Top Healthcare Education Institution Secures PII from Breach with Illumio Core™

Achieving web-scale security compliance – without hardware firewalls.

Summary

Industry: Higher Education

Environment: Online student portal with VDI and systems across data centers and Azure

Challenge: Web-scale PII ringfencing, plus environmental separation

Solution: Illumio Core (formerly ASP) for dynamic visibility and control

Results: Gaining granular, compliance-grade segmentation – without network-based firewalling

Customer Overview & Challenge

Being the IT organization at a top healthcare career school offering online education to a user body of 15,000 students and faculty is no small task. All users provide Personally Identifiable Information (PII) protected under regulation and subject to security compliance – at cloud scale.

To comply with standard regulations on securing PII, the school’s Senior Security Director sought to tighten up ringfencing of protected systems beyond perimeter firewalling. A dynamic user population demands dynamic user segmentation to databases. But the degree of granularity needed was not possible to maintain when bound to firewalls on the infrastructure. Also, the change management and operational burden of using firewalls didn’t scale to the needs of the business.

“Being able to efficiently and safely enforce policy rules was paramount because we have so many people and systems. With firewalls, it could take months,” he explained. “You have to use change control. If hardware goes down, you jeopardize the whole data center. It creates points of failure and complexity, and puts a strain on the network staff. Every new database requires coordination.”

Security on the network with internal firewalling couldn’t keep up with cloud-based demand.

Illumio Solution

The tall order of finding a segmentation solution that the team would be able to operationalize landed in the hands of their Advisory Systems Engineer, who would ultimately operate it. He chose a software-based approach with Illumio.

“I was interested in micro-segmentation but did not want to use ACLs on network infrastructure, which would require a testing environment and outage windows. At the same time, our security team wanted to start using the native security capabilities of our Windows servers. Illumio Core checked all of the boxes for both implementations – it was my first and final choice. It allows us to see all of the communication flows in our live production environment and to test firewall rules without facing outages.”

Illumio Core orchestrates the Windows Filtering Platform at the server level for enforcement, which prevents any network disruption. With production firewalls, by contrast, a rule that breaks an application introduces the risk of an outage.

Within the same day of deploying Illumio’s real-time application dependency map, the team could visualize traffic flows across their data estate. Illumio allows them to create logical policies, test them before enforcement, and secure their systems from breach – at cloud scale and without re-architecting the network.

Customer Benefits

No re-architecting

Illumio’s host-based solution allows the team to test and enforce policy with no impact on the network and no downtime.

Total visibility

From visualizing traffic flowing across their data estate with the application dependency map, the team discovered “unknown unknowns” on day one of deployment.

Proven segmentation

They gained the dynamic visibility and control needed to secure PII with granular, compliance-grade segmentation.

Flexible granularity

Beyond user segmentation, the team is working towards environmental separation to prevent developers from working in a production environment – a risk no web-scale business can take.

Illumio ASP checked all of the boxes for both implementations – it was my first and final choice. It allows us to see all of the communication flows in our live production environment and to test firewall rules without facing outages.

Advisory Systems Engineer