Federal Solutions

The challenge

When a malicious insider wants to steal your data, they start with the systems they are permitted to use and then move laterally to reach higher value targets. Similarly, most external hacks breach the perimeter at a low-value system, such as a contractor portal, and use that opening to reach a high-value asset. The common denominator of all of these threats is lateral movement.

The Office of Personnel Management (OPM) breach, the breaches of the White House and the State Department, as well as recent breaches of the intelligence community demonstrate that lateral movement is foundational and an enabler to data theft.

Stopping lateral movement is especially challenging for federal security teams because many federal systems rely on:

• Complex infrastructure.
• Applications distributed between data centers and public and federal clouds.
• Ongoing reliance on legacy systems.

Many organizations turn to detection to catch intruders and malicious insiders. Unfortunately, detection solutions increasingly swamp security teams with alerts, raising the risk that threats are buried under the sheer volume.

USing SEGMENTATION TO SECURE CRITICAL FEDERAL ASSETS

If you want to control lateral movement and stop the spread of threats, you have to segment your environments. This is why the NIST Cybersecurity Framework recommends network segregation (NIST PR.AC-5), and the FTC recommends that organizations segment their networks. 

But when most security teams think about segmentation, they think that network segmentation is the only option. Unfortunately, network segmentation – which was originally designed for efficiency, not security – is not well-suited to working effectively in complex federal environments. 

WHY NETWORK SEGMENTATION FALLS SHORT

A common approach for implementing segmentation is to use the network layer. Unfortunately, for today’s increasingly complex, hybrid, and dynamic federal computing environments, implementing segmentation in the network using VLANs, SDN, and firewalls is incredibly difficult.

Challenge #1: Lack Of Visibility

Network segmentation rarely includes visualization tools – security teams are forced to operate blindly inside complex and changing environments. This can be particularly challenging for federal agencies because government infrastructure is often divided into multiple systems under different management.

A view of connections inside of a typical data center

Challenge #2: Firewall Rule Proliferation

Network-based approaches to segmentation require you to manage tens of thousands of firewall wall rules. This process is time consuming, complex, and error-prone.  

Federal organizations need a way to visualize and understand their networks and then use that understanding to isolate high-value enclaves and segment environments. This stops lateral movement and helps catch malicious outsiders and insiders before they can cause serious damage.

The solution: Segmentation for Security

Security segmentation is the process of deploying different types of segmentation throughout your environment to increase your security without impacting your business process. Because it's not tied to the network, you can segment across hybrid environments and customize your segmentation to fit your needs. 

The Illumio Adaptive Security Platform (ASP) enables your team to implement security segmentation across your environments with two key capabilities:

1. Real-Time Application Dependency Mapping

Illumio visualizes the applications in your environment, including AWS GovCloud and Azure Government. It can visualize modern applications as well as legacy systems. This helps your team understand how your applications connect and communicate. 

A live application dependency map

2. Adaptive Micro-Segmentation

Illumio's adaptive micro-segmentation technology lets you choose the level of segmentation that is right for your environment. We offer the widest range of segmentation options available without all the manual work normally associated with traditional segmentation.This enables security policy to be written in the language of your applications, not your network, allowing you to:

• Segment your environments without relying on network infrastructure.
• Radically reduce the number of policies that your team needs to manage.
• Build policy that automatically adapts to changes in your infrastructure (for example, if you shift an application to AWS GovCloud).

The Result

Illumio enables you to rapidly segment your environment, manage your security without excessive overhead, and identify and stop threats before they reach high-value targets. 

Identify threats and quarantine rougue workloads

Illumio ASP benefits:

• Eliminate blind spots inside data centers and FedRAMP provider clouds and regain control of your application environment.
• Detect and prevent the spread of breaches inside your environments.
• Expedite Authority to Operate (ATO) authorizations and eliminate delays by helping you deploy applications with security in hours instead of weeks.
• Decrease the number of firewall rules that you need to manage by over 95 percent.
• Maximize the effectiveness of existing investments by prioritizing your detection where it matters most.
• Secure critical assets in any environment, including bare-metal, virtualized, and containerized environments on premises, in FedRAMP provider clouds, and across hybrid deployments.
• Accelerate projects such as cloud migrations to AWS GovCloud and Azure Government, data center consolidations, and segmentation initiatives.
• FIPS 140-2 compliant – Illumio ASP integrates third-party FIPS validated cryptographic modules that conform to the Federal Information Processing Standards (FIPS) 140-2 standard. Download our third-party affirmation letters for FIPS 140-2 compliance.