The Jedi Mind Trick: Originally from the movie "Star Wars." In it, Jedi master Obi-Wan Kenobi displays how the Force can have an influence over people. It’s generally used when one causes another to perform a totally uncharacteristic action – like someone trying to protect the network when they really want to protect their applications.
I was recently visiting a company that clearly had been dealing with a visit from the dark side of the Force. Here is how I could tell: they were concerned about bad actors within their network – not just from a malware perspective, but literally being infiltrated by people posing as workers. Then, to add to their concerns, the team I was visiting was under pressure from their CIO and CFO to move more assets to the public cloud.
As we did a deeper dive into the team's concerns about security, it was said (not in a quiet, let’s-examine-this kind of way, but blurted out with urgency and a bit of panic)...
"But we must protect our network!"
I had to hold back from saying, “You’ve had the oldest Jedi mind trick in the book played on you!"
Me: “Aren’t you moving more to public cloud?”
Me: “If that’s the case, then what is your network?”
I could see the dark side of the Force receding from him, and he looked a bit struck by the logic.
Me: "Besides which, is the network there to serve your applications and data, or are the applications there to serve the network?"
Him: “Network serves our applications.”
Me: “Then aren’t the applications what you should be protecting?”
Then, he turned to me and said, “When I met you, I was but the learner, now I am the Ma...” Okay...he didn’t say that, but that would have been cool.
The point of this post is really about mindset.
Mindset frequently dictates approach. I’m not against the network or perimeter firewalls.
But I think the data center zone firewall is the Jedi mind trick that is working against security teams.
Frequently, organizations that pursue the protect-the-network strategy have to buy more data center firewalls, as they need to force more and more traffic through the firewall. A better way to look at it is like the boy bending spoons in The Matrix: the key to protecting the network is to understand that there is no network. Then you can figure out what is important to protect.
I just did a mashup of Star Wars and The Matrix. Now let me throw a little Inception on y’all.
The reason why Illumio goes to the workload for enforcement is that it is the simplest form of the idea. Illumio goes to where the compute is – it is a simple approach that does not require any changes to the network, and is ultimately very powerful.
Here’s the truth.
I totally understand it when people say that they must protect their network. After all, the data center firewall (not the perimeter one, but the super expensive beefy one) was the gateway between your network and the ugly bad world. But, actually, that gateway is the perimeter firewall. The data center firewall is your most expensive firewall, but with it comes a lack of flexibility because it is tied to the network. Meanwhile...
Applications are moving super fast, and the data center firewall – while beefy – wasn’t really created to deal with change.
That’s where the Illumio ASP comes in. It provides visibility and east-west segmentation, but it isn’t tied to the network in any way. What’s more, it scales with every workload, so you don’t have to upgrade that firewall or ‘over-zone’ your data center...and, oh yeah, the performance that you enjoy in your existing data center is the exact same performance you enjoy in the public cloud.
What’s more, before even getting to segmentation, you get to see all of the connections between the workloads – sort of like when Han Solo makes the jump to light speed, but with a lot more context.
...I’ve done it. Inception, Star Wars, and The Matrix. Mic drop.