Sophisticated thinking about facility security holds that protections should exist not only at the perimeter of Fort Knox but also at its core, where the gold is stored. In modern data center terms, that means protection not only at the perimeter firewalls but also close to the core, where the applications actually run.
Young security firm Illumio is taking that idea and running with it, with a product it calls the Adaptive Security Platform (ASP). ASP watches how an application operates and, from what it learns, formulates rules governing what traffic the application is allowed to receive.
Illumio is extending that approach more deeply into the organization through a concept it calls Adaptive User Segmentation, an abstract term for the process of drawing up rules that fit profiles of individual users of an application. To do so, it has integrated the ASP platform with the information in Active Directory and equipped its core rules engine to make use of that information, the company announced Feb. 17.
The security platform was launched in October 2014.
One of the parties that's paying attention to the results is financial services firm Morgan Stanley, an early adopter of ASP.
Venture investors in Illumio include Accel Partners, Andreessen Horowitz, BlackRock, Data Collective, Formation 8, and General Catalyst Partners, as well as individual investors such as Salesforce CEO Marc Benioff, Virtual Instruments CEO John Thompson, and Yahoo founder Jerry Yang. Together they have put $142.5 million into the company.
The heart of the platform is a Policy Compute Engine, explained CTO P.J. Kirner, co-founder of Illumio, in an interview with InformationWeek. The Policy Compute Engine collects context from a running application, develops an understanding of how it should operate, and formulates rules governing what types of traffic may reach it.
In the past, the traffic governed was the traffic coming from other applications and outside systems. With the Active Directory integration, the engine also generates policies for groups of users. In the way it seeks out information about application operations, the engine functions more like a search engine than a firewall, Kirner said. And because it detects changing conditions and automatically recomputes rules to match the new environment, it is more dynamic than a conventional, statically configured firewall.
The policy engine can make a target application honor the rules because a software agent, the Virtual Enforcement Node, is installed in the server's operating system, where it applies the computed policy to the host's own traffic. Policy is attached to what the workload is rather than to where it sits, so it follows the application. If the application handles sensitive healthcare data, for example, the engine's policy can forbid that application from being redeployed to a location across the Canadian border. Canadian privacy law (in several provinces, British Columbia and Nova Scotia among them) bars health records held by public bodies from being stored on servers outside Canada.
The policy engine formulates policies that govern Active Directory groups based on their permissions and roles. The Virtual Enforcement Node enforces the policy on the user's traffic by detecting in which group the current user resides. Policies governing the user can match the sensitivity of the application and represent finer-grained restrictions and controls than the general purpose classification in Active Directory.
The approach reduces the attack surface of an application, closing off many of the obvious paths that external intruders, or employees going astray, would otherwise use to reach it. An employee with access to three of four applications on a server can be barred from the fourth, even if the members of his Active Directory group are, according to the directory, supposed to have access to all four.
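To make the mechanism concrete, here is a toy label-based policy compute engine. It is an added illustration for this article, not Illumio's code, and it does not reproduce Illumio's policy language; the workloads, labels, users, and rules are all hypothetical. It shows the two points the article makes: policy is written against labels rather than addresses, so the rule governing the health-data application stops matching once that workload is relabelled as sitting in a different country; and a user's Active Directory groups become labels on the source of a flow, so a group-level allow can be narrowed by a deny for one member, the three-of-four-applications case above. Everything not explicitly allowed is denied.

```python
"""Toy label-based policy compute engine (added example, not Illumio's code).

Hypothetical model: every workload carries labels; rules select on labels;
a user's AD groups are labels on the source of a flow; default is deny.
"""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class Rule:
    src: Dict[str, Any]      # label selector for the flow's source ({} = any)
    dst: Dict[str, Any]      # label selector for the flow's destination
    port: int
    action: str = "allow"    # "allow" or "deny"


def matches(selector: Dict[str, Any], labels: Dict[str, Any]) -> bool:
    """A selector matches when every key it names agrees with the labels.

    A label value may be a frozenset (a user's AD groups); then the selector
    matches if its value is a member of that set.
    """
    for key, want in selector.items():
        have = labels.get(key)
        if isinstance(have, frozenset):
            if want not in have:
                return False
        elif have != want:
            return False
    return True


def user_source(name: str, ad_groups) -> Dict[str, Any]:
    """Source labels for a human user's endpoint, identity taken from AD."""
    return {"type": "user", "user": name, "group": frozenset(ad_groups)}


def evaluate(policy: List[Rule], src: Dict[str, Any], dst: Dict[str, Any], port: int) -> str:
    """Allowlist semantics: any matching deny wins; otherwise allow only if some rule permits."""
    decision = "deny"
    for rule in policy:
        if rule.port == port and matches(rule.src, src) and matches(rule.dst, dst):
            if rule.action == "deny":
                return "deny"
            decision = "allow"
    return decision


def compute_inbound(policy: List[Rule], dst: Dict[str, Any], candidates: Dict[str, Dict[str, Any]], port: int):
    """What the compute engine would hand a workload's enforcement node:
    the set of named sources permitted to reach it on this port."""
    return frozenset(name for name, labels in candidates.items()
                     if evaluate(policy, labels, dst, port) == "allow")


# --- constructed sample data (hypothetical) ------------------------------
WORKLOADS = {
    "ledger":  {"type": "workload", "app": "ledger",  "role": "finance-app", "env": "prod"},
    "payroll": {"type": "workload", "app": "payroll", "role": "finance-app", "env": "prod"},
    "records": {"type": "workload", "app": "records", "data": "health", "loc": "CA"},
    "intake":  {"type": "workload", "app": "intake",  "data": "health", "loc": "CA"},
}

POLICY = [
    # The Finance AD group may reach every finance application over HTTPS ...
    Rule(src={"type": "user", "group": "Finance"}, dst={"role": "finance-app"}, port=443),
    # ... but one user is carved out of payroll, a finer grain than the AD group.
    Rule(src={"user": "bob"}, dst={"app": "payroll"}, port=443, action="deny"),
    # Health data may only flow between workloads that are both located in Canada.
    Rule(src={"data": "health", "loc": "CA"}, dst={"data": "health", "loc": "CA"}, port=5432),
]

USERS = {
    "alice": user_source("alice", ["Finance"]),
    "bob":   user_source("bob",   ["Finance"]),
    "carol": user_source("carol", ["Engineering"]),
}


def demo() -> Dict[str, str]:
    results = {
        "alice->payroll":  evaluate(POLICY, USERS["alice"], WORKLOADS["payroll"], 443),
        "bob->ledger":     evaluate(POLICY, USERS["bob"],   WORKLOADS["ledger"], 443),
        "bob->payroll":    evaluate(POLICY, USERS["bob"],   WORKLOADS["payroll"], 443),
        "carol->ledger":   evaluate(POLICY, USERS["carol"], WORKLOADS["ledger"], 443),
        "intake->records": evaluate(POLICY, WORKLOADS["intake"], WORKLOADS["records"], 5432),
    }
    # Redeploy 'records' across the border: the labels change, the rules do not,
    # and the previously allowed flow is no longer permitted.
    moved = dict(WORKLOADS["records"], loc="US")
    results["intake->records(US)"] = evaluate(POLICY, WORKLOADS["intake"], moved, 5432)
    return results


if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{flow:22s} {decision}")
    print("payroll inbound 443:", sorted(compute_inbound(POLICY, WORKLOADS["payroll"], USERS, 443)))
```

Note that the deny for `bob` does not edit Active Directory at all: his group membership still says Finance, and the narrower rule is applied at the destination workload, which is the point of doing user segmentation at the enforcement node rather than in the directory.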
Illumio is moving security away from perimeter infrastructure and closer to the application compute layer, Kirner said. "We're taking the user entitlement in Active Directory and making it part of the security graph," he noted.