Adaptive Segmentation, micro-segmentation | October 14, 2016

Finally, Reducing Risk and Accelerating Security Are Compatible

Alan S. Cohen

Earlier today we announced the availability of Illumio Security Templates, a somewhat mild — in the hothouse of tech hyperbole nomenclature — yet clear title for a new set of capabilities we have brought to market that:


  • Provide pre-packaged, tested segmentation policy rules; and
  • Reduce the time and risk involved in protecting crown jewel computing assets.

Traditionally, writing segmentation rules in switching ACLs or configuring firewall rules at scale has been the equivalent of filing a complicated Federal tax return: it takes an army of experts and they frequently make mistakes (to say nothing of audits).

Imagine a set of critical applications and services your business runs on, such as Active Directory, Exchange, SharePoint, MongoDB, and MySQL. A traditional firewall requires you to write rules for each server, flow, and application, again and again from scratch: one IP rule at a time, and often order dependent.

There is a paradox here: highly interconnected, fast networks make every IT asset more accessible. The same productivity gains also expand the attack surface through which bad actors can reach critical information. This drives an increased need to protect assets in the interior of the data center, not just at the perimeter, as evidenced by the growing use of micro-segmentation across organizations.

Writing rules this way creates policy sprawl, policy debt, and enormous repetition of mundane, error-prone tasks.

To create powerful segmentation capabilities for critical applications, a security admin needs to understand:

  1. The properties of workloads (e.g., domain controller running a specific set of services and processes over a range of communications ports).
  2. The relationships of a group of workloads (e.g., they are part of a three-tier application with database, processing, and web workloads).
  3. The environments in which a workload is running (e.g., headquarters data center and Azure).

Based on extensive deployments with customers across industries, geographies, and company sizes, we learned that much of the “human middleware” invested in security rules could be eliminated by creating tested rulesets that can simply be applied to well-understood applications (internally, we call these “pre-shrunk rules for pre-canned applications”). We built and tested the first ones on our own and increasingly customers are creating these capabilities and are eager to share them with the broader Illumio family.

These security templates are especially useful in Microsoft environments, where the need to account for a range of dynamically assigned RPC ports puts traditional network-based technology in a bind. Rather than opening only the ports currently in use, a network-based solution must leave the entire dynamic range open, effectively propping the security equivalent of the doggie door wide open for the raccoon to sneak into your house. Any application that relies on dynamic port ranges, Active Directory among them, forces the same choice: open the whole range (10K+ ports) or break the application.
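To make both points concrete (a tested, reusable rule template for a well-understood application, and why dynamic RPC ports defeat a port-based network device), here is an added example that is not Illumio's product or code. It uses the built-in Windows host firewall as a stand-in and packages a domain-controller ruleset as a function so the same rules can be stamped onto every DC; the client subnets are constructed sample values, and the fixed/RPC port keywords follow the documented `-LocalPort` values of `New-NetFirewallRule`.

```powershell
# Added example (not Illumio's code): a reusable "domain controller" rule template
# for the Windows host firewall. Assumed: Windows Server with the NetSecurity
# module, run from an elevated prompt on the DC itself.

function New-DomainControllerPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Sources allowed to reach this DC (clients, member servers).
        # Constructed sample subnets; replace with the real ones.
        [string[]]$ClientSubnets = @('10.10.0.0/16', '10.20.0.0/16'),
        [string]$Group = 'Template: Domain Controller'
    )

    # Settings shared by every rule in the template.
    $common = @{
        Direction     = 'Inbound'
        Action        = 'Allow'
        Profile       = 'Domain'
        Group         = $Group
        RemoteAddress = $ClientSubnets
    }

    # Fixed, well-known AD ports: the easy part for any firewall.
    $fixed = @(
        @{ Name = 'DNS (UDP)';          Protocol = 'UDP'; Port = 53   },
        @{ Name = 'DNS (TCP)';          Protocol = 'TCP'; Port = 53   },
        @{ Name = 'Kerberos (TCP)';     Protocol = 'TCP'; Port = 88   },
        @{ Name = 'Kerberos (UDP)';     Protocol = 'UDP'; Port = 88   },
        @{ Name = 'NTP';                Protocol = 'UDP'; Port = 123  },
        @{ Name = 'LDAP';               Protocol = 'TCP'; Port = 389  },
        @{ Name = 'SMB';                Protocol = 'TCP'; Port = 445  },
        @{ Name = 'Kerberos password';  Protocol = 'TCP'; Port = 464  },
        @{ Name = 'LDAPS';              Protocol = 'TCP'; Port = 636  },
        @{ Name = 'Global Catalog';     Protocol = 'TCP'; Port = 3268 },
        @{ Name = 'Global Catalog SSL'; Protocol = 'TCP'; Port = 3269 }
    )
    foreach ($r in $fixed) {
        if ($PSCmdlet.ShouldProcess("DC: $($r.Name)", 'New-NetFirewallRule')) {
            New-NetFirewallRule @common -DisplayName "DC: $($r.Name)" `
                -Protocol $r.Protocol -LocalPort $r.Port | Out-Null
        }
    }

    # The hard part: RPC. The endpoint mapper (135) hands each client an
    # ephemeral port from the dynamic range. A network firewall cannot know
    # which one, so it must open the whole range. The host firewall uses the
    # RPCEPMap / RPC port keywords instead, which match only ports the RPC
    # runtime has actually registered, and scopes them to the owning process
    # (AD DS runs inside lsass.exe).
    if ($PSCmdlet.ShouldProcess('DC: RPC', 'New-NetFirewallRule')) {
        New-NetFirewallRule @common -DisplayName 'DC: RPC Endpoint Mapper' `
            -Protocol TCP -LocalPort RPCEPMap -Service rpcss | Out-Null
        New-NetFirewallRule @common -DisplayName 'DC: RPC dynamic (AD DS)' `
            -Protocol TCP -LocalPort RPC `
            -Program "$env:SystemRoot\System32\lsass.exe" | Out-Null
    }
}

# For contrast: the range a port-based network device would have to allow for
# the same function, to every process on the host.
function Get-DynamicRpcRange {
    $s     = Get-NetTCPSetting -SettingName Internet
    $start = $s.DynamicPortRangeStartPort
    $end   = $start + $s.DynamicPortRangeNumberOfPorts - 1
    "$start-$end"   # Windows default is 49152-65535
}

# Usage: dry-run first, then apply; then compare the scoped rules with the
# range a network firewall would need.
New-DomainControllerPolicy -WhatIf
New-DomainControllerPolicy
Get-NetFirewallRule -Group 'Template: Domain Controller' |
    Select-Object DisplayName, Enabled
"Range a network firewall would have to open: $(Get-DynamicRpcRange)"
```

The template is deliberately parameterized only by the things that change between deployments (who may talk to the DC, which rule group to tag), which is what makes it reusable and auditable: the same tested rules land on every domain controller, and the two RPC rules are bound to a process and a service rather than to a 16,000-port hole.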

Having been along for almost all of the Illumio journey, I am particularly gratified to see this advancement. The ability to stamp out repeatable, tested policies is the further evolution of our journey to protect attack surfaces inside the data center and the cloud and remove the cost and complexity of security.

See the product demo:
