Adaptive Segmentation, micro-segmentation | November 24, 2014

Mapping the “Security Genome”

Alan S. Cohen

The human genome project was one of the most ambitious research efforts in recent history. The lofty goal of the project was to understand the fundamental building blocks of human genetics and to develop better treatments from a deeper understanding of disease, its causes, and its progression. Pharmaceutical and medical researchers worked with excitement about the possibility that medicine, for the first time, had the potential to better target disease—or even prevent it—instead of just treating symptoms and dealing with unintended side effects. 

It is a long stretch to compare computing and security with the amazing complexity of the human body and the genome project, but I have attempted such a comparison at a high level for purely illustrative purposes.


Security and the problem with treating symptoms

Today’s distributed and dynamic computing environments require system interactions and communications across heterogeneous environments. Advances in technology have created fundamental changes in the way computing resources are created and managed. Server virtualization and cloud computing, along with networking improvements, have made it possible to run application workloads (database, web server, etc.) on bare-metal servers, virtual machines, and Linux containers, and in elastic private or public cloud services.

Current approaches to securing data centers have only addressed the “symptoms” of security problems. Treating these symptoms without addressing their root cause has resulted in businesses facing the consequences of massive data breaches, insider threats, data-stealing malware, and other security challenges.

The problem is due in large part to the drastic differences between the growing complexity of computing environments and the slow evolution of the security systems that protect them. Instead of adapting to today’s needs, security solutions have attempted to protect dynamic computing environments through incremental layering of existing technologies, like firewalls to guard data centers or network segmentation mechanisms (like SDN or VLANs with security zones) to isolate application environments.

The unintended side effects of these approaches have been the need to develop manual processes to maintain security policies and firewall rules, slower rollouts of new projects due to security concerns, and a general sense that security is a problem rather than a solution.

Genomes and security

In the human body, the genome represents the genetic material carried in the DNA. Understanding genomes and their chemistry has led physicians and researchers to a better understanding of the human body and how disease affects it.

At Illumio, we mapped the “security genome” to create our Adaptive Security Platform (Illumio ASP), which matches the defenses required by today’s dynamic computing environments. Just as cells represent the basic structural unit of living things, individual application workloads represent the atomic unit of computing in distributed environments. The “context” of these workloads is then the security genome that we need to understand to create better security and defenses.


Human cells have unique context and function depending on the organ and the genetic material that they carry. Similarly, individual workloads have unique context. For example, a workload might be the database server for a sales app, running in the production environment, and located in the Denver data center. So, the workload context includes its role (database, web server, app server, etc.), application type (HR, sales, finance, etc.), environment (development, test, production, etc.) and location (Denver, Amazon AWS, Microsoft Azure, Europe, rack #3, etc.). In addition, context also provides information about the workload’s properties (OS, processes, etc.) and its relationships with the rest of the distributed system.




An inside-out model for security


Most security mechanisms used in data centers today are akin to using body armor to protect the human body from deadly bacteria or viruses—security is not present where it is needed. To solve the problem, Illumio set out with the view that security needs to start from the inside out. We realized that security needs to be granular, yet have broad applicability and the ability to adapt to any infrastructure or environment (VM, Windows server, Linux container, private data center or public and hybrid clouds) on which workloads are deployed.

Illumio uses the context of workloads to understand and graphically map out enterprise applications and all of their internal and external interactions. This visual mapping of applications and their topology—called Illumination—allows administrators to create well-informed security policies.




Just as the human genome project did, the Illumio approach to security uses the power of math and computing to understand context and to establish and enforce fine-grained security policies. Workload context is used together with security policies to continuously compute and apply security in response to any changes in workloads or their behavior. This continuous computation ensures that security adapts to changes, only permitted interactions occur between workloads, and security works irrespective of the underlying network infrastructure or computing environment. Security no longer treats just the symptoms of problems—it is built into the framework of the computing environment to make it self-adjusting and dynamic. 
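The sketch below is an added illustration of the idea of computing enforcement rules from workload context; it is not Illumio's code or data model. The names `Workload`, `Policy`, `compile_rules`, the selector format and all IP addresses are assumptions constructed for the example.

```python
from typing import NamedTuple

# The four context dimensions named in the post: role, application, environment, location.
LABEL_KEYS = {"role", "app", "env", "loc"}

class Workload(NamedTuple):
    ip: str
    labels: dict

class Policy(NamedTuple):
    consumer: dict   # label selector for the side that initiates the connection
    provider: dict   # label selector for the side that offers the service
    port: int

def matches(workload, selector):
    """A selector matches when every label it names equals the workload's label."""
    unknown = set(selector) - LABEL_KEYS
    if unknown:
        raise ValueError(f"unknown label(s) in selector: {sorted(unknown)}")
    return all(workload.labels.get(k) == v for k, v in selector.items())

def compile_rules(workloads, policies):
    """Default deny: return only the (src_ip, dst_ip, port) flows some policy allows."""
    rules = set()
    for p in policies:
        sources = [w for w in workloads if matches(w, p.consumer)]
        dests = [w for w in workloads if matches(w, p.provider)]
        rules.update((s.ip, d.ip, p.port) for s in sources for d in dests if s.ip != d.ip)
    return rules

def wl(ip, role, app, env, loc):
    return Workload(ip, dict(role=role, app=app, env=env, loc=loc))

# Constructed sample data: one label-based policy and a small fleet.
POLICIES = [Policy({"role": "web", "app": "sales", "env": "prod"},
                   {"role": "db", "app": "sales", "env": "prod"}, 5432)]
FLEET = [wl("10.0.1.10", "web", "sales", "prod", "denver"),
         wl("10.0.1.11", "web", "sales", "prod", "aws"),
         wl("10.0.2.20", "db", "sales", "prod", "denver"),
         wl("10.0.9.30", "web", "sales", "test", "denver")]

def demo():
    """Recompute rules after a new production database appears; the policy is unchanged."""
    before = compile_rules(FLEET, POLICIES)
    after = compile_rules(FLEET + [wl("10.0.2.21", "db", "sales", "prod", "aws")], POLICIES)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print(len(before), "rules before,", len(after), "rules after scaling out")
```

The policy count stays at one while the address-level rule count grows with the fleet, and the test-environment web server never gains a path to the production database because its context does not match the selector.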


Mapping the security genome has allowed Illumio to create a flexible and powerful system architecture for securing dynamic and highly scalable data centers and clouds. Just as mapping the human genome is improving medicine, Illumio’s approach is improving the way that enterprises set and manage security. In one such example, Illumio ASP has helped a customer dramatically reduce the number of firewall rules from 140,000 to 55 security policies.

