Zero Trust Security


Zero Trust security segments internal networks and prevents the lateral spread of ransomware and cyber breaches.
 

“Zero Trust” is all in the name. What is Zero Trust? Zero Trust eliminates automatic access for any source – internal or external – and assumes that internal network traffic cannot be trusted without prior authorization. As operating models evolve with more employees working remotely, the need for a holistic Zero Trust approach is even more urgent.

 

To guide organizations in their journey, Forrester Research developed the Zero Trust eXtended (ZTX) framework, comprised of seven components of an enterprise ecosystem where Zero Trust principles should be applied.

 

ZeroTrust_Diagram

Forrester recently concluded that Zero Trust can reduce an organization’s risk exposure by 37% or more. But it also found that organizations deploying Zero Trust can reduce security costs by 31% and realize millions of dollars in savings in their overall IT security budgets.”

Zero Trust security strategy and micro-segmentation

Focusing primarily on perimeter security and firewalls is no longer enough. Many organizations are now adopting the Zero Trust security mindset of “never trust, always verify” to segment internal networks and prevent the spread of breaches. As users move steadily off the campus network to a distributed work-from-home model, this principle must be extended to endpoints to reduce the attack surface. As a result micro-segmentation — a security control to stop lateral movement—has become a foundational component for Zero Trust. 

Number-1.svg

Trust nothing inside
or outside your
perimeter, on or off
your network.

Number-2.svg

Verify everything – every user and every device – that tries to connect to your systems and applications.

Number-3.svg

Anticipate breach and focus on preventing ransomware and bad actors from moving laterally inside environments.

This approach shifts the conversation to preventive containment, with a focus on preventing lateral movement between endpoints, between users and data center applications, and inside your data center and cloud environments.

Illumio delivers end-to-end Zero Trust micro-segmentation from the data center and cloud to endpoints to stop the spread of ransomware and bad actors. Illumio protects against lateral movement across users, end-user devices, applications and workloads, network devices, servers, and other infrastructure.

quote image

While endpoint-focused security solutions have evolved, ransomware continues to impact enterprises ... Worms such as WannaCry and NotPetya rely on lateral movement to escalate a containable nuisance to a cataclysmic attack. Microsegmentation and focused granular internal controls mitigate this problem and must be deployed as part of a Zero Trust strategy.

Forrester Research

Conversations on
Mobilizing Zero Trust

Dr. Chase Cunningham, VP of Research and Principal Analyst at Forrester, joins Illumio CTO PJ Kirner to discuss strategies for getting started with Zero Trust.

Achieving Effective Zero Trust for the New World

PJ and Chase return to discuss how Zero Trust priorities have evolved to address remote work environments
and ransomware.

Forrester Logo

Illumio Named a Leader in
the Forrester Zero Trust Wave.

Highest scores in the three primary categories.

2020 Zero Trust Graph

Illumio - A Leader in Zero Trust
Why trust something so critical to anyone else?

How Illumio aligns with the ZTX framework




Data

Network

Workloads

People

Devices

Visibility & Analytics

Automation & Orchestration

Manageability & Usability

APIs

Future State of Infrastructure

Data Security

The Zero Trust eXtended (ZTX) framework helps you understand how a solution enables data isolation, encryption, and control.

Illumio’s capabilities include:

  • Secure data and application with microperimeters
  • Security follows the data – anywhere
  • Protection for data in transit

Network Security

The Zero Trust eXtended (ZTX) framework helps you understand how a solution enables the principles of network isolation, segmentation, and security.

Illumio’s capabilities include:

  • Default-deny segmentation
  • Informed, granular policy design and testing
  • Infrastructure-agnostic enforcement
  • Violation alerts

Workload Security

The Zero Trust eXtended (ZTX) framework helps you understand how a solution secures the applications and workloads you use to operate your business.  

Illumio’s capabilities include:

  • Granular policy control at massive scale
  • Process-level enforcement
  • Security follows the workload – anywhere
  • Simplified deployment

People

The Zero Trust eXtended (ZTX) framework helps you understand how a solution ensures that people only have access to what they’re entitled to in and across your network and business infrastructure.

Illumio’s capabilities include:

  • User-based segmentation
  • Remote access control
  • Lateral movement prevention

Devices

The Zero Trust eXtended (ZTX) framework helps you understand how a solution secures the devices connected to your network.

Illumio’s capabilities include:

  • Device-level segmentation
  • Unknown device detection
  • Device quarantine
  • Authenticate machine identity with PKI certificate

With Illumio Edge:  

  • Protect remote user devices from the spread of ransomware whether on network, remote, and public wifi.
  • Whitelist peer-to-peer application connections across endpoints laptops.
  • Complement network access control (NAC), endpoint detection and response (EDR), and endpoint protection platform (EPP) solutions with default containment, even prior to detection. 
  • Support dynamic and network-location aware endpoint segmentation.

