Illumio Brings Active Directory To Dynamic Security - InformationWeek
2/19/2016
10:05 AM

Illumio Brings Active Directory To Dynamic Security

Startup Illumio can apply individual security policies to application users on premises and in the cloud.

Sophisticated thinking about facility security recommends that protections exist not only at the perimeter of Fort Knox but also in its core, where the gold is stored. In modern data center terms, that would mean not only protections in perimeter firewalls but also near the core where the applications are running.

Young security firm Illumio is taking that idea and running with it, using an approach it calls Adaptive Security Platform. ASP watches an application's operations and, based on what it learns, formulates rules to govern what types of traffic the application can receive.

Illumio is extending that approach more deeply into the organization through a concept it calls Adaptive User Segmentation, an abstract term for the process of drawing up rules that fit profiles of individual users of an application. To do so, it has integrated the ASP platform with the information in Active Directory and equipped its core rules engine to make use of that information, the company announced Feb. 17.

The security platform was launched in October 2014.

One of the parties that's paying attention to the results is financial services firm Morgan Stanley, an early adopter of ASP.

(Image: maxkabakov/iStockphoto)

Others taking a venture capital stake in Illumio include Accel Partners, Andreessen Horowitz, BlackRock, Data Collective, Formation 8, and General Catalyst Partners, as well as individual investors such as Salesforce CEO Marc Benioff, Virtual Instruments CEO John Thompson, and Yahoo founder Jerry Yang. They're backing the company with $142.5 million.

The heart of the platform is a Policy Compute Engine, explained CTO P.J. Kirner, co-founder of Illumio, in an interview with InformationWeek. The Policy Compute Engine collects context from the operation of a running application, develops an understanding of how it should operate, and formulates rules governing what types of traffic can access it.

In the past, the traffic governed was the traffic coming from other applications and outside systems. With the integration of Active Directory, the engine is generating policies for groups of users. In its ability to seek out information about application operations, the engine functions more like a search engine than a firewall, Kirner said. And its ability to detect changing conditions and automatically create rules to match the new environment makes it more dynamic than a rules-governed firewall.

The policy engine can get a target application to honor the rules because its server's operating system has had a software package, a Virtual Enforcement Node, embedded in it. If the application is handling sensitive healthcare data, then the policy engine will have a rule that forbids the application from being installed in a new location across the Canadian border, for example. Canada has a law against exporting private healthcare data to servers in the United States.

The policy engine formulates policies that govern Active Directory groups based on their permissions and roles. The Virtual Enforcement Node enforces the policy on the user's traffic by detecting in which group the current user resides. Policies governing the user can match the sensitivity of the application and represent finer-grained restrictions and controls than the general purpose classification in Active Directory.

The approach reduces the attack surface of an application, eliminating many of the seemingly obvious avenues that are exploited by hackers and intruders or internal employees going astray. An employee with access to three of four applications on a server can be barred from accessing the fourth, even if the members of his group, according to Active Directory, are supposed to have access to all four.

Illumio is moving security away from perimeter infrastructure and closer to the application compute layer, Kirner said. "We're taking the user entitlement in Active Directory and making it part of the security graph," he noted.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comments
Charlie Babcock,
User Rank: Author
2/19/2016 | 9:37:31 PM
Making security much more granular
The Illumio approach is interesting because it takes the idea of formulating security policies and makes it much more granular. Policies are based on a connection of two things that were previously unconnected: the changing nature of the application and the profile and role of the user.