
How Using Labels and Tags Can Simplify Cloud Migration and Zero Trust Segmentation

Moving applications to the cloud brings with it an array of advantages, such as cost, agility and most importantly, the regaining of your broom closet for actual cleaning supplies.

The move to the cloud also brings an important conversation to be had within your organization about how to tag assets in a cohesive manner. These tags provide a way to group workloads into categories that make sense for your business needs, including running reports, auditing for compliance or billing internal business units. So, if you’re in the position of having a clean slate with no existing tagging strategies already half-implemented, congratulate yourself on being the lucky one percent! But where do you begin?

This blog post is not about providing best practices surrounding tagging strategies. There are numerous well-written posts on tagging strategies from AWS, CloudCheckr, CloudZero and Microsoft worth reading. But what is worth discussing here is a common theme among them: While they all recommend a liberal usage of tags, they also recognize that tags are organized into categories that fit the purpose for which they are written. This grouping of related tags makes segmentation policy implementation achievable and simple to understand.

Keep label categories practical

Here's an analogy to help:

If you have ever attempted the task of creating a personal budget to control your finances, most experts on the subject will tell you how to do it in three easy steps: Create categories for the things you spend money on, assign dollars to them, and then desperately attempt to stay below that amount before the month is half over. (That’s usually how far I make it before stealing money from my "Noble Causes" bucket to pay for movie tickets…)

Now, suppose I start with creating categories for monthly bills, groceries and savings. I could go crazy and make sub-categories under groceries for "Necessities" like milk and bread and "Sugary Goodness" like donuts and mocha lattes. These sub-categories might be useful for tracking how much I’ve wasted on empty calories. But at the end of the day, it’s the “Groceries” category that I’m trying not to exceed. I’m not assigning dollars to donuts but to groceries. So, within the context of enforcing a budget as my primary goal, the limited set of categories helps me never overspend the dollars assigned to that category. I could make dozens of tags that are handy for ways to analyze what I’ve eaten, but when it comes to my accountant (i.e., spouse), it’s that "Groceries" category that she’s keeping an eye on.

So now that you’re on your way to financial freedom, let’s take this concept and apply it to a microsegmentation conversation.

Map and categorize workloads up front

Shifting to the cloud can make traffic flows difficult to map. And if you cannot map out and categorize what’s talking to what, it is hard to apply consistent security policies. It is this up-front exercise of categorization that pays dividends down the road and helps you implement security policies that don't leave workloads exposed. Equally dangerous are workloads that you think are protected but that remain vulnerable because of conflicting rulesets and rule-order confusion. This is the danger of using discrete tags as a basis for one-to-one security mappings.

So what does any of this have to do with Illumio?

At Illumio, we are all about helping companies achieve Zero Trust through simple strategies to get your microsegmentation deployment off the ground. Illumio's multi-dimensional labeling design helps guide customers through the process of inventorying their tag usage. We help you develop categories of labels that are practical for implementing segmentation policies.

Labeling Workloads
Illumio delivers a structured set of “plain language” labels to provide context for each workload, making it easier to understand and apply policies.

These labels make it easy to develop a "human-readable," declarative model to describe what you want to protect instead of worrying about the how. Leave the how to Illumio.

Use Illumio CloudSecure's label mapping tool

We recognize that tagging hygiene is difficult to maintain. Each business unit may have started with its own tagging conventions. And as your company grows, migrates and merges, these former islands of tags become an alphabet soup of overlapping names, inconsistent syntax and outdated conventions.

This is where Illumio CloudSecure can help. CloudSecure has a label mapping tool built in so you can begin the journey of organizing tags into useful labels for your cloud-native applications.

Illumio CloudSecure label mapping
Mapping cloud tags to Illumio's standardized labels makes it easier to understand traffic flows and write security rules for cloud-native applications.

This will help you write security rules so that tags like “Production,” “prod,” and “Hands off! This is a critical app!” can be merged into a common label of “Production” on our visibility map.

Perhaps your company is working with several cloud providers such as AWS and Azure. Illumio can unify disparate tagging strategies across your clouds by:

  • Collecting object metadata and flow telemetry.
  • Applying a common label schema.
  • Providing a visualization of all your workloads and their interactions in a single viewing window.
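
The tag-to-label mapping described above, sketched as an added example. This is not Illumio CloudSecure code or its API; the tag keys, the synonym table and the sample inventory are constructed assumptions. It merges variant tag values into one label and reports tags that are unmapped or that contradict each other instead of labeling those workloads silently.

```python
import re

# Assumed label schema (constructed for illustration, not Illumio's):
# label category -> canonical value -> accepted normalized synonyms.
LABEL_MAP = {
    "env": {
        "Production": {"production", "prod", "hands off this is a critical app"},
        "Development": {"development", "dev"},
    },
}
# Provider tag keys folded into one label category (assumed key names).
KEY_ALIASES = {"environment": "env", "env": "env", "stage": "env"}

def _norm(text):
    """Lower-case, turn punctuation into spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())

def map_tags(tags):
    """Return (labels, unmapped, conflicts) for one workload's raw tags."""
    labels, unmapped, conflicts = {}, [], []
    for key, value in tags.items():
        category = KEY_ALIASES.get(_norm(key))
        if category is None:
            continue  # tag is outside the segmentation schema (e.g. billing)
        match = next((canon for canon, syns in LABEL_MAP[category].items()
                      if _norm(value) in syns), None)
        if match is None:
            unmapped.append((key, value))
        elif labels.setdefault(category, match) != match:
            conflicts.append((category, labels[category], match))
    return labels, unmapped, conflicts

# Constructed inventory mixing AWS-style and Azure-style tagging habits.
INVENTORY = {
    "aws:i-0001": {"Environment": "Production", "CostCenter": "42"},
    "aws:i-0002": {"env": "prod"},
    "azure:vm-web": {"Environment": "Hands off! This is a critical app!"},
    "azure:vm-db": {"env": "prod", "Stage": "dev"},   # contradictory tags
    "aws:i-0003": {"Environment": "prd"},             # unknown spelling
}

def review(inventory):
    """Workloads needing a human decision before any policy relies on their label."""
    return {wid: (u, c) for wid, tags in inventory.items()
            for _, u, c in [map_tags(tags)] if u or c}

if __name__ == "__main__":
    for wid, tags in INVENTORY.items():
        print(wid, map_tags(tags))
    print("needs review:", review(INVENTORY))
```

Workloads returned by `review` are the ones where a rule written against the "Production" label would either miss the workload or apply to it by accident.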


Now, if only personal budgeting were this easy.

Contact us today to start your secure migration to the cloud with Illumio CloudSecure.
