The company calls the new capabilities, announced today, Explorer and Policy Generator.
Explorer allows operations and security staff to ask questions about their network traffic in plain English. For example: What traffic has crossed from development to production in the last 60 days?
Policy Generator, as the name implies, uses network traffic to automatically recommend — and then generate — microsegmentation policies for every workload and application, regardless of location. This includes applications running on bare metal, on virtualized platforms, in containerized workloads, or behind network devices, whether on premises or deployed in the cloud.
This feature can analyze applications and create security policies in seconds without network details like IP addresses, allowing non-security teams to create policies, said Matt Glenn, VP of products at Illumio.
“As customers try to create policies that protect their applications and push those workflows out to the individual teams, those teams should not have to get a Ph.D. in security to protect their applications,” Glenn said. “We were the first company to have visual application mapping — we call it application dependency mapping. The next step in this process is being able to autosuggest policies. That is what we are showing here.”
Both of the new features within the Illumio Adaptive Security Platform are currently shipping.
The company’s approach to network security involves monitoring and protecting individual workloads through microsegmentation. This enables fine-grained security policies to be assigned to data center applications. The approach improves network security by integrating it directly into a virtualized workload without requiring a hardware-based firewall.
Illumio execs are quick to point out differences between their platform and VMware’s NSX. For one, Illumio’s microsegmentation was purpose-built for security, whereas NSX was originally built for network virtualization.
“NSX is really bound to the hypervisor,” Glenn said. “Our product isn’t bound to any form of infrastructure — we mean switches, virtual firewalls, hypervisors. It’s literally decoupled from everything, whether it is running on bare metal or Amazon or Google or whatever. The infrastructure doesn’t matter.”
Earlier this year Illumio expanded its Adaptive Security Platform (ASP), allowing the software to talk directly to some switches and clouds to make policy enforcement more uniform. This included support for Cisco and Arista switches, as well as Amazon Web Services (AWS) and Microsoft Azure.
The platform’s new capabilities are “the logical next steps” for Illumio, said 451 Research analyst Eric Hanselman. “Being integrated with the workload gives them some useful views and, more importantly, some context. This gets you that much closer to having a real and meaningful policy automation tool.”
“You’ve got VMware coming from the virtualization environment, heading downward into the control and capabilities, and Cisco coming from the network view heading upward. Illumio has stepped to the side and it is coming from the workload environment,” he said. “It’s a balance between the three different approaches.”