Zero Trust


What is Zero Trust?
 

“Zero Trust” is all in the name. Zero Trust eliminates automatic access for any source – internal or external – and assumes that internal network traffic cannot be trusted without prior authorization. As operating models evolve with more employees working remotely, the need for a holistic Zero Trust approach is even more urgent.

 

To guide organizations in their journey, Forrester Research developed the Zero Trust eXtended (ZTX) framework, comprised of seven components of an enterprise ecosystem where Zero Trust principles should be applied.

 

ZeroTrust_Diagram

Forrester recently concluded that Zero Trust can reduce an organization’s risk exposure by 37% or more. But it also found that organizations deploying Zero Trust can reduce security costs by 31% and realize millions of dollars in savings in their overall IT security budgets.”

Your Zero Trust strategy and micro-segmentation

Focusing primarily on perimeter security and firewalls is no longer enough. Many organizations are now adopting the Zero Trust security mindset of “never trust, always verify” to segment internal networks and prevent the spread of breaches. As users move steadily off the campus network to a distributed work-from-home model, this principle must be extended to endpoints to reduce the attack surface.

Number-1.svg

Trust nothing inside
or outside your
perimeter, on or off
your network.

Number-2.svg

Verify everything – every user and every device – that tries to connect to your systems and applications.

Number-3.svg

Anticipate breach and focus on preventing ransomware and bad actors from moving laterally inside environments.

This approach shifts the conversation to preventive containment, with a focus on preventing lateral movement between endpoints, between users and data center applications, and inside your data center and cloud environments.

As a result, micro-segmentation – a security control to stop lateral movement – has become a foundational component for Zero Trust.

Illumio delivers end-to-end Zero Trust micro-segmentation from the data center and cloud to endpoints to stop the spread of ransomware and bad actors. Illumio protects against lateral movement across users, end-user devices, applications and workloads, network devices, servers, and other infrastructure.

quote image

While endpoint-focused security solutions have evolved, ransomware continues to impact enterprises ... Worms such as WannaCry and NotPetya rely on lateral movement to escalate a containable nuisance to a cataclysmic attack. Microsegmentation and focused granular internal controls mitigate this problem and must be deployed as part of a Zero Trust strategy.

Forrester Research

Conversations on
Mobilizing Zero Trust

Dr. Chase Cunningham, VP of Research and Principal Analyst at Forrester, joins Illumio CTO PJ Kirner to discuss strategies for getting started with Zero Trust.

Achieving Effective Zero Trust for the New World

PJ and Chase return to discuss how Zero Trust priorities have evolved to address remote work environments
and ransomware.

Forrester logo transparent.png

Illumio is a Leader in
The Forrester Wave:
Zero Trust eXtended Ecosystem Platform Providers, Q4 2019
Receives highest score in current offering

ZTX Wave Chart 2019-v2.png

How Illumio aligns with the ZTX framework




Data

Network

Workloads

People

Devices

Visibility & Analytics

Automation & Orchestration

Manageability & Usability

APIs

Future State of Infrastructure

Data Security

The Zero Trust eXtended (ZTX) framework helps you understand how a solution enables data isolation, encryption, and control.

Illumio’s capabilities include:

  • Secure data and application with microperimeters
  • Security follows the data – anywhere
  • Protection for data in transit

Network Security

The Zero Trust eXtended (ZTX) framework helps you understand how a solution enables the principles of network isolation, segmentation, and security.

Illumio’s capabilities include:

  • Default-deny segmentation
  • Informed, granular policy design and testing
  • Infrastructure-agnostic enforcement
  • Violation alerts

Workload Security

The Zero Trust eXtended (ZTX) framework helps you understand how a solution secures the applications and workloads you use to operate your business.  

Illumio’s capabilities include:

  • Granular policy control at massive scale
  • Process-level enforcement
  • Security follows the workload – anywhere
  • Simplified deployment

People

The Zero Trust eXtended (ZTX) framework helps you understand how a solution ensures that people only have access to what they’re entitled to in and across your network and business infrastructure.

Illumio’s capabilities include:

  • User-based segmentation
  • Remote access control
  • Lateral movement prevention

Devices

The Zero Trust eXtended (ZTX) framework helps you understand how a solution secures the devices connected to your network.

Illumio’s capabilities include:

  • Device-level segmentation
  • Unknown device detection
  • Device quarantine
  • Authenticate machine identity with PKI certificate

With Illumio Edge:  

  • Protect remote user devices from the spread of ransomware whether on network, remote, and public wifi.
  • Whitelist peer-to-peer application connections across endpoints laptops.
  • Complement network access control (NAC), endpoint detection and response (EDR), and endpoint protection platform (EPP) solutions with default containment, even prior to detection. 
  • Support dynamic and network-location aware endpoint segmentation.

Visibility and Analytics

The Zero Trust eXtended (ZTX) framework helps you understand how a solution can eliminate the blind spots inside and across high-value systems and infrastructure. 

Illumio’s capabilities include:

  • Live visibility across environments
  • Painless discovery and classification
  • Thorough auditing

Automation and Orchestration

The Zero Trust eXtended (ZTX) framework helps you understand how a solution enables you to automate and orchestrate IT operations and security processes across heterogenous environments.

Illumio integrates with:

  • Orchestration tools – Chef, Puppet, and Ansible
  • Container platform orchestration – Red Hat OpenShift, Kubernetes, and Docker
  • CMDBs – ServiceNow CMDB and BMC Remedy
  • SIEM and security analytics – Splunk and IBM QRadar
  • Vulnerability management tools – Qualys, Tenable, and Rapid7
  • Public cloud tools – AWS Cloud Formation, AWS GuardDuty, Azure and AWS flow logs
  • Open source integrations including AWS or Azure flow logs

In addition, Illumio has demonstrated visibility and segmentation at scale – over 200,000 OS instances.

Manageability and Usability

The Zero Trust eXtended (ZTX) framework helps you understand the importance of ease of use and manageability for achieving Zero Trust.

Illumio’s capabilities include:

  • Fast time to Zero Trust – segment your environments in hours to days.
  • Leverage existing investments, including host firewalls, switches, and load balancers, to enforce segmentation across legacy and hybrid systems.
  • Enable application owners to create and update policies at scale using natural language.
  • Streamlined firewall change management process.
  • Enterprise-level RBAC to ensure segregation of duties across policy owners, provisioners, security ops, compliance, and auditors.
  • Integration with leading security tools to automate and orchestrate security workflows such as incident response, remediation, and vulnerability management.

APIs

The Zero Trust eXtended (ZTX) framework helps you understand how a solution leverages APIs to enable Zero Trust policy creation and enforcement across the enterprise.

Illumio's well-documented REST APIs support integration with a wide set of orchestration tools including:

  • OneOps
  • Chef
  • Puppet
  • Jenkins
  • Docker
  • OpenStack Heat/Murano

Illumio API documentation can be found here.

Infrastructure

The Zero Trust eXtended (ZTX) framework helps you plan for a future workforce that is remote, BYOD, and less dependent on perimeter-based infrastructure.

Illumio supports this future state with:

  • Proven highly scalable end-to end micro-segmentation.
  • Independence from the network infrastructure, network design, and underlying data center fabric or SDN architecture.
  • End-to-end visibility and control across endpoints, users, networks, data, workloads, and applications. 
  • Segmentation policies based on user, device authentication, and network location.  
  • Control applications for remote users in VDI based on user identify and group membership.
  • On-demand IPsec encryption secures all data in motion between workloads, agnostic of OS or location. 
  • Vulnerability-based segmentation to optimize patching or as a compensating control for unpatched devices.

Data

Data Security

The Zero Trust eXtended (ZTX) framework helps you understand how a solution enables data isolation, encryption, and control.

