When we asked the folks at Illumio what their design goals were for their offering they answered simply, "Anywhere on anything." Their goal is to reduce the attack surface both internally and externally and make sure that users - authorized or not - cannot connect to data for which they are not authorized.
The key to the Adaptive Security Platform (ASP) is to focus on workloads rather than environments. In every computer - virtual or physical - there is a virtual enforcement node. This is a lightweight agent that attaches to workloads and applies policies from the policy compute engine. These policies deliver network security services without the network - in other words, within the workload. Illumio refers to the three core services as illumination, encryption and enforcement, and all three use the native capabilities of the operating system rather than additional network hardware.
Illumination, the company says, is understanding and visualizing application and workload relationships, modeling and testing security policies and identifying and alerting on threats behind the firewall. It defines enforcement as enforcing policy anywhere, adapting to changes through continuous policy computation and writing policies in natural language. Finally, encryption is defined by Illumio's SecureConnect service, which includes encryption that is policy-driven and can be deployed anywhere through IPsec connections.
When ASP starts to secure an environment, it first labels the application groups with which it will be dealing - for example, web, applications and database. Next, it establishes the relationships between these labeled groups. From those relationships, policies may be applied defining the relationships and what is and is not allowed. The policy compute engine builds the graphs, dependencies and algorithms that apply to the workloads within each group, and those workloads are treated independently. In other words, they carry the security policies with them, so it no longer matters where they reside or what they are doing. They still must follow the attached policies.
Once those workloads are defined and their policies applied, they may, using the policy compute engine, be provisioned and put into service. Each device that contains a workload also has a virtual enforcement node that communicates with the workload. The result is that not only are the workloads secure, but the relationships set by policy are maintained. If there is an attempt to violate a policy - by unauthorized access, for example - the attempt will be stopped.
The user interface for this tool is the most interesting and unusual we have seen. It resembles a link analysis tree, but it really isn't that, regardless of what it looks like. Once a set of relationships as described above is created, the tool creates a map of the relationships between the nodes and workloads involved. As long as everything is in compliance with the applicable policies, all of the links (policies) connecting the nodes (workloads or groups) are green. But the moment that something happens to violate a policy - an unauthorized attempt to move laterally through a network, for example - the link changes color and remedial action can be taken. It takes almost no time for the system to recognize that a policy violation has occurred and to display that violation. This is orders of magnitude easier to spot in a hurry than lines in a log.
Understanding the nature of the violation is equally easy. Simply click where it hurts - in other words, click on the place where the violation is being reported - and a detailed drill-down appears. You can drill down to the links for one view of the violation and you can drill down to the nodes for another view. If you want to script your responses, that is easy as well using the RESTful API provided with the system.
While it may appear that this is a manual process, it really isn't. All of this is done by the policy compute engine. You can, of course, perform an analysis and determine what remediation must be done to fix the problem, but all of the initial action is in the automated hands of the system. Also, policies are specified in plain English and apply wherever they are needed regardless of platform or workload. And, of course, the policy follows the application no matter where it resides.
A neat example of how this policy approach works: suppose a rogue user decides to perform a scan of all of the devices in the enterprise. That would violate a policy and it would show up immediately. The offending workload can be migrated into quarantine and a new set of policies produced that defeats its purpose. Another interesting use of the approach is addressing data sovereignty. Given that an enterprise in one country is covered under different security or privacy rules than an enterprise in another, the consequences of one interacting with the other can be determined and policies written that confine certain types of data - workloads - to their appropriate locations.
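The workflow described in the preceding paragraphs - label workloads into groups, write allow rules between labels, compile a per-workload policy that travels with the workload, colour each link on the relationship map green or red as traffic is observed, and quarantine a workload that scans its peers - can be shown end to end with a small model. The following is an added illustration written for this review, not Illumio's code or API; the workload names, labels, rules and flow records are constructed sample data, and the scanner threshold of three denied targets is an assumption chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    role: str  # application-group label, e.g. "web", "app", "db"


@dataclass(frozen=True)
class Rule:
    """Policy written between labels, not addresses: src_role may reach dst_role on port."""
    src_role: str
    dst_role: str
    port: int


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed sample record)."""
    src: str
    dst: str
    port: int


class PolicyEngine:
    """Toy stand-in for a policy compute engine: rules are expressed between
    labels and compiled into the concrete allow-list each workload's
    enforcement node carries, so the policy follows the workload."""

    def __init__(self, workloads, rules):
        self.workloads = {w.name: w for w in workloads}
        self.rules = set(rules)

    def is_allowed(self, flow):
        src, dst = self.workloads[flow.src], self.workloads[flow.dst]
        return Rule(src.role, dst.role, flow.port) in self.rules

    def compiled_policy(self, name):
        """Inbound (peer, port) pairs the node on `name` accepts; anything else
        is dropped. Derived from labels, so relocating the workload changes nothing."""
        me = self.workloads[name]
        return {(peer.name, r.port)
                for peer in self.workloads.values()
                for r in self.rules
                if r.src_role == peer.role and r.dst_role == me.role}

    def link_map(self, flows):
        """Colour of each observed group-to-group link: green while every flow
        on it is permitted, red as soon as a single flow is denied."""
        colours = {}
        for f in flows:
            key = (self.workloads[f.src].role, self.workloads[f.dst].role)
            if not self.is_allowed(f):
                colours[key] = "red"
            else:
                colours.setdefault(key, "green")
        return colours

    def find_scanners(self, flows, min_targets=3):
        """Sources whose denied flows fan out to at least min_targets distinct peers."""
        targets = defaultdict(set)
        for f in flows:
            if not self.is_allowed(f):
                targets[f.src].add(f.dst)
        return sorted(s for s, t in targets.items() if len(t) >= min_targets)

    def quarantine(self, name):
        """Relabel the offender. No rule names 'quarantine', so its compiled
        policy becomes empty in both directions without touching the network."""
        self.workloads[name] = Workload(name, "quarantine")


# Constructed sample environment: three tiers plus a developer box.
WORKLOADS = [Workload("web1", "web"), Workload("app1", "app"),
             Workload("db1", "db"), Workload("dev1", "dev")]
RULES = [Rule("web", "app", 8080), Rule("app", "db", 5432), Rule("dev", "web", 22)]

# Constructed flow log: normal tier traffic, one lateral-movement attempt
# from web to db, and dev1 probing every peer on ports 22 and 445.
FLOWS = [
    Flow("web1", "app1", 8080), Flow("app1", "db1", 5432),
    Flow("web1", "db1", 5432),
    Flow("dev1", "web1", 22), Flow("dev1", "app1", 22), Flow("dev1", "db1", 22),
    Flow("dev1", "web1", 445), Flow("dev1", "app1", 445), Flow("dev1", "db1", 445),
]


def demo():
    engine = PolicyEngine(WORKLOADS, RULES)
    links = engine.link_map(FLOWS)          # what the map would show
    scanners = engine.find_scanners(FLOWS)  # the "rogue user scan" case
    for s in scanners:
        engine.quarantine(s)
    return {"links": links, "scanners": scanners,
            "dev1_inbound_after": engine.compiled_policy("dev1"),
            "dev1_ssh_web_after": engine.is_allowed(Flow("dev1", "web1", 22))}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running the block shows the web-to-app and app-to-db links green, the web-to-db and every dev link red, dev1 reported as the scanner, and, after quarantine, an empty inbound allow-list for dev1 and its previously permitted SSH to web1 now denied. Note that quarantining relabels a workload rather than re-addressing it, which is the property that lets the policy follow the application wherever it resides.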
Overall, we found this to be an imaginative, incredibly powerful and most unusual way to secure data in an environment that could be physical, virtual, cloud or any combination.
At a glance
Product: Illumio Adaptive Security Platform
Price: Depends on the number of virtual enforcement nodes.
What it does: Stops the spread of attacks with security that enforces precise inbound and outbound communications on every workload based on natural language policies for application interactions.
What we liked: Works within individual workloads, so it is not platform or location dependent.