Microsegmentation, also called Zero Trust Segmentation (ZTS), is foundational to any modern Zero Trust security strategy – but it’s easy for organizations to get overwhelmed by the challenge of securing complex, hybrid networks with hundreds, if not thousands, of resources and endpoints.
NIBE Group, a global conglomerate of heating solution manufacturers, including nearly 150 companies and over 500 applications to secure, proves that implementing microsegmentation quickly and at scale is more than doable. In just six months, they leveraged Illumio to go from zero microsegmentation to nearly 98 percent enforcement to build their Zero Trust posture and proactively prepare for inevitable breaches.
We sat down with Fredrik Olandersson, Network Administrator at NIBE, to learn the four best practices the NIBE team used. Their success story illustrates that Zero Trust Segmentation doesn't have to be difficult with the right kind of proactive planning and collaboration.
Successful implementation of any cybersecurity initiative hinges on collective understanding and support. NIBE’s strategy started with gaining alignment at all levels for their microsegmentation project, including both between internal teams and with the board.
“My manager let the board members know we wanted to implement Illumio quickly,” Fredrik explained. “He told them that it will inevitably come with problems, but that we'll try to minimize them as much as possible. I think that board discussion is a very important part of implementing a project like this successfully.”
The team made sure to communicate early and often about the risks, benefits, and urgency of microsegmentation required for NIBE’s large, complex network. This laid the foundation for a united, cross-functional approach to their deployment efforts. And the commitment of top-level stakeholders to the cause ensured that the organization moved in unison.
2. Collaborate cross-functionally for shared success
Fredrik emphasized the role of collaboration in NIBE’s microsegmentation deployment. It was pivotal that the security team engaged with application owners and secured their buy-in on enforcement timing.
“Enforcement timing is a choice,” Fredrik said. “Instead of making that choice for everyone, we went to every application owner and set up a time schedule for when it would be best to go into full enforcement for each application. I think it would've been impossible to have full enforcement today if we didn’t do that.”
The active involvement of key stakeholders helped streamline the deployment process, minimizing resistance and disruptions. This collaborative approach fostered a sense of ownership and accountability across the organization. Project wins felt like wins for everyone involved – not just the security team.
3. Emphasize progress, not perfection
Perfectionism can be a roadblock on the path to a successful microsegmentation deployment. Organizations can quickly get caught up in granular details that distract from manageable, incremental enforcement.
NIBE's journey underscored the significance of prioritizing progress over perfection. Fredrik encouraged the entire team to acknowledge that perfection is an ongoing pursuit and shouldn't stall deployment efforts: “If we try to avoid every eventual problem that might come up, we will never go into enforcement mode,” he said.
By embracing the philosophy of iterative enhancement, the NIBE team focused on making consistent strides forward rather than waiting for the perfect plan. To begin the implementation, they started with getting visibility into the network to find and secure their most high-risk resources. This first, quick win built momentum for the project and led to continued progress.
4. Stay responsive to issues to maintain the organization’s confidence
With any significant security transformation, challenges are bound to arise. NIBE’s deployment was no different. But Frederik took a proactive approach to managing any issues that arose during enforcement. He ensured the security team set time aside in the days and weeks following enforcement to prioritize responsive action on any issues that arose.
“It's very important that when you go to enforcement you are available and don't have any other major initiatives planned,” Fredrik recommended. “If there was any problem, we were available.”
“When you press the enforcement button for a different application, server, or system, you need to have the information about how it’s communicating in the environment,” Fredrik said.
Illumio's map allowed them to quickly troubleshoot any issues without having to stop enforcement or disrupt other teams.
“There's always a way to go back to visibility mode with Illumio, but I would say in almost every case, it was just minor changes in the rule sets to get everything up and running again if there was a problem,” he noted.
NIBE's proactive approach ensured that any issues that emerged were tackled swiftly, maintaining buy-in and confidence in the deployment process. This continuous responsiveness further demonstrated their commitment to safeguarding the organization's digital assets.
As NIBE continues to work towards deploying Illumio Endpoint on 6,000 endpoints in the next six months, their Zero Trust Segmentation journey serves as a blueprint for organizations aiming to bolster their cybersecurity posture through microsegmentation. It demonstrates how the intersection of strategic planning, collaboration, and a focus on progress rather than perfection is essential for deployment success.
Defining Metrics to Successfully Manage Your Zero Trust Implementation Plan
The Zero Trust mindset assumes that one’s perimeter defenses have been breached, and priorities pivot to containing the lateral movement of malicious actors. Illumio published the 3-stage Zero Trust Plan, which individuals use to plan and operationalize their Zero Trust journey.