How Illumio Lowers ACH Group’s Cyber Risk — With Nearly Zero Overhead

Business goals

When you’re a not-for-profit organization, a cyberattack isn’t just a business problem. It’s also a threat to your societal mission.

Take ACH Group. Its 1,800 employees provide housing and other related services for some 20,000 older people in South Australia.

ACH’s tagline is “good lives for older people.” But if the organization’s IT systems are breached by ransomware, its ability to support those good lives could be compromised.

“For us, cybersecurity is less about getting hacked and more about the availability and integrity of our services,” according to an ACH security executive. “So when we commit funding to technology, it needs to clearly help us serve our customers more effectively.”

Technology challenges

To lower ACH’s cyber risk, ACH’s security team set out to establish an efficient, central way to manage segmentation and firewalling policies. They wanted to be able to tag a workload, then have a security policy automatically assigned to it, instantly protecting that workload and blocking unnecessary communications.

This represented a big change from ACH’s previous technology policy, which focused on network firewalls. But that approach wasn’t working well with its hyper-converged infrastructure.

For example, because the company’s development, test and production environments all ran on the same server chassis, the security team didn’t have a way to segment those environments.

Further complicating matters, the organization operates an array of legacy hardware applications, due for retirement.

With limited budget and a small operations team, ACH Group needed a technology that added key defensive capabilities while still being simple to learn and easy to manage.

How Illumio helped

To reduce the cyber risk from an attack or malware that could impair ACH’s ability to serve its customers, the security team focused on “pragmatic” Zero Trust security that embodies a “sometimes trust, always verify” approach.

To implement this pared-back Zero Trust strategy, the team needed a platform that made it easy to implement microsegmentation down to the workload level.

Once we decided this was the problem we were going to solve, choosing Illumio was a no-brainer. There’s really no other product that can do what Illumio does. Information Security Manager ACH Group

All roads led to Illumio.

“Once we decided this was the problem to solve, choosing Illumio was a no-brainer,” the ACH security executive says. “There’s really no other product that can do what Illumio does.”

By using Illumio Core, the security team at ACH can now easily enforce segmentation access policies down to the workload, across the entire IT infrastructure. Security managers simply tag a given workload, then Illumio automatically assigns the right policy to each workload.

“With Illumio, we just set it and forget it,” the executive says. “It’s ridiculously simple.”

Results and benefits

The visibility Illumio provides into application communications has been revolutionary and the key to its effectiveness for the ACH Group, the security executive says.

“In one view, we can see everything that is going on. We know exactly what is talking to what. And that has been eye-opening.”

With Illumio, the security team can map application dependencies, then use that information to set policy. Previously, they had to reference scattershot documentation that was incomplete at best.

Illumio also helps ACH define polices for blocking all but essential traffic, creating “deny lists.”

By switching on enforcement one application at a time, the security team can easily segment ACH Group’s development, testing and production environments, something that was impossible previously.

The best part about Illumio is how it is supporting the ACH Group’s mission to focus resources on its customers. Maintaining segmentation policies with Illumio only requires about 2 hours of staff time a week. “Our overhead has been nearly zero,” the executive says.