July 16, 2021

3 Focus Areas to Reduce Zero Trust Segmentation Complexity

Trevor Dearing, EMEA Director of Technology & Product Marketing

Security and networking products have struggled to keep up with the needs of applications and application developers for many years. When application architectures changed from monolithic to services-based, networks needed to get fast and flat very quickly. From this need, engineers produced network fabrics, virtual networking and segmentation. While this addressed some of the issues for a short time, applications and security requirements quickly moved on.

Traditional firewalls proved to be a great platform for keeping malware and bad actors out, but they are far less effective once those threats are already inside. Recent history has shown us that malware acts like a child in a chocolate factory and will look everywhere for “treats” or high-value assets to steal. If we cannot prevent this lateral movement, the potential impact multiplies.

So, what are the problems we face in using traditional firewalls that can increase the likelihood of a successful attack?

  1. Segmentation using virtual networks does not provide the agility or scalability required for modern business. The world is just too dynamic and diverse. Allocating workloads into networks using inconsistent and unstructured tagging opens up the opportunity for too many mistakes.
  2. A lack of visibility and insight makes it nearly impossible to understand which rules need to be applied.
  3. Configuring the large number of rules required for a firewall is too complex. The lack of automation, visibility, and modeling makes any configuration high risk.
  4. Managing, adding, and changing rules means reasoning about every existing rule and the order in which they are listed; a single misordered or misconfigured rule can stop an application from working.

To solve these problems, we recently enhanced Illumio Core to simplify and speed up the enforcement of controls in the cloud and data center. These enhancements have focused on three areas:

  • Real-Time Visibility
  • Policy Development
  • Enforcement

Real-Time Visibility

  • Extended visibility options provide detail on communication between workloads. This helps you to understand the flows of traffic between the applications that should be talking. It also reveals the systems you did not know about and shows how they are communicating with systems they should not be talking to.
  • Enhanced metadata provides details of any connection, including length and volume. Workload data shows which services are running plus details on the system itself.
  • Incremental vulnerability updates dynamically show the changes in risk for each workload based on imported data from leading vulnerability scanners.

Policy Development

  • A point-and-click approach to developing policy means that you do not need to worry about managing a vast number of rules. The rules are generated automatically based on your policy decisions and these can be reviewed in natural language instead of complex addresses and impenetrable tag names.
  • Policies can be tested and modelled against live traffic showing the impact of any changes in real time on a clear map. The Illumination application dependency map will show whether connections are allowed, blocked or potentially blocked with simple colored lines. Also, the new enhanced Explorer function identifies the state of any workload, protocol or port and the potential impact of a security policy. This prevents any errors from impacting the availability of the applications.
  • Application owners can view and configure policies that relate to their application regardless of location or environment. This is managed by role-based access control.

Enforcement

  • Enforcement can scale from being able to enforce policy for individual services on a single workload to multiple services on over 100,000 workloads.
  • Fast enforcement of policies separating environments like production and development can be achieved in minutes without the complexity of rule ordering.
  • Enhanced support for third-party integrations, including Palo Alto Networks and F5.
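As an added illustration (not Illumio's code, and not the Illumio Core data model), the following Python sketches the idea behind the Policy Development and Enforcement bullets above: rules written against workload labels rather than addresses, evaluated as an unordered allow-list, with observed flows classified as allowed, blocked or potentially blocked depending on whether the policy is in test or enforced mode. The workload labels, rules and flows are constructed sample data.

```python
# Added illustration, not Illumio's code: a label-based allow-list policy evaluated
# against observed flows in test mode and enforced mode. All data below is constructed.
from dataclasses import dataclass

# Constructed workload inventory: each workload carries app / env / role labels.
WORKLOADS = {
    "web-1":  {"app": "shop", "env": "prod", "role": "web"},
    "db-1":   {"app": "shop", "env": "prod", "role": "db"},
    "db-dev": {"app": "shop", "env": "dev",  "role": "db"},
}

@dataclass
class Rule:
    """One allow rule written in labels, not addresses. The policy permits the
    union of its rules, so the order in which they are listed never matters."""
    src: dict
    dst: dict
    port: int

def matches(labels, selector):
    """A selector matches a workload when every label it names agrees."""
    return all(labels.get(k) == v for k, v in selector.items())

def allowed(policy, src, dst, port):
    return any(matches(WORKLOADS[src], r.src) and matches(WORKLOADS[dst], r.dst)
               and r.port == port for r in policy)

def model(policy, flows, enforced):
    """Classify observed (src, dst, port) flows the way a dependency map would:
    'allowed', 'potentially blocked' (test mode: would drop once enforced) or 'blocked'."""
    result = {}
    for flow in flows:
        if allowed(policy, *flow):
            result[flow] = "allowed"
        else:
            result[flow] = "blocked" if enforced else "potentially blocked"
    return result

# Sample policy: prod web may reach prod db on 3306; prod workloads may SSH to each other.
POLICY = [
    Rule({"app": "shop", "env": "prod", "role": "web"},
         {"app": "shop", "env": "prod", "role": "db"}, 3306),
    Rule({"env": "prod"}, {"env": "prod"}, 22),
]
# Sample observed flows, including one that crosses from prod into dev.
FLOWS = [("web-1", "db-1", 3306), ("web-1", "db-dev", 3306), ("db-1", "web-1", 22)]

if __name__ == "__main__":
    for enforced in (False, True):
        print("enforced" if enforced else "test mode", model(POLICY, FLOWS, enforced))
```

Running the same policy with the rule list reversed gives identical results, which is the property that removes rule-ordering risk.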

All of these enhancements reduce the complexity of deploying Zero Trust Segmentation. Ultimately, the simplicity makes it faster to reach a secure environment while reducing the risk of misconfigured firewalls or potential application outages.