Visibility and Analytics

The Zero Trust eXtended (ZTX) framework helps you understand how a solution can eliminate the blind spots inside and across high-value systems and infrastructure. 

Illumio’s capabilities include:

  • Live visibility across environments
  • Painless discovery and classification
  • Thorough auditing

Automation and Orchestration

The Zero Trust eXtended (ZTX) framework helps you understand how a solution enables you to automate and orchestrate IT operations and security processes across heterogenous environments.

Illumio integrates with:

  • Orchestration tools – Chef, Puppet, and Ansible
  • Container platform orchestration – Red Hat OpenShift, Kubernetes, and Docker
  • CMDBs – ServiceNow CMDB and BMC Remedy
  • SIEM and security analytics – Splunk and IBM QRadar
  • Vulnerability management tools – Qualys, Tenable, and Rapid7
  • Public cloud tools – AWS Cloud Formation, AWS GuardDuty, Azure and AWS flow logs
  • Open source integrations including AWS or Azure flow logs

In addition, Illumio has demonstrated visibility and segmentation at scale – over 200,000 OS instances.

Manageability and Usability

The Zero Trust eXtended (ZTX) framework helps you understand the importance of ease of use and manageability for achieving Zero Trust.

Illumio’s capabilities include:

  • Fast time to Zero Trust – segment your environments in hours to days.
  • Leverage existing investments, including host firewalls, switches, and load balancers, to enforce segmentation across legacy and hybrid systems.
  • Enable application owners to create and update policies at scale using natural language.
  • Streamlined firewall change management process.
  • Enterprise-level RBAC to ensure segregation of duties across policy owners, provisioners, security ops, compliance, and auditors.
  • Integration with leading security tools to automate and orchestrate security workflows such as incident response, remediation, and vulnerability management.

APIs

The Zero Trust eXtended (ZTX) framework helps you understand how a solution leverages APIs to enable Zero Trust policy creation and enforcement across the enterprise.

Illumio's well-documented REST APIs support integration with a wide set of orchestration tools including:

  • OneOps
  • Chef
  • Puppet
  • Jenkins
  • Docker
  • OpenStack Heat/Murano

Illumio API documentation can be found here.

Infrastructure

The Zero Trust eXtended (ZTX) framework helps you plan for a future workforce that is remote, BYOD, and less dependent on perimeter-based infrastructure.

Illumio supports this future state with:

  • Proven highly scalable end-to end micro-segmentation.
  • Independence from the network infrastructure, network design, and underlying data center fabric or SDN architecture.
  • End-to-end visibility and control across endpoints, users, networks, data, workloads, and applications. 
  • Segmentation policies based on user, device authentication, and network location.  
  • Control applications for remote users in VDI based on user identify and group membership.
  • On-demand IPsec encryption secures all data in motion between workloads, agnostic of OS or location. 
  • Vulnerability-based segmentation to optimize patching or as a compensating control for unpatched devices.

Data

Data Security

The Zero Trust eXtended (ZTX) framework helps you understand how a solution enables data isolation, encryption, and control.

Illumio’s capabilities include:

  • Secure data and application with microperimeters
  • Security follows the data – anywhere
  • Protection for data in transit

Network

Network Security

The Zero Trust eXtended (ZTX) framework helps you understand how a solution enables the principles of network isolation, segmentation, and security.

Illumio’s capabilities include:

  • Default-deny segmentation
  • Informed, granular policy design and testing
  • Infrastructure-agnostic enforcement
  • Violation alerts

Workloads

Workload Security

The Zero Trust eXtended (ZTX) framework helps you understand how a solution secures the applications and workloads you use to operate your business.  

Illumio’s capabilities include:

  • Granular policy control at massive scale
  • Process-level enforcement
  • Security follows the workload – anywhere
  • Simplified deployment

People

People

The Zero Trust eXtended (ZTX) framework helps you understand how a solution ensures that people only have access to what they’re entitled to in and across your network and business infrastructure.

Illumio’s capabilities include:

  • User-based segmentation
  • Remote access control
  • Lateral movement prevention

Devices

Devices

The Zero Trust eXtended (ZTX) framework helps you understand how a solution secures the devices connected to your network.

Illumio’s capabilities include:

  • Device-level segmentation
  • Unknown device detection
  • Device quarantine
  • Authenticate machine identity with PKI certificate

With Illumio Edge:  

  • Protect remote user devices from the spread of ransomware whether on network, remote, and public wifi.
  • Whitelist peer-to-peer application connections across endpoints laptops.
  • Complement network access control (NAC), endpoint detection and response (EDR), and endpoint protection platform (EPP) solutions with default containment, even prior to detection. 
  • Support dynamic and network-location aware endpoint segmentation.

Visibility & Analytics

Visibility and Analytics

The Zero Trust eXtended (ZTX) framework helps you understand how a solution can eliminate the blind spots inside and across high-value systems and infrastructure. 

Illumio’s capabilities include:

  • Live visibility across environments
  • Painless discovery and classification
  • Thorough auditing

Automation & Orchestration

Automation and Orchestration

The Zero Trust eXtended (ZTX) framework helps you understand how a solution enables you to automate and orchestrate IT operations and security processes across heterogenous environments.

Illumio integrates with:

  • Orchestration tools – Chef, Puppet, and Ansible
  • Container platform orchestration – Red Hat OpenShift, Kubernetes, and Docker
  • CMDBs – ServiceNow CMDB and BMC Remedy
  • SIEM and security analytics – Splunk and IBM QRadar
  • Vulnerability management tools – Qualys, Tenable, and Rapid7
  • Public cloud tools – AWS Cloud Formation, AWS GuardDuty, Azure and AWS flow logs
  • Open source integrations including AWS or Azure flow logs

In addition, Illumio has demonstrated visibility and segmentation at scale – over 200,000 OS instances.

Manageability & Usability

Manageability and Usability

The Zero Trust eXtended (ZTX) framework helps you understand the importance of ease of use and manageability for achieving Zero Trust.

Illumio’s capabilities include:

  • Fast time to Zero Trust – segment your environments in hours to days.
  • Leverage existing investments, including host firewalls, switches, and load balancers, to enforce segmentation across legacy and hybrid systems.
  • Enable application owners to create and update policies at scale using natural language.
  • Streamlined firewall change management process.
  • Enterprise-level RBAC to ensure segregation of duties across policy owners, provisioners, security ops, compliance, and auditors.
  • Integration with leading security tools to automate and orchestrate security workflows such as incident response, remediation, and vulnerability management.

APIs

APIs

The Zero Trust eXtended (ZTX) framework helps you understand how a solution leverages APIs to enable Zero Trust policy creation and enforcement across the enterprise.

Illumio's well-documented REST APIs support integration with a wide set of orchestration tools including:

  • OneOps
  • Chef
  • Puppet
  • Jenkins
  • Docker
  • OpenStack Heat/Murano

Illumio API documentation can be found here.

Future State of Infrastructure

Infrastructure

The Zero Trust eXtended (ZTX) framework helps you plan for a future workforce that is remote, BYOD, and less dependent on perimeter-based infrastructure.

Illumio supports this future state with:

  • Proven highly scalable end-to end micro-segmentation.
  • Independence from the network infrastructure, network design, and underlying data center fabric or SDN architecture.
  • End-to-end visibility and control across endpoints, users, networks, data, workloads, and applications. 
  • Segmentation policies based on user, device authentication, and network location.  
  • Control applications for remote users in VDI based on user identify and group membership.
  • On-demand IPsec encryption secures all data in motion between workloads, agnostic of OS or location. 
  • Vulnerability-based segmentation to optimize patching or as a compensating control for unpatched devices.

3 practical steps to enable Zero Trust security

  1. Discover

    Seeing how your users, devices, and apps are connected is a critical first step to understand what’s communicating and what shouldn’t be.

    • Use a real-time map to see everything across your endpoints and application flows and identify high-value systems and critical applications.
    • Map the connections of sensitive data across users, devices, networks, workloads, and applications to understand what should be allowed to communicate based on least privilege.
    • Enable a single source of truth to facilitate collaboration and engage business and IT stakeholders in designing Zero Trust microperimeters and security policies.

  2. Define

    Architect optimal micro-segmentation controls with automated policy creation to reduce risk and deployment complexity.

    • Define and automate the right level of Zero Trust segmentation controls (from environmental separation to process level) across endpoints and East-West traffic.
    • Identify and map segmentation policies based on the exploitability of vulnerabilities and use segmentation as a compensating control when you can't patch. 
    • Visualize and test policies before enforcement to ensure you don’t break applications while provisioning security at birth in cloud-native applications.

  3. Enforce

    Enable default-deny policies that are decoupled from your network to enforce effective Zero Trust controls wherever your endpoints and workloads exist.

    • Use an allowlist model to ensure that only authorized connections can take place across users, devices, networks, applications, and workload communications.
    • Secure data in transit without requiring any changes or upgrade to the existing network infrastructure.
    • Continuously monitor and adjust dynamic Zero Trust policies as your environment changes.
    • Seamlessly integrate with third-party IT tools to orchestrate adaptive Zero Trust across your on-premises and multi-cloud environments to reduce security silos.
October 16, 2019

“We did a security audit due to HIPAA. When we saw how much was involved in setting up traditional firewalls between our applications /servers...we discovered micro-segmentation. Illumio was by far the best choice."

- Sr. Network Administrator

Read More

Featured resources

Product Datasheet

Illumio Edge: Endpoint Zero Trust

Download datasheet

Research Report

The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q3 2020

Download report

Video

Zero Trust and the Human Element

Watch video

Try Illumio Edge

Swag Request

Try Illumio Core