Adaptive Segmentation, micro-segmentation | June 23, 2021

The Key to Simple, Fast Zero Trust Segmentation: Enforce and Expand

Nathanael Iversen, Chief Evangelist

Most organizations distinguish between the systems used by development teams and the production environment that hosts the servers the business relies on. This separation has both administrative and security value. The trouble is that both environments are in constant flux, and the development environment often depends on production servers for management and other essential data center services. So while the general intent is to deny all connectivity between the two environments, exceptions exist in practice. Manually adjusting firewall rules to accommodate these changes simply isn’t keeping pace with the business. Organizations need a simple, fast way to separate the environments, handle the exceptions and lock down the shared services so they can’t be used as a bridge between environments.

Illumio Core simplifies rolling out segmentation with an 'enforce and expand' policy approach that is well suited to environmental separation. Organizations can create and enforce broad policies right away, or start by isolating Production and end-user systems from Development systems and expand coverage over time, all without rewriting or reprioritizing existing rules. Policies can be staged against real-time traffic to assess their impact before enforcement, and integrations with F5 and Palo Alto Networks simplify mapping the same security policy onto those devices.

How Does it Work?

Defining an enforcement boundary is as simple as saying, “DEV systems can’t talk to PROD systems.” Once stated, every Production system simply refuses connections from Development systems.

So far, so easy. But what about the management and control communications for the systems in the Development environment? Very often, the controllers that manage Development systems are located inside the same data center, right next to important Production assets. Illumio Core ensures that these central management systems accept connections from Development systems only on the ports that management actually requires and refuse everything else. Those management servers are the one sanctioned bridge between the environments, which is why the exception is scoped to specific ports rather than to the whole server.

Every other system in the Production environment refuses communication from the Development systems. It’s really that easy: Illumio’s Policy Compute Engine (PCE) automates the rest.

If you want to go further, the Production systems can also be told to accept core service connections (their own management and control ports) only from the designated management servers, so that neither a compromised Development host nor the Development controller itself has a route into Production services. It’s simple, fast and easy to do: Zero Trust separation for DEV/PROD systems, including the back-end management and control functions.

Intelligent Visibility and Control

Illumio Core processes data from network devices and OS connection tables to build a rich topology map of every interaction between Development systems and their control elements in the data center. Once the traffic is visualized, it is easy to see that the Development systems require very limited communication with the Production environment and should be denied all access except what their control and management needs. Illumio lets you state a broad enforcement boundary such as “Development systems cannot talk to Production systems” and pair it with the exception “except for the management controller for that Development network.” This combination of visibility and control drives clear decision-making and reduces enforcement risk, because policies are built progressively and each step can be checked against observed traffic before it is enforced. Illumio removes painful rule ordering from policy development: rules are placed automatically so that they do not conflict, and each policy can be fully tested to confirm that the system as a whole still behaves as intended.
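To make the boundary, the management exception and the core-service lockdown from the previous section concrete, and to show what staging a policy against observed traffic looks like, here is an added example. It is not Illumio code and does not use the PCE's policy language or API; it is a small label-based policy compiler written for this page. Hosts carry `env` and `role` labels, the policy is written against those labels rather than addresses, each host's inbound nftables rules are derived from the policy (accepts are emitted before drops, so rule order is computed rather than hand-managed), and observed flows are scored before anything is enforced. The host names, addresses, labels, ports and flows are constructed sample data; the `devctrl` role stands in for the Development network's management controller that lives in the Production data center, and `mgmt` for Production's own management server. Recompiling after a host is added or removed is how the "Resilient Policy" idea below plays out in this model.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added illustration of label-based DEV/PROD separation. It is not Illumio Core
# or PCE code; hosts, labels, ports and flows below are constructed sample data.

@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    env: str    # "dev" or "prod"
    role: str   # "app", "db", "devctrl", "mgmt", ...

Selector = Dict[str, str]   # e.g. {"env": "dev"} or {"env": "prod", "role": "mgmt"}

def matches(host: Host, selector: Selector) -> bool:
    """A selector matches when every label it lists equals the host's label."""
    return all(getattr(host, key) == value for key, value in selector.items())

def fmt_ports(ports) -> str:
    """Render a port set in nftables anonymous-set syntax, e.g. '{ 22, 5985 }'."""
    return "{ " + ", ".join(str(p) for p in sorted(ports)) + " }"

@dataclass
class Policy:
    boundaries: List[Tuple[Selector, Selector]]                 # (src, dst): deny across by default
    exceptions: List[Tuple[Selector, Selector, Tuple[int, ...]]]  # (src, dst, ports) allowed across
    services: List[Tuple[Selector, Tuple[int, ...], Selector]]    # (dst, ports, only-from) lockdown

    def locked_ports(self, src: Host, dst: Host) -> set:
        """Core-service ports on dst that src may not reach because it is not a designated source."""
        return {p for dst_sel, ports, src_sel in self.services
                if matches(dst, dst_sel) and not matches(src, src_sel) for p in ports}

    def crosses_boundary(self, src: Host, dst: Host) -> bool:
        return any(matches(src, s) and matches(dst, d) for s, d in self.boundaries)

    def excepted_ports(self, src: Host, dst: Host) -> set:
        return {p for s, d, ports in self.exceptions
                if matches(src, s) and matches(dst, d) for p in ports}

    def verdict(self, src: Host, dst: Host, port: int) -> str:
        """Set-based evaluation: the result does not depend on the order rules were written in."""
        if port in self.locked_ports(src, dst):
            return "drop"
        if self.crosses_boundary(src, dst):
            return "accept" if port in self.excepted_ports(src, dst) else "drop"
        return "accept"

    def inbound_rules(self, host: Host, inventory: List[Host]) -> List[str]:
        """Compile this host's inbound nftables rules from labels; accepts are placed before drops."""
        rules = ["ct state established,related accept"]
        for src in inventory:
            if src.ip == host.ip:
                continue
            locked = self.locked_ports(src, host)
            if self.crosses_boundary(src, host):
                allowed = self.excepted_ports(src, host) - locked
                if allowed:
                    rules.append(f"ip saddr {src.ip} tcp dport {fmt_ports(allowed)} accept")
                rules.append(f"ip saddr {src.ip} drop")
            elif locked:
                rules.append(f"ip saddr {src.ip} tcp dport {fmt_ports(locked)} drop")
        return rules

def nft_ruleset(policy: Policy, host: Host, inventory: List[Host]) -> str:
    """Wrap the compiled rules in a table loadable with 'nft -f' on that host."""
    body = "\n".join(f"        {r}" for r in policy.inbound_rules(host, inventory))
    return ("table inet segmentation {\n    chain input {\n"
            "        type filter hook input priority 0; policy accept;\n"
            f"{body}\n    }}\n}}\n")

def stage(policy: Policy, inventory: List[Host], flows) -> List[Tuple[str, str, int, str]]:
    """Score observed flows (src_ip, dst_ip, dport) before enforcing anything."""
    by_ip = {h.ip: h for h in inventory}
    scored = []
    for src_ip, dst_ip, port in flows:
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        scored.append((src_ip, dst_ip, port,
                       policy.verdict(src, dst, port) if src and dst else "unmanaged"))
    return scored

def find_host(inventory: List[Host], name: str) -> Host:
    return next(h for h in inventory if h.name == name)

INVENTORY = [  # constructed
    Host("dev-app-1", "10.20.0.11", "dev", "app"),
    Host("dev-app-2", "10.20.0.12", "dev", "app"),
    Host("dev-ctrl-1", "10.10.0.5", "prod", "devctrl"),   # dev's controller, hosted in the prod DC
    Host("prod-mgmt-1", "10.10.0.6", "prod", "mgmt"),     # prod's own management server
    Host("prod-db-1", "10.10.0.22", "prod", "db"),
]
POLICY = Policy(
    boundaries=[({"env": "dev"}, {"env": "prod"}),          # DEV can't talk to PROD
                ({"role": "devctrl"}, {"env": "prod"})],     # ...and neither can dev's controller
    exceptions=[({"env": "dev"}, {"role": "devctrl"}, (443, 8443))],  # except dev -> controller
    services=[({"env": "prod"}, (22, 5985), {"role": "mgmt"})],       # prod core services: mgmt only
)
FLOWS = [  # constructed, as if harvested from OS connection tables
    ("10.20.0.11", "10.10.0.22", 5432), ("10.20.0.11", "10.10.0.5", 443),
    ("10.20.0.12", "10.10.0.5", 22),    ("10.10.0.5", "10.10.0.22", 22),
    ("10.10.0.5", "10.10.0.22", 5432),  ("10.10.0.6", "10.10.0.22", 22),
    ("10.10.0.22", "10.10.0.6", 22),
]

if __name__ == "__main__":
    for s, d, p, v in stage(POLICY, INVENTORY, FLOWS):
        print(f"{s} -> {d}:{p}  {v}")
    print(nft_ruleset(POLICY, find_host(INVENTORY, "dev-ctrl-1"), INVENTORY))
```

Running the script scores the sample flows (dev to the database is dropped, dev to its controller on 443 is accepted, dev SSH to the controller is dropped because port 22 is locked to the `mgmt` role, and so on) and prints the controller's ruleset, in which the per-port accepts for dev hosts precede their catch-all drops. Adding a host to `INVENTORY` and recompiling is all that is needed for every Production host to pick up a drop for the new address.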

Automated Security Enforcement

The best approach to separating Production and Development systems includes full automation from policy development through enforcement. Production systems are constantly being added and removed, and the same is true of Development systems. In some industries, healthcare for example, systems are often mobile and constantly changing, powering on and off and otherwise presenting a dynamic communication profile. Once the policy is defined, the path to a Zero Trust posture must be automated, whether by immediately enforcing the policy across the entire organization or by selectively and progressively enforcing it one service at a time. This cuts the time to effective segmentation. By simplifying the policy process, organizations can get to initial enforcement in minutes as they progress towards Zero Trust Segmentation.

Resilient Policy

Separating Production and Development systems can never be a one-time event. Both device populations are ever-changing, so the defined policy must be continuously recalculated and reapplied as systems come and go. Illumio’s approach to Zero Trust Segmentation uses as many of the available enforcement points as possible: the OS firewalls built into Windows, Linux, AIX, Solaris and even mainframes, as well as network switches, load balancers and hardware firewalls. With Production/Development separation enforced across so many points, protection follows each workload rather than depending on a single chokepoint, and every device carries the protection it needs at all times. Because the policy is defined in terms of the environment a system belongs to rather than a list of addresses, the desired separation remains in place regardless of which systems join or leave the environment, and it works the same way in the public cloud and in container environments.


Production and Development separation doesn’t have to be hard. Illumio’s policy engine is designed to isolate Production systems from Development-borne threats. Development devices may have an inherently higher threat profile than Production-managed systems, but they can be contained. With Illumio Core, you can keep Development systems from talking to anything but their central management function, and keep that central function from having any access to Production systems. Illumio provides the visibility and control to accomplish this with a few simple lines of policy, backed by the best segmentation automation available. The result is resilient Zero Trust separation of Production and Development environments.

Ready to segment in minutes on your path to Zero Trust? Learn more today.
