Security startup Illumio raises $100m, extends Adaptive Security Platform

Having emerged from stealth mode late last year, Illumio is wasting no time making a name for itself as an innovator in the security space. We talk to the company's CEO and cofounder Andrew Rubin.

illumio-rubin.jpg
Andrew Rubin, CEO and cofounder of Illumio. Image: Illumio
Security startup Illumio's profile has steadily increased since it emerged from stealth mode in October last year with a seasoned executive team, $42.5 million of venture capital funding and an innovative Adaptive Security Platform (ASP) under its belt.

The company's CEO and co-founder Andrew Rubin recently caught up with ZDNet while visiting London to bang the ASP drum and announce some new developments ahead of the RSA Conference in San Francisco next week.

Why is Illumio attracting attention and investment (one of today's announcements is a cool $100m in series C funding)? According to the company, traditional perimeter- and network-centric security products are no longer sufficient in a world where applications and workloads increasingly need to work dynamically across on-premise data centres and public cloud services. Firewalls, intrusion protection systems and advanced threat protection appliances are widely deployed to secure interactions at the perimeter - but, says Illumio, these tools offer little protection within enterprise data centres and in the public cloud, where much of today's traffic flow and data resides.

"We've had a model for delivering IT security for the last 20 or 25 years, and it seems like the infrastructure and applications have been completely rethought, rearchitected, and in most cases are operating completely differently today than they were even five or ten years ago - and yet, for some reason, the security story hasn't changed at all," says Rubin.

He describes Illumio's niche in the new security landscape with a version of the 80/20 rule: "80 percent of the money, the time and the effort that goes into security is now only looking at 20 percent of the traffic that we need to protect - the other 80 percent of the traffic is inside the firewall or in the public cloud, where there is no perimeter."

Illumio's Adaptive Security Platform addresses the problem by taking a granular approach to security.

There are two elements to the ASP: an agent (the Virtual Enforcement Node, or VEN) that attaches to Linux or Windows workloads running on physical and virtual machines, be they in on-premise data centres or in the cloud; and a centralised (on-premise or cloud-based) server, the Policy Compute Engine (PCE), which receives telemetry from the VENs to build a map of the dependencies between classified workloads in multi-tiered applications (see below). This map can then be used to build application-specific security policies based on explicitly allowed interactions between the constituent workloads.

illumio-policy-f5.jpg
Image: Illumio

The ASP's advantages include: policies are written in natural language (and translated into network actions by the VENs) rather than arcane firewall rules; PCE policies are continually and automatically updated as VMs and their attached VENs spin up and down; the VEN/PCE combination is agnostic as regards the network, infrastructure, hypervisor or cloud provider on which the workloads are running; and secure IPsec connectivity is available on demand between workloads with a click on the dependency map.

"We knew when we launched back in October that we had done something that was not incremental to the way that the [security] model has worked for a long time. We knew we had built something that very much took a different approach," says Rubin. "And we were lucky; we had four customers - Morgan Stanley being the most notable - that were willing to say exactly that, so we got a little credibility on day one."

Mention of agents running on every workload may well trigger concerns about application performance degradation. No problem, says Rubin: "The only thing that the VEN really does is send information to the PCE about that workload and receive a policy instruction, instrumenting enforcement in iptables or the Windows equivalent, WFP."

"This is the first time in a decade or more that the enterprise is truly willing to rethink everything in the infrastructure and security stack."

— Andrew Rubin, CEO/cofounder, Illumio

"The net effect is that the VEN is like a lightweight antenna within the operating system: yes there's a performance impact, but the impact is incredibly low because it's not doing any heavy lifting - that's done by the PCE, while the enforcement is done by what is natively part of the operating system instance."

VEN support extends to all modern versions of Linux and Windows. For workloads running on unsupported platforms, Illumio uses whitelisting: "We call it an 'IP list model'," says Rubin. "We give you the ability to write policy between something with a VEN on it - part of the Illumio world - and anything that has an IP address or an IP range, so you can instrument policy between the two. In a perfect world we'd have a VEN for everything, but there may be things on the other side of a policy that we're still talking to -- and we still label them using the natural language of our policy model."

Illumio's granular approach to security should greatly reduce an enterprise's 'attack surface' if - or rather, when - its perimeter defences are breached.

But cybersecurity is an ongoing arms race, and the PCE in particular, is a critical piece of infrastructure - "the central brain of our operation", as Rubin puts it - that will need heavy protection. The PCE can be hosted in Illumio's Secure Cloud or, if required, run in a customer's own data centre. Customers can also set reactions to any form of 'tampering' or 'misbehaviour' detected on a workload's VEN or associated iptables - failing to the current state, for example, or if necessary quarantining the workload.

As Rubin acknowledges: "As with every form of infrastructure or security, we have to acknowledge that there's always the potential that something could go wrong - including with us. Like all good security, it's as much about the reaction as it is about when it's working properly."

Recent developments

Today's news from Illumio is two-fold: $100m of series C funding from new investors BlackRock Funds and Accel Partners, plus existing investors Formation 8, Andreesen Horowitz and General Catalyst; and the extension of ASP policy support to the F5 BIG-IP Local Traffic Manager and Nginx product lines - popular enterprise and open-source load balancers respectively.

The new VC investment brings Illumio's funding to a total of $142.5m since its launch 27 months ago, which highlights just how 'hot' the security space is right now.

"This is the first time in a decade or more that the enterprise is truly willing to rethink everything in the infrastructure and security stack," says Rubin. "As a result, you can argue that some very large opportunities have been created to build new and different companies that could end up becoming very very big and very influential in terms of how enterprise thinks about security moving forward."

Illumio intends to invest the $100m in three areas: first, R&D, expanding the engineering team in order to further develop the Adaptive Security Platform; second, an increased field presence in the US, plus new offices in the UK (and probably Europe) and Asia by the end of the year; and third, a major brand-building investment, starting at the RSA Conference next week.

As far as the F5 tie-up is concerned, Rubin declares this to be "one of the most exciting things so far in the company's history." Why? "Because you can't walk into an enterprise data centre, almost anywhere, without finding an F5 load balancer...What we're doing is giving it second job, turning it into a point of enforcement instead of just a traffic load balancer."

Rubin highlights he is serious about growing Illumio from a startup to a publicly-quoted company, rather than pursuing an opportunistic exit strategy.

"We are in this to build the leader in the security space going forward. We know it's early, we have a lot of work to do, but we believe that we're well positioned and we certainly believe we've got the right assets to try and make a run at doing it. We hope this is the inflection point where other people start to recognise that as well."

A genuinely disruptive platform in a key IT sector, plenty of venture capital investment, a growing number of high-profile customers and some key industry partnerships all adds up to a very good start. We'll be watching the next phase - the fruits of that extra R&D budget, expansion to the UK, Europe and beyond, the brand-building excercise - and the reaction of incumbent infrastructure security vendors (VMware with NSX in particular) with interest.