You can reliably deliver microsegmentation projects — but only with the right approach. In this blog series, we have provided guidance proven to deliver real-world projects that bring great benefits while being straightforward and cost-effective.
In part one, we explored the three top ways to ensure microsegmentation projects succeed.
In part two, we outlined three strategic principles that increase project success rates.
In part three, we shared the six biggest risks to projects and how to mitigate them.
In this final article, we’ll discuss the one factor that often separates microsegmentation projects that succeed from those that fail — the tools they use.
This article will explore:
- Why legacy tools fail to deliver microsegmentation in modern environments.
- What to look for when evaluating a modern microsegmentation tool.
- How organizations have used Illumio to reliably deliver successful microsegmentation projects across complex and challenging modern networks.
The problem with using legacy tools for microsegmentation
Your microsegmentation strategy can only do so much.
You can build a strategy that incorporates every proven strategic principle and best practice. You can design a bullet-proof roadmap that accounts for and mitigates common project risks. You can identify your high-value assets, prioritize their security, and break your microsegmentation projects into logical, achievable, bite-size chunks.
But eventually you will need a segmentation tool to bring that strategy to life, and if you rely on the wrong tool for the job, even a well-thought-out strategy will most likely stall at the implementation stage. Here’s why.
Most existing segmentation tools were not designed to create scalable, granular microsegmentation between the systems inside of large, constantly changing IT environments.
These legacy tools tend to fall into one of two categories:
- Internal firewalls, private VLANs, switch ACLs, NAC, and the like
- Somewhat newer software-based networking platforms, including VMware NSX, Cisco ACI and Cisco DNA
These tools share many of the same shortcomings:
- They require you to re-architect your network to use them.
- They require a forklift upgrade of your networking equipment.
- They are tied to the physical network, so policy ends up expressed in IP addresses, subnets and VLANs rather than in terms of the workloads it is meant to protect.
- They create significant disruption and require extensive staff time or professional services help.
- They are either unmanageable across multiple clients, or they force you to learn complicated overlay networks to operate them.
These tools are bound to traditional network and firewall constructs: rules are written against addresses and network segments, and every time a workload is added, moved or re-addressed those rules must be rebuilt by hand. The potential for error is therefore high, and beyond enforcing a few broad segments the approach becomes impractical, leaving the paths inside each segment open to an attacker and increasing the risk of a successful breach.
Trying to implement granular segmentation with traditional tools is expensive, complex, time-consuming, and ultimately impossible for most organizations. When security and IT teams attempt to segment their networks with traditional tools, they typically expend a lot of resources just to maintain very broad segmentation that does little to constrain the lateral movement of cyberattackers.
Clearly, organizations need new technologies to implement an effective microsegmentation strategy across their digital infrastructure.
What to look for in a modern microsegmentation tool
Not every modern microsegmentation tool delivers the same results. When evaluating new tools to drive your microsegmentation project, there are a few qualities you should look for. Any tool with these qualities will address the fundamental limitations of legacy network and security tools and make microsegmentation practical and straightforward.
A modern, effective microsegmentation tool must:
- Rethink the segmentation problem from the ground up. Some legacy microsegmentation tools are trying to update their functionality to adapt to modern environments. This is a step in the right direction, but it’s not enough. Networks have changed too much at a fundamental level. You need a microsegmentation tool that was designed specifically to solve the new and unique security challenges that modern networks create.
- Have proof that it can scale in the real world. Some modern microsegmentation tools sound good on paper but have not yet solved the complex and subtle problems that appear in real-world microsegmentation projects. Many of these tools have only been shown to support a few hundred workloads. Look for tools that have segmented tens of thousands or hundreds of thousands of workloads, applications, servers and systems.
- Offer support teams with industry-leading implementation expertise. Many organizations can’t design and implement large-scale microsegmentation strategies on their own. They simply don’t have the experienced internal resources required to work through these projects without outside assistance. Any microsegmentation tool provider must also offer ample support to help customers throughout their project.
- Utilize host-based segmentation. Network-based segmentation, which layers external tools over your network to manage segmentation policy, no longer works. This approach was designed to segment environments that were on-premises and largely static. It fails when applied to modern networks. Look for tools that perform host-based segmentation by configuring the native firewall controls that already exist in operating systems and networking assets. Because enforcement then lives in each workload’s own firewall rather than in a network device, the policy follows the workload when it is migrated, re-addressed or scaled out.
- Provide real-time, centralized traffic maps. Most legacy tools — and some modern tools — create a siloed, fragmented view of your network. They force you to collect, centralize and normalize their different data sources into a single authoritative view of your network. That process is high-effort, time-consuming, and error-prone. Look for tools that automatically give you a unified, “single source of truth” for your network traffic.
- Perform end-to-end segmentation from one console. Finally, look for tools that make it quick and easy to create and manage microsegmentation policies for any size network. That means from one console, you can segment across clouds, on-premises data centers, and distributed, remote endpoint devices. The best tools can segment workloads across your IT environment while automatically updating policy as your digital infrastructure changes.
Any tool that meets these criteria will provide the fundamental capabilities you need to drive a successful microsegmentation program. Illumio provides these capabilities.
How Illumio is pioneering microsegmentation
Illumio is a unified platform designed to make it quick and easy to enforce microsegmentation across modern, hybrid computing environments. Illumio addresses the limitations of traditional network tools and provides a new approach to rapidly segment at both broad and granular levels, at any scale. It works equally well for organizations from start-ups to Fortune 500 companies.
Illumio meets, or exceeds, each of the criteria necessary for driving successful microsegmentation projects.
- Illumio rethinks the segmentation problem. Illumio was founded in 2013 to address the limitations of legacy networking and security tools, which were failing to effectively support the security requirements of modern networks. Illumio was specifically designed to deliver microsegmentation projects across modern distributed, virtual and dynamic networks.
- Illumio is proven to scale in the real world. Since 2013, organizations have used Illumio to effectively implement microsegmentation projects that were previously impossible. Illumio has documented case studies where customers used our platform to segment tens or hundreds of thousands of applications and assets, with no significant impact on network performance or application availability.
- Illumio supports strategy formation and implementation. Illumio provides hands-on support services at every stage of delivering successful microsegmentation projects. Illumio can help with designing the right strategy, as well as authoring, enforcing and evolving the right policies.
- Illumio creates real-time, centralized network visibility. Within minutes of launch, Illumio creates a comprehensive application dependency map and real-time picture of the traffic flows within your IT environment. This visibility makes it simple to see what policies you must implement for any project.
- Illumio performs host-based segmentation. Illumio does not layer external tools over your network. Instead, Illumio configures the native firewall controls that already exist in nearly every operating system, the host firewall that ships with Linux, Windows and the other major platforms. You don’t have to touch your underlying computing architecture. This makes it straightforward to rapidly segment environments at any scale.
- Illumio performs end-to-end segmentation. Illumio creates microsegmentation across multi-cloud, hybrid, and on-premises networks. It segments workloads, endpoints and cloud platforms. And it simplifies, streamlines and automates every stage of policy management and ongoing maintenance.
By taking this new approach, Illumio makes microsegmentation achievable for organizations of any size.
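The two lists above describe the same mechanism from the buyer’s and the vendor’s side: policy is written in terms of workloads, each host enforces only the rules that concern it in its own native firewall, and the traffic map is used to check the policy before enforcement is switched on. The following is an added example that shows that mechanism end to end; it is not Illumio’s code or the Illumio policy model, and the label scheme, the workload inventory, the rules and the observed flows are all constructed for illustration. It renders each host’s inbound allow-list as an nftables ruleset (default drop, accept only inventoried peers on the granted ports) and scores a set of observed flows against the policy as a dry run.

```python
"""Label-based microsegmentation compiled to each host's native firewall.

Added example, not Illumio's code. Policy is written in workload labels,
each host receives only the inbound rules that concern it, and observed
flows are scored against the policy before enforcement is switched on.
Every workload, rule and flow below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Labels = Dict[str, str]
Flow = Tuple[str, str, int, str]  # (src_ip, dst_ip, dst_port, proto)


@dataclass
class Workload:
    name: str
    ip: str
    labels: Labels  # e.g. {"app": "shop", "env": "prod", "role": "web"}


@dataclass
class Rule:
    consumer: Labels  # selector for the side that opens the connection
    provider: Labels  # selector for the side that accepts it
    port: int
    proto: str = "tcp"


def matches(selector: Labels, labels: Labels) -> bool:
    """A selector matches when every label it names has that value."""
    return all(labels.get(k) == v for k, v in selector.items())


def allowed(src: Workload, dst: Workload, port: int, proto: str, policy: List[Rule]) -> bool:
    """Allow-list semantics: a flow is permitted only if some rule covers it."""
    return any(
        r.port == port and r.proto == proto
        and matches(r.consumer, src.labels) and matches(r.provider, dst.labels)
        for r in policy
    )


def compile_host_rules(host: Workload, inventory: List[Workload], policy: List[Rule]) -> List[str]:
    """Render an nftables ruleset for one host: default drop on input, plus one
    accept per (peer IP, port) the label policy grants. Peer addresses are
    resolved from the inventory at compile time, so re-addressing a workload
    only means recompiling; the policy itself never names an IP or subnet."""
    lines = [
        "table inet seg {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for r in policy:
        if not matches(r.provider, host.labels):
            continue  # this host does not provide the service in the rule
        for peer in inventory:
            if peer.ip != host.ip and matches(r.consumer, peer.labels):
                lines.append(f"    ip saddr {peer.ip} {r.proto} dport {r.port} accept")
    lines += ["  }", "}"]
    return lines


def evaluate_flows(flows: List[Flow], inventory: List[Workload], policy: List[Rule]) -> Dict[str, List[Flow]]:
    """Dry run against the traffic map: what would enforcement allow or block?
    A flow to an unmanaged destination is reported as 'unknown' rather than
    guessed; a flow from an unmanaged source into a managed host is blocked,
    because default-drop only admits inventoried peers."""
    by_ip = {w.ip: w for w in inventory}
    verdicts: Dict[str, List[Flow]] = {"allowed": [], "blocked": [], "unknown": []}
    for flow in flows:
        src_ip, dst_ip, port, proto = flow
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if dst is None:
            verdicts["unknown"].append(flow)
        elif src is None or not allowed(src, dst, port, proto, policy):
            verdicts["blocked"].append(flow)
        else:
            verdicts["allowed"].append(flow)
    return verdicts


# Constructed inventory, policy and observed flows (sample data, not real hosts).
INVENTORY = [
    Workload("web1", "10.0.1.10", {"app": "shop", "env": "prod", "role": "web"}),
    Workload("web2", "10.0.1.11", {"app": "shop", "env": "prod", "role": "web"}),
    Workload("db1", "10.0.2.20", {"app": "shop", "env": "prod", "role": "db"}),
    Workload("jump1", "10.0.9.5", {"app": "ops", "env": "prod", "role": "bastion"}),
    Workload("web-dev", "10.0.3.30", {"app": "shop", "env": "dev", "role": "web"}),
]
POLICY = [
    # the prod shop web tier may reach the prod shop database on Postgres
    Rule({"app": "shop", "env": "prod", "role": "web"},
         {"app": "shop", "env": "prod", "role": "db"}, 5432),
    # only the bastion may SSH into anything in prod
    Rule({"role": "bastion"}, {"env": "prod"}, 22),
]
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 5432, "tcp"),    # web1 -> db1: intended path
    ("10.0.3.30", "10.0.2.20", 5432, "tcp"),    # dev web -> prod db: cross-env leak
    ("10.0.9.5", "10.0.1.10", 22, "tcp"),       # bastion -> web1: admin access
    ("10.0.1.10", "10.0.1.11", 22, "tcp"),      # web1 -> web2: lateral-movement path
    ("10.0.2.20", "198.51.100.9", 443, "tcp"),  # db1 -> unmanaged host: out of scope
]


def workload(name: str) -> Workload:
    return next(w for w in INVENTORY if w.name == name)


if __name__ == "__main__":
    print("\n".join(compile_host_rules(workload("db1"), INVENTORY, POLICY)))
    for verdict, flows in evaluate_flows(OBSERVED_FLOWS, INVENTORY, POLICY).items():
        print(verdict, flows)
```

Running the dry run first is the practical check: the web-to-database flow and the bastion’s SSH come back allowed, the dev-to-prod database connection and web-to-web SSH come back blocked, and the database’s egress to an unmanaged address is flagged as unknown so it can be brought into scope or explicitly excepted before enforcement is turned on. Because the rules reference peers by address only at compile time, moving web1 to a new IP changes the ruleset delivered to db1 without touching the policy, which is the property that makes host-based segmentation survive the constant change that defeats address-based rules on network devices.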
Real-world examples of microsegmentation with Illumio
Illumio is proven in the real world. Many of the most innovative organizations use Illumio to segment their networks. Illumio is used by:
- More than 15% of the Fortune 100
- 6 of the 10 largest global banks
- 5 of the leading insurance companies
- 3 of the 5 largest enterprise SaaS companies
Our customers have used Illumio to protect modern enterprise-scale networks. A few recent examples include:
- An e-commerce site used Illumio to secure 11,000 systems in 3 months — and successfully pass a critical audit.
- A leading SaaS platform implemented Illumio to secure 40,000 systems under full DevOps automation, including policy and enforcement.
- A large custodial bank relies on Illumio to secure $1 trillion per day of financial transactions under federal regulatory scrutiny.
Here’s what customers have said about using Illumio for microsegmentation:
“Illumio has filled a gap for which there was previously no solution. In addition to meeting compliance regulations, we have seen drastic improvements in our overall security posture.”
– Steffen Nagel, Head of Information Technology, Frankfurter Volksbank
“Gaining live visibility into flows between workloads down to the paths of protocols provided immediate value. The ability to use the map to easily allow-list traffic and achieve the level of segmentation needed will be a tremendous time-saver over manually programming firewall rules.”
– Mikael Karlsson, Head of IT Infrastructure, AFA Försäkring
“The initial attraction [to Illumio] was really the simplicity. Having the ability to span the physical and virtual and present insights in a highly resolved fashion is a game-changer.”
– Andrew Dell, CISO, QBE Insurance
Illumio named the microsegmentation leader by Forrester
Forrester named Illumio a Leader in both The Forrester New Wave: Microsegmentation, Q1 2022 and The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q3 2020.
We believe our leadership in these two Forrester Wave reports confirms what our rapidly growing list of customers already knows: Illumio sets the standard for predictable, scalable microsegmentation that supports a unified and disciplined approach to Zero Trust security.
We call this Zero Trust Segmentation.
According to Forrester: “Implicit trust on the network must end, and microsegmentation is the key.”
Make your microsegmentation project a success, starting today
In this four-part series, we have outlined a proven, practical approach to delivering microsegmentation projects that succeed where others fail. We covered the top ways to ensure these projects succeed, the strategic principles that guide them, the major sources of risk they carry and how to mitigate them, and, finally, the tools that can reliably bring microsegmentation to life.
Take the next step to see if Illumio is the right partner as you design and implement your next segmentation project: