The topic of segmentation has long appealed to IT and security professionals because it lets an open “everything talks to everything” environment be shifted to one of secure “zones” where a device can’t reach any other unless specifically permitted. Historically, businesses tried virtual local area networks (VLANs) and access control lists (ACLs). Those worked in static environments, but as businesses have become increasingly dynamic, those methods proved too slow to scale.
Then along came software-based solutions that did two things to make large-scale segmentation possible. First, by doing it in software, segmentation becomes dynamic, so policies can follow workloads. For example, with VLANs, if the company has a policy to put all medical devices in “Zone A” and an endpoint moves outside of where that zone is defined, the network must be reprogrammed. With software segmentation, the policy is tied to the device itself rather than to its network location, so it follows the device, which makes segmentation much easier to implement in highly dynamic businesses.
Second, segmentation can now be applied at a more granular level. Instead of only coarse-grained segmentation between subnets, software solutions make it possible to implement fine-grained segmentation and bind it to an individual workload, a hypervisor or even a specific process.
Despite these advances, a couple of things still hold companies back from adopting micro-segmentation: a lack of automation and a lack of visibility. Segmenting a data center or other environment depends on knowing what to segment, with some sort of constant feedback so that as things change, the policies can be modified and re-applied. The more dynamic and distributed the environment becomes, the harder this is. Consider what’s happened with servers: physical servers were easy to identify, virtual ones were a little harder, but containers are nearly impossible to stay on top of, as one can be created, run a workload and disappear in a matter of minutes. That window is too short for manual configuration of segmentation, but not too short for malware to use an unsegmented container as a foothold.
This week Illumio announced version 2.0 of its solution, which brings greater visibility and automation to micro-segmentation. Illumio’s existing offering, the “adaptive security platform” (ASP), helps businesses visualize the flows in a data center. Within ASP, the company has added two new capabilities:
- Explorer lets operations and security professionals query network flows using natural language. For example, one could ask “What traffic has crossed from the development environment to the production environment in the past week?” or “What flows are going in and out of my medical zone?” The results are shown in a portal in the Illumio solution or exported to a CSV file for further analysis, and the data from Explorer can be used to create, remove or refine policies.
- Policy Generator automates the creation of micro-segmentation policies for every workload and application running on any compute platform, regardless of form factor; it works with virtual, container and physical servers. The feature analyzes application flows and creates segmentation policies in real time without requiring network data to be fed into the system. As with any allow-list learned from observed traffic, the generated policy covers only what was seen during the learning window, so new rules should be reviewed, and flows that should not exist (such as development reaching production) excluded, before they are enforced. The topic of intent-based networking has become increasingly popular since Cisco’s “Network Intuitive” launch; security pros should think of what Illumio has as “intent-based security”: the closed-loop system automatically enforces policies based on intent and keeps them that way as the environment changes.
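The closed loop described by these two capabilities, as an added example: a small Python model (not Illumio’s code, and not how ASP, Explorer or Policy Generator is implemented) that runs an Explorer-style cross-environment flow query over a constructed set of flow records, derives a label-keyed allow-list from the flows it observed, and then shows why a policy tied to workload labels keeps matching after a workload is rescheduled to a new address while an address-based ACL does not (the “policy follows the device” point made earlier). The `Labels`, `Flow`, `INVENTORY` and `FLOWS` names, the env/app/role label scheme, and every address and timestamp are assumptions constructed for the example.

```python
"""Added example, not Illumio's code: label-keyed micro-segmentation on constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Labels:
    """Workload identity as labels (assumed scheme: env / app / role)."""
    env: str
    app: str
    role: str


@dataclass(frozen=True)
class Flow:
    """One observed connection (constructed, not real telemetry)."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    ts: datetime


NOW = datetime(2017, 6, 30, 12, 0)
WEEK_AGO = NOW - timedelta(days=7)

# Inventory maps a workload's current address to its labels. Constructed sample.
INVENTORY = {
    "10.1.0.10": Labels("prod", "emr", "web"),
    "10.1.0.20": Labels("prod", "emr", "db"),
    "10.2.0.10": Labels("dev", "emr", "web"),
    "10.2.0.20": Labels("dev", "emr", "db"),
}

# Constructed flow records: one prod->prod, one dev->dev, and two dev->prod
# crossings (one within the past week, one older than that).
FLOWS = [
    Flow("10.1.0.10", "10.1.0.20", "tcp", 5432, NOW - timedelta(days=1)),
    Flow("10.2.0.10", "10.2.0.20", "tcp", 5432, NOW - timedelta(days=2)),
    Flow("10.2.0.10", "10.1.0.20", "tcp", 5432, NOW - timedelta(days=3)),
    Flow("10.2.0.10", "10.1.0.20", "tcp", 5432, NOW - timedelta(days=30)),
]


def query_cross_env(flows, inventory, src_env, dst_env, since):
    """Explorer-style question: which flows went from src_env to dst_env since `since`?"""
    hits = []
    for f in flows:
        s, d = inventory.get(f.src_ip), inventory.get(f.dst_ip)
        if s and d and s.env == src_env and d.env == dst_env and f.ts >= since:
            hits.append(f)
    return hits


def generate_policy(flows, inventory, allow_cross_env=False):
    """Policy-generator style: turn observed flows into label-keyed allow rules.

    Each rule is (src_labels, dst_labels, proto, dst_port). Flows that cross
    environments are dropped by default: a learned allow-list must not
    legitimise traffic the operator would rather block.
    """
    rules = set()
    for f in flows:
        s, d = inventory.get(f.src_ip), inventory.get(f.dst_ip)
        if s is None or d is None:
            continue  # unlabelled workload: never auto-allow
        if not allow_cross_env and s.env != d.env:
            continue
        rules.add((s, d, f.proto, f.dst_port))
    return rules


def is_allowed(rules, inventory, src_ip, dst_ip, proto, dst_port):
    """Default-deny enforcement keyed by the workloads' labels, not their addresses."""
    s, d = inventory.get(src_ip), inventory.get(dst_ip)
    if s is None or d is None:
        return False
    return (s, d, proto, dst_port) in rules


def ip_acl_from_flows(flows):
    """The static alternative: an address-based ACL learned from the same flows."""
    return {(f.src_ip, f.dst_ip, f.proto, f.dst_port) for f in flows}


def move_workload(inventory, old_ip, new_ip):
    """Simulate a reschedule: the same labelled workload now lives at a new address."""
    moved = dict(inventory)
    moved[new_ip] = moved.pop(old_ip)
    return moved


def policy_follows_workload():
    """After the prod web tier moves, does each model still allow web -> db on 5432?"""
    rules = generate_policy(FLOWS, INVENTORY)
    acl = ip_acl_from_flows(FLOWS)
    moved = move_workload(INVENTORY, "10.1.0.10", "10.1.0.99")
    by_label = is_allowed(rules, moved, "10.1.0.99", "10.1.0.20", "tcp", 5432)
    by_ip = ("10.1.0.99", "10.1.0.20", "tcp", 5432) in acl
    return by_label, by_ip


if __name__ == "__main__":
    for f in query_cross_env(FLOWS, INVENTORY, "dev", "prod", WEEK_AGO):
        print("dev -> prod in the past week:", f.src_ip, "->", f.dst_ip, f.dst_port)
    for rule in sorted(generate_policy(FLOWS, INVENTORY), key=str):
        print("allow:", rule)
    print("after move, label policy / ip acl still allow:", policy_follows_workload())
```

The query surfaces the dev-to-prod connection from three days ago (the month-old one falls outside the window), and `generate_policy` deliberately does not turn that crossing into a rule. The last function is the dynamic-segmentation point: once the prod web workload reappears at 10.1.0.99, the label-keyed rule still matches, while the address-based ACL learned from the same flows no longer does and would need to be reprogrammed.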
Software-based segmentation makes it possible to move to a true zero trust security model with granular, fine-grained segments. However, old-school, manual configuration and management models won’t work, as they are too slow. Application developers and cloud architects rely heavily on data, analytics and automation to build applications faster; shouldn’t security teams use the same methodologies to protect their companies? Illumio’s updates make it possible to run highly segmented data centers at the speed the business now moves.