Zero Trust security is great in theory, but how does it work in practice – especially in the new world of working from home? To find out, we asked Illumio IT Director Matt Parsons about deploying Illumio Edge as part of Illumio’s Zero Trust security strategy.
Matt’s field experience includes managing teams controlling endpoint services for a clientele of the Fortune 100 at Accenture, including endpoint security and BYOD initiatives. Matt later entered endpoint engineering at an elite West Coast healthcare provider before joining Illumio.
KW: Matt, how does Illumio Edge help secure Illumio’s remote workforce?
MP: With shelter-in-place, the home office has effectively become a local, unmonitored extension of the corporate network – with no IT knowledge or control of what’s going in or out of it. It’s not just the one computer at risk, it’s the entire network. With default containment of ransomware and malware through Illumio Edge, we just need to worry about a single infected computer, not the whole network going down.
KW: What’s the biggest concern with WFH during shelter-in-place?
MP: People who work from home don’t often have the best security, especially with shelter-in-place. Their guard is down, it’s not like at an office. If a user is VPNed in and doesn’t have Illumio Edge, you have no idea what traffic is occurring inside those home networks. This is risky. With Illumio Edge, you can control unnecessary open ports as needed. There’s peace of mind when you can guarantee employee traffic is only what you intend to allow.
KW: What did you think of when you first heard “micro-segmentation at the endpoint?”
MP: At previous jobs, it gave me the chills. I would clash with the network team over that sort of thing. They would want to turn on Cisco ISE and forbid P2P communications. It would be terrifying. We can't just do that without interrupting business. There are a ton of systems out there communicating with each other. The network team would say they would just turn on segmentation in a “build” mode without enforcement, but since they couldn’t visualize all the traffic communications, it was ineffective.
KW: Is Zero Trust security at the endpoint too good to be true?
MP: Well, it used to sound too good to be true. Before Illumio Edge was available, we had to rely on open networks, and firewall management on endpoints was pretty weak. A lot of businesses have already been hit by ransomware or some type of propagating malware. Vendors out there can protect and mitigate it through the network, but now, with host-based controls through Illumio Edge, we can just put the walls up and prevent it entirely at the endpoint – only allowing the traffic you want to allow.
KW: What made it easier with Illumio Edge?
MP: One of the great things about Edge is the ability to see, definitively, what is communicating, what needs to communicate, and what is pure noise. To have an understanding around what we’re allowing, at the bare minimum, is brilliant. I would have had a hard time using it if I couldn’t see that from build to enforcement. The transparency and visibility of Edge gave such a clear picture of what would be blocked.
KW: What was the time to value?
MP: The time to value is quick because you instantaneously see that you're not going to be harming your network by stopping lateral traffic. We put it on in enforce mode without incident. Nobody stopped printing to their home printer. There was no loss of VPN connectivity. It was easy to see and identify any traffic potentially being blocked. But also, with build-test-enforce, we had the confidence of knowing the traffic would not be blocked in the first place.
KW: How confident were you with flipping the switch to enforcement?
MP: Very confident. From the workload area, it's super easy to change the policy state. Other products can't even identify the issue easily. You just find the system, there's a checkbox, then a policy state. With Illumio Edge, if you find something broken, move it to test or build to figure out the breaking point.
KW: What were the results? Were there blocked communications and IT tickets?
MP: Not one. We got one unrelated ticket immediately when we announced it had already been deployed. Usually, whenever you put a security policy in place for any entity, you get a lot of tickets. Whenever there is a deployment, that is the problem. Two members of our executive team got blue screens, but we quickly realized that this wasn't due to Illumio Edge – there were memory errors based on something else.
KW: How easy is it to build Zero Trust security policy with Edge?
MP: You know pretty quickly from visualizing your environment and understanding your own business needs whether you want a ruleset to be part of a specific group. The policy model allows you to set a rule in “plain English”, which is helpful for ease of use. Then, you just add a system to that group. After that, the rule takes over and everything starts to work.
KW: How easy is it to assign policy and how granular was it?
MP: Illumio is more intuitive and does the canned stuff better – it’s easier to automate policy for a group of live endpoints on a specific network that need non-P2P communications. Being able to turn it on and off for just a few systems, to “grab and group,” is valuable. Other endpoint security solutions are usually global and you can't chop out the part of your environment in a specific way.
There’s also the ability to see what’s going on with remote endpoints VPNed in. You can create rules on the fly to allow communications if you need to – we just haven’t needed to because the visibility is so effective. There haven’t been any surprises.
KW: How was deployment?
MP: Deployment itself is relatively quick – we are heavily SaaS-based, so there's not a lot of reliance on communications from the data center pushing out into open ports on our workstations. We were able to shut off all external access and have no fallout to endpoints.
I was initially cautious about configuration management and endpoint communications, but there was no need. The way Illumio Edge works with the Windows Filtering Platform flips the model on its head. Instead of working from the network out to the edge, you can secure the endpoint from the endpoint’s perspective and it lets you get very granular very quickly. You don’t start at the switch or the router, you jump right to the endpoint.
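The build, test and enforce progression Matt describes, and the "walls up at the endpoint" model built on the Windows Filtering Platform, can be illustrated with the built-in Windows Defender Firewall, which sits on the same platform. The script below is an added example written for this post; it is not Illumio Edge code and does not reproduce how the Edge agent works. The log path is the firewall's default location, while the corporate address range (`10.20.0.0/16`), the rule prefix and the two allowed ports (5985, 8443) are assumed sample values.

```powershell
# Added illustration, not Illumio Edge code: stage a host-based inbound
# allow-list on one Windows endpoint in three phases that mirror
# build -> test -> enforce. Run from an elevated PowerShell session.
# Ports, address range and rule names below are assumed example values.
param(
    [ValidateSet('Build', 'Test', 'Enforce')]
    [string]$Phase = 'Build'
)

$LogPath    = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'  # firewall default log
$CorpRange  = '10.20.0.0/16'   # assumed corporate / VPN address range
$RulePrefix = 'ZT-Demo'

# Inbound flows we intend to keep, and only from the corporate range.
$AllowList = @(
    @{ Name = 'WinRM management'; Protocol = 'TCP'; Port = 5985 },
    @{ Name = 'Endpoint agent';   Protocol = 'TCP'; Port = 8443 }
)

# IPv4-only CIDR membership check (enough for this demo).
function Test-InCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    try { $ipBytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes() } catch { return $false }
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)          # network -> host byte order
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (([BitConverter]::ToUInt32($ipBytes, 0) -band $mask) -eq
            ([BitConverter]::ToUInt32($netBytes, 0) -band $mask))
}

# Would the allow-list cover this inbound flow once default-deny is on?
function Test-FlowAllowed([string]$Protocol, [int]$DstPort, [string]$SrcIp) {
    foreach ($e in $AllowList) {
        if ($e.Protocol -eq $Protocol -and $e.Port -eq $DstPort -and (Test-InCidr $SrcIp $CorpRange)) {
            return $true
        }
    }
    return $false
}

# Parse pfirewall.log (space-separated: date time action protocol src-ip dst-ip
# src-port dst-port ... path) and summarise inbound (RECEIVE) flows by count.
function Get-InboundFlowSummary([string]$Path) {
    if (-not (Test-Path $Path)) { return @() }
    Get-Content $Path | Where-Object { $_ -and -not $_.StartsWith('#') } | ForEach-Object {
        $f = $_ -split '\s+'
        if ($f.Count -lt 17 -or $f[16] -ne 'RECEIVE') { return }   # skip outbound / malformed lines
        $port = if ($f[7] -match '^\d+$') { [int]$f[7] } else { 0 }   # ICMP logs '-' for ports
        [pscustomobject]@{
            Action     = $f[2]; Protocol = $f[3]; SrcIp = $f[4]; DstPort = $port
            WouldBlock = ($f[2] -eq 'ALLOW') -and -not (Test-FlowAllowed $f[3] $port $f[4])
        }
    } | Group-Object Action, Protocol, DstPort, SrcIp, WouldBlock |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Flow'; e = { $_.Name } }
}

# (Re)create the allow rules so the script is idempotent across phases.
Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
foreach ($e in $AllowList) {
    New-NetFirewallRule -DisplayName "$RulePrefix - $($e.Name)" -Direction Inbound `
        -Protocol $e.Protocol -LocalPort $e.Port -RemoteAddress $CorpRange `
        -Action Allow -Profile Any | Out-Null
}

switch ($Phase) {
    'Build' {
        # Observe only: default inbound stays Allow; log every flow so the real
        # communication pattern (VPN, home printer, agents) is visible first.
        Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
            -DefaultInboundAction Allow -LogAllowed True -LogBlocked True `
            -LogFileName $LogPath -LogMaxSizeKilobytes 32767
        Get-InboundFlowSummary $LogPath | Format-Table -AutoSize
    }
    'Test' {
        # Still allow by default; report only the flows the allow-list would NOT
        # cover, i.e. exactly what enforcement would break. Adjust policy here.
        Get-InboundFlowSummary $LogPath | Where-Object { $_.Flow -like '*True' } | Format-Table -AutoSize
    }
    'Enforce' {
        # Default-deny inbound: only the allow-list rules pass; unsolicited peer
        # traffic is dropped at the host and logged for review.
        Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
            -DefaultInboundAction Block -LogBlocked True -LogFileName $LogPath
        Get-InboundFlowSummary $LogPath | Where-Object { $_.Flow -like 'DROP*' } | Format-Table -AutoSize
    }
}
```

Run it once with `-Phase Build`, let the log accumulate through a normal working day (the firewall flushes `pfirewall.log` with a short delay, so do not expect instant entries), then `-Phase Test` to see which observed flows fall outside the allow-list. Only when that report is empty, or every remaining flow has been deliberately added to `$AllowList`, switch to `-Phase Enforce`; that ordering is what gives the "confidence it would not be blocked in the first place" the interview describes, since the policy is validated against real traffic before default-deny is turned on.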
For more information on how Illumio Edge works: