Illumio ASP is a software system that secures any computing platform (bare-metal servers, virtual machines, and containers) in any environment (enterprise data center, private cloud, public cloud – like Amazon Web Services, Google Compute Engine, Microsoft Azure, OpenStack – or hybrid cloud) without any dependency on the underlying network.
It does this by providing:
Illumio ASP understands all the ports, processes, and connections among an application’s workloads and their interrelationships, and uses this information to compute and enforce accurate security. Illumio ASP adapts to computing environment changes, the movement of workloads across data centers and clouds, and IP address changes. It also adapts to application and infrastructure changes and prevents the lateral spread of attacks.
Illumio ASP User Segmentation capabilities can control the communications between desktops and applications running in the data center.
Illumio key benefits include:
Without adaptive security, businesses are slowed down due to the overwhelming number of firewall rules, manual changes required to policies, and the possibility of errors leading to outages or serious vulnerabilities and breaches. Adaptive security automatically accounts for moves, scale, and changes to applications and infrastructure that are typical of modern data centers.
Illumio ASP is a software solution built around the specific and accurate context of the workload and application. Illumio listens to and understands the services and active network connections that are running on a workload.
Illumio ASP constantly computes workload relationships and adapts to any changes in context. Administrators specify the desired interactions between workloads using natural-language terms. Then, Illumio ASP computes and enforces the precise security for each workload in the application by combining workload context with the defined policies. As workload context changes (moves, scale up, scale down, IP address changes, etc.), Illumio ASP computes and distributes the incremental policy changes to the impacted workloads.
Illumio ASP enforces security policies for workloads running on any bare-metal server, virtual machine, or containerized host without any dependencies on the underlying network (VLANs, subnets, zones, physical or software-defined, etc.), hypervisor, or environment (data centers and private, public, or hybrid clouds). Illumio does not simply automate or repurpose existing security capabilities; it applies security in a unique and innovative way.
Illumio ASP enables IT to write policies in natural language based on the Role, Application, Environment, and Location of the workload. These policies are then translated into granular security rules, without the need to specify IP addresses, subnets, VLANs, or zones. The security policies can be applied at the beginning of the application life cycle by integrating with configuration management and orchestration tools such as Chef, Puppet, Ansible, and ElasticBox—or they can be applied to an existing environment.
Organizations are using Illumio ASP to stop cyber threats, improve understanding of risk, and simplify security operations for applications in and across data center and cloud environments.
Here are the seven primary ways organizations are improving security and IT efficiencies with Illumio.
Our customers span organizations of all sizes, verticals, and geographies. This includes nine of the largest 15 financial institutions in the US, and four of the top seven global Software-as-a-Service companies. Our customers include the likes of Morgan Stanley, Salesforce, NetSuite, Plantronics, NTT, Creative Artists Agency, King Entertainment, and Oak Hill Advisors.
Learn more about the customers using Illumio.
There are two main components to Illumio ASP:
Illumio offers three core services to protect applications inside and across the data center and
Watch these videos for an Illumio ASP deep dive.
Yes. Illumio ASP works alongside existing firewall and network security solutions. No changes to the network technology or topology are required to integrate Illumio ASP into a data center or cloud environment.
No. Illumio ASP secures a broad range of operating systems on bare-metal servers, virtualized servers, or containerized hosts in private data centers or private, public, or hybrid clouds.
Read our datasheet for details on supported platforms.
No. Illumio ASP does not require any changes to standard OS or VM configurations.
Illumio ASP performs enforcement using the native capabilities within the host operating system – iptables in Linux servers, Windows Filtering Platform in Windows servers, and IPFilter in AIX and Solaris. If the Illumio VEN is tampered with, an alert is sent to the PCE. The PCE will attempt to re-establish control of the VEN. If attempts to re-establish control of the VEN are unsuccessful, the PCE can update security rules to instruct all other workloads in the environment to shun the workload in question.
A workload equates to a discrete operating system instance. It can run on a bare-metal server, in a virtual machine, on a containerized host, or in a cloud environment.
Workload context includes system properties (operating system, IP address, ports, running processes, etc.), relationships and dependencies to other workloads within the application and beyond, and the ecosystem (location, application details, life cycle, environment, etc.). The context of a workload changes as the application that the workload is a part of moves, changes, and scales up or down.
The VEN resides in the guest OS. Linux, Windows, AIX, and Solaris workloads are supported.
Watch this video for more details on the VEN.
No. The VEN can be installed in a mode that allows you to gain live visibility of the application environment without having to enforce any rules. You can use this option to model/build policy and move to enforcement after you are confident of the results.
Illumination enables administrators to visualize communications within and between applications in data centers and clouds. With Illumination you gain live visibility into the layer-4 connections between workloads, including details about the flows – source and destination IPs, port, protocol, and process names.
Watch this video for the four reasons why visibility is critical to adaptive segmentation.
Illumio ASP allows administrators to assign four-dimensional labels to workloads to identify their Role, Application, Environment, and Location. These labels can then be used to apply security policies to specific parts of the application environment. The Illumio PCE converts these label-based policies into rules that can be applied to the OS-level firewall of the workload.
Once you define a label-based policy, the PCE dynamically computes the appropriate rules for each workload in the environment. The PCE also dynamically re-computes a policy when new workloads are added to or removed from an environment or when workload IP addresses change. This enables the freedom and flexibility to design security policies without relying on networking details that may change. This also helps to drastically reduce the complexity of rules, the number of rules created, and the number of rules managed.
Watch this video to learn more about why labels are important to adaptive segmentation.
Illumio ASP is built on a whitelist enforcement model where only connections that are explicitly defined by policy are accepted and allowed. All other connections are inherently blocked. Policy can be defined at various levels of granularity, including environment, application, and port/process level, allowing the right level of policy to be defined and applied for the use case. With this model, a policy might protect an environment like development by controlling the connections into and out of that environment while allowing all workloads in development to communicate with each other.
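As an added illustration (not Illumio's code, and not how the PCE is implemented), the following toy compiler shows the label-based, whitelist model described above: rules reference only Role/Application/Environment labels, per-workload inbound allow entries are computed from the current inventory, everything else falls through to a default drop, and a change of a workload's IP is handled by recomputing rather than editing rules by hand. The workload inventory, label values, and port are constructed sample data.

```python
# Constructed inventory: each entry stands in for a workload's context (IP + labels).
WORKLOADS = {
    "web1":   {"ip": "10.0.1.10", "role": "web", "app": "shop", "env": "prod", "loc": "us"},
    "web2":   {"ip": "10.0.1.11", "role": "web", "app": "shop", "env": "prod", "loc": "us"},
    "db1":    {"ip": "10.0.2.20", "role": "db",  "app": "shop", "env": "prod", "loc": "us"},
    "db-dev": {"ip": "10.0.9.5",  "role": "db",  "app": "shop", "env": "dev",  "loc": "us"},
}

# Constructed label-based rules: (consumer selector, provider selector, port, proto).
# Only these connections are permitted; no rule mentions an IP address.
RULES = [
    ({"role": "web", "app": "shop", "env": "prod"},
     {"role": "db",  "app": "shop", "env": "prod"}, 5432, "tcp"),
]


def matches(labels, selector):
    """A selector matches when every label it names has the required value."""
    return all(labels.get(k) == v for k, v in selector.items())


def compile_policy(workloads, rules):
    """Return {workload: [(src_ip, port, proto), ...]} of inbound allows per workload.

    Workloads that no rule names as a provider get an empty list, i.e. deny-all inbound.
    """
    allowed = {name: [] for name in workloads}
    for consumer_sel, provider_sel, port, proto in rules:
        consumers = [w for w in workloads.values() if matches(w, consumer_sel)]
        for pname, provider in workloads.items():
            if matches(provider, provider_sel):
                allowed[pname].extend((c["ip"], port, proto) for c in consumers)
    return allowed


def recompute_after_ip_change(workloads, rules, name, new_ip):
    """Model a context change: update one workload's IP and recompile everything."""
    updated = dict(workloads)
    updated[name] = {**workloads[name], "ip": new_ip}
    return compile_policy(updated, rules)


def render_iptables(name, entries):
    """Emit a minimal iptables INPUT chain: explicit allows, then default drop."""
    lines = [f"# {name}: generated inbound policy",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src, port, proto in sorted(entries):
        lines.append(f"-A INPUT -s {src}/32 -p {proto} --dport {port} -j ACCEPT")
    lines.append("-A INPUT -j DROP")
    return "\n".join(lines)
```

Note that `db-dev` receives no allow entries because its Environment label does not match the provider selector, even though its Role and Application labels do.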
The Illumio ASP is available in three deployment types:
Workloads in the customer data center, or in any cloud environment, are secured by installing the VEN software agent on the workload and establishing a connection to the PCE. Most customers are up and running in hours.
User Segmentation builds on Illumio’s earlier capabilities of workload- and process-level segmentation to control which data center applications a user can see and connect to. It extends VEN coverage to include Windows 7 workloads and creates new user-based policies within the PCE.
Organizations are worried about the “inside man” problem where a laptop can connect to a range of unauthorized servers/applications in a data center or public cloud.
For example, a company that has its VDI implementation located in its data centers would like to control what a user can connect to, thereby limiting the ability of a bad actor to steal credentials or leverage weak passwords to gain access to sensitive applications and data.
Illumio is offered as an annual subscription.