
Startup promises to secure data centers and clouds workload by workload

Tim Greene | Nov. 5, 2014
Software platform enables writing and enforcing plain-language security policies, baking them into applications from the start.

Illumio, a well-funded startup with an impressive list of customers, is wheeling out a data-center/cloud security platform that imposes individual security policies on every workload.

The company has amassed $42.5 million through two funding rounds from Andreessen Horowitz, General Catalyst, Formation 8, Data Collective as well as individual investors including Salesforce founder and CEO Marc Benioff and Yahoo co-founder Jerry Yang.

It boasts Morgan Stanley, Plantronics, Creative Artists Agency, Yahoo and NTT I3 among its initial customers looking to better secure their networks.

Illumio's product is a software platform called Adaptive Security Platform (ASP) that consists of an agent and a policy server. The agent, called the Virtual Enforcement Node (VEN), is installed on every database, Web and application server in the network, regardless of whether it is a virtual machine or physical hardware, says Alan Cohen, the company's Chief Commercial Officer. The policy server, called the Policy Compute Engine (PCE), can be deployed on premises or in Illumio's cloud and tells the VENs what policies to enforce.

Because the policies are enforced on every machine involved in all workloads, the security can span corporate data centers, private clouds and public clouds. So if a workload requires more computing power and spins up additional virtual machines in a cloud-provider's network, it will be subject to the same policies.

This policy layer is decoupled from the network layer: policies are written in plain language rather than as lists of which ports on which machines at which IP addresses may talk to which ports on which machines at other IP addresses.

Each workload is described in terms of its role, application, location and environment, and that abstraction is decoupled from the network itself, says Andrew Rubin, Illumio's CEO.

So a business could define a rule that a particular Web server may talk to a specified database, but only at corporate sites in the U.S., and then enforce that all other connections are blocked. Some of these labels are discoverable by the software, but some have to be entered manually, he says.
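The following is an added illustration of the label-based model described above and of the scale-out behaviour mentioned earlier (a new VM spun up from the same template inheriting the same policy). It is not Illumio's code; the workload names, IP addresses, labels, port and rule are constructed for the example. Each workload carries role, application, location and environment labels; a rule refers only to labels, never to IPs; the policy is then compiled into the inbound (source IP, port) pairs each host's agent should accept, with everything else denied and flagged.

```python
"""Label-based segmentation policy compiled to per-host allow lists.

Added example, not Illumio's code. All names, addresses and labels are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str    # network identity; the policy language never refers to it
    role: str  # e.g. web, db
    app: str   # e.g. shop
    loc: str   # e.g. US, EU
    env: str   # e.g. prod, dev


@dataclass
class Rule:
    """Let workloads matching `consumer` open `port` on workloads matching `provider`."""
    consumer: Dict[str, str]
    provider: Dict[str, str]
    port: int
    same: Tuple[str, ...] = ()  # labels that must agree on both ends ("only within the U.S.")


def _matches(wl: Workload, constraints: Dict[str, str]) -> bool:
    return all(getattr(wl, key) == value for key, value in constraints.items())


def describe(rule: Rule) -> str:
    """Render a rule the way an operator reads it: labels only, no addresses."""
    who = " ".join(f"{k}={v}" for k, v in rule.consumer.items())
    whom = " ".join(f"{k}={v}" for k, v in rule.provider.items())
    where = f" where {' and '.join(rule.same)} match" if rule.same else ""
    return f"allow {who} -> {whom} on tcp/{rule.port}{where}"


def compile_policy(workloads: List[Workload], rules: List[Rule]) -> Dict[str, Set[Tuple[str, int]]]:
    """Expand label rules into the inbound (source IP, port) pairs each host's agent accepts.

    Anything absent from a host's set is dropped, i.e. default deny.
    """
    allow: Dict[str, Set[Tuple[str, int]]] = {wl.name: set() for wl in workloads}
    for rule in rules:
        for provider in workloads:
            if not _matches(provider, rule.provider):
                continue
            for consumer in workloads:
                if consumer.name == provider.name or not _matches(consumer, rule.consumer):
                    continue
                if any(getattr(consumer, k) != getattr(provider, k) for k in rule.same):
                    continue
                allow[provider.name].add((consumer.ip, rule.port))
    return allow


def decide(workloads: List[Workload], rules: List[Rule], src_name: str, dst_name: str, port: int) -> str:
    """The decision the destination host's agent makes for one observed flow."""
    by_name = {wl.name: wl for wl in workloads}
    allow = compile_policy(workloads, rules)
    src, dst = by_name[src_name], by_name[dst_name]
    return "allow" if (src.ip, port) in allow[dst.name] else "deny+alert"


def scale_out(workloads: List[Workload], template: Workload, name: str, ip: str) -> List[Workload]:
    """A VM cloned from a labelled template inherits its labels, and therefore its policy."""
    clone = Workload(name, ip, template.role, template.app, template.loc, template.env)
    return workloads + [clone]


# Constructed inventory: two Web tiers in different regions, a prod DB and a dev DB.
INVENTORY = [
    Workload("web-us-1", "10.0.1.10", "web", "shop", "US", "prod"),
    Workload("web-eu-1", "10.0.2.10", "web", "shop", "EU", "prod"),
    Workload("db-us-1", "10.0.1.20", "db", "shop", "US", "prod"),
    Workload("db-us-dev", "10.0.3.20", "db", "shop", "US", "dev"),
]

# One plain-language rule: shop Web servers may reach shop databases on 5432,
# but only where location and environment match.
RULES = [Rule(consumer={"role": "web", "app": "shop"},
              provider={"role": "db", "app": "shop"},
              port=5432, same=("loc", "env"))]


if __name__ == "__main__":
    print(describe(RULES[0]))
    flows = [("web-us-1", "db-us-1", 5432),    # allowed by the rule
             ("web-eu-1", "db-us-1", 5432),    # wrong location
             ("web-us-1", "db-us-dev", 5432),  # wrong environment
             ("web-us-1", "web-eu-1", 22)]     # no rule at all: lateral movement attempt
    for src, dst, port in flows:
        print(f"{src} -> {dst}:{port}  {decide(INVENTORY, RULES, src, dst, port)}")
    scaled = scale_out(INVENTORY, INVENTORY[0], "web-us-2", "10.0.1.11")
    print("web-us-2 -> db-us-1:5432 ", decide(scaled, RULES, "web-us-2", "db-us-1", 5432))
```

Note that nothing in RULES changes when web-us-2 appears; the new host is covered because it carries the same labels, which is the property that lets one policy span a data center and a cloud the workload bursts into.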

Rubin says that in working with customers, Illumio found that using ASP simply to map the relationships among legacy servers in the network was valuable in itself, because knowledge of those relationships is lost over time.

Businesses can incorporate the VEN agent as part of the template for making new workloads, ensuring that security is baked in at the start, says Rubin.

On Windows hosts the agent enforces policy through the Windows Filtering Platform (WFP), the operating system's built-in framework for filtering TCP/IP packets. Reusing the existing filter rather than shipping one of its own keeps the agent lightweight.

From an overall security perspective, this architecture limits what an attacker can reach from a compromised machine, Rubin says. If an attacker does manage to compromise a server, the damage is confined to the connections that server's policy explicitly allows. When malware on it tries to reach another workload in violation of policy, ASP blocks the connection and raises an alert.