Illumio’s capabilities include:

  • Secure data and application with microperimeters
  • Security follows the data – anywhere
  • Protection for data in transit

Network

Network Security

The Zero Trust eXtended (ZTX) framework helps you understand how a solution enables the principles of network isolation, segmentation, and security.

Illumio’s capabilities include:

  • Default-deny segmentation
  • Informed, granular policy design and testing
  • Infrastructure-agnostic enforcement
  • Violation alerts

Workloads

Workload Security

The Zero Trust eXtended (ZTX) framework helps you understand how a solution secures the applications and workloads you use to operate your business.  

Illumio’s capabilities include:

  • Granular policy control at massive scale
  • Process-level enforcement
  • Security follows the workload – anywhere
  • Simplified deployment

People

People

The Zero Trust eXtended (ZTX) framework helps you understand how a solution ensures that people only have access to what they’re entitled to in and across your network and business infrastructure.

Illumio’s capabilities include:

  • User-based segmentation
  • Remote access control
  • Lateral movement prevention

Devices

Devices

The Zero Trust eXtended (ZTX) framework helps you understand how a solution secures the devices connected to your network.

Illumio’s capabilities include:

  • Device-level segmentation
  • Unknown device detection
  • Device quarantine
  • Authenticate machine identity with PKI certificate

With Illumio Edge:  

  • Protect remote user devices from the spread of ransomware whether on network, remote, and public wifi.
  • Whitelist peer-to-peer application connections across endpoints laptops.
  • Complement network access control (NAC), endpoint detection and response (EDR), and endpoint protection platform (EPP) solutions with default containment, even prior to detection. 
  • Support dynamic and network-location aware endpoint segmentation.

Visibility & Analytics

Visibility and Analytics

The Zero Trust eXtended (ZTX) framework helps you understand how a solution can eliminate the blind spots inside and across high-value systems and infrastructure. 

Illumio’s capabilities include:

  • Live visibility across environments
  • Painless discovery and classification
  • Thorough auditing

Automation & Orchestration

Automation and Orchestration

The Zero Trust eXtended (ZTX) framework helps you understand how a solution enables you to automate and orchestrate IT operations and security processes across heterogenous environments.

Illumio integrates with:

  • Orchestration tools – Chef, Puppet, and Ansible
  • Container platform orchestration – Red Hat OpenShift, Kubernetes, and Docker
  • CMDBs – ServiceNow CMDB and BMC Remedy
  • SIEM and security analytics – Splunk and IBM QRadar
  • Vulnerability management tools – Qualys, Tenable, and Rapid7
  • Public cloud tools – AWS Cloud Formation, AWS GuardDuty, Azure and AWS flow logs
  • Open source integrations including AWS or Azure flow logs

In addition, Illumio has demonstrated visibility and segmentation at scale – over 200,000 OS instances.

Manageability & Usability

Manageability and Usability

The Zero Trust eXtended (ZTX) framework helps you understand the importance of ease of use and manageability for achieving Zero Trust.

Illumio’s capabilities include:

  • Fast time to Zero Trust – segment your environments in hours to days.
  • Leverage existing investments, including host firewalls, switches, and load balancers, to enforce segmentation across legacy and hybrid systems.
  • Enable application owners to create and update policies at scale using natural language.
  • Streamlined firewall change management process.
  • Enterprise-level RBAC to ensure segregation of duties across policy owners, provisioners, security ops, compliance, and auditors.
  • Integration with leading security tools to automate and orchestrate security workflows such as incident response, remediation, and vulnerability management.

APIs

APIs

The Zero Trust eXtended (ZTX) framework helps you understand how a solution leverages APIs to enable Zero Trust policy creation and enforcement across the enterprise.

Illumio's well-documented REST APIs support integration with a wide set of orchestration tools including:

  • OneOps
  • Chef
  • Puppet
  • Jenkins
  • Docker
  • OpenStack Heat/Murano

Illumio API documentation can be found here.

