October 17, 2022

Get Reliable ROI with Illumio Zero Trust Segmentation

Christer Swartz, Principal Technical Marketing Engineer

Illumio delivers a significant, reliable return on your cybersecurity investment compared to traditional, prevention-centric security approaches.

Illumio’s breach containment solution stops the lateral, east-west spread of ransomware and breaches. Once a breach occurs, Illumio will quickly contain it, trapping it in the first workload it hijacks and preventing any lateral movement.

With Illumio, your security team can ensure continuous uptime and protection against the spread of breaches by focusing on malware behavior rather than on malware intentions.

Traditional security tools that work to prevent breaches are important. Strong barriers are required at any perimeter.

But the assumption needs to be made that, realistically, your network’s perimeter will eventually be breached.

Illumio does not replace prevention-centric security solutions – it completes them.

This is why Illumio gives a far more reliable ROI than traditional tools. Keep reading to learn why.

Why traditional security approaches offer little ROI

When designing a security architecture for a data center or cloud, there are essentially two approaches: prevention or containment.

Traditionally, architects have focused on prevention. But today’s hybrid, hyper-connected networks mean prevention isn’t enough – and cause organizations to lose money on their cybersecurity investments.

Here are five of the most popular traditional, prevention-centric security approaches and why they lack reliable ROI.

Perimeter firewalls

The original solution to prevention is perimeter firewalls.

Network firewalls perform various levels of inspection of packets traversing the perimeter. Their goal is to prevent breaches from passing through the perimeter.

Nearly all of the famous breaches of past years occurred in networks that had firewalls at the north-south perimeter.

Many of these breaches resulted from human error when configuring firewalls, while others were due to malware hiding within the payload of traffic that appears normal and approved.

Next-generation firewalls can dig deep into such Trojan methods, but the more complexity you introduce the higher the risk of configuration errors.

Some of the most visible security breaches have been due to one-liner errors in firewall configurations.

Learn more about how Illumio outperforms traditional firewalls in our technical brief, Illumio vs. Traditional Firewalls.

Network Functions Virtualization (NFV) architecture

Another option is to find a way to secure the interior network by deploying clusters of firewalls and other network security appliances, either hardware or virtual, in a “common services” core segment inside the network, and then carefully route traffic between hosts out through these core services.

This is often referred to as a Network Functions Virtualization (NFV) architecture.

The NFV approach makes your security architecture very network-dependent and a potential bandwidth bottleneck. It can quickly become complex and difficult to troubleshoot.

Many recent breaches in very large data centers and clouds have had such network-centric security architectures deployed – yet they have failed to prevent breaches.

Hackers only need to hijack the network devices to re-route or turn off this traffic-steering approach with the result being that no traffic is inspected.

Workload-centric, east-west traffic control needs to reside within the workload, not in the network fabric.

Cloud-hosted security tools

The next option is often to rely on cloud-hosted solutions to perform compliance and behavior analytics on traffic across all data centers and cloud fabrics.

These tools will provide a lot of complex, deep-packet inspection analytics information for intelligence into what kind of traffic is present across your hybrid-cloud. This offers many choices to block or allow traffic.

Cloud-hosted tools are essentially the same approach as network-centric security solutions in a data center, only virtualized. But security teams often trust cloud-hosted tools more because they assume the cloud vendor has superior security technology.

This simply isn’t the case.

Many recent cloud breaches have been due to these virtualized security tools left in their default configuration. The weakest link in any security architecture is between the keyboard and the chair, and no cloud-hosted solution can automatically strengthen that weak link.

SASE and ZTNA cloud-edge security tools

With the slow demise of VPNs, SASE and ZTNA tools are now a popular solution for remote access into the cloud, pushing security as close to the remote-access edge as possible.

Much of the underlying infrastructure is maintained for you by the SASE or ZTNA vendor – both a benefit and a risk.

While the underlying operations are taken care of, SASE and ZTNA tools are often perceived as being “secure enough,” with the most common source of breach being related to human error.

But these vendors won’t configure all of the various security options for you. If they are left in default state and breached, none of them will contain the breach.

With an “assume breach” mindset, there needs to be a solution to stop the spread of a breach due to any eventual weakness or configuration error in the SASE or ZTNA toolsets. Illumio enables that security breach safety net.

Workload and endpoint security

Another option is to secure the workloads and endpoints themselves.

There are various agents and sensors which can be deployed directly on a workload, across all platforms: bare metal, VMs, serverless, and containerized workloads, in both data center and cloud environments.

In addition to securing workloads, mobile devices can be secured using EDR/XDR agents that rely on ZTNA or SASE solutions at the north-south perimeter to prevent breaches from hijacking a workload or traversing the fabric entry point.

Many high-profile ransomware attacks have hit workloads and mobile devices that had such solutions deployed to try to prevent a breach – and the solutions failed. This is because these solutions are still focused on prevention.

Deploying prevention solutions directly at the workload doesn’t change the weakness of the prevention approach. When a breach inevitably occurs, there must be a way to contain it.

The overall mindset needs to change so that prevention is accompanied by breach containment, and Illumio makes that change possible.

Shift to breach containment for good security ROI

Preventing breaches is clearly not realistic. In the end, a bad actor will breach even the most robust security solution. The focus must be on containing a breach and stopping its spread throughout the network.

Traditional prevention solutions cannot provide reliable ROI when they’re unable to prevent today’s ransomware and breaches. Your organization’s security isn’t complete until you implement a containment solution that stops the spread of breaches once they enter the network.

