Illumio Blog
November 30, 2017

No New Hardware Required: Segmenting Environments For A Hedge Fund

Janani Nagarajan,

Find me on:

A major hedge fund in the US with over $10B under management wanted to segment their high-value client databases and trading systems—without re-architecting their applications or infrastructure. The enhanced focus on cybersecurity was driven from leadership’s increased concerns around critical information assets and compliance requirements.

ill_blog_header_featured_use_case_v4A.jpgTHE CHALLENGE

In a highly sensitive industry like financial services, high-value assets and compliance are invariably critical issues that put a spotlight on security. Historically, this hedge fund's segmentation projects moved slowly due to the manual network changes required by their existing security tools.

With over 1000 workloads involved, they estimated this new project would take months to complete:

  1. Discovery of existing application dependencies, enabling prioritized segmentation decisions.
  2. Extensive testing to determine if policy changes would break applications and negatively impact the business.
  3. Micro-segmentation enforcement to the group of workloads hosting their high-value applications without application re-architecting.

Finally, the fund had one additional driver: it wanted a cloud-delivered service, rather than introduce additional hardware and network traffic steering in their existing environment.

THE SOLUTION

Delivered directly as a cloud service, Illumio Adaptive Security Platform (ASP) provided software-based application dependency mapping and micro-segmentation for the entire environmentwithout adding any firewalls or requiring network reconfiguration.

How does Illumio ASP work? Imagine that a firewall already exists in front of every server, virtual machine, container, or network port in your data center and you could manage all of them simply and automatically at scale. That is what adaptive micro-segmentation provides. 

The Policy Compute Engine (PCE) – think about it as a central "brain" – activates and manages enforcement capabilities in assets that already exist in the data center without adding additional hardware or software chokepoints that impact performance and increase complexity. 

workloads_v3b.jpg

 

 

 

Illumio ASP constantly monitors and manages the company’s environment for potential policy changes or security violations. This helped operations and security teams see and lock down unauthorized network communications across their entire data center.

Taking advantage of the product’s rich REST APIs, Illumio ASP delivered the workflow and automation to integrate with the company’s orchestration tools (Puppet) and integrate seamlessly with the SIEM platform in their Security Operations Center.

THE BENEFITS

Illumio ASP was deployed on top of the company’s existing environment with only minimal changes. Key benefits included:

  • The ability to visualize and test new segmentation policies without any changes to the network.
  • Segmentation of the environment in hours and days versus the weeks and months associated with legacy network security solutions.
  • Segmentation policies only needed to be set up once; then they automatically stay in place as their applications move between environments and locations, or auto-scale up/down.
  • No need to purchase additional costly hardware or maintain it.
  • Full integration with SIEM for alerts and event notifications eliminated the need for new tools or processes in the SOC.

Operating at speed and providing precise protection of critical data helped this hedge fund move from expensive networking hardware to Illumio software.  

Topics: Adaptive Segmentation

Share this post: