
Balancing Security and Operational Resilience: Illumio’s Strategy for Secure and Stable Software Releases

Cybersecurity is all about reducing risk. That’s why it’s so important to consider how your security solutions not only deliver value but also keep you safe if their systems fail.  

At Illumio, our top priorities are staying stable and reliable for our customers. This helps you build a Zero Trust Segmentation architecture that stays resilient even when something fails.

This blog post overviews the design choices we’ve made in the Illumio platform that help keep you secure while reducing the effect of a worst-case scenario.

How Illumio releases new software

When security vendors release new software to customers, it usually happens in one of two ways:

Inline in the data plane: This means the vendor’s software gets put directly into the network infrastructure in the path of network traffic. An inline solution can block malicious traffic. But this means it can also block all traffic if it fails. These solutions also usually need deep access into the operating system, often into kernel space. The deeper it goes, the higher the risk is if something goes wrong.

Out-of-band in the management plane: This means the vendor’s software is separate from the rest of the network infrastructure. It uses existing operating system features and avoids adding redundant solutions. It stays in the user space with little, if any, need to access the kernel space. Failures may temporarily affect the management plane, but they don't affect the data plane. In other words, the customer is still protected and operations aren’t hindered when a failure happens.

Illumio deploys software out-of-band in the management plane.

We use the packet filtering tools already built into major operating systems instead of redundant or inline packet filters. This approach automates these existing tools to segment the workloads directly. Packet filtering is part of the operating system, so Illumio software doesn’t need to be updated as frequently.  

Illumio works with some of the world's largest, most complex enterprises and government agencies. We understand that constant upgrades can be tough on critical systems. Our out-of-band deployment model helps greatly reduce these challenges.

A colorful diagram of the Illumio architecture

How Illumio upgrades its SaaS platform

When we upgrade our SaaS cluster, we use a staggered deployment workflow. This means we use a step-by-step process to upgrade one group of clusters at a time.

First, we test the new updates in several internal, non-production environments. Only after they pass these tests do we start upgrading the SaaS clusters, and we do that using a phased, staggered upgrade workflow: upgrades happen in phases rather than all at once, and only for a few tenants at a time.

If a problem does emerge during the upgrade, we stop the process right away. This way, the issue affects only the customers upgraded in the earliest phases, and we can quickly roll back to the last stable Illumio release. We never upgrade the SaaS cluster for all customers at the same time.
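The staggered workflow described above, as an added illustration that is not Illumio's own tooling: a fleet is split into phases that grow in size, each phase is health-checked before the next begins, and a failure halts the rollout and rolls back every cluster upgraded so far. The cluster names, version strings and the health check are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Cluster:
    name: str
    version: str


def plan_phases(clusters, phase_sizes):
    """Split the fleet into upgrade phases. Early phases are deliberately small,
    so a bad build reaches only a few tenants before a health check can catch it.
    Any clusters not covered by phase_sizes form one final phase."""
    phases, start = [], 0
    for size in phase_sizes:
        phases.append(clusters[start:start + size])
        start += size
    if start < len(clusters):
        phases.append(clusters[start:])
    return phases


def staggered_upgrade(clusters, new_version, phase_sizes, health_check):
    """Upgrade one phase at a time, never the whole fleet at once.
    If any cluster in the current phase fails its health check, stop right away
    and roll every already-upgraded cluster back to its previous version, so the
    blast radius is limited to the phases completed before the fault showed up."""
    previous = {c.name: c.version for c in clusters}
    upgraded = []
    for phase_no, phase in enumerate(plan_phases(clusters, phase_sizes), start=1):
        for c in phase:
            c.version = new_version
            upgraded.append(c)
        failed = [c.name for c in phase if not health_check(c)]
        if failed:
            for c in upgraded:
                c.version = previous[c.name]
            return {"status": "rolled_back", "halted_at_phase": phase_no,
                    "failed": failed, "affected": [c.name for c in upgraded]}
    return {"status": "complete", "halted_at_phase": None, "failed": [], "affected": []}


def demo_clusters(n=10, version="stable"):
    """Constructed sample fleet; names and versions are placeholders, not real tenants."""
    return [Cluster(f"tenant-cluster-{i:02d}", version) for i in range(1, n + 1)]


def faulty_health_check(broken_names, new_version):
    """Constructed stand-in for real monitoring: the named clusters go unhealthy
    as soon as they run new_version; everything else passes."""
    def check(cluster):
        return not (cluster.version == new_version and cluster.name in broken_names)
    return check
```

With phases of 1, 2 and 3 clusters and a build that breaks the third cluster, the rollout halts in phase 2: three of ten tenants ever saw the new build, and all three are returned to the previous version.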

How Illumio upgrades segmentation policy

When we make updates to Zero Trust Segmentation policies for workloads, we send them only to the parts of our customers’ environments that need them.

In the Illumio platform, customers create their own intent-based segmentation policy using labels. Role-based access controls (RBAC) prevent creating policies that are too permissive. Illumio updates these policies in the background as IPs change and as workloads are added or removed. Only the workloads affected by specific customer changes get updated policies from Illumio.

For data center and endpoint workloads, Illumio receives and applies policies within the native operating system’s firewall. Customers have full control over this process, deciding when and if they want to upgrade to a new software version.  

When Illumio does have new software versions, the SaaS platform still has backward compatibility. This means it continues to work with older versions of Illumio. Because of this, customers don't have to upgrade often. They can test and roll out upgrades on their own schedule and based on their own change practices.

A simpler architecture means less risk

You can never completely eliminate risk from your security stack. But a simpler architecture means fewer points of failure.

The Illumio platform’s design reduces the number of things that might fail in a worst-case scenario. While no system is completely risk-free, our simpler setup and smaller size make major problems far less likely if something does go wrong.

Contact us today to learn how Illumio helps keep your organization safe and resilient.
