Adaptive Segmentation, micro-segmentation | April 29, 2015

Context Is the New Perimeter

Alan S. Cohen

In the traditional enterprise security model, the network—and particularly the network firewall—provided the demarcation between the trusted and untrusted computing and communications environment. The model was pretty simple: isolate IT resources in a data center/cloud from non-authorized users.


As computing and its threats became more complex, the firewall and the "add-on" capabilities that grew up around it (IDS, IPS, APT detection, etc.) also grew in sophistication. All of these services inspected the inbound and outbound flows passing through a choke point, checking for authorized users and the types of applications in use and, over time, for malware and other advanced threats. (The challenges of network-centric devices are a subject for another time.)

This type of firewall solution brought the context of the network to bear on security problems. That created two new challenges, both captured by the Latin phrase in mari multa latent ("in the ocean many things are hidden"):

  1. Perimeter devices never see the roughly 75% of computing traffic that stays inside the corporate data center (east-west traffic between workloads).
  2. Enterprise perimeter security does not extend to public cloud infrastructure such as AWS or Azure.

More importantly, this model does not address the context of a workload. By focusing almost entirely on inbound and outbound data flows, it misses what the computing instance actually is and what it does.

Identifying the full context of a workload

So, what is the context of a workload in data center or cloud environments? It comprises three components:

  1. The properties of a workload (e.g., an Apache web server exposing a specific set of services and communication ports).
  2. The relationships of a group of workloads (e.g., they are part of a three-tier application with database, processing, and web workloads).
  3. The environment in which the workload is running (e.g., in production, in both the North American data center and AWS West).

With this level of context, an application developer or IT administrator can apply the most specific and accurate security policy anywhere a computing instance is running. In terms of security, speed, operations, and reach, compared with network context (which consists mostly of IP addresses) this is the equivalent of going from a black-and-white silent film like Nosferatu to a 3-D IMAX version of The Hobbit. In the old model, rich workload-level context is either unavailable or hard to derive from the network, and it can rarely be gathered or used in hybrid cloud implementations.

Illumio makes context the new perimeter

Illumio uses this granular, rich context to help an enterprise build a system that is better suited to the realities of the new computing environment: an n-tier, distributed system that can create new computing capacity on demand as application load requires.

We use context not only as a new enforcement point (effectively a new perimeter) but also to adapt to changes in the environment. Those changes can be policy or computing moves made by IT, or a bad actor attempting to gain entry into the computing stack.
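As an added illustration of the two ideas above (the three-part workload context, and a policy that follows the workload when the environment changes), here is a small Python model of label-based segmentation policy. It is example code written for this page, not Illumio's product code or API; the Workload and Rule classes, the label names (role, app, env, loc) and the sample addresses are all constructed assumptions. It evaluates the same three-tier flows under an IP-keyed firewall table and under a label-keyed policy, then moves the database to a new address to show which model keeps working.

```python
from dataclasses import dataclass, replace

# Hypothetical data model (not Illumio's): a workload carries the three kinds of
# context the post describes -- its own properties (role), its application
# relationships (app), and its environment (env, loc) -- as labels.
@dataclass
class Workload:
    name: str
    ip: str
    labels: dict  # e.g. {"role": "web", "app": "shop", "env": "prod", "loc": "na-dc"}

@dataclass
class Rule:
    """Allow consumer -> provider on the listed services; anything unmatched is denied."""
    consumer: dict       # label selector the source workload must match
    provider: dict       # label selector the destination workload must match
    services: frozenset  # {(proto, port), ...}

def matches(selector: dict, labels: dict) -> bool:
    """A selector matches when every key it names has the same value on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())

def label_allowed(policy, src: Workload, dst: Workload, proto: str, port: int) -> bool:
    """Default-deny evaluation of one flow against the label-based policy."""
    return any(
        matches(r.consumer, src.labels)
        and matches(r.provider, dst.labels)
        and (proto, port) in r.services
        for r in policy
    )

def ip_allowed(acl, src: Workload, dst: Workload, proto: str, port: int) -> bool:
    """The same decision made the firewall way: a table keyed on IP addresses."""
    return (src.ip, dst.ip, proto, port) in acl

# Constructed three-tier application: web -> app on tcp/8080, app -> db on tcp/5432.
web = Workload("web-1", "10.1.0.10", {"role": "web", "app": "shop", "env": "prod", "loc": "na-dc"})
app = Workload("app-1", "10.1.1.10", {"role": "app", "app": "shop", "env": "prod", "loc": "na-dc"})
db = Workload("db-1", "10.1.2.10", {"role": "db", "app": "shop", "env": "prod", "loc": "na-dc"})
# A dev copy of the app tier: same role and app, different environment.
dev_app = Workload("app-dev", "10.9.1.10", {"role": "app", "app": "shop", "env": "dev", "loc": "na-dc"})

# Policy written in terms of context. Note the env label is part of every
# selector, so the dev app tier never matches the prod database rule.
POLICY = [
    Rule({"role": "web", "app": "shop", "env": "prod"},
         {"role": "app", "app": "shop", "env": "prod"}, frozenset({("tcp", 8080)})),
    Rule({"role": "app", "app": "shop", "env": "prod"},
         {"role": "db", "app": "shop", "env": "prod"}, frozenset({("tcp", 5432)})),
]

# The equivalent policy written the perimeter way: (src_ip, dst_ip, proto, port).
ACL = {
    ("10.1.0.10", "10.1.1.10", "tcp", 8080),
    ("10.1.1.10", "10.1.2.10", "tcp", 5432),
}

def scenario():
    """Return ((label, ip) before the move, (label, ip) after) for the app -> db flow."""
    before = (label_allowed(POLICY, app, db, "tcp", 5432),
              ip_allowed(ACL, app, db, "tcp", 5432))
    # The database is rebuilt in AWS West: new address, same role/app/env context.
    db_aws = replace(db, ip="172.31.5.20", labels={**db.labels, "loc": "aws-west"})
    after = (label_allowed(POLICY, app, db_aws, "tcp", 5432),
             ip_allowed(ACL, app, db_aws, "tcp", 5432))
    return before, after

if __name__ == "__main__":
    print("web -> app 8080:", label_allowed(POLICY, web, app, "tcp", 8080))
    print("web -> db 5432 (skips a tier):", label_allowed(POLICY, web, db, "tcp", 5432))
    print("dev app -> prod db 5432:", label_allowed(POLICY, dev_app, db, "tcp", 5432))
    print("app -> db (before move, after move):", scenario())
```

The design point is that the IP table encodes where a workload happens to be, while the label policy encodes what it is, what it belongs to and where it is allowed to run; rebuilding the database in AWS West leaves the label decision unchanged and silently breaks the IP rule, which is exactly the hybrid-cloud gap the post describes. A real enforcement point would also need to learn a workload's labels and address from an authoritative source rather than from the workload itself, which this toy omits.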


Better visibility into, and understanding of, context allows an organization to build a more precise and accurate security policy. And because Illumio relies on a system, rather than on individuals, to understand and manage security, security can scale in complex environments.

At Illumio, we believe you must be able to apply security at the most granular, atomic level. It is dramatically simpler to spot and remediate errors or unauthorized communication there than it is to chase the false positives of perimeter devices.

At the end of the day, you are trying to protect your data. Now your workloads can provide the context you need to do this.
