toward security in general.

Illumio Endpoint Demo: Getting Quick Endpoint Segmentation ROI
Illumio Products

Illumio Endpoint Demo: Getting Quick Endpoint Segmentation ROI

Watch this Illumio Endpoint demo to learn how endpoint segmentation with Illumio offers quick ROI.

10 Reasons to Choose Illumio for Zero Trust Segmentation
Zero Trust Segmentation

10 Reasons to Choose Illumio for Zero Trust Segmentation

Learn why organizations are adopting Zero Trust Segmentation as a foundational and strategic pillar of any Zero Trust architecture.

3 Qualities to Look For in a Zero Trust Segmentation Platform
Zero Trust Segmentation

3 Qualities to Look For in a Zero Trust Segmentation Platform

The best way to protect against cyberattacks spreading throughout your network is to deploy Zero Trust Segmentation, enforcing access controls that block the pathways breaches like ransomware depend on.

Illumio Named Among Notable Vendors in the Forrester Microsegmentation Landscape, Q2 2024
Zero Trust Segmentation

Illumio Named Among Notable Vendors in the Forrester Microsegmentation Landscape, Q2 2024

See how the Illumio Zero Trust Segmentation Platform aligns with all of the Forrester overview's core and extended use cases in our opinion.

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?