Protecting High-Value Applications: A New Approach, John Westerman

Upload: christian-tucker

Post on 18-Jan-2018


Protecting High-Value Applications: A New Approach
John Westerman

MISSION
  WE SECURE THE 80% OF THE DATA CENTER AND CLOUD THE PERIMETER MISSES

FUNDING
  $142.5M from Andreessen Horowitz, General Catalyst (Steve Herrod, former CTO of VMware), Formation 8, BlackRock, Accel Partners, DCVC, John Thompson, Marc Benioff, Jerry Yang, and others

TEAM
  Leadership team from: VMware, Cisco, Nicira, McAfee, Juniper, Riverbed, and Ruckus
  November 2014: John Thompson (Chairman of MSFT) joins Illumio Board

PRODUCTS & CUSTOMERS
  Pushed 14 versions in 22 months while in stealth (January 2013 to October 2014)
  Stealth-mode engagement with 100 global enterprises
  Launch customers:

Strictly Confidential

Today's Security Challenges
  Distributed & Dynamic
  Firewall
  Problem # 3 Surface Area of Attack
  Problem # 1 Anywhere on Anything
  Problem # 2 Speed, Agility & DevOps
  Traditional Data Center

Moving Toward Infinite Attack Surface
  MAIN FRAME: 1M Users
  MOBILE / CLOUD: 200B+ Users
  PC: 1B+ Users
  INTERNET OF THINGS: ?

Billions have been spent on cyber security over the last 10 years and yet today's leading security technologies are failing.
  Organized Crime, Nation States
  Retail, Financial, Healthcare, Technology, Government

The Reality
  86% of CIOs and execs don't believe they can keep pace with attackers over the next five years. (Source: Wall Street Journal)

  Safeguard high-value applications
  Meet compliance requirements
  Secure big data apps

Security Today

Computing is beyond a human's ability to manage
  Illumination

Insanity: doing the same thing over and over again and expecting different results.
  Albert Einstein
Are we doing this with our cyber security?

Enter Adaptive Security

For security to be adaptive
  1. Granular Discovery & Visualization
  2. Multi-Dimensional Policy Model
  3. Continuous Policy Computation & Enforcement
  4. API Driven
  5. Infrastructure Aware
  6. Operationally Sound

Illumio Adaptive Security Platform (ASP)
Security Delivered in Any Environment
  Virtual Enforcement Node (VEN)
    Antenna installed or baked in to image
    Linux & Windows
  Policy Compute Engine (PCE)
    Central Brain
    Consumed via cloud or on premises
  Security Policy
  Context & Telemetry
  WORKLOADS, Data Center

Today's Policy = Networks & IPs
  Web Tier, App Tier, Database Tier
  Dev, Test, Prod
  Zone #1: Firewalls, Subnet / VLAN
  Zone #2: Firewalls, Subnet / VLAN
  Zone #3: Firewalls, Subnet / VLAN
  Segmentation, Enforcement, Security Policy, Access Controls
  (Static Policy Driven by Manual Change)

Step 1: R-A-E-L Labels
  R = Role
  A = Application
  E = Environment
  L = Location / Geo

  Role: 3 Roles (Web Tier, App Tier, Database Tier)
  Application: ERP
  Environment: ERP / Prod
  Location: ERP / Prod / US

Step 2: Relationships = Policy
  ERP / Prod / US (Only Two Policy Statements)
    Web -> App
    App -> DB
  Whitelist Model

Computing Security Policy
  Policy for Every Workload (Web Tier, App Tier, Database Tier)
  ERP / Prod / US
  WORKLOADS, Data Center

Step 3: First Provision
  ERP / Prod / US
  Security Policy Provisioned to Every Workload (Web Tier, App Tier, Database Tier)
  WORKLOADS, Data Center

Step 4: Adapts to Change
  ERP / Prod / US (Web Tier, App Tier, Database Tier)
  WORKLOADS, Data Center (Automatic)

Abstracting Policy
  Application, Database, Web
  Write policy in natural language
  Apply policy with a single click
  Decouple network dependencies

Illumio ASP: Services
Enforcement, Encryption, and Full Visibility
  Illumination
    Understand & visualize applications & workload relationships
    Model & test security policies
    Identify & alert on threats behind the firewall
  Enforcement
    Enforce policy anywhere: data center, private & public cloud
    Adapt to changes through continuous policy computation
    Write policies in natural language; labels & relationships
  SecureConnect
    Encrypt data-in-motion between any workloads or entire applications
    Enable policy-driven encryption anywhere
    Create on-demand IPsec connections

RINGFENCING HIGH-VALUE APPLICATIONS

Ringfencing High-Value Applications (HVAs)
  Securing Big Data Applications
  Meeting Compliance Requirements
  Mitigating Risk for HVAs

  Common Challenges of Ringfencing High-Value Applications:
    Re-segmenting or changing the network (e.g., VLANs, zones) is difficult and takes time
    Cost of ringfencing with firewalls and network is exorbitant
    Cannot segment applications in the cloud; no control over the network

MITIGATING RISK FOR HVAS
Illumio Adaptive Security Platform

Step 1: Install VEN on Workloads
  Illumio ASP VEN learns all processes, services and flows and gives information to the PCE
  Illumio ASP PCE takes all VEN information from all workloads and automatically visualizes workload interactions
  Illumio ASP draws a network map in real time.

Step 2: Label Application and Workloads
  Label the application and the individual workloads
  Traffic lines turn red to show that flows are not currently governed by policies
  Production

Step 3: Write Natural-Language Rules
  Policy: Asset Management Production

  Scope
    Application         Environment    Location
    Asset Management    Production     EU

  Rules
    Providing Entities    Service         Consuming Entities
    Web                   All Services    Any
    All Workloads         All Services    All Workloads

The Application is now Ringfenced

Thank You
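
The label model from the slides (R-A-E-L labels, two relationship statements, policy computed for every workload and recomputed on change) can be sketched as follows. This is an added example, not Illumio's code or API; the workload names, IP addresses, port numbers and the compute_policy function are constructed for illustration.

```python
# Added illustration of label-based allowlist policy; not Illumio's code or API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str   # hypothetical workload name
    ip: str     # constructed sample address
    role: str   # R = Role
    app: str    # A = Application
    env: str    # E = Environment
    loc: str    # L = Location / Geo

    @property
    def scope(self):
        return (self.app, self.env, self.loc)

# Step 2: relationships = policy, as (provider role, port, consumer role).
# The slides give only "Web -> App" and "App -> DB"; the ports are assumed.
SCOPE = ("ERP", "Prod", "US")
RULES = [("App", 8080, "Web"), ("DB", 5432, "App")]

def compute_policy(workloads, scope=SCOPE, rules=RULES):
    """Return {workload name: sorted [(port, allowed source IP)]}.
    Anything not listed is denied (allowlist model)."""
    in_scope = [w for w in workloads if w.scope == scope]
    policy = {w.name: [] for w in workloads}
    for provider_role, port, consumer_role in rules:
        for provider in in_scope:
            if provider.role != provider_role:
                continue
            for consumer in in_scope:
                if consumer.role == consumer_role:
                    policy[provider.name].append((port, consumer.ip))
    return {name: sorted(allowed) for name, allowed in policy.items()}

def demo():
    fleet = [
        Workload("web1", "10.0.1.10", "Web", "ERP", "Prod", "US"),
        Workload("app1", "10.0.2.10", "App", "ERP", "Prod", "US"),
        Workload("db1", "10.0.3.10", "DB", "ERP", "Prod", "US"),
        # Same role and application, but Dev: outside the ringfenced scope.
        Workload("web-dev", "10.9.1.10", "Web", "ERP", "Dev", "US"),
    ]
    before = compute_policy(fleet)
    # Step 4: a new Prod web workload appears; the two rules are not edited,
    # the per-workload allowlist is simply recomputed.
    fleet.append(Workload("web2", "10.0.1.11", "Web", "ERP", "Prod", "US"))
    return before, compute_policy(fleet)

if __name__ == "__main__":
    before, after = demo()
    for name, allowed in after.items():
        print(name, before.get(name), "->", allowed)
```

The Dev web server never appears in any allowlist because its labels fall outside the ERP / Prod / US scope, which is the ringfencing effect the deck describes.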