The core of Illumio's Adaptive Security Platform (ASP) is microsegmentation. The ASP performs three functions: Illumination, Enforcement, and SecureConnect. Illumination learns how workloads are communicating with one another, then walks the user through workflows that allow them to model and test their micro-segmentation policies. Those security policies are natural language and have no dependencies on subnets, zones or VLANs.
SecureConnect provisions and configures the native IPSec capabilities on workloads for on-demand policy-driven encryption between workloads using their native IPSec capabilities. Virtual enforcement nodes, which do no enforcement, are installed in your operating systems and they communicate with the Policy Compute Engine. Illumio wants you to think of the policy engine as a 'brain' that sends firewall rules to VENs, which then program the native firewalls on workloads (iptables and the Windows Filtering Platform) to meet policy standards.
This is a very visual tool which makes it much easier to see and understand relationships than traditional columnar displays. We dropped into the application using the application dependency map.
This shows what applications, workloads, and workload components are running as well as how the workloads and their components are communicating within any application. For example, there may be a separate database that communicates with other workloads within the application. Communications between workloads that conform to a security policy show up as green. Red lines indicate traffic that has been detected that does not conform to a security policy or that no policy has been detected yet.
Workloads are auto-discovered by the tool. Drilling down gets you a lot of detail about the workloads and the policy rules that are applicable.
Policy writing for microsegmentation can be a bit tedious so Illumio has created segmentation templates but you can, if you wish, write policies from scratch without using the templates. There is strict role-based access control so not just anyone can write or alter policies. The rules are easy to write and are shown graphically. However, for such users as auditors, the rules may be displayed in spreadsheet format.
Attacker detection - particularly lateral movement - is easy to visualize using the application dependency map. If malicious activity appears it can be moved to temporary isolation with a mouse-click or two. This allows you to place the offending workload into a special segment called quarantine until the problem has been solved. At that point, it can be restored to its proper configuration.
There is a Splunk integration that you can add using an application available from Splunk. Illumio has a very specific deployment path that consists of specific steps that take the customer from establishing an environment all the way to policy generation and, finally, to policy enforcement and response. Once the system is deployed it provides a dynamic picture of the network using its Dynamic Analytics. Outputs from ASP can go to SIEMs for additional analysis and alerting. Finally, Explorer provides other viewing resources such as interactive analysis between the system and analysts and administrators. This includes the functionality for producing reports for various compliance requirements.
The website is clean and comprehensive and support - at 18% - is 24/7 for all customers. Pricing is reasonable but can get a bit heavy for large deployments since it is based on the number of workloads and is an annual subscription. Overall, we found this a very interesting approach and it showed good results in our evaluation. Documentation is clear with lots of diagrams, especially in the deployment guide.
