
SOLUTION BRIEF

Adaptive User
Segmentation
with Illumio Core

Illumio Core™ integrates with Microsoft Active Directory group memberships to control which applications a VDI user
can communicate with, thereby greatly reducing the attack surface available to external attackers and insider threats.
Organizations have deployed desktop virtualization for a variety of reasons, including security, IT costs, and application
control. Many of these organizations have deployed their VDI plants within their data center. User access to applications
from VDI is typically unrestricted, which exposes data center applications to internal threats.

Before Illumio

• VDI users are allowed to connect to any application within the data center, relying on authentication as the only
  means of protecting against unauthorized access.
• If a user relies on a weak password, or a malicious actor gets access to a user's credentials, then the application
  is compromised.
• Controlling user access to applications requires significant network reconfigurations.

After Illumio

• Adaptive User Segmentation adds a layer of protection before a user can even log in to an application. It does this
  by blocking connectivity to unauthorized applications based on the user's identity, without relying on the network.
• Enterprises gain an added layer of control before authentication, thereby reducing exposure of key business assets
  and applications to bad actors.
• Adaptive User Segmentation relies on Microsoft Active Directory as the source of truth for which applications a user
  is allowed to access: rather than being used solely for authentication, Active Directory is also used to determine
  connectivity entitlements.

[Figure: Active Directory + Illumio Core = Adaptive User Segmentation]


• Uses the user's identity, not IP address. By examining who the user is at the time that he or she logs in, policies
  can be dynamically created and enforced without any reliance on the underlying network, while still allowing
  administrators to use dynamic IP address assignment.

• Integrates with Microsoft Active Directory. As users are added to existing groups, or new groups are added into
  Active Directory, policies are dynamically updated. This ensures that there is a single source of truth around user
  entitlements.

• Integrates with VDI. Ensures that connectivity restrictions can be enforced in the VDI plant, a level of control that
  was previously unavailable.


Feature                        Benefit

Enforcement at the host        • Does not rely on changing the underlying network
                               • Provides real-time feedback if a user changes IP addresses or moves

Active Directory integration   • Policies are updated automatically as users are added to groups or new groups are
                                 created in Active Directory
                               • Provides a single source of truth for user entitlements

Reduced attack surface         • Massively reduces the opportunities for bad actors to access sensitive applications

The Illumio Core architecture consists of lightweight Virtual Enforcement Nodes (VENs) installed on workloads residing
in any data center or cloud. The VENs act as antennas and send telemetry information about the workloads to a Policy
Compute Engine (PCE) that acts as the central brain of the platform. The PCE builds a graph of all dependencies between
workloads and their applications and computes precise security policies that are instrumented into the native security
capabilities (iptables or Windows Filtering Platform) in every workload. Anytime applications or environments change,
Illumio Core automatically adapts by recomputing and updating the policies.

[Figure: Illumio Core architecture. The Virtual Enforcement Node (VEN) on each workload, in the data center or public
cloud, sends context and telemetry to the Policy Compute Engine (PCE); the PCE builds the application dependency map,
accepts natural-language policy, and returns security instructions to the VEN.]

For Adaptive User Segmentation, a script is run against one of the Active Directory servers within the customer's
infrastructure, which imports the organization's Active Directory groups into the PCE via its REST API. (Note: nothing
needs to be installed on the Active Directory server.)

Assets like domain controllers, DNS servers, and DHCP servers can have VENs installed on them, or they can be added
into the PCE as unmanaged workloads.

Administrators define a set of default policies such as: "VDI hosts can use domain controllers, DNS, DHCP, and Internet
proxies." The PCE turns that natural-language policy into a set of instructions that are used on every VDI host.

The VEN is installed into the guest operating system and enforces the default policy. If a user were to look at the
policy on any given VDI host, it would show that the host was allowed to talk to the IP address(es) of domain
controllers, DNS servers, DHCP servers, and proxies.

When a user logs in to the host, the VEN checks his or her group membership, then requests the specific policy for that
user from the PCE. The PCE then sends the additional, user-specific policies back down to the host, where they are
received by the VEN and added into the workload.

Whenever a user locks or logs out of the workstation, the default policy is restored.
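The Python below is an added illustration of the login/lock/logout workflow just described and of the PCE-to-VEN
model from the architecture section. It is not Illumio code and does not call the PCE REST API; the class names, the
group DNs, the application labels, the addresses, the ports and the iptables-style rule format are all constructed for
the example. What it shows that the prose does not is why the approach survives dynamic IP assignment: policy is keyed
by identity and by workload label, and addresses are only resolved when rules are rendered.

```python
"""Adaptive user segmentation on a VDI host, modelled in Python.

Added illustration, not Illumio code or its REST API. All group names,
labels, addresses and ports below are constructed sample data.
"""
from copy import deepcopy

# Constructed: AD groups (as imported into the PCE) -> application labels
# -> allowed proto/port pairs for members of that group.
GROUP_ENTITLEMENTS = {
    "CN=Finance,OU=Groups,DC=example,DC=com": {"erp-app": {"tcp/443"}},
    "CN=Developers,OU=Groups,DC=example,DC=com": {
        "git-server": {"tcp/22", "tcp/443"},
        "ci-server": {"tcp/443"},
    },
}

# Constructed: the default policy every VDI host gets before anyone logs in
# ("VDI hosts can use domain controllers, DNS, DHCP, and Internet proxies").
DEFAULT_POLICY = {
    "domain-controller": {"tcp/88", "tcp/389", "tcp/445"},
    "dns": {"udp/53", "tcp/53"},
    "dhcp": {"udp/67"},
    "proxy": {"tcp/3128"},
}

# Constructed: group memberships the VEN would look up at login.
USER_GROUPS = {
    "alice": ["CN=Finance,OU=Groups,DC=example,DC=com"],
    "bob": ["CN=Developers,OU=Groups,DC=example,DC=com",
            "CN=Finance,OU=Groups,DC=example,DC=com"],
    "mallory": [],  # valid credentials, no application entitlements
}

# Constructed: label -> current addresses. Policy never names an address,
# so a DHCP lease change only touches this table.
LABEL_ADDRESSES = {
    "domain-controller": ["10.0.0.10", "10.0.0.11"],
    "dns": ["10.0.0.10"],
    "dhcp": ["10.0.0.12"],
    "proxy": ["10.0.1.5"],
    "erp-app": ["10.1.0.20"],
    "git-server": ["10.1.0.30"],
    "ci-server": ["10.1.0.31"],
}


class PolicyComputeEngine:
    """Central policy store: host default policy plus per-group entitlements."""

    def __init__(self, default_policy, group_entitlements):
        self.default_policy = default_policy
        self.group_entitlements = group_entitlements

    def policy_for_groups(self, groups):
        """Union of the entitlements of every group the user belongs to."""
        policy = {}
        for group in groups:
            for label, services in self.group_entitlements.get(group, {}).items():
                policy.setdefault(label, set()).update(services)
        return policy


class VirtualEnforcementNode:
    """Host agent: enforces the default policy, layers the user's policy on
    login, and drops back to the default on lock or logout."""

    def __init__(self, pce, directory):
        self.pce = pce
        self.directory = directory   # where group membership is read from
        self.user = None
        self.user_policy = {}

    def login(self, user):
        self.user = user
        self.user_policy = self.pce.policy_for_groups(self.directory.get(user, []))

    def lock_or_logout(self):
        self.user = None
        self.user_policy = {}

    def effective_policy(self):
        policy = deepcopy(self.pce.default_policy)
        for label, services in self.user_policy.items():
            policy.setdefault(label, set()).update(services)
        return policy

    def render_iptables(self, addresses):
        """Render the effective policy as iptables-style OUTPUT rules.
        Illustrative format only; everything not listed is dropped."""
        rules = []
        for label, services in sorted(self.effective_policy().items()):
            for addr in addresses[label]:
                for service in sorted(services):
                    proto, port = service.split("/")
                    rules.append(f"-A OUTPUT -d {addr} -p {proto} --dport {port} -j ACCEPT")
        rules.append("-A OUTPUT -j DROP")
        return rules


if __name__ == "__main__":
    ven = VirtualEnforcementNode(PolicyComputeEngine(DEFAULT_POLICY, GROUP_ENTITLEMENTS), USER_GROUPS)
    ven.login("alice")
    print("\n".join(ven.render_iptables(LABEL_ADDRESSES)))
```

In this model the entitlement lookup happens at login and the user policy is discarded on lock, so a locked session
exposes only the infrastructure set, and a group change in Active Directory reaches the host at the next login. A
practitioner should also note that the default policy still reaches domain controllers, DNS, DHCP and proxies, which
is why the brief suggests putting VENs on those assets or registering them as unmanaged workloads.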

Get Started Today


Technical resources on Illumio’s architecture and quick start guides for deployment in a range of environments are
available at www.illumio.com/resources. Illumio offers a wide range of services around design, deployment, and
optimization, as well as custom services tailored to customer requirements. For more information about Illumio
Core and how it can be used to control user-to-application connectivity, email us at [email protected] or call
855-426-3983 to speak to an Illumio representative.


About Us

Illumio enables organizations to realize a future without high-profile breaches by preventing the lateral movement of attackers
across any organization. Founded on the principle of least privilege in 2013, Illumio provides visibility and segmentation for
endpoints, data centers or clouds. The world’s leading organizations, including Morgan Stanley, BNP Paribas, Salesforce, and
Oracle NetSuite, trust Illumio to reduce cyber risk. For more information, visit www.illumio.com/what-we-do.

See what customers have to say about Illumio.

The GARTNER PEER INSIGHTS Logo is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights
reserved. Gartner Peer Insights reviews constitute the subjective opinions of individual end users based on their own experiences and do not represent the
views of Gartner or its affiliates.

Illumio, Inc. 920 De Guigne Drive, Sunnyvale, CA 94085, Tel (669) 800-5000, www.illumio.com. Copyright © 2020 Illumio, Inc. All rights reserved. This
document is protected by U.S. and international copyright and intellectual property laws. Illumio’s products and services are protected by one or more U.S.
and international patents listed at https://www.illumio.com/patents. Illumio® is a trademark or registered trademark of Illumio, Inc. or its affiliates in the U.S.
and other countries. To review a list of Illumio’s trademarks, go to https://www.illumio.com/trademarks. Third-party trademarks mentioned in this document
are the property of their respective owners.

