ILLUMIO ADAPTIVE SECURITY PLATFORM

DATA SHEET
HIGHLIGHTS

No network dependencies
Enterprises can secure workloads running anywhere – private data centers, public, or hybrid clouds.

Computed security policies
Fine-grained, accurate security is continuously computed and enforced in real time.

Context awareness
Security adapts to changes through awareness of workload context.

Visibility behind the firewall
Provides an interactive graphical map of all application traffic before and after security is enforced.

On-demand IPsec
Enables one-click IPsec connections between applications or between workloads within an application.

Natural-language policies
Security policies are written in natural language, based on a workload’s context, rather than using IP addresses, ports, zones, and subnets.

No rip and replace
Works alongside existing network and perimeter security solutions.

The concept of the data center has shifted significantly. Enterprises now run their applications on virtual machines (VMs) and physical servers across private data centers and public or hybrid cloud environments.

Perimeter- or network-based solutions were designed to “guard the fortress” at the boundary, keeping trusted entities inside and untrusted entities outside. These choke-point solutions have since been adopted to secure east-west traffic within a data center, but they lack visibility into what’s actually happening inside the perimeter. The industry also lacks a practical solution for public cloud environments, where an enterprise does not own the network.

The Illumio Adaptive Security Platform (ASP) delivers accurate security along with unprecedented visibility and control over workloads running in any data center or cloud environment. It can secure enterprise applications running on any VM or physical server in any data center or cloud, independent of the network or hypervisor. When workloads that comprise an application scale up or down, migrate, or change, Illumio ASP automatically computes and enforces security.

HOW ILLUMIO ASP WORKS

Illumio ASP begins with security attached to the most fine-grained enforcement point—the individual application workload. The distributed architecture of Illumio ASP consists of Virtual Enforcement Nodes (VENs) installed on any VM or physical server residing in any data center or cloud environment.

Each VEN examines the workload with which it is paired—determining operating system information, the processes listening on ports, protocols, and IP address information—and sends that context to a centralized Policy Compute Engine (PCE). The PCE then determines the graph of dependencies between workloads and computes accurate security policies for each workload. The PCE and VENs work together to continuously monitor and adapt security to changes without the need to steer traffic to a choke point. Instead, enforcement is done using iptables on Linux workloads and Windows Filtering Platform on Windows workloads, both of which are available in the operating system. This architecture allows Illumio ASP to apply precise security policies that follow each workload and enforce security based on explicitly allowed interactions between those workloads.
[Figure: architecture diagram. Labels: Data center/private cloud; Virtual Enforcement Node (VEN); Policy Compute Engine (PCE); REST API; Workload context; Policy provisioning.]
KEY SERVICES WITHIN ILLUMIO ASP
Illumio ASP includes the Illumination, Enforcement, and SecureConnect services, enabling workflow-driven policy
decisions to apply security to enterprise applications running anywhere.
Illumination: Understand applications and workload relationships
Enforcement: Enforce security anywhere with natural-language policies
SecureConnect: Encrypt data in transit with IPsec connectivity

Illumination
Illumio ASP monitors traffic flows,
learns the application topology,
and displays all communications
within and between applications in
an intuitive graphical map.
With Illumination, administrators
can write well-informed,
workflow-driven security policies.
Security policies written with
Illumination can be tested before
they are implemented to ensure
security rules do not break the
applications.
Enforcement
Illumio ASP uses flexible,
multidimensional labeling to
classify workloads based on role
(e.g., web, database), application,
environment (e.g., production, QA,
PCI, staging), and location.
With Enforcement, security
administrators can use those
labels to write natural-language
security policies to describe
desired communications between
workloads. The PCE uses these
policies and the workload context
from VENs to compute
Enforcement rules.
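
A conceptual sketch of the computation described above, added here as an illustration and not Illumio's code or policy format: label-based policies plus reported workload context are compiled into a per-workload inbound iptables allowlist. The label keys, the `Policy` shape, the addresses and the rule layout are all assumptions.

```python
# Conceptual sketch only: label keys, policy shape and rule layout are
# assumptions for illustration, not Illumio's policy model or VEN output.
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # e.g. {("role", "web"), ("env", "prod")}

@dataclass(frozen=True)
class Policy:
    consumer: frozenset  # labels the source workload must carry
    provider: frozenset  # labels the destination workload must carry
    proto: str
    port: int

def wl(name, ip, **labels):
    return Workload(name, ip, frozenset(labels.items()))

def compute_rules(target, workloads, policies):
    """Return the inbound iptables allowlist for one workload (default deny)."""
    rules = ["-P INPUT DROP",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    allowed = set()
    for p in policies:
        if not p.provider <= target.labels:
            continue  # policy does not describe traffic to this workload
        for src in workloads:
            if src is not target and p.consumer <= src.labels:
                allowed.add((src.ip, p.proto, p.port))
    for ip, proto, port in sorted(allowed):
        rules.append(f"-A INPUT -s {ip}/32 -p {proto} --dport {port} -j ACCEPT")
    return rules

# Constructed inventory: the context each per-workload agent would report.
web1 = wl("web1", "10.0.1.10", role="web", app="shop", env="prod")
db1 = wl("db1", "10.0.2.20", role="db", app="shop", env="prod")
qa_web = wl("qa-web", "10.9.1.10", role="web", app="shop", env="qa")
inventory = [web1, db1, qa_web]
# "prod shop web may talk to prod shop db on tcp/5432", expressed as labels.
policies = [Policy(frozenset({("role", "web"), ("app", "shop"), ("env", "prod")}),
                   frozenset({("role", "db"), ("app", "shop"), ("env", "prod")}),
                   "tcp", 5432)]

if __name__ == "__main__":
    web2 = wl("web2", "10.0.1.11", role="web", app="shop", env="prod")  # scale-out
    for inv in (inventory, inventory + [web2]):  # policy list is unchanged
        print("\n".join(compute_rules(db1, inv, policies)), end="\n\n")
```

The second run shows the database's allowlist gaining the new web workload's address without any policy edit, while the QA workload never appears because its environment label does not match.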
SecureConnect
Illumio ASP provides on-demand
IPsec connectivity between
workloads running anywhere, with
no need to change the network or
add hardware.
With SecureConnect,
administrators can configure and
enforce encryption of data in
transit with one click. IPsec
connections no longer need to be
set up manually—they can be
enabled between any combination
of Linux and Windows workloads
running anywhere.
System requirements

VEN

Linux workloads
- CentOS 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 6.3, 6.4, 6.5
- Amazon 2012.09, 2013.03, 2013.09, 2014.03, 2014.09
- Red Hat 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 6.3, 6.4, 6.5
- Ubuntu 12.04 (Precise Pangolin), 14.04 (Trusty Tahr)
- Debian 7.0 (Wheezy)

Windows workloads
- Windows Server 2008 R2 Datacenter Edition
- Windows Server 2012 Datacenter Edition
- Windows Server 2012 R2 Datacenter Edition

Environments
- Any hypervisor (e.g., VMware, Hyper-V, KVM, Xen) in any cloud
- Bare-metal servers
- Private data centers
- Any public cloud (e.g., Amazon Web Services, Microsoft Azure, Google Cloud Platform, Rackspace Cloud)

PCE
- Illumio Secure Cloud
- Customer Data Center

Browsers for web console
- Google Chrome 34 or above
- Mozilla Firefox 28 or above
- Microsoft Internet Explorer 10 or above

Illumio ASP benefits

Benefit: Adapt security to application changes
Description: Security adapts in real time with continuous computation using the context of workloads along with security policies written in natural language. Administrators don’t need to rewrite policies when applications change, scale, or migrate.

Benefit: Improve security with accurate policies
Description: Security is attached to the most accurate enforcement point—the individual workload. Precise security policies follow the workload and enforce security based on explicitly permitted interactions. This reduces errors, improves security, and prevents the lateral spread of attacks.

Benefit: Secure applications—anywhere
Description: Secures enterprise applications without any dependency on the underlying network or hypervisor. Protects workloads running on any VM or physical server and deployed across any cloud or data center environment.

Benefit: See behind your firewall
Description: All communications within and across applications are visualized in an intuitive graphical map. Displaying application behavior makes it possible to assess potential security gaps and make well-informed policy decisions.

Benefit: Set up IPsec connections instantly
Description: IPsec connectivity is available on demand between workloads running anywhere, without requiring changes to the network or adding hardware. Encrypted communications can be established with one click between specific workloads—or groups of workloads—across applications. This eliminates the need to manually set up IPsec connections.

Benefit: Drive efficient IT operations
Description: IT and DevOps can automate security through standardized APIs. Improves operational efficiency and reduces errors through integration with IT orchestration tools like Chef and Puppet.

USE CASES
Illumio has identified several common security or IT operations use cases, including:
- Auto scaling applications securely
- Micro-segmentation
- Enforcing data residency
- Visibility behind the firewall
- Firewall rule reduction
- Environmental separation
- Secure public cloud migration
- Securing data in transit
- Automating security with DevOps

ABOUT ILLUMIO
Illumio eliminates the gap between the dynamic data center and the static, perimeter-centric security model. Illumio’s Adaptive
Security Platform (ASP) delivers visibility and control over workloads running in any data center or cloud environment. It
computes security policies and ensures they are provisioned accurately by understanding and continuously adapting to
changes in infrastructure and applications. Innovative organizations are using Illumio ASP to operate at speed, while ensuring
that security keeps pace. For more information, visit www.illumio.com or follow us on Twitter @Illumio.