Illumio ASP is a software solution that secures any computing platform (bare-metal servers, virtual machines, and containers) in any environment (data center, private cloud, public cloud such as Amazon Web Services, Google Compute Engine, Microsoft Azure, and OpenStack, or hybrid cloud) without any dependency on the underlying network.
It does this by providing:
Illumio ASP understands the ports, processes, and connections among an application’s workloads, including their interrelationships and potential vulnerabilities, and uses this information to compute and enforce precise per-workload policy. Illumio ASP adapts to computing environment changes, the movement of workloads across data centers and clouds, and IP address changes. It also adapts to application and infrastructure changes and prevents the lateral spread of attacks.
Illumio ASP user segmentation capabilities can control the communications between desktops and applications running in the data center.
Key benefits include:
Without adaptive security, businesses are slowed down due to the overwhelming number of firewall rules, manual changes required to policies, and the possibility of errors leading to outages or serious vulnerabilities and breaches. Adaptive security automatically accounts for moves, scale, and changes to applications and infrastructure that are typical of modern data centers.
Illumio ASP is a software solution built around the specific and accurate context of the workload and application. Illumio listens to and understands the services and active network connections that are running on a workload.
Illumio ASP constantly computes workload relationships and adapts to any changes in context. Administrators specify the desired interactions between workloads using natural-language terms. Then, Illumio ASP computes and enforces the precise security for each workload in the application by combining workload context with the defined policies. As workload context changes (moves, scale up, scale down, IP address changes, etc.), Illumio ASP computes and distributes the incremental policy changes to the impacted workloads.
Illumio ASP enforces security policies for workloads running on any bare-metal server, virtual machine, or containerized host without any dependency on the underlying network (VLANs, subnets, zones, physical or software-defined), hypervisor, or environment (data centers and private, public, or hybrid clouds). Illumio does not simply automate or repurpose existing security capabilities; it applies security in a unique and innovative way.
Illumio ASP enables IT to write policies in natural language based on the role, application, environment, and location of the workload. These policies are then translated into granular security rules, without the need to specify IP addresses, subnets, VLANs, or zones.
Policy Generator can be used to automate segmentation policy creation and includes inputs such as requested policy granularity and exposure of workloads and vulnerabilities. This saves time, accelerates security workflows, and reduces the risk of human errors.
Illumio micro-segmentation policies can be applied at the beginning of the application life cycle by integrating with configuration management and orchestration tools such as Chef, Puppet, Ansible, and ElasticBox – or they can be applied to an existing environment.
Organizations are using Illumio ASP to prevent the spread of breaches, improve understanding of risk, and simplify security operations for applications inside and across data center and cloud environments.
Here are the primary ways organizations are improving security and IT efficiencies with Illumio.
Our customers span organizations of all sizes, verticals, and geographies, including nine of the largest 15 financial institutions in the US and four of the top seven global Software-as-a-Service companies. Our customers include the likes of Morgan Stanley, Salesforce, BNP Paribas, Oracle NetSuite, Plantronics, NTT, Creative Artists Agency, and Oak Hill Advisors.
Learn more about the customers using Illumio.
There are two main components to Illumio ASP: the Policy Compute Engine (PCE), which computes policy, and the Virtual Enforcement Node (VEN), the agent installed on each workload.
Illumio offers three core services to protect applications inside and across the data center and cloud environments:
Watch these videos for an Illumio ASP deep dive.
Vulnerability maps combine third party vulnerability and threat insights from companies like Qualys with Illumio’s application dependency map to help teams see which applications are connecting into vulnerable ports in real time. This enables application security teams, vulnerability management teams, and segmentation teams to understand not only the vulnerability of a workload but, more importantly, the paths that bad actors can leverage to exploit vulnerabilities.
See this video for a demo of Illumio ASP vulnerability maps.
Vulnerability management and micro-segmentation are both foundational security controls and critical to a successful cybersecurity strategy. The combination of vulnerability data and the application dependency map shows how an attacker looks at exploiting vulnerabilities in the data center. This insight helps teams to prioritize patching efforts and the application of compensating controls like micro-segmentation.
Illumio vulnerability maps include an East-West exposure score that is shown per workload. For any workload that has a VEN, the score counts how many other workloads can reach the individual vulnerabilities on that workload, and could therefore exploit them. The lower the score, the smaller the set of workloads from which a bad actor could exploit the vulnerabilities on that workload. This insight can be used to prioritize and generate precise micro-segmentation policies as a compensating control and to help prioritize patching efforts.
Vulnerability-based micro-segmentation can be used as a compensating control to reduce East-West exposure by reducing or eliminating unnecessary pathways that may be used to take advantage of vulnerabilities. Compensating controls are used when patching cannot be performed, such as in the case where a patch is not available or patching would impact the availability of a critical application.
Illumio vulnerability-based micro-segmentation quantifies risk reduction before and after policy is deployed. When vulnerability-based micro-segmentation is used as a compensating control, Illumio provides detailed reports on the reduction of vulnerability exposure.
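The following is an added example, not Illumio's code, showing how an East-West exposure score of the kind described above can be computed over a dependency map, and how the before/after reduction is quantified once a segmentation policy is applied. The scoring rule (number of distinct other workloads that policy allows to reach a port with a recorded vulnerability), the workload names, the placeholder vulnerability ids, and the allowlist are all constructed for the example.

```python
"""Added example (not Illumio's code): an East-West exposure score
computed over a constructed application dependency map.

Assumed scoring rule (mine, not taken from the page): a workload's score is
the number of distinct other workloads that policy allows to open a
connection to at least one port on it with a recorded vulnerability.
"""

# Constructed inventory: every workload is assumed to run a VEN.
WORKLOADS = ["web1", "web2", "app1", "db1", "dev1", "jump1"]

# Constructed vulnerability findings keyed by (workload, port). The ids are
# placeholders for this example, not real advisories.
VULNS = {
    ("db1", 3306): ["VULN-DB-1"],
    ("app1", 8080): ["VULN-APP-1", "VULN-APP-2"],
}

# Constructed allowlist produced by a segmentation policy, as
# (consumer, provider, port) tuples. Before policy is enforced (or in a flat
# network) there is no such set, which the functions below model as None.
ALLOWED_AFTER = {
    ("web1", "app1", 8080),
    ("web2", "app1", 8080),
    ("app1", "db1", 3306),
}


def can_reach(src, dst, port, allowed):
    """True if src may open a connection to dst:port under the given policy.
    allowed=None means every workload can reach every port (no enforcement)."""
    return allowed is None or (src, dst, port) in allowed


def attack_paths(workloads, vulns, allowed=None):
    """Every (consumer, provider, port, vuln_ids) pathway that reaches a
    vulnerable port; this is what the dependency-map overlay makes visible."""
    paths = []
    for (dst, port), ids in sorted(vulns.items()):
        for src in workloads:
            if src != dst and can_reach(src, dst, port, allowed):
                paths.append((src, dst, port, tuple(ids)))
    return paths


def exposure_scores(workloads, vulns, allowed=None):
    """Per-workload East-West exposure score under the assumed rule above."""
    reachers = {w: set() for w in workloads}
    for src, dst, _port, _ids in attack_paths(workloads, vulns, allowed):
        reachers[dst].add(src)
    return {w: len(reachers[w]) for w in workloads}


def exposure_reduction(before, after):
    """Percentage drop in the summed exposure score after policy is applied."""
    b, a = sum(before.values()), sum(after.values())
    return 0.0 if b == 0 else 100.0 * (b - a) / b


if __name__ == "__main__":
    before = exposure_scores(WORKLOADS, VULNS)
    after = exposure_scores(WORKLOADS, VULNS, ALLOWED_AFTER)
    for w in WORKLOADS:
        print(f"{w:6} exposure before={before[w]} after={after[w]}")
    print(f"reduction: {exposure_reduction(before, after):.0f}%")
    for path in attack_paths(WORKLOADS, VULNS, ALLOWED_AFTER):
        print("remaining path:", path)
```

In the flat (pre-policy) state both vulnerable workloads are reachable from all five peers, so the summed score is 10; after the allowlist only the two web tiers reach app1 and only app1 reaches db1, a 70% reduction. The remaining paths are the ones that still need a patch or a further compensating control.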
Yes. Illumio ASP works alongside existing firewall and network security solutions. No changes to the network technology or topology are required to integrate Illumio ASP into a data center or cloud environment.
No. Illumio ASP secures a broad range of operating systems on bare-metal servers, virtualized servers, or containerized hosts, whether in a private data center or in a private, public, or hybrid cloud.
Read our datasheet for details on supported platforms.
No. Illumio ASP does not require any changes to standard OS or VM configurations.
Illumio ASP performs enforcement using the native capabilities of the host operating system: iptables on Linux servers, the Windows Filtering Platform on Windows servers, and IPFilter on AIX and Solaris. If the Illumio VEN is tampered with, an alert is sent to the PCE. The PCE will attempt to re-establish control of the VEN. If those attempts are unsuccessful, the PCE can update security rules to instruct all other workloads in the environment to shun the workload in question. Because that quarantine is enforced by the peers' own host firewalls rather than by the compromised host, it holds even if the tampered VEN no longer applies its rules.
A workload equates to a discrete operating system instance. It can run on a bare-metal server, in a virtual machine, on a containerized host, or in a cloud environment.
Workload context includes system properties (operating system, IP address, ports, running processes, etc.), relationships and dependencies to other workloads within the application and beyond, and the ecosystem (location, application details, life cycle, environment, etc.). The context of a workload changes as the application that the workload is a part of moves, changes, and scales up or down.
The VEN resides in the guest OS. Linux, Windows, AIX, and Solaris workloads are supported.
Watch this video for more details on the VEN.
No. The VEN can be installed in a mode that allows you to gain live visibility of the application environment without having to enforce any rules. You can use this option to model/build policy and move to enforcement after you are confident of the results.
Illumination provides live insights to help you visualize application dependencies, see how exposed vulnerabilities are, and automatically recommend optimized policies for applications running across data centers and clouds. With Illumination, you gain live visibility into the Layer 4 connections between workloads, including details about each flow: source and destination IPs, port and protocol, and process names. In addition, vulnerability maps provide a view into potentially vulnerable workloads and connections.
Watch this video for the four reasons why visibility is critical to adaptive segmentation.
Illumio ASP allows administrators to assign labels to workloads along four dimensions: role, application, environment, and location. These labels can then be used to apply security policies to specific parts of the application environment. The PCE converts these label-based policies into rules that are applied to the OS-level firewall of each workload.
Once you define a label-based policy, the PCE dynamically computes the appropriate rules for each workload in the environment. The PCE also dynamically re-computes a policy when new workloads are added to or removed from an environment or when workload IP addresses change. This enables the freedom and flexibility to design security policies without relying on networking details that may change. This also helps to drastically reduce the complexity of rules, the number of rules created, and the number of rules managed.
Watch this video to learn more about why labels are important to adaptive segmentation.
Illumio ASP is built on a whitelist (allowlist) enforcement model: only connections that are explicitly defined by policy are accepted, and all other connections are blocked. Policy can be defined at various levels of granularity, including environment, application, and port/process level, so the right level of policy can be defined and applied for the use case. With this model, a policy might protect an environment such as development by controlling the connections into and out of that environment while allowing all workloads within development to communicate freely.
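As an added example (not Illumio's own code, and not the PCE's or VEN's actual rule formats), the block below shows the mechanics described in the three preceding answers: label-based rules are compiled into a per-workload inbound allowlist with everything else denied, one rule is written at environment granularity while the others are port-level, the result is rendered as illustrative iptables lines, and a single IP address change is recomputed so that only the workloads whose rules actually changed would receive an update. The workload inventory, addresses, and policy are constructed for the example.

```python
"""Added example (not Illumio's code): compile a label-based allowlist policy
into per-workload firewall rules, render one workload's rules as iptables
commands, and recompute after an IP change so only impacted workloads are
updated. Rule format and iptables rendering are illustrative, not the
PCE's or VEN's real formats."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    role: str
    app: str
    env: str
    loc: str

    def labels(self):
        return {"role": self.role, "app": self.app, "env": self.env, "loc": self.loc}


# Constructed inventory; names and addresses are made up.
WORKLOADS = [
    Workload("web1", "10.0.0.10", "web", "shop", "prod", "dc1"),
    Workload("web2", "10.0.0.11", "web", "shop", "prod", "dc1"),
    Workload("app1", "10.0.1.10", "app", "shop", "prod", "dc1"),
    Workload("db1", "10.0.2.10", "db", "shop", "prod", "dc1"),
    Workload("dev-web1", "10.1.1.10", "web", "shop", "dev", "dc1"),
    Workload("dev-app1", "10.1.1.11", "app", "shop", "dev", "dc1"),
]

# Label-based policy. A selector names only the label keys it cares about, so
# {"env": "dev"} matches every dev workload whatever its role. port=None
# means any port: environment-level rather than port-level granularity.
POLICY = [
    {"consumers": {"role": "web", "app": "shop", "env": "prod"},
     "providers": {"role": "app", "app": "shop", "env": "prod"}, "port": 8080},
    {"consumers": {"role": "app", "app": "shop", "env": "prod"},
     "providers": {"role": "db", "app": "shop", "env": "prod"}, "port": 3306},
    {"consumers": {"env": "dev"}, "providers": {"env": "dev"}, "port": None},
]


def matches(workload, selector):
    """A workload matches a selector when every named label has the given value."""
    return all(workload.labels().get(k) == v for k, v in selector.items())


def compile_rules(workloads, policy):
    """Return {workload name: [(consumer_ip, port, proto), ...]} of inbound
    allows. Anything not listed is denied: the model is allowlist-only."""
    inbound = {w.name: [] for w in workloads}
    for rule in policy:
        providers = [w for w in workloads if matches(w, rule["providers"])]
        consumers = [w for w in workloads if matches(w, rule["consumers"])]
        proto = "tcp" if rule["port"] is not None else "all"
        for p in providers:
            for c in consumers:
                if c.name != p.name:
                    inbound[p.name].append((c.ip, rule["port"], proto))
    return inbound


def render_iptables(allows):
    """Illustrative Linux rendering of one workload's inbound allowlist:
    default-deny INPUT, then one ACCEPT per allowed consumer."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src_ip, port, proto in sorted(set(allows), key=str):
        if port is None:
            lines.append(f"iptables -A INPUT -s {src_ip} -j ACCEPT")
        else:
            lines.append(f"iptables -A INPUT -s {src_ip} -p {proto} --dport {port} "
                         "-m conntrack --ctstate NEW -j ACCEPT")
    return lines


def incremental_update(workloads, policy, old_rules, name, new_ip):
    """Recompute after `name` changes address; return the new inventory, the
    new rule set, and the names of workloads whose rules actually changed."""
    new_workloads = [replace(w, ip=new_ip) if w.name == name else w for w in workloads]
    new_rules = compile_rules(new_workloads, policy)
    impacted = {n for n in new_rules if new_rules[n] != old_rules.get(n)}
    return new_workloads, new_rules, impacted


if __name__ == "__main__":
    rules = compile_rules(WORKLOADS, POLICY)
    print("\n".join(render_iptables(rules["db1"])))
    _, _, impacted = incremental_update(WORKLOADS, POLICY, rules, "app1", "10.0.1.77")
    print("workloads needing an updated rule set:", sorted(impacted))  # ['db1']
```

Note that web1 ends up with an empty inbound list: nothing in the policy names it as a provider, so under the allowlist model it accepts no new inbound connections at all, which is the intended default rather than an error. When app1 moves to a new address, only db1's rule set changes (app1's own inbound allows still name the unchanged web tier addresses), so that is the only workload that needs a push.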
Illumio ASP is available in three deployment types:
Workloads in the customer data center or in any cloud environment are secured by installing the VEN software agent on the workload and establishing a connection to the PCE. Most customers are up and running in hours.
User segmentation builds on Illumio’s earlier capabilities of workload- and process-level segmentation to control which data center applications a user can see and connect to. It extends VEN coverage to include Windows 7 workloads and creates new user-based policies within the PCE.
Organizations are worried about the “inside man” problem where a laptop can connect to a range of unauthorized servers/applications in a data center or public cloud.
For example, a company that has its VDI implementation located in its data centers would like to control what a user can connect to, thereby limiting the ability of a bad actor to steal credentials or leverage weak passwords to gain access to sensitive applications and data.
Illumio is offered as an annual subscription.
Contact Illumio Sales at sales@illumio.com.