Adaptive Segmentationmicro-segmentation September 26, 2019

Divide and Conquer: Why It's Time to Unlock Security From the Network

Katey Wood,

Network segmentation is a well-known approach to network security and has been lauded as a way to improve security and reduce your attack surface. At Illumio, we talk a lot about the value of our product being the best solution for segmentation because our software actually allows network and security teams to “decouple” – that is, allow the security segmentation policy to be independent of network infrastructure and constraints.

But you might ask yourself: why is that important? Here’s your Decoupling 101.

Why decouple from the network 

The answer is that segmentation on the network is painful. It’s operationally complex to re-architect VLANs and zones. Slow-to-impossible to change. Expensive. Plus, it risks breaking your networkgrinding business to a screeching halt. Maybe even affecting your bonus, if you’re graded on uptime. 

For enterprises with no timeline or urgency attached to segmentation, trying to do it through the network may be an allowable “tax” on IT – for nowAfter all, there are long-standing relationships with network vendors that are not going away. Why change the status quo? This can go on until it becomes clear the network won’t scale, and you’ve been kicking the can down the road 

The fact is, most enterprises don’t move slow. They are under constant pressure to do more, go faster, be agile, and adapt quickly. Traditional network segmentation strategies that “bolt on” security to the network will not scale; they cannot be agile; and they'll put your data and your company at risk. 

Challenges of network-based segmentation

The expense of network-based segmentation might not even be obvious at firstInfrastructure vendors sometimes throw in Software-Defined Networking (SDN) at no cost! But how much new hardware acquisition is required to run it? What is the operational burden? There’s no such thing as a free lunchor free segmentation. 

In fact, network segmentation and SDN pose many challenges: 

  • Lack of visibility: Security 101 – you can’t secure what you can’t see. 
  • Complexity: Policy is tied to IP addresses, which are complex to configure and to change.  
  • Risk: Enforcement is tied to routers and switches that are designed for connecting things not for isolating them. Coupling security policy to network end points can break the network and create downtime  
  • Security sprawl: Multiple administration points mean configuration challenges and potential for error – a leading cause of breach according to the 2019 Verizon breach report. 

Add to this that with the growth of cloud and containers, our applications increasingly span data center boundaries the network doesn’t. Why not enforce security policy closer to the most important business drive? The applications.  


There is a better way. host-based segmentation solution like Illumio’s Adaptive Security Platform takes the burden off the network with a software-based approach. Lightweight agents transmit telemetry from the hostA central Policy Compute Engine orchestrates policy. Enforcement happens through the native firewalls of the operating system – closest to what’s being protected 

Decoupling from the network with Illumio offers a number of benefits: 

  • Total visibility: Decouple from the network to understand what’s communicating across environments. 
  • Simplicity: Decouple from IP addresses to draft metadata-based policies in natural language which can easily be tied to business priorities. 
  • Native enforcement: Decouple from hardware firewalls on routers and switches to enforce security through native operating system firewalls, closest to what’s being protected – the application. And exercise a build/test/enforce method to prevent downtime! 
  • Centralized control: Decouple from administering individual switches to administer a single policy across environments from a unified interface.

Why Illumio?  

Once again our customers say it best. Oak Hill Advisors chose Illumio for user, environmental, and application segmentation – without new infrastructure or even learning new skill sets:   

"Illumio is the most frictionless, unified approach to segmentation inside the data center and cloud security that I’ve seen in the market, as it does not require complex network changes, provides complete visibility, and can be implemented from a central control point." 

Want to learn more?

Check out our white paper or register for our upcoming webinar on decoupling from the network.

Adaptive Segmentationmicro-segmentation
Share this post: