Illumio is the latest winner of this month's Network Innovation Award, in recognition of its Adaptive Security Platform. According to Illumio, security in the modern data center requires a whitelist approach based on what is -- and isn't -- normal behavior inside the network and among workloads.
To say Illumio's Adaptive Security Platform (ASP) takes a granular approach is an understatement. It can segment traffic and enforce policies down to the level of what happens among virtual machines or even with individual processes in one VM. Because it's not tied to the network, the platform can protect private data centers and public cloud environments -- without requiring any changes to subnets, zones and VLANs.
SearchNetworking editor Jessica Scarpati spoke with Illumio security gurus PJ Kirner, the company's co-founder and CTO, and Alan Cohen, its chief commercial officer. The following interview has been edited for length and clarity.
What problem are you trying to solve with Illumio's ASP?
PJ Kirner: Data centers evolved to become much more dynamic, distributed and heterogeneous. Traditional security platforms were designed at a point when those traits were not part of the nature of the data center, and as it evolved, we needed a new security platform to address those things. It had to be designed from scratch.
Alan Cohen: If you look at the way security has been built, it's traditionally been around the network. There are certain things the network knows, but what the network doesn't know is the context and what is really going on in the host and workload itself.
It's like one of those Reese's Peanut Butter Cup commercials. Somebody figured out how to smash peanut butter and chocolate together; we figured out how to smash the capabilities of the network and the capabilities of the host and application together. Without both of them, you're going to have a half-baked security solution. The way we did it didn't introduce any complexity because we're instrumenting the native firewall and visibility capabilities that are already set in the host.
Kirner: And it significantly reduces the complexity. More information, better data and better context can lead to better decisions. We brought together these two things that have never been brought together before.
How does Illumio's security platform improve on a network-centric approach?
Cohen: For the most part, the network has provided access control and that security layer between the untrusted environment -- the Internet -- and the trusted environment, the data center. However, as that dissolved because of cloud computing, microservices and multi-tier applications, it can no longer really play that role.
We complement the network security model you see in the perimeter. Say you're a Web server sitting in Amazon's cloud. A piece of malware gets past Amazon's security defenses and says, "Hey, I'm the HR database. Can you please send me all the payroll information?" The network won't know that occurred. Our software knows it occurred because [the malware] pretended to be something it wasn't and communicated with devices it wasn't allowed to.
Kirner: The perimeter is still a necessary boundary, but people designed data centers in a 100% trust model. Once you were in the data center, you could go wherever you wanted. And the network's role in the data center was to make that possible. We reduce the attack surface and start thinking about the data center as more of an untrusted environment. We have a policy compute engine whose job it is to make sure those high-level instructions you have communicated to it are always enforced, independent of what's happening inside of the network.
Cohen: Networks are built basically under the theory of do no harm; you build a network, and then you want as little change as possible. But since VMware created vMotion, workloads spin up and down and move, or you have tools like vSphere doing resource allocation. It's even worse now with containers, where it's much more temporal. I could set up a container that runs a process for 42 seconds and then spins down. You can't really reconfigure your network that rapidly, or you may not own the network [because it's a public cloud]. So you have to take an approach like ours to keep up with the dynamic change that's been built into computing.
The Internet was built to route packets from one place to another even if all the other links break. Networks were built for nuclear survivability, so nature will always find a way to network. In our world, it's always no until it's yes. Unless you're allowed to talk, you can't do it.
So what are the benefits of looking at the workloads?
Cohen: Let's say there are a hundred workloads in a zone like a VLAN. If one of those workloads gets compromised, it can still talk to the other 99 workloads that are in that network segmentation group. That is too much attack surface. In the Illumio world, if one workload is taken over and tries to do something it's not supposed to, we allow you to quarantine it away from those other 99 workloads. If it's trying to go somewhere it's not supposed to, we will stop it and know about it much earlier than a firewall or traditional perimeter technology.
Kirner: There are two distinct capabilities we have: segmentation plus detection and visibility. It's being able to prevent things from happening and, if they are happening, being able to see, react to and contain them.
Cohen: Imagine you check into a hotel. They usher you to the front desk, they ask you for your driver's license or passport and a credit card. It's like walking into a data center and going through a firewall. Now imagine all of the hotel rooms and all the elevators are wide open. You probably wouldn't stay there, but that's what most data centers actually look like.
How is this different from an intrusion detection system (IDS)?
Cohen: An IDS is a chokepoint in the network. You push your traffic through the system, before it can get into your data center, and it's looking for signatures. It's looking for a certain set of behaviors in that traffic flow. If it sees one, it says, "Uh oh. Bad apple here." That's not what we're trying to do. We're not looking into the packet stream to do this. What we are doing is actually doing a behavioral analysis of how an application is supposed to operate inside your data center.
Kirner: It's about visualizing and understanding the normal relationships that occur in a data center environment. Illumio security policies are just making sure those relationships, as they've been defined or discovered, stay in place.
What was the most challenging part of this technology to develop?
Kirner: The data center is a large-scale environment, which means everything you build has to be built to accommodate that scale. We talk about being built for cloud scale, and that was part of how we started with the design. That was one of the biggest challenges we had and it continues to be a challenge, because as we add new features and functionality, they all have to meet that high bar of being able to meet the scale requirements.
Cohen: One of our customers is Morgan Stanley, and they're in the process of deploying Illumio on 100,000 servers. An environment of 10,000 servers, which was what we deployed with them months ago, had 300,000 objects in the database. So in 100,000 servers, that may be as many as 3 or 5 million objects.
What's been the biggest surprise since launching the product last year?
Kirner: What I didn't realize when I started the company was how fast these changes were actually happening inside these data centers. You've got containers coming and you've got the rise of the DevOps movement. There are all these things that are aligned to accelerate that need [for a new approach] and are causing more and more pain for enterprises because the systems couldn't keep up. I knew it was occurring -- that's why I started the company -- but I didn't realize how fast it was occurring and how acute the pain was for these enterprise IT teams. That's been the biggest revelation over the past few years.
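The interview describes a model rather than an implementation: workloads carry labels, allowed relationships are written in terms of those labels, anything not explicitly allowed is denied ("it's always no until it's yes"), a flow that violates policy is both stopped and surfaced, a compromised workload can be quarantined, and the policy is enforced by the host's own firewall rather than by subnets or VLANs. The following Python is an editor-added illustration of that model; it is not Illumio's code and does not reflect any Illumio API. The workloads, addresses, roles and rules are constructed, and the per-host output is iptables-style syntax for illustration only (nothing is applied). The web server asking the database for payroll data directly is the scenario Cohen describes above.

```python
"""Label-based, default-deny segmentation model (editor's illustration).

Constructed example of the approach described in the interview: workloads carry
labels (role, environment), allow rules are written in label terms, any flow not
explicitly allowed is denied, denied flows are surfaced as a detection signal,
a compromised workload can be quarantined, and the label policy compiles into
per-host allow-lists for the host's native firewall. Not Illumio's code; the
workloads, addresses and rules below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    role: str  # e.g. "web", "app", "db"
    env: str   # e.g. "prod", "dev"


@dataclass(frozen=True)
class Rule:
    """Allow src_role -> dst_role on port/proto, only within the same env."""
    src_role: str
    dst_role: str
    port: int
    proto: str = "tcp"


class PolicyEngine:
    """Toy policy compute engine: decides flows and compiles per-host rules."""

    def __init__(self, workloads, rules):
        self.workloads = {w.name: w for w in workloads}
        self.rules = list(rules)
        self.quarantined = set()

    def evaluate(self, src_name, dst_name, port, proto="tcp"):
        """Return ("allow", reason) or ("deny", reason); unmatched flows are denied."""
        src, dst = self.workloads[src_name], self.workloads[dst_name]
        if src_name in self.quarantined or dst_name in self.quarantined:
            return ("deny", "quarantined")
        for r in self.rules:
            if ((src.role, dst.role, port, proto) == (r.src_role, r.dst_role, r.port, r.proto)
                    and src.env == dst.env):
                return ("allow", f"{r.src_role}->{r.dst_role}:{r.port}/{r.proto}")
        return ("deny", "default deny")

    def audit(self, flows):
        """Flows observed on the hosts that policy would not allow (detection signal)."""
        return [f for f in flows if self.evaluate(*f)[0] == "deny"]

    def quarantine(self, name):
        """Contain a compromised workload: it may neither send nor receive."""
        self.quarantined.add(name)

    def host_inbound_rules(self, dst_name):
        """Compile one host's inbound allow-list as iptables-style strings.

        Illustrative syntax only; nothing is applied. The chain policy is DROP,
        so the host accepts exactly what the label rules grant it, with no
        change to subnets or VLANs.
        """
        dst = self.workloads[dst_name]
        lines = ["-P INPUT DROP"]
        if dst_name in self.quarantined:
            return lines
        for r in self.rules:
            if r.dst_role != dst.role:
                continue
            for src in self.workloads.values():
                if (src.role == r.src_role and src.env == dst.env
                        and src.name not in self.quarantined):
                    lines.append(f"-A INPUT -p {r.proto} -s {src.ip} --dport {r.port} -j ACCEPT")
        return lines


def build_demo_engine():
    """Constructed three-tier environment: web -> app -> db, plus a dev database."""
    workloads = [
        Workload("web-1", "10.0.1.10", "web", "prod"),
        Workload("app-1", "10.0.2.10", "app", "prod"),
        Workload("db-1", "10.0.3.10", "db", "prod"),
        Workload("db-dev", "10.0.9.10", "db", "dev"),
    ]
    rules = [Rule("web", "app", 8080), Rule("app", "db", 5432)]
    return PolicyEngine(workloads, rules)


if __name__ == "__main__":
    engine = build_demo_engine()
    # Constructed flow observations; the web server reaching for the database
    # directly is the "I'm the HR database, send me payroll" case from the interview.
    observed = [("web-1", "app-1", 8080), ("app-1", "db-1", 5432),
                ("web-1", "db-1", 5432), ("app-1", "db-dev", 5432)]
    for flow in engine.audit(observed):
        print("policy violation:", flow, engine.evaluate(*flow)[1])
    engine.quarantine("web-1")
    print("app-1 inbound after quarantine:", engine.host_inbound_rules("app-1"))
```

Two design points worth noting. Nothing in the engine inspects packet payloads, which matches the distinction drawn from an IDS above: the decision is made purely on who is talking to whom, on which port, against the declared relationships. And the rules are written once in label terms, so adding a second web server only means labelling it; the per-host allow-lists are recomputed rather than any VLAN or subnet being touched.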