Future State of Infrastructure

Infrastructure

The Zero Trust eXtended (ZTX) framework helps you plan for a future workforce that is remote, BYOD, and less dependent on perimeter-based infrastructure.

Illumio supports this future state with:

  • Proven highly scalable end-to end micro-segmentation.
  • Independence from the network infrastructure, network design, and underlying data center fabric or SDN architecture.
  • End-to-end visibility and control across endpoints, users, networks, data, workloads, and applications. 
  • Segmentation policies based on user, device authentication, and network location.  
  • Control applications for remote users in VDI based on user identify and group membership.
  • On-demand IPsec encryption secures all data in motion between workloads, agnostic of OS or location. 
  • Vulnerability-based segmentation to optimize patching or as a compensating control for unpatched devices.

5 practical steps to enable Zero Trust security

  1. Use a real-time map to identify your high-value systems, connections, and dependencies

    Gaining deep visibility into users, devices, applications, and more is a critical first step of Zero Trust. Illumio ASP enables you to identify and visualize high-value systems and critical applications with an interactive, real-time map.

    • Map the connections and flows of sensitive data across networks, workloads, and applications.
    • Use the insights you gain from application dependency mapping to break down organizational silos and engage business and IT stakeholders and application owners in designing Zero Trust microperimeters.

  2. Architect and test your Zero Trust security policies

    Zero Trust requires coordinating policies governing all of your internal defenses. Illumio ASP allows you to model and test those policies to ensure security and business continuity once it’s enforcement time.

    • Architect the optimal micro-segmentation strategy for Zero Trust security.
    • Visualize and test policies before enforcement without breaking applications.
    • Select and apply the right level of segmentation across heterogeneous compute environments.

  3. Enforce Zero Trust with segmentation that's decoupled from your network

    Effective segmentation is a core capability of Zero Trust. The key to segmenting down to a microperimeter level and maintaining policy consistently across your heterogenous environments? Illumio decouples segmentation from your network and underlying infrastructure – for a fast, safe, and effective approach to Zero Trust segmentation.

    • Use a whitelisting model to define the authorized connections between workloads and ensure policy
      implementation is always default-deny.
    • Ensure security policies always follow the workloads and adapt as the workload environment changes.
    • Secure data in transit without requiring any changes or upgrade to the existing network infrastructure.

  4. Use vulnerability mapping for a risk-based approach to patching

    Zero Trust is aimed at reducing your organization’s risk exposure. Illumio can help security teams prioritize patching strategies with a vulnerability map that enables you to measure – and mitigate – the risk and exposure of unpatched vulnerabilities.

    • Overlay third-party vulnerability scan data with the application dependency map to visualize and identify an attacker’s potential pathways.
    • Identify highest-risk workloads and applications based on vulnerability and East-West exposure and prioritize patching accordingly.
    • Use micro-segmentation as a compensating control for open vulnerabilities when patching is not possible.

  5. Orchestrate IT operations and security processes to accelerate remediation and recovery 

    Automation and orchestration are key components of Zero Trust. Illumio publishes and maintains a rich set of REST APIs so you can interface with Illumio ASP and orchestrate IT operations, security incident responses, and security operations workflows.

    • Integration with orchestration tools bakes in security in the provisioning and remediation process.
    • Quickly identify orphaned and mislabeled workloads to clean up configuration management databases (CMDBs).
    • Integration with security information and event management (SIEM) tools to orchestrate a security incident response.
October 16, 2019

“We did a security audit due to HIPAA. When we saw how much was involved in setting up traditional firewalls between our applications /servers...we discovered micro-segmentation. Illumio was by far the best choice."

- Sr. Network Administrator

Read More

Featured resources

Product Datasheet

Illumio Edge: Endpoint Zero Trust

Download datasheet

Customer Story

Ixom Achieves Secure Segmentation Across Environments with Illumio

Download customer story

Video

Zero Trust and the Human Element

Watch video

Try Illumio Edge

Swag Request

Try Illumio ASP