There’s this emerging trend that is becoming apparent as apps and infrastructure become more closely tied but also uniquely separate across sophisticated, distributed infrastructures that may be running on a corporate data center or on a cloud service. Binding the app to this new kind of stack is an ecosystem of loosely coupled, adaptive software and service technologies that follow the workload, no matter what the infrastructure may be.
The latest example comes from Illumio, a startup that ties security policy to the app or workload, rather than the infrastructure on which it runs.
“If you look at the computing environment today, the data center and cloud environments, it’s very dynamic, very distributed, very API centric, but the security model is not. Effectively, the security model for the data center and the cloud is failing. That’s what we have set out to address as a company,” said Alan Cohen, Illumio’s chief commercial officer.
Today, the company , which has raised $42.5 million, came out of stealth, showing off an A-list team of investors that include Andreessen Horowitz, which led the company’s initial $8 million funding round. It also has funding from General Catalyst, which led a second $34 million round. Individual investors include Salesforce Founder and CEO Marc Benioff and Yahoo co-founder Jerry Yang.
Engineers from VMware, Cisco, Juniper, McAfee and Nicira built he Illumio platform, appying their expertise virtualization, networking and security. Co-founders Andrew Rubin, now CEO, and CTO PJ Kirner both were previously at cloud security vendor Cymtec Systems; Kirner was distinguished engineer for Juniper.
In announcing the round, Herrod notes that we’re increasingly using applications that are mash-ups of multiple services running in multiple places, meaning the firewall model of security don’t work that well anymore. Virtualization is becoming the norm, and services might be in a public or private cloud – or running across both.
“How an application is protected should be independent of where that application is running or what infrastructure it is running on,” Herrod wrote.
That’s the idea behind Illumio’s technology. There are two parts: the Virtual Enforcement Node, which understands all that’s going on with the workload, and the Policy Compute Engine, which takes that information and creates specific security policies for that workload, with that policy sitting atop the workload’s OS.
The Virtual Enforcement Node is a semantic level that provides visibility into application behavior and topology – “This is Apache, the version level, this is the communications port, this is who I’m communicating with – context, the state as well as the interactions with other workloads,” as Cohen put it.
Meanwhile, the Policy Compute Engine’s policy language is very precise.
“It’s an adaptive white list model. … What we’ve really been able to do is to reduce the attack surface, because in our model the only thing that can communicate is what is orchestrated within that application envelope or container. Everything else is locked down,” Cohen said.
Its model also encrypts data in transit with IPsec connectivity.
Illumio put code in customers’ hands five months after its initial funding, Cohen said, and it’s been working with some useful feedback. For one thing, enterprises want to reduce the complexity of their computing environments. And while the technology was created to be delivered from the cloud, some customers, such as financial services customer Morgan Stanley, prefer to use it on-premise.
This is not a virtual firewall, Cohen stresses.
“When we enforce policy, we instrument IT tables or Windows filtering, the security and communications capabilities that are native to Linux, Microsoft and the VMs, so we are instrumenting at the workload level, turning the knobs in the server to dictate what can communicate with what. The back-end controller, the Policy Compute Engine, is actually based on graph theory, so you might think of it as algorithms and automation. So we’re using distributed computing to secure computing,” he said.
The system is built on eight RESTful APIs, so it can be plugged into existing orchestration systems. It is agnostic to the technology on which the applications run, Cohen said.
“This is a declarative system, not an imperative system. You tell the policy engine what you want it to do, and it translates that semantically, then enforces the policy onto the workload. If something auto-scales up, it takes that policy with it. If something unauthorized tries to communicate with the workload, say it’s a piece of malware sitting on a database and it wakes up in a month, the policy will alert on it. You can even set a policy for auto-quarantine, if you’re really nervous about it.”
While saying he can’t comment specifically about Illumio’s technology, analyst and author Dan Kusnetzky noted the challenge in securing virtualized environments. Modern data centers are using as many as seven different types of virtualization technology, each with their own “attack surface” and mode of operation, he pointed out, adding that there’s a crowded field attacking the problems. The players including the big names as well as a host of startups, including Splunk, Loggly and Sumo Logic that offer monitoring tools, and Bitglass, CipherCloud, Elastica, and Perspecsys, that allow companies to control their cloud-based data as if it were on-premise.
Docker the open-source project focused on application container, has beefed up its own security and teamed up with Microsoft to bring containers to Windows.
Meanwhile an analyst brief from NSS Labs notes the array of new players in cloud security, but warns that the new technologies might complicate integration and might involve other expenses to the organization.
“Bridging the gap between security on-premises and security in the cloud is nontrivial and organizations and vendors alike have yet to deliver an integrated solution,” it states.
That’s the problem Illumio set out to address.
Feature image via Flickr Creative Commons.