Firewalls and perimeter security will never cut it against a rapidly changing foe, says startup Illumio. It's launching its heart-of-the-data-center approach to security for bare-metal and virtual servers. It will also work with either type of server, whether they're on-premises or in the cloud.
Illumio's Adaptive Security Platform is built around the idea that each application or workload must have its own defenses. Firewalls at the perimeter require too much manual intervention when the nature of the threat changes. The Adaptive Security Platform monitors workloads, builds a graph of their relationships, then applies policies to its operations. If malware or an intruder prompts it to do something outside its normal scope of activity, then policies trigger a halt to the activity.
"We do more than monitor the workloads," said P. J. Kirner, CTO and co-founder of Illumio, in an interview. Its system learns what other applications each workload is meant to talk to and what services it depends on by watching the Internet Protocol (IP) tables of a Linux system and the filtering platform of a Windows system. A "virtual enforcement node" is embedded in each workload's operating system to watch the filtering or IP table use and report on the activity.
The reporting goes to a policy-compute engine on a central server. Illumio will offer the policy engine through two Illumio Secure Cloud data centers. The policy engine may also be installed on an on-premises server.
[Want to learn more about the hypervisor-based security approach? See Why Goldilocks Zone Of Data Center Security Makes Sense.]
Based on what it learns, the policy engine formulates policies for each application, based on the work it's supposed to do and the other parties it's supposed to talk to. Attempted violations of the policies trigger blocking actions, said Kirner.
The policy engine can recognize when an application has been changed and new functionality or connections added to it, and automatically adjust its policies accordingly. It sets up policies and adjusts to changed conditions in minutes, not days as some manual adjustments sometimes require.
Such an approach allows the Adaptive Security Platform to block the spread of malware once it is past the perimeter safeguards. It takes minutes for the policy engine to decide what a workload's policies should be and apply them. "It adapts to changes in applications and stops the lateral spread of attacks, without any changes to applications themselves," Kirner noted.
Martin Casado, former CEO of Nicira and now VMware's CTO for networking, has proposed that the hypervisor is in an ideal location to monitor applications for secure practices. But Kirnen said the adaptive platform's independence from any piece of the infrastructure was one of its strengths. The virtual enforcement node can be made a provisioning step in the Chef or Puppet configuration engines and automatically embedded in a workload before deployment. That node can continue reporting to the Illumio cloud's policy-compute engine, even if the workload is moved out to a public cloud, such as Amazon Web Services.
Illumio has 25 customers, including Morgan Stanley, Plantronics, Creative Artists Agency, UBS, and NTT I3, the research and development arm of the NTT Group.
"Demystifying security in the migration to cloud is a huge obstacle for enterprises," said Mayan Mathen, senior VP and CTO of NTT I3, in the announcement. With the Illumio platform, "development and operations teams can clearly plan, implement, and visualize the security linkages inside a product, not in ad hoc retrospect," Mayan said.
Corey Voo, UBS's CTO of infrastructure and applied innovation, was quoted in the announcement as saying he was interested in "the micro-segmentation and operational agility it brings" to IT security.
Alan Cohen, Illumio chief commercial officer, said the Sunnyvale, Calif., firm was founded by veterans of McAfee, Nicira, Cisco, Riverbed, and VMware. It's received $42.5 million in funding from several venture capital firms, including General Catalyst, whose managing partner, Steven Herrod, former VMware CTO, has taken an interest in the firm's approach.
In addition to General Catalyst, Illumio is backed by Andreessen Horowitz, Formation 8, Data Collective, and angel investors Marc Benioff, Salesforce.com's CEO, and Jerry Yang, co-founder of Yahoo.
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data. In the Partners' Role In Perimeter Security report, we'll discuss concrete strategies such as setting standards that third-party providers must meet to keep your business, conducting in-depth risk assessments -- and ensuring that your network has controls in place to protect data in case these defenses fail. (Free registration required.)