Illumio added a feature to its segmentation software that lets application teams build software-defined perimeters around individual application instances.
Segmentation, or microsegmentation, enables fine-grained security policies to be assigned to individual applications. The approach improves network security by integrating enforcement directly into a virtualized or containerized workload without requiring a hardware-based firewall. It reduces a company’s attack surface by essentially sealing off applications from the rest of the network, preventing an attacker who compromises one application from moving laterally into the wider system.
The new feature, called App Owner View (AOV), makes it less costly for organizations to implement microsegmentation, said Matt Glenn, VP of product management at Illumio.
"Customers told us that the real cost of their segmentation wasn’t Illumio,” he said. “The big fear they had was the number of people they were going to have to hire to get the job done — the long-term operational burden.”
No More Ministry of Segmentation

AOV reduces that cost because it enables customers “to make zero-trust and segmentation just part of their normal behavior instead of creating this Orwellian ministry of segmentation,” he added. “There is no one person who understands how every application in an organization works, so what we learned over the years of being in the market is the best way and least operationally costly way to build segmentation policy is to push it down into the organization. CISOs came back to us and said we don’t just want to push it down because it drives the cost down, we want to do it in a zero-trust way.”
AOV does this in a zero-trust way because it lets Illumio Policy Compute Engine administrators assign granular permissions to app owners, allowing them to see only their own applications and author the policies for those applications. Security teams can therefore enforce strict access-management rules for what each app owner can read, write, and monitor. Application teams get control only where they need it, which applies the principle of least privilege to policy authoring itself. App owners can see everything related to their application, such as live traffic into and out of it, and nothing more.
“It pushes traffic visibility down into application teams, whether that’s a service owner or the app team itself, and then lets them author a [segmentation] policy,” Glenn said. “But ultimately it still allows the CISO or whomever owns segmentation to be able to approve and provision those policies.”
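To make the delegation model described above concrete, here is an added illustration (not Illumio's code and not the PCE API) of scoped policy authoring: an app owner sees only flows touching apps they own, can draft rules only for ingress to those apps, and a separate approver role must provision a draft before it becomes active. All names, the `PolicyStore` class, and the "destination must be owned" scoping rule are assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """A segmentation allow-rule: traffic from src_app to dst_app on port."""
    src_app: str
    dst_app: str
    port: int


@dataclass
class PolicyStore:
    """Hypothetical model of app-owner-scoped segmentation policy.

    owners    : user -> set of app names that user is allowed to manage
    approvers : users (e.g. the CISO's team) allowed to provision drafts
    """
    owners: dict = field(default_factory=dict)
    approvers: set = field(default_factory=set)
    drafts: list = field(default_factory=list)
    active: list = field(default_factory=list)

    def visible_flows(self, user, flows):
        """Read scope: only flows into or out of an app the user owns."""
        apps = self.owners.get(user, set())
        return [f for f in flows if f["src"] in apps or f["dst"] in apps]

    def draft_rule(self, user, rule):
        """Write scope: an owner may only author ingress rules for their own app.

        Assumption: the destination app's owner controls who may reach it,
        so a rule whose dst_app is outside the user's scope is rejected.
        """
        if rule.dst_app not in self.owners.get(user, set()):
            return False
        self.drafts.append(rule)
        return True

    def provision(self, user, index):
        """Approval step: only an approver can move a draft into active policy."""
        if user not in self.approvers or index >= len(self.drafts):
            return False
        self.active.append(self.drafts.pop(index))
        return True
```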