AWS Startups Blog
How Illumio Is Taking Network Security Beyond the Firewall
With everyday life and commerce increasingly taking place online, businesses have found that, regardless of their industry or purpose, they all need to protect the same valuable asset: data. Until recently, enterprise network security was primarily comprised of mechanisms like firewalls and IPS/IDS, which work by establishing a perimeter to keep attackers out. But, as technology grew more complex and interwoven, PJ Kirner and Andrew Rubin saw that those safety measures would were not enough to defend against more sophisticated data breaches. In 2013, the pair founded Illumio with the intention of creating a more nimble, innovative approach to security.
“Early on, we saw some of the trends that were happening. We saw the rise of dynamic workloads. We saw the rise of microservices. Things were more connected than they ever were before,” says Kirner, who is now Illumio’s CTO. “This is risk. We saw the risk.” And the risk was real. These days, most breaches don’t begin with a demolished firewall; they happen in data centers or in the cloud, where attackers can remain undetected for weeks or even months.
Illumio’s software, the Adaptive Security Platform, takes a proactive approach to fighting data breaches. Illumio is a pioneer of micro-segmentation, which is pretty much what it sounds like: the technology creates micro-perimeters around applications, workloads and even processes—by turning every application workload into an opportunity to assess and control security. Illumio ASP displays a real-time map of traffic flow, monitoring the behavior of workloads as they interact across a business’s network. It shows how, where, and with what workloads they are interacting; exposes vulnerabilities; and confirms that policy is enforced. And if a breach is detected, Illumio ASP enables instant encryption of data between workflows, preventing malefactors from snooping on data as it travels through the system. The software functions on all types of servers, in both data centers and in the cloud.
“When you’re trying to protect an asset, the first thing you have to do is think like an attacker. What does an attacker do? How many paths can they follow? Illumio reduces the number of paths that attackers can follow,” says Kirner. “If an attacker can only access 3 workloads vs. 3000, then a data breach can be made immaterial. People are becoming more aware about it.” Traditional network security is like safeguarding a castle with a barricade or moat; micro-segmentation is like outfitting every chamber as a safe room.
While businesses are now more mindful of the dangers of data breaches and the importance of stopping them, explaining the nature of these threats isn’t always a simple task—particularly because, with new technology emerging every day, the threats are changing. Kirner says that when speaking to customers, it’s important to “tell a story about a technology” so that “knowledge about the technology and knowledge about the solution grows.”
“People weren’t really talking about these least privilege principles”—practices aimed at minimizing and reverifying user permissions within an organization and its IT systems—“for the data center six years ago. Because, honestly, