What do you think is the biggest roadblock to cloud adoption for Enterprises? Is it the cost? Is it the complexity to deploy workload? Is it the time to market? No of course not, it is generally the same dilemma wherever you go: security.
How am I going to keep my data secure in the clouds of the interwebz? There have been a lot of good ideas and potential solutions but either they are far too complex, overly limit deployment options or they simply do not provide enough control.
Enter one of my favorite vendors from Network Field Day 12: Illumio. Let me start by saying that their solution is rather simple and a technical overview will not blow you away. This is also precisely why I love their solution. It is very simple yet should effectively meet the needs of most organizations.
I can see this solution being fine for almost any workload you would be willing to put in the cloud. I still think long term Enterprises are going to need to own some infrastructure for highest sensitivity of data. But that is normally far and away the minority of the data for most organizations.
How does Illumio work?
In summary it is a centrally controlled but distributed enforcement of host based firewall using IPtables or Windows filtering… yeah, that’s it. No overlays or abstractions or endpoint security products. Just firewall tools that have been available from the beginning.
Now of course that isn’t all there is to the solution. Likely the first problem you will think of is policy. Ok, so I can already use the firewall capabilities right now but we don’t because building a policy for each VM is not only a nightmare, it is virtually impossible.
Enter Illumio PCE (Policy Compute Engine) which is the central brain of the solution and it agent based discovery of communication behavior.
PCE builds enforcement policy based on standard graph theory in which it paints application dependency map which is then exposed in a declarative policy model. Yah … that is a mouth full but we should all understand declarative models by now. This is how Cisco ACI and many other similar solutions work. The declarative model simply describes what an application needs to the infrastructure and allows the distributed intelligence of the fabric to build forwarding elements to meet these requirements.
Now of course this requires an endpoint agent to do the discover and then to interpret the policy into what in this case extrapolates out into a firewall policy. These endpoint agents are known simply as a VEN – Virtual Enforcement Node.
There are a few deployment models for both brownfield installation of the VENs and then of course the recommended long term approach is to bake a VEN into the VM image.
In summary, all in all, the solution appears to be what I would describe as simple elegance. It achieves the key objectives in securing workloads while keeping the actual policy enforcement very simple. The secret sauce is of course how the PCE is able to learn and build the policy elements. This is where the vast majority of effort to tune and optimize the solution is going to concentrated. All in all I was very impressed. For more information please check out Illumio’s website and their NFD 12 presentation: