Adaptive Segmentationmicro-segmentation June 2, 2022

Zero Trust Segmentation: A Decade in the Making

Peter Krass, Contributing Writer

Since its founding in 2013, Illumio has been on quite a journey. Today the company is pioneering the new era of Zero Trust Segmentation for securing applications, workloads, cloud-native architectures, and endpoint devices.

But leading the industry in innovating a revolutionary approach to cybersecurity has been no easy task. Just ask Nathanael Iversen, Illumio's chief evangelist. He's witnessed first-hand the evolution of Illumio and the security market over the last decade.

We spoke with him to get his account of how Illumio and the market have advanced in the quest to help organizations better protect against ransomware and other modern digital threats.
 

What were the top cybersecurity issues when Illumio was founded?

Nathanael Iversen: I’d actually go back to 2012, which was the year before the company’s founding. That year we saw several huge hacks.

Before 2012, if you were a chief information security officer (CISO), you’d tell the world, “Hire me, and I’ll keep you from being hacked.”

But after 2012, CISOs were losing their jobs every 18 months. Their companies would get hacked, and they’d get fired.

In response, over the next year or two, the message changed. Now CISOs were saying, “Hire me, and I’ll help you manage your risk.”

That was a big change. Also, CISOs who had previously been hacked were now perceived as more valuable, not less. The thinking was that because they’d been through an actual attack, they understood the risks better than others. And knew how to repair the inevitable damages.

This is also when boards of directors started to understand that breaches were inevitable. And by 2014, most senior managers at big companies understood this too.
 

What impact did this shift have on how organizations approached cybersecurity?

Nathanael Iversen: It’s when Zero Trust started to gain a foothold. Though the principles of Zero Trust had been around since the 1970s, the concept started to come into the general consciousness of security pros.

A few voices were saying, “It’s no longer about just installing a perimeter firewall and hoping for the best.” Something new was needed, and that something was Zero Trust.
 

What were the challenges with perimeter firewalls? Why weren't they adequate for defending against the new types of cyber threats?

Nathanael Iversen: Firewalls create what we call a zone. And between those zones, the firewall can control what goes from one output port to another.

But a lot of data traffic doesn’t go through those ports, and so the firewall can’t control it. For example, I might build an application where the database is in one location, its web servers are somewhere else, and its application servers are somewhere else again. How do I protect this application in a unified way?

It’s super hard; in fact, I may not be able to do it at all. Maybe I don’t have a firewall between these things. Or maybe two of the elements are behind the firewall, but a third is not. That’s what I call a granularity problem. The firewall is good for things that are coarse, not fine-grained.

Not incidentally, this realization that breaches were inevitable led to a lot of industry regulation. The rules started in banking, then quickly spread to other industries, including law, healthcare and insurance.
 

Why couldn't organization implement finer-grained firewalling?

Nathanael Iversen: One big issue was the complexity of mapping dependencies manually. Larger organizations can have millions of communication flows across applications, services and endpoint devices.

For example, one of Illumio’s early customers had acquired another company that owned some 770 servers. We did a proof-of-concept that basically took the flow data from those 770 servers, and we identified no fewer than 1.2 million data flows.

Can you imagine manually writing firewall rules for 1.2 million flows, and without errors? That’s what I mean by complexity.
 

Did Zero Trust take hold when organizations realized breaches were inevitable?

Nathanael Iversen: Yes, but not all at once. Different industries became aware of the need at different rates. The money people were first: banks and payment systems, as well as their regulators. West Coast technology companies were another group of early adopters.

What happened is that more and more industries felt the pain of disruption. At first, the hackers went where the money is: financial services.

But then, as their doors were shut, the hackers moved on to other industries. And now we’re seeing them attack the least sophisticated, smaller companies which of course are the last to implement protections.
 

When does Zero Trust Segmentation come into the picture, and why?

Nathanael Iversen: If you go back to 2014, many company audits were identifying the problem of poor segmentation. But hardly anyone was addressing it.

In fact, it wasn’t really until 2018 that organizations start putting segmentation on the CISO’s to-do list. That changed because companies realized they needed something that would actually stop the spread of attacks when they got hacked.

Once again, the CISO’s message changed. Now the message was, “There is no safety, but with me, we’ll be prepared.”

And being prepared meant segmenting off your key computing resources and data to only authorized sources, so you can stop attackers from moving laterally across your hybrid IT infrastructure.

That's when the market really started taking note of Illumio's innovative approach that makes it fast and easy for any kind of organization to implement fine-grained traffic segmentation down to the workload level.
 

In the past decade, the IT landscape has gone through dramatic transformation with the pandemic (remote work) and cloud computing. How does Illumio help address these new security challenges for CISOs and their organizations?

Nathanael Iversen: If you go back to 2014, Illumio was all about the data center. Because that’s where 99% of all the workloads were. Sure, we had the cloud, and some people were starting to move there. But at that point, very few organizations had a cloud-first mentality.

By 2017, that was changing. Companies were actively building all-new IT infrastructure in the cloud. And with that came a move to containers. So Illumio responded. Around 2018 we offered our first solutions for protecting containers with segmentation.

Another big shift was to remote and highly distributed computing architectures (thanks to the pandemic). That brought with it the accompanying need of IT to control remote users, authenticating their identities and managing their access to core applications and data.

Remember, the main security problem is people, not machines. They’re the ones who click on those bad links. So starting in 2016, Illumio had the first deployments of our software on endpoint devices, e.g. laptops. And by 2020, we had a complete offering that brought the power of Illumio segmentation to laptops and other remote devices.

And, of course, cloud security has now become a major issue with the widespread adoption of cloud computing platforms and hybrid IT. More and more companies have been getting hacked through the cloud, in some form or another.

So last year Illumio introduced CloudSecure, which brings all the key benefits of Illumio to the cloud through agentless technology.

Now organizations can use Illumio to gain a unified view and 24/7 control of their application communications across clouds, data centers and endpoint devices. No other security platform can offer this.

Our thinking is that once you know you need Zero Trust security, you want it to be everywhere. And now with Illumio you can do just that.

Meet Us at RSA Conference

If your RSA checklists include learning about new technologies for stopping ransomware, please drop by the Illumio booth (#5555, Moscone North) and ask for a demo.

We’ll be glad to show you how we make Zero Trust Segmentation fast and easy to implement for companies of all sizes.

Adaptive Segmentationmicro-segmentation
Share this post: