It’s one of those trite bits of corporate-speak that everyone loves to hate. The thirty-thousand-foot view is right up there with leveraging synergies and picking low-hanging fruit. But from the cramped window seat of this small Embraer 140, with a literal thirty-thousand-foot view to my left, I’m thinking about this expression and what it means for our customers.
I’m returning from a two-day workshop with a new customer, a big one whose workload count approaches six figures. They’re at the beginning of their segmentation journey, looking ahead to how they’ll use Illumio’s software to reduce risk in their environment. Like most of our customers, they have many goals: protecting critical services, guarding against ransomware and data breaches, getting better visibility into their network traffic flows and application dependencies, supporting the migration of legacy applications to new data centers, and more. They have an aggressive schedule and they expect results.
This particular customer is a strong adherent to the Agile process. This workshop was the kickoff to the next Program Increment, a ten-week interval with a set of well-defined tasks and goals, many of them scheduled down to the day. Not many of our customers follow such a strict process-based approach to their segmentation programs. So what’s the alternative, and is it better or worse?
Defining Short- and Long-Term Goals
There’s a common saying when it comes to IT projects: the completion of your five-year plan will always be five years away. If you have a set of long-term goals but haven’t identified short-term actions that are moving you toward those goals, then you’ll never get any closer. Is this the thirty-thousand-foot view of segmentation programs? Is it possible to know exactly what you want to achieve, but not have a viable plan to get there?
Of course, the answer is a resounding yes. Some Illumio customers embark on well-intentioned journeys with a destination in mind, but no vehicle to get them there. Some of our customers will define targets, such as attack surface area reduction, and be very crisp on their desired end-state, but have no visibility into what anyone is doing today, tomorrow, next week, or next month to make it a reality. These customers only have a thirty-thousand-foot view and nothing else.
On the opposite end of the spectrum are the action-oriented customers. These are the customers whose views are measured in feet or inches. What am I going to do today? What is that going to enable me to do tomorrow? Everything else is in the future. We’ve had customers install the Illumio software and put thousands of workloads into full enforcement in a matter of days or weeks, without regard for long-term goals.
Which approach is better? The answer is an unsatisfying “it depends” … but we can do better than that.
Customers come to us for a variety of reasons: response to a breach or incident that already occurred; failure of an audit or regulatory requirement; a general desire to improve security posture and reduce risk; an overwhelming need to NOT be the next boldface name on the front page of the newspaper for failing to protect their customer data. Each of these drivers comes with its own success criteria and often its own timeline, which dictates the height from which you have the luxury of viewing your program.
An Example: Writing Rules for Security Segmentation
For starters, let’s look at Illumio’s recommended approach to writing rules for security segmentation. It starts with our FIRST principles, a clever backronym for the following five steps:
- FIND metadata sources. Illumio’s policy engine doesn’t use IP addresses to write security policies. Instead, we use metadata, like the application that runs on each workload, or whether it’s production or development. This lets you write security policies in terms that everyone understands, policies that adapt easily to change in your environment.
- IDENTIFY a label design. Labels are the building blocks of Illumio’s security policies. Is your Location label going to hold a physical location like a street address, or a data residency jurisdiction? A good label design is the bedrock on which your security policies rest.
- REACH OUT to service owners early. Most segmentation programs have many stakeholders and lots of touch points within your organization. A thoughtful communication plan will help your program go smoothly.
- START with core service policy. Your core services are the infrastructure or “dial-tone” components that keep all of your services running, like Active Directory or NetBackup. Having foundational security policies for your core services will let your application teams focus on the connections that matter to them.
- TARGET ringfencing for business applications. Security policies aren’t one-size-fits-all, and there’s always a balance between control and operational complexity. Application ringfencing is a common pattern that focuses on the connections in and out of each application, and less on the connections between components within the application. You can always dial the level up or down, but most of our customers find this to be a good default for most of their applications.
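To make the label-driven idea behind these steps concrete, here is a small, added model of a label-based segmentation policy. It is illustration written for this page, not Illumio's product, policy engine or API. The label dimensions (app, env, loc), workload names, addresses, ports and rules are all constructed sample data. It shows a core-service rule, a ringfence for one business application with an explicit inbound path, default deny for everything else, how the labels are resolved to the concrete per-host allow list a firewall needs, and why none of the rules change when the workloads move to new addresses.

```python
"""Toy model of label-based segmentation policy.

Added illustration, not Illumio's product or API. It models three FIRST
steps: a label design (app/env/loc, an assumed set of dimensions), a
core-service rule, and a ringfence for one business application, and shows
why rules written against labels survive an IP change. Every workload,
address, port and rule below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Labels = Dict[str, str]
Port = Tuple[str, int]        # (protocol, port number)


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: Labels


@dataclass(frozen=True)
class Rule:
    consumer: Labels                   # selector for the side that connects
    provider: Labels                   # selector for the side that listens
    ports: Optional[FrozenSet[Port]]   # None means any protocol/port
    note: str


def selector_matches(selector: Labels, labels: Labels) -> bool:
    """An empty selector matches every workload; otherwise every listed label must match."""
    return all(labels.get(k) == v for k, v in selector.items())


class Policy:
    """Default-deny allow list evaluated against labels, never against addresses."""

    def __init__(self, workloads: Iterable[Workload], rules: Iterable[Rule]):
        self.rules = list(rules)
        self.by_ip = {w.ip: w for w in workloads}

    def allowed(self, src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[bool, str]:
        """First matching rule wins; anything not explicitly allowed is denied."""
        src, dst = self.by_ip.get(src_ip), self.by_ip.get(dst_ip)
        if src is None or dst is None:
            return False, "unknown workload (unlabelled)"
        for rule in self.rules:
            if (selector_matches(rule.consumer, src.labels)
                    and selector_matches(rule.provider, dst.labels)
                    and (rule.ports is None or (proto, port) in rule.ports)):
                return True, rule.note
        return False, "default deny"

    def inbound_allow_list(self, name: str) -> List[Tuple[str, str, int]]:
        """Resolve labels to concrete (src_ip, proto, port) tuples for one host.

        This is the shape a host firewall actually consumes. It is regenerated
        whenever labels or addresses change, so the rules themselves never do.
        """
        dst = next(w for w in self.by_ip.values() if w.name == name)
        out = set()
        for rule in self.rules:
            if not selector_matches(rule.provider, dst.labels):
                continue
            for src in self.by_ip.values():
                if src is not dst and selector_matches(rule.consumer, src.labels):
                    for proto, port in (rule.ports or {("any", 0)}):
                        out.add((src.ip, proto, port))
        return sorted(out)


PROD_PAY = {"app": "Payments", "env": "Prod"}

RULES = [
    # START: core-service policy; every workload may reach Active Directory on its auth ports
    Rule({}, {"app": "ActiveDirectory", "env": "Prod"},
         frozenset({("tcp", 88), ("tcp", 389), ("tcp", 636)}), "core: AD"),
    # TARGET: ringfence Payments/Prod; any port between its own components
    Rule(PROD_PAY, PROD_PAY, None, "ringfence: Payments intra-app"),
    # The one explicit path through the fence: the Prod web tier to the API port
    Rule({"app": "Web", "env": "Prod"}, PROD_PAY, frozenset({("tcp", 8443)}), "Web -> Payments API"),
]

# Constructed sample inventory (assumed labels and addresses)
WORKLOADS = [
    Workload("web-prod-1", "10.0.1.10", {"app": "Web", "env": "Prod", "loc": "EU"}),
    Workload("web-dev-1", "10.0.9.10", {"app": "Web", "env": "Dev", "loc": "EU"}),
    Workload("pay-api-1", "10.0.2.11", {**PROD_PAY, "loc": "EU"}),
    Workload("pay-db-1", "10.0.2.12", {**PROD_PAY, "loc": "EU"}),
    Workload("dc-1", "10.0.0.5", {"app": "ActiveDirectory", "env": "Prod", "loc": "EU"}),
]


def build_policy(workloads: Iterable[Workload] = WORKLOADS) -> Policy:
    return Policy(workloads, RULES)


def migrated_policy() -> Policy:
    """Same labels in a new data center (10.50.x.x): not one rule is edited."""
    moved = [Workload(w.name, w.ip.replace("10.0.", "10.50."), w.labels) for w in WORKLOADS]
    return build_policy(moved)


if __name__ == "__main__":
    p = build_policy()
    print(p.allowed("10.0.1.10", "10.0.2.11", "tcp", 8443))   # Prod web -> Payments API
    print(p.allowed("10.0.9.10", "10.0.2.11", "tcp", 8443))   # Dev web -> Prod Payments: denied
    print(p.allowed("10.0.2.11", "10.0.2.12", "tcp", 5432))   # inside the ringfence
    print(p.inbound_allow_list("pay-api-1"))                   # what pay-api-1's firewall gets
    print(migrated_policy().allowed("10.50.1.10", "10.50.2.11", "tcp", 8443))
```

The two things worth noticing are the Dev-to-Prod check, which fails only because of the env label even though the application and port match, and the migration case: after every address changes, the same rule set still yields the same decisions, and only the compiled per-host allow list is different. That is the practical payoff of a label design chosen before rules are written.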
With this plan in mind, the key questions you need to answer are: How long do I spend on each step? Do I need to wait for each step to finish before going on to the next, or can I do them in parallel?
This brings us back to the thirty-thousand-foot view. A risk-averse organization might follow a more deliberative process, choosing to fully integrate their CMDB and write comprehensive core service policies before engaging application owners. If you’re under pressure to deliver results quickly, you might start writing application security policies while still refining the metadata sources and label design behind them. The most important thing is to make an informed choice about which process to follow, balancing your deadlines and your organization’s risk tolerance against your security objectives. Go ahead and adjust the order and the time you spend on each step to suit your needs. Just don’t skip any!
The ground outside my window is slowly getting closer as this small plane begins its descent. If your segmentation goals are still on the horizon, we at Illumio are excited to help you reach them!
If you’re interested in reading more about these planning and design considerations for your security segmentation journey, check out our Design Guide – a great primer that just so happens to be prime reading material from 30K feet (or below).