Zero Trust Security

Zero Trust security segments internal networks and prevents the lateral spread of ransomware and cyber breaches

What is Zero Trust?

A Zero Trust framework eliminates automatic access for any source – internal or external – and assumes that internal network traffic cannot be trusted without prior authorization. As operating models evolve with more employees working remotely, the need for a holistic Zero Trust approach is even more urgent.

To guide organizations in their journey, Forrester Research developed the Zero Trust eXtended (ZTX) framework, comprising seven components of an enterprise ecosystem where Zero Trust principles should be applied.

[Diagram: the Zero Trust eXtended (ZTX) framework and its seven components]

Forrester recently found that Zero Trust can reduce an organization’s risk exposure by more than 37%. It also reduces security costs by 31%, helping organizations realize millions of dollars in savings in their overall IT security budgets.

Zero Trust is an essential security strategy

Focusing primarily on perimeter security and firewalls is no longer enough. Many organizations are now adopting the Zero Trust security mindset of “never trust, always verify” to segment internal networks and prevent the spread of breaches.

Though endpoint-focused security solutions have evolved, ransomware continues to impact enterprises. Cyberattacks such as WannaCry and NotPetya rely on lateral movement across environments to escalate a containable nuisance to a cataclysmic attack. Zero Trust Segmentation and focused granular internal controls mitigate this problem and must be deployed as part of a Zero Trust framework.

And as users move away from organizations' private networks to a distributed, remote work model, Zero Trust must be extended to endpoints to reduce the attack surface. As a result, Zero Trust Segmentation has become a key component of the Zero Trust model.

Zero Trust Segmentation follows these core principles:

  1. Trust nothing inside or outside your perimeter, on or off your network
  2. Verify everything – every user and every device – that tries to connect to your systems and applications
  3. Assume breach and focus on preventing ransomware and bad actors from moving inside environments

This approach shifts the conversation to preventive containment, with a focus on preventing lateral movement between endpoints, between users and data center applications, and inside your data center and cloud environments.

Illumio delivers end-to-end Zero Trust microsegmentation from the data center and cloud to endpoints to stop the spread of ransomware and bad actors. Illumio protects against lateral movement across users, end-user devices, applications and workloads, network devices, servers, and other infrastructure.

Forrester Research

While endpoint-focused security solutions have evolved, ransomware continues to impact enterprises ... Worms such as WannaCry and NotPetya rely on lateral movement to escalate a containable nuisance to a cataclysmic attack. Microsegmentation and focused granular internal controls mitigate this problem and must be deployed as part of a Zero Trust strategy.

Conversations on mobilizing Zero Trust

Dr. Chase Cunningham, VP of Research and Principal Analyst at Forrester, joins Illumio CTO PJ Kirner to discuss strategies for getting started with Zero Trust.

Achieving effective Zero Trust for the new world

PJ and Chase return to discuss how Zero Trust priorities have evolved to address remote work environments and ransomware.

Implementing Zero Trust models with Illumio

Data Security

Isolate, encrypt and control data.

Illumio's capabilities include:

  • Secure data and applications with microperimeters
  • Protect data in transit
  • Protect data anywhere it goes

Network Security

Isolate, segment, and secure the network.

Illumio's capabilities include:

  • Default-deny segmentation
  • Informed, granular policy design and testing
  • Infrastructure-agnostic enforcement
  • Violation alerts

Workload Security

Secure the applications and workloads you use to operate your business.

Illumio's capabilities include:

  • Granular policy control at massive scale
  • Process-level enforcement
  • Protect the workload anywhere it goes
  • Simplified deployment

People

Users only have access to what they're entitled to in and across your network.

Illumio's capabilities include:

  • User-based segmentation
  • Remote access control (RAC)
  • Lateral movement prevention

Devices

Secure the devices connected to your network.

Illumio's capabilities include:

  • Device-level segmentation
  • Unknown device detection
  • Device quarantine
  • Authenticate machine identity with PKI certificates

With Illumio Edge:

  • Protect remote user devices from the spread of ransomware whether on the organization's network, at home, or using public Wi-Fi
  • Whitelist peer-to-peer application connections across endpoints
  • Complement network access control (NAC), endpoint detection and response (EDR), and endpoint protection platform (EPP) solutions with default containment, even prior to detection
  • Support dynamic, network-location-aware endpoint segmentation

Visibility and Analytics

Eliminate the blind spots inside and across high-value systems and infrastructure.

Illumio's capabilities include:

  • Live visibility across environments
  • Painless discovery and classification
  • Thorough auditing

Automation and Orchestration

Automate and orchestrate IT operations and security processes across heterogeneous environments.

Illumio integrates with:

  • Orchestration tools – Chef, Puppet, and Ansible
  • Container platform orchestration – Red Hat OpenShift, Kubernetes, and Docker
  • CMDBs – ServiceNow CMDB and BMC Remedy
  • SIEM and security analytics – Splunk and IBM QRadar
  • Vulnerability management tools – Qualys, Tenable, and Rapid7
  • Public cloud tools – AWS CloudFormation, AWS GuardDuty, Azure and AWS flow logs
  • Open source integrations including AWS or Azure flow logs

In addition, Illumio has demonstrated visibility and segmentation at scale – over 200,000 OS instances.

Manageability and Usability

Achieving Zero Trust requires a manageable, easy-to-use application.

Illumio's capabilities include:

  • Fast time to Zero Trust – segment your environments in hours to days
  • Leverage existing investments, including host firewalls, switches, and load balancers, to enforce segmentation across legacy and hybrid systems
  • Enable application owners to create and update policies at scale using natural language
  • Streamlined firewall change management process
  • Enterprise-level RBAC to ensure segregation of duties across policy owners, provisioners, security ops, compliance, and auditors
  • Integration with leading security tools to automate and orchestrate security workflows such as incident response, remediation, and vulnerability management

APIs

Leverage APIs to enable Zero Trust policy creation and enforcement across the enterprise.

Illumio's well-documented REST APIs support integration with a wide set of orchestration tools, including:

  • OneOps
  • Chef
  • Puppet
  • Jenkins
  • Docker
  • OpenStack Heat/Murano

Infrastructure

Plan for a future workforce that is remote, bring-your-own-device (BYOD), and less dependent on perimeter-based infrastructure.

Illumio supports this future state with:

  • Proven, highly scalable end-to-end microsegmentation
  • Independence from the network infrastructure, network design, and underlying data center fabric or SDN architecture
  • End-to-end visibility and control across endpoints, users, networks, data, workloads, and applications
  • Segmentation policies based on user, device authentication, and network location
  • Control applications for remote users in VDI based on user identity and group membership
  • On-demand IPsec encryption secures all data in motion between workloads, agnostic of OS or location
  • Vulnerability-based segmentation to optimize patching or as a compensating control for unpatched devices

3 steps to achieve Zero Trust

  1. Discover

    A critical first step to a Zero Trust framework is to see how your users, devices and apps are connected by understanding what’s communicating and what shouldn’t be.

    • Use a real-time map to see everything across your endpoints and application flows and identify high-value systems and critical applications.
    • Map the connections of sensitive data across users, devices, networks, workloads, and applications to understand what should be allowed to communicate based on least privilege.
    • Enable a single source of truth to facilitate collaboration and engage business and IT stakeholders in designing Zero Trust microperimeters and security policies.
  2. Define

    The next step towards Zero Trust security is to architect optimal microsegmentation controls with automated policy creation to reduce risk and deployment complexity.

    • Define and automate the right level of Zero Trust segmentation controls (from environmental separation to process level) across endpoints and East-West traffic.
    • Identify and map segmentation policies based on the exploitability of vulnerabilities and use segmentation as a compensating control when you can't patch.
    • Visualize and test policies before enforcement to ensure you don’t break applications while provisioning security at birth in cloud-native applications.
  3. Enforce

    Enable default-deny policies that are decoupled from your network to enforce effective Zero Trust controls wherever your endpoints and workloads exist.

    • Use an allowlist model to ensure that only authorized connections can take place across users, devices, networks, applications, and workload communications.
    • Secure data in transit without requiring any changes or upgrade to the existing network infrastructure.
    • Continuously monitor and adjust dynamic Zero Trust policies as your environment changes.
    • Seamlessly integrate with third-party IT tools to orchestrate adaptive Zero Trust across your on-premises and multi-cloud environments to reduce security silos.
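As an added illustration of the Define and Enforce steps above (example code, not Illumio's own software or API): a minimal label-based allowlist is evaluated against flows taken from a connection map in a dry run, so that every flow no rule explicitly permits surfaces as a violation before default-deny enforcement is switched on. The workload names, labels, rules and flows are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    src: dict         # label selector on the source workload; {} matches any workload
    dst: dict         # label selector on the destination workload
    ports: frozenset  # destination TCP ports the rule permits

def matches(selector, labels):
    """A selector matches when every label it names is present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())

def evaluate(flows, rules, inventory):
    """Split observed (src, dst, port) flows into (allowed, violations) under default deny."""
    allowed, violations = [], []
    for src, dst, port in flows:
        permitted = any(
            matches(r.src, inventory[src]) and matches(r.dst, inventory[dst]) and port in r.ports
            for r in rules
        )
        (allowed if permitted else violations).append((src, dst, port))
    return allowed, violations

# Constructed sample inventory: each workload carries role / app / env labels.
INVENTORY = {
    "web1": {"role": "web", "app": "shop", "env": "prod"},
    "web2": {"role": "web", "app": "shop", "env": "prod"},
    "app1": {"role": "app", "app": "shop", "env": "prod"},
    "db1": {"role": "db", "app": "shop", "env": "prod"},
    "db-dev": {"role": "db", "app": "shop", "env": "dev"},
}
# Allowlist: only the tiers that must talk, on the port they need, within one app and env.
PROD_SHOP = {"app": "shop", "env": "prod"}
RULES = [
    Rule({"role": "web", **PROD_SHOP}, {"role": "app", **PROD_SHOP}, frozenset({8080})),
    Rule({"role": "app", **PROD_SHOP}, {"role": "db", **PROD_SHOP}, frozenset({5432})),
]

# Constructed flows as a real-time map might report them (src, dst, dst_port).
OBSERVED_FLOWS = [
    ("web1", "app1", 8080),    # legitimate tier-to-tier traffic
    ("app1", "db1", 5432),     # legitimate
    ("web1", "db1", 5432),     # web tier reaching the database directly
    ("web1", "web2", 445),     # SMB between peers: a lateral-movement path
    ("app1", "db-dev", 5432),  # prod-to-dev environment crossing
]

def run_test_mode():
    """Dry run: report what enforcement would block without blocking anything."""
    return evaluate(OBSERVED_FLOWS, RULES, INVENTORY)
```

The three violations are exactly the flows the Define step wants surfaced: they either break tier separation, cross environments, or show peer-to-peer traffic that a default-deny policy would contain.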


Rated 4.5 stars; 89% recommend Illumio, based on 89 verified reviews as of April 5, 2022.

August 16, 2021

“Great tools for implementing microsegmentation in your Zero Trust strategy. Illumio Core is a very impressive tool to allow us to micro-segment our environment. This allows us better control over the current monolithic firewall approach.”

Lead Security Engineer

Discover how Illumio can protect your organization with Zero Trust Segmentation

Take Illumio for a test drive with our hands-on virtual labs.
