SecureConnect
Enterprises have requirements to encrypt in-transit data in many environments, particularly in PCI and other regulated environments. Encrypting in-transit data is straightforward for an enterprise when the data is moving between data centers. An enterprise can deploy dedicated security appliances (such as VPN concentrators) to implement IPsec-based communication across open untrusted networks.
However, what if an enterprise needs to encrypt in-transit data within a VLAN, data center, or PCI environment or from a cloud location to an enterprise data center? Deploying a dedicated security appliance to protect every workload is no longer feasible, especially in public cloud environments. Additionally, configuring and managing IPsec connections becomes more difficult as the number of hosts increases.
SecureConnect Overview
SecureConnect leverages the built-in IPsec subsystem of host operating systems. On Windows hosts, SecureConnect utilizes the Windows IPsec subsystem. On Linux hosts, SecureConnect utilizes StrongSwan and Linux kernel IPsec for traffic encryption.
SecureConnect is the Illumio feature that configures the Security Policy (SP) needed to enable traffic encryption between workloads. Once the workloads have authenticated, the encryption and cryptographic suites provide confidentiality and data integrity for the network traffic between them.
The PCE centrally manages all Security Policy (SP) for workloads, so encryption is policy-driven. For example, a customer can require that all traffic between their web servers and database servers be encrypted. Selecting the SecureConnect option for these workloads lets the PCE apply the requisite security policy across your organization to make that happen. SecureConnect reduces the complexity of configuring IPsec encryption and scales automatically with your policy definitions.
SecureConnect Use Cases
Employing SecureConnect is especially beneficial in these common scenarios:
Facilitate PCI compliance by ensuring that confidential data is encrypted over the network.
Secure off-site backup and recovery of data across geographically distributed data centers.
Secure communications across applications and application tiers for regulatory compliance and tighter security.
Enable secure data migration across different public cloud providers.
SecureConnect Features and Enforcement
SecureConnect works for connections between two Linux workloads, between two Windows workloads, and between a Linux workload and a Windows workload.
Note
SecureConnect rules are only applied to workloads where the VEN is in a non-idle enforcement state.
However, unlike other rules, SecureConnect requires matching rules to be applied to workloads on BOTH sides of any connection. Therefore, SecureConnect traffic is not supported between two workloads where a VEN on either side is in idle state.
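Because SecureConnect relies on the Linux kernel IPsec subsystem and only protects a connection when both workloads carry the matching rule, a practitioner will want to confirm on the host that the kernel actually holds ESP policies in both directions for a given peer. The following is an added example, not Illumio's or strongSwan's code: it parses `ip xfrm policy` output (a constructed sample is embedded; transport mode and the addresses are assumptions) and reports whether a local/peer pair is covered outbound, inbound, or both.

```python
"""Check whether Linux kernel IPsec (xfrm) policies protect a workload pair.
Added example, not Illumio's code: parses `ip xfrm policy` output and
verifies that ESP policies exist in both directions for a peer."""
import re
from typing import Dict, List

# Constructed sample of `ip xfrm policy` output as seen on web server 10.0.1.10.
# Peer 10.0.2.20 (DB) has policies in both directions; peer 10.0.3.30 has only
# the outbound half, so cleartext arriving from it would not be rejected.
SAMPLE_XFRM_POLICY = """\
src 10.0.1.10/32 dst 10.0.2.20/32
\tdir out priority 2080 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 10.0.2.20/32 dst 10.0.1.10/32
\tdir in priority 2080 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 10.0.1.10/32 dst 10.0.3.30/32
\tdir out priority 2080 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 2 mode transport
"""

def parse_xfrm_policies(text: str) -> List[Dict[str, str]]:
    """Split `ip xfrm policy` output into one dict per policy entry."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("src "):  # each policy entry starts at column 0
            m = re.match(r"src (\S+) dst (\S+)", line)
            entries.append({"src": m.group(1).split("/")[0],
                            "dst": m.group(2).split("/")[0]})
        elif entries:  # indented detail lines belong to the last entry
            for key in ("dir", "proto", "mode"):
                m = re.search(rf"\b{key} (\S+)", line)
                if m:
                    entries[-1][key] = m.group(1)
    return entries

def encryption_status(text: str, local: str, peer: str) -> Dict[str, bool]:
    """Report whether ESP policies cover local->peer (out) and peer->local (in)."""
    pols = parse_xfrm_policies(text)
    def has(src: str, dst: str, direction: str) -> bool:
        return any(p["src"] == src and p["dst"] == dst and p.get("dir") == direction
                   and p.get("proto") == "esp" for p in pols)
    out_ok, in_ok = has(local, peer, "out"), has(peer, local, "in")
    return {"out": out_ok, "in": in_ok, "protected": out_ok and in_ok}
```

On a real workload, feed the function the live output of `ip xfrm policy` in place of the constructed sample; a pair reported as not protected in one direction is worth checking against the VEN enforcement state on both sides.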