Security teams need to make a major shift to breach containment to realize a reliable ROI on cybersecurity.

All data centers and clouds will still need firewalls at their perimeters. But trying to deploy additional firewalls inside a network for visibility and enforcement between workloads will quickly become cost prohibitive – and ROI will be difficult to achieve.

Illumio’s solution can quickly detect malware by its behavior: workloads attempting to use open ports to move throughout the network.

When Illumio sees this, it can quickly shut down all ports between all workloads with microsegmentation, also called Zero Trust Segmentation, at any scale.

This results in a breach being quickly contained without the need for deep-packet inspection and network intelligence – and means saving $20.1 million by avoiding application downtime.

Reliable ROI with Illumio Zero Trust Segmentation: What our customers say

Customers who have deployed Illumio’s breach containment solution have quickly seen a return on their investment.

Their ROI results from these four main advantages of the Illumio Zero Trust Segmentation Platform.

Illumio is agnostic to the underlying environment

Customers benefit from Illumio being agnostic to segmentation solutions in the underlying environment:

“We couldn’t keep up with the number of VLANs and firewall rules needed to properly segment the network. Illumio enables the team to work on microsegmentation initiatives much more efficiently than they could with VLANs and firewalls.”
AFA Försäkring

“Since Illumio policies are independent of underlying infrastructure, we have realized greater and granular security and performance. Policy can now follow the workload, so we avoid recreating policies or re-architecting the network.”
QBE

Illumio allows policy testing before it’s deployed

Firewalls often require a deploy-and-pray approach. When a new policy gets deployed, the security admin hopes the phone doesn’t ring.

New policy needs to be tested and simulated before deployment to avoid risking production downtime, which would further jeopardize ROI on the solution.

Illumio enables policy to be tested before it’s deployed, ensuring production uptime for customer environments:

“The alternative route for this compliance initiative was installing tens of data center firewalls to shore up their call center offices, amounting to an estimated $5M. The ability to test the impact of new policies without any changes to the network gives them much-needed confidence that enforcement will never break applications.”
Cathay Pacific

Testing policy before deployment ensures production uptime, avoids complexity and soaring deployment costs, and ensures a very real return on investment in cybersecurity.

Illumio reduces workflow complexity across operational teams

Part of seeing a return on investment in cybersecurity is reducing the operational complexity of the solution.

While security is often perceived as a complex problem, it should not result in a complex solution.

Maintaining production uptime requires:

  • Centralized operations
  • Not being reliant on other operational teams to implement policy
  • Enabling a quick DevOps model towards breach containment and resolution

Illumio customers experience the benefits of this approach:

“It was important to us that we could distribute access across the teams who were actually deploying services. This helps to support our continuous-delivery model. We’re no longer reliant on one person or a small team in order to make firewall configuration changes for which they don't really know the context.”
CAA

“Operational efficiencies streamlined across application, infrastructure, and security teams. Faster traffic flow analysis and easier access control with automated mapping and policy generation. NetSuite was able to significantly increase uptime thanks to Illumio’s rich visibility and the ability to model and test policies before enforcement. The company has achieved more ‘five nines’ – or 99.999% availability – in services running Illumio than ever before.”
NetSuite

“Applications are now deployed faster, with self-service for the DevOps team, and no need to involve the firewall team. Policies update dynamically without the security team’s involvement, to avoid slowing down deployment with overloaded change management when an application needs to scale. This dramatically reduces the time required to get security policies downloaded and converged on pods and services within Kubernetes clusters, eliminating delays in application delivery previously caused by using perimeter firewalls for container security.”
Global 50 FinServ Company

Streamlining operational workflows ensures that your multi-cloud compute environment can scale without encountering roadblocks in delivering services quickly and securely.

Illumio increases secure application delivery times

Another requirement for seeing a very real return on your security investment is ensuring continuous application availability.

Illumio enables customers to significantly increase their production uptime with the ability to visualize traffic patterns and then model policy enforcement based on that visibility.

These customers have experienced this benefit:

“It took us only three hours to perform an initial analysis of our network traffic, which is extremely efficient. We previously spent years trying to obtain this information and process it in such a way that it is useful to us, without success. In comparison with a conventional firewall system, the cost-benefit analysis demonstrates the enormous advantage of Illumio’s solution.”
Mondi Group

“Visual feedback and automated policy creation have reduced operational effort by 25 percent – eliminating time previously spent trawling through firewall logs. HGC segmented all of its high-value assets within four months, replacing ten firewalls and dramatically reducing hardware costs in the meantime.”
HGC

“Designing traditional firewall policies to provide the same level of protection would have been far more complicated and time-consuming.”
Investa

Illumio ensures security ROI

Cybersecurity is the challenge that never dies.

The deployment of either a data center or a cloud fabric is a complex effort. Adding a reliable and scalable security solution to the architecture is almost as complex as the overall environment itself.

An all-too-common approach is to deploy security only at the perimeter of the network, defining the trust boundary between the “inside” and “outside.” This then leaves internal, host-to-host, east-west traffic unsecured.

Complete your organization’s security with Illumio Zero Trust Segmentation. Get visibility into your network, stop the spread of ransomware and breaches when they inevitably happen, and maintain cyber resilience.

Schedule a free consultation and demo with our Zero Trust Segmentation experts to see how Illumio can:

  • Deliver measurable ROI
  • Build cyber resilience
  • Stop the spread of ransomware and breaches