ILLUMIO ADAPTIVE SECURITY PLATFORM TM

Transcription

1 ILLUMIO ADAPTIVE SECURITY PLATFORM TM HIGHLIGHTS Security with Intelligence Illumio ASP is powered by the breakthrough PCE. The PCE contextualizes all traffic flows, services, and processes on application workloads to provide visibility, segmentation, and instant traffic encryption. It continuously incorporates changes e.g., auto scaling, workload moves, and IP changes and modifies security policies accordingly. It is like having an additional member of your security team delivering the optimal security for the interior of your data center and cloud 24/7/365. Adaptive Segmentation With Illumio ASP, your segmentation and enforcement is attached to your workloads, allowing you to secure individual applications and processes without changing subnets, firewalls rules, zones, and VLANs or changing any of your infrastructure. Traffic and Policy Visibility Down to the Process Illumination shows all application hosts and their traffic, including the processes being accessed. This visibility lets you create well-informed security policies. From the Illumination map, you can drill down to a workload s processes, ports, and protocols. Works on Anything Illumio ASP gives you the freedom to work on any combination of computing bare metal, virtual machines, and containers. Organizations can now evolve their computing securely. Works Everywhere Illumio decouples security from the network and the hypervisor, allowing your security to work across any combination of data centers and public clouds with no infrastructure requirements. Quarantine Bad Actors in Seconds, Not Months See unauthorized workload communications (policy violations) in real time. Quarantine with one click or through automation. On-Demand, Policy-Based Encryption Implement IPsec connections for applications across environments with a single click. Rich Automation-Compatible APIs Illumio s REST API integrates seamlessly with orchestration tools. All management can be done via API or using Illumio ASP s intuitive management. Enterprise Scale and Reliability Illumio s software is built for distributed scale out with a self-healing, redundant architecture. Enforcement remains consistent, even during system outage. The combination of change, heterogeneity, and scale within data centers and clouds has dramatically increased the complexity of security. It has grown beyond people s ability to manage manually. The Illumio Adaptive Security Platform (ASP) solves this problem by automating security. With its patented Policy Compute Engine (PCE), Illumio ASP delivers the optimal security for every application and workload running in your data center and public or private cloud. It continuously optimizes security by incorporating changes, derived from automation, directly from each host. By creating the most granular segmentation approach for applications, Illumio ASP massively reduces the attack surface compared to traditional network-centric approaches. It s like having an additional member of your security team that never sleeps. The Illumio ASP PCE collects: Processes on application workloads Customers are using Illumio ASP to: Workload information Application context Ringfence Applications: Isolate and protect applications without changes to subnets, zones, and VLANs. Achieve Environmental Separation: Eliminate the need for any complex or fragile network configuration changes. Securely Migrate Applications: Migrate applications within data centers and to or from other data centers and public clouds with security intact. Secure Hybrid Infrastructure: Secure any combination of bare-metal servers, VMs, and containers running in any combination of data centers and private or public clouds. Lock Down User Connectivity: Prevent unauthorized access to applications based on user identity. Discover your data center and cloud computing Illumio ASP s Illumination service provides connection information and workload context to the PCE, where it discovers interactions between workloads and applications. It s like an MRI machine for your data center and public cloud. DS

2 Define the most granular adaptive security through a descriptive policy With Illumio ASP, you can write natural-language policies, and then the PCE marries those policies with the context from each workload. The security policies are manifested into firewall rules that protect each workload running within your data center and public or private cloud. If there is any change (auto scale, scale down, new interfaces, etc.), it updates the policies and enforcement only on impacted hosts. Defend your most trusted assets The key benefit of Illumio ASP is that it dramatically reduces your attack surface by locking down all but the few, necessary communications among workloads. This massively eliminates exposure to bad actors. Compartmentalizing your applications and workloads mitigates the ability of internal threats to move sideways. In addition, if a workload tries to establish a connection that breaks a policy, you are alerted and you can even see what the bad actor was trying to access. ILLUMIO ASP ARCHITECTURE There are two components to Illumio ASP: the centralized Policy Compute Engine and the Virtual Enforcement Node (VEN) that is attached to each operating system instance (workload). WORKLOADS Context & Telemetry Data Center Security Policy Virtual Enforcement Node (VEN) Antenna installed or baked in to image Linux & Windows Policy Compute Engine (PCE) Central Brain Consumed via cloud or on premises VIRTUAL ENFORCEMENT NODE (VEN) Think of the VEN as an antenna. At the direction of the PCE, the VEN activates the stateful firewall available in the compute layer: iptables for Linux or the Windows Firewall Platform. The VEN is not in line, is not a host-based firewall, is not a kernel modification, and does not send packet data to the PCE. This enables your security to work anywhere (private data center, private cloud, or public cloud) on anything (bare-metal server, virtual machine, or container) with no dependency on the infrastructure. POLICY COMPUTE ENGINE (PCE) Think of the PCE as a member of your security staff. At the PCE console, administrators write simple, descriptive security policies. The PCE then processes the context and telemetry from VENs in real time to create actionable security instructions. In addition, the PCE: Visualizes traffic between hosts Determines the optimal security for each application Detects any policy violations Incorporates any changes from hosts into the security instructions 2

3 ILLUMIO ASP SERVICES Illumio ASP includes three key services: Illumination, Enforcement, and SecureConnect. These services enable enterprises to instantiate security policies that work on any combination of infrastructure and bare-metal server, VM, or container. Illumination Enforcement SecureConnect Visualize and understand applications and workload relationships Enforce security with natural-language policies Encrypt data in transit using IPsec connectivity Illumination Illumio ASP monitors traffic flows and provides comprehensive visualization of application topology. Illumination displays all workload communications within and between applications in an interactive, graphical map. This enables administrators to design well-informed security policies and see policy violations in real time. Security policies are built visually and tested before they are enforced to ensure they do not break applications. Enforcement Illumio ASP offers the industry s most granular range of segmentation capabilities based on role (e.g., web server), application (e.g., HRM), environment (e.g., development), location (e.g., Germany), and user identity (e.g., contractor). This industry first is ideal for intra- and inter-application traffic, and for environmental separation within or across data centers, public clouds, and hybrid environments. Illumio users create natural-language policies to describe the relationship among application workloads. These policies also can be extended to include the users that are authorized to connect to the applications. No knowledge of IP addresses, VLANs, subnets, zones, or security groups is required to create a policy. For instance, an Illumio policy might read ERP web servers can 3

4 use ERP postgres databases. The Illumio PCE uses those policies to implement both inbound and outbound rules for each impacted workload or process. Illumio ASP also extends enforcement to additional data center assets, including the F5 BIG-IP Local Traffic Manager (LTM), NGINX, and other open-source load balancers. SecureConnect Illumio ASP provides on-demand IPsec connectivity between workloads running anywhere, with no need to change the network or add hardware. With SecureConnect, administrators can configure and enforce encryption of data in transit with one click. IPsec connections no longer need to be set up manually they can be enabled between any combination of Linux and Windows workloads running anywhere. 4

5 SYSTEM REQUIREMENTS VEN Linux workloads CentOS 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 5.11 CentOS 6.2, 6.3, 6.4, 6.5, 6.6, 6.7 CentOS 7.0, 7.1, 7.2 Red Hat 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 5.11 Red Hat 6.2, 6.3, 6.4, 6.5, 6.6, 6.7 Red Hat 7.0, 7.1 SUSE SLES 11 SP3 SUSE SLES12 Amazon , , , , , , Ubuntu (Precise Pangolin), (Trusty Tahr) Debian 7.0 (Wheezy), 8.0 (Jessie) Windows workloads Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows 7 Environments Any hypervisor (e.g., VMware, Hyper-V, KVM, Xen) in any cloud Bare-metal servers Private data centers Any public cloud (e.g., Amazon Web Services, Microsoft Azure, Google Cloud Platform, Rackspace Cloud) PCE Delivery methods Illumio Secure Cloud Virtual Appliance (VMware ESXi 5.0, 5.1, or 5.5) Software (RHEL or CenOS 6.x) Browsers for web console The PCE web console is supported on the most current versions of Chrome and Firefox, and on Internet Explorer 10 or later. ILLUMIO ASP BENEFITS BENEFIT Reduces the threat attack surface by 99% Stops the spread of attacks Delivers security that works anywhere Visualizes real-time traffic inside data centers and clouds Enables compliance Reduces security errors and eliminates up to 90% of firewall rules DESCRIPTION Security is bound to, and moves with, every application workload (VM or physical server) and process. Security adapts as applications change, scale, or migrate. Applications can be nano-segmented down to individual processes on workloads. Security is based on precise inbound and outbound rules for interactions between workloads and processes and the users who are authorized to access them. All other connection attempts are blocked. Security is decoupled from the network or hypervisor and works across any data center, private, and public cloud. Real-time communications between workloads within and across applications are displayed in an interactive graphical map. Policy violations are identified and displays alerts are displayed. PCI, HIPAA, and other compliance requirements are easier to meet with one-click IPsec that encrypts data in transit between workloads running anywhere. Nano-segmentation without network dependencies simplifies the separation of environments. Natural-language security policies eliminate error-prone rules written with IP addresses, ports, VLANs, and zones. API-based integration with orchestration tools like Chef and Puppet helps achieve DevOps speed securely. ABOUT ILLUMIO Illumio delivers adaptive security for every computing environment, protecting the 80 percent of data center and cloud traffic missed by the perimeter. The company s Adaptive Security Platform visualizes application traffic and delivers continuous, scalable, and dynamic policy and enforcement to every bare-metal server, VM, container, and VDI within data centers and public clouds. Using Illumio, enterprises such as Morgan Stanley, Plantronics, NTT, King Entertainment, NetSuite, and Creative Artists Agency have achieved secure application and cloud migration, environmental segmentation, compliance, and high-value application protection from breaches and threats with no changes to applications or infrastructure. For more information, visit www. or 5