Illumio ASP significantly simplifies the process of defining and enforcing security policy while improving control and delivering consistent, up-to-date protection of applications running on bare-metal, virtualized platforms, containerized workloads, or behind network devices on premises or deployed in the cloud.
The Illumio ASP patented architecture is built to scale, adapt to changes in real time, and protect applications with centralized policy and coordinated enforcement of adaptive segmentation policy in the workload, in the network, and through cloud security controls. The Illumio platform consists of the following components:
The PCE (Policy Compute Engine) is the central point of visibility and policy; it is deployed on premises or available as a SaaS service hosted by Illumio.
The PCE continually collects and aggregates workload context (IP addresses, services, ports, traffic flows) from all VENs across application environments and uses it to build and display the live Illumination application map.
The PCE translates declarative, natural language policy into instructions used to program pre-existing firewalls on the workloads, Access Control Lists (ACLs) in data center switches, or cloud security groups in cloud services for enforcement – eliminating the need for administrators to use network constructs such as IP addresses or VLANs in the creation of adaptive segmentation policy.
The PCE adapts to changes across the application environment by updating the Illumination view and automatically recalculating policy to ensure consistent and continuous protection.
The VEN (Virtual Enforcement Node) is a lightweight agent deployed in a workload (i.e., an operating system instance) or on a networking device. The operating system (e.g., Linux, Windows) can be running on bare-metal servers, on virtual machines under any hypervisor, or on container platforms in a private data center or any public cloud.
The VEN is in continuous contact with the Illumio PCE to provide up-to-date workload context across the application environment.
The VEN receives up-to-date instructions from the PCE to program the pre-existing local firewall on the workloads (iptables or Windows Filtering Platform), or ACLs in data center switches to enforce the adaptive segmentation policy at every enforcement point in or across private data centers or the cloud.
Labels allow for classification of workloads in four dimensions using Role, Application, Environment, and Location.
With labels, the application environment can now be organized and visualized with more context showing a view of applications and their components.
Labels become the foundation of policy for a model that is both simple to define and adaptable to changes while eliminating dependencies on the infrastructure.
Illumio policy is defined using declarative, natural language and without network constructs, such as VLANs, zones, and IP addresses, for a model that is easy to create and easy for all security, infrastructure, or application teams to understand.
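To make the label model concrete, here is an added illustration (not Illumio's code and not the PCE's real policy format): a toy compiler that turns one label-only rule into iptables-style INPUT rules for a single workload, so that a re-addressed workload changes the firewall output without any edit to the rule. The workload names, labels and RFC 1918 addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    ip: str            # discovered by the agent; never written into policy
    labels: dict       # the four dimensions: role, app, env, loc

@dataclass
class Rule:
    consumers: dict    # label selector for the side opening the connection
    providers: dict    # label selector for the side accepting it
    port: int

def matches(workload, selector):
    """A workload matches a selector when every selected label agrees."""
    return all(workload.labels.get(k) == v for k, v in selector.items())

def compile_inbound(target, workloads, rules):
    """Inbound allow list for one workload (iptables-save syntax) plus default deny."""
    lines = []
    for r in rules:
        if not matches(target, r.providers):
            continue
        for w in workloads:
            if w is not target and matches(w, r.consumers):
                lines.append(f"-A INPUT -s {w.ip}/32 -p tcp --dport {r.port} -j ACCEPT")
    lines.append("-A INPUT -j DROP")  # anything not explicitly allowed is dropped
    return lines

# Constructed sample inventory (hypothetical names and addresses).
WORKLOADS = [
    Workload("web1",   "10.0.1.11", {"role": "web", "app": "shop", "env": "prod", "loc": "us"}),
    Workload("web2",   "10.0.1.12", {"role": "web", "app": "shop", "env": "prod", "loc": "us"}),
    Workload("db1",    "10.0.2.21", {"role": "db",  "app": "shop", "env": "prod", "loc": "us"}),
    Workload("db-dev", "10.0.9.21", {"role": "db",  "app": "shop", "env": "dev",  "loc": "us"}),
]
# One rule written purely in labels: prod shop web tier may reach prod shop db tier on 5432.
RULES = [Rule({"role": "web", "app": "shop", "env": "prod"},
              {"role": "db",  "app": "shop", "env": "prod"}, 5432)]

def policy_for(name, workloads=WORKLOADS, rules=RULES):
    target = next(w for w in workloads if w.name == name)
    return compile_inbound(target, workloads, rules)

if __name__ == "__main__":
    print("\n".join(policy_for("db1")))
    # Simulate a change the PCE would pick up: web1 is re-addressed, the rule is untouched.
    WORKLOADS[0].ip = "10.0.1.99"
    print("\n".join(policy_for("db1")))
```

Note that db-dev receives only the default deny: the rule's env label does not match, which is the decoupling from IPs and VLANs that the text describes.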
Write once and enforce everywhere with policy that adapts automatically to changes in the application environment.
Automatic policy recommendation helps teams quickly determine the best policy for the environment and enforce protection quickly.