Adaptive Segmentation, micro-segmentation | August 23, 2022

Get Zero Trust for Converged Networks with Illumio + Armis

Trevor Dearing, EMEA Director of Technology & Product Marketing

Nothing is constant except change. This has been especially true in the last few years. 

New technological innovation has enabled new business models, the way we live has changed the way we consume services, and the pandemic has changed everything else. 

Since 2019, we have seen changes like: 

However, we have also seen: 

CISOs must balance these factors while building cyber resilience, and there are several aspects that influence their resulting plan. These boil down to the potential that a certain system will be attacked versus the impact of that system being attacked.  

Industry 4.0: IT/OT convergence  

There are two major changes driving the convergence of technology known as Industry 4.0:

  • The integration of technology into more business processes. 
  • The integration of control systems into existing enterprise resource management (ERP) platforms.  

While these changes optimize business processes, they also create new cybersecurity challenges as operational technology (OT) and information technology (IT) become more integrated.  

Security teams often protect OT systems by implementing a security structure called the Purdue Model, illustrated below. This multi-layer model identifies functions within the OT environment and separates them either physically or via a demilitarized zone (DMZ) using firewalls. 


Purdue Model diagram by Dale Peterson.

Starting at level 5 and gradually working down, security teams are including these layers as part of their organization's IT function. This is driving the need to converge IT and OT security and implement a different type of security.

IT/OT convergence requires new cybersecurity strategies

Many international regulators and standards bodies are publishing guidelines and frameworks on deploying security across hybrid IT/OT environments. It is likely that, along with many other guides and frameworks, most will be based on recommendations issued by the U.S. National Institute of Standards and Technology (NIST).

Ransomware and other malware exploit lateral movement to spread throughout a network and target organizations’ highest-value assets. This creates two challenges: 

  • Preserving the confidentiality of data. 
  • Maintaining service while under attack. 

The ways these cyberattacks move through the network allow them to evade traditional detection and remediation methods. Consequently, too many critical infrastructure networks are being crippled and forced to shut down completely.   

Challenges to securing the converged infrastructure 

Without visibility across the combined environment, security teams struggle to understand the connectivity between devices and the potential cybersecurity threats. This makes putting the appropriate security policies in place on the network nearly impossible. 

Most plans to combat cyberattacks, especially ransomware, include several steps: 

  1. Identify the highest-risk assets, both IT and OT. 
  2. Identify services running on the network. 
  3. Map all connections between devices on the network. 
  4. Map the vulnerabilities to understand the exposure of each asset. 
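
The four steps above can be joined into a single exposure ranking. The following is an added example, not Illumio or Armis code: the asset names, flows, ports and severities are constructed sample data, and the scoring formula is an assumption chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data; names, ports and severities are illustrative only.
ASSETS = {  # step 1: asset -> (domain, criticality 1-5)
    "erp-db": ("IT", 5), "laptop-3": ("IT", 1),
    "hist-01": ("OT", 3), "hmi-01": ("OT", 4), "plc-07": ("OT", 5),
}
FLOWS = [  # steps 2-3: observed (source, destination, destination port)
    ("laptop-3", "erp-db", 1433), ("laptop-3", "hist-01", 445),
    ("erp-db", "hist-01", 445), ("hist-01", "hmi-01", 3389),
    ("hmi-01", "plc-07", 502),
]
VULNS = [  # step 4: scanner findings as (asset, port, severity 0-10)
    ("hist-01", 445, 9.8), ("hmi-01", 3389, 8.1),
    ("plc-07", 502, 7.5), ("erp-db", 22, 6.0),
]

def exposed_findings(flows, vulns):
    """Findings whose port an observed flow reaches: {(asset, port): (sev, peers)}."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        peers[(dst, port)].add(src)
    return {(a, p): (sev, peers[(a, p)]) for a, p, sev in vulns if (a, p) in peers}

def upstream(flows, target):
    """Every asset with a direct or multi-hop observed path to target."""
    rev = defaultdict(set)
    for src, dst, _ in flows:
        rev[dst].add(src)
    seen, stack = set(), [target]
    while stack:
        for src in rev[stack.pop()] - seen:
            seen.add(src)
            stack.append(src)
    seen.discard(target)
    return seen

def rank(assets, flows, vulns):
    """Assumed score: criticality x severity x peers reaching the vulnerable port."""
    scores = defaultdict(float)
    for (asset, _), (sev, srcs) in exposed_findings(flows, vulns).items():
        scores[asset] += assets[asset][1] * sev * len(srcs)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for name, score in rank(ASSETS, FLOWS, VULNS):
        it_paths = sorted(a for a in upstream(FLOWS, name) if ASSETS[a][0] == "IT")
        print(f"{name}: score={score:.1f} reachable from IT via {it_paths}")
```

A finding with no observed inbound flow, such as the one on erp-db port 22 in the sample, drops out of the ranking; that lowers its priority for segmentation but does not mean the service is unreachable.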

Traditionally, the tools for carrying out this process in IT and OT environments have been separate and disconnected. This made seeing and securing these environments challenging, if not impossible.  

Illumio and Armis have teamed up to deliver a combined solution that addresses this challenge across the converged infrastructure. 

Illumio + Armis: Unprecedented protection for IT, OT and IoT 

The integration of Illumio and Armis technology provides unprecedented protection for IT, OT, and IoT applications, data, and devices.  

With Illumio and Armis, you can: 

  • Discover, categorize, and map all IoT, OT, and IT systems and communications in a single view, regardless of location: in the cloud, data centers, hospital networks, or remote locations with providers on laptops.  
  • Identify and ringfence high-value systems to protect them from the spread of breaches. Zero Trust Segmentation means only verified communications will be allowed, preventing the movement of any malware. 
  • Build an automated incident response system to apply extra restrictions should an attack be detected. 

By integrating Armis with Illumio, it is now possible to see the flow of communications among your entire estate of operational systems, IT systems, and applications — all in a single, interactive map. 

Illumio uses compute workload metadata and flow information to map communications between workloads. Using your existing naming structure, you can apply simple labels to each workload to display the entire infrastructure. These IT systems could be traditional Linux and Windows systems, AIX, IBM Z Series, containers, and cloud platforms.  

You can import the combined contextual data of Illumio-labeled systems and Armis systems into Illumio’s application dependency map to display it in a single view.  

Then, you can identify and prioritize vulnerabilities, imported from industry-leading scanners, that indicate points of higher risk within the infrastructure and put appropriate measures in place. 

For example, with only a few simple clicks on the map, your team can implement Zero Trust Segmentation policies to protect IT systems and OT devices. All the devices and systems within a function can be compartmentalized to isolate them from potential threats in other areas of the infrastructure.  

Improve availability with Illumio + Armis 

Illumio's mapping and Zero Trust Segmentation capabilities powered by Armis give organizations the comprehensive visibility and control needed to reduce risk and increase cyber resilience.

When a breach occurs, the Illumio and Armis integrated solution can help you quickly identify and contain its spread, avoiding a major shutdown of critical systems. 

Learn more about the joint solution between Illumio and Armis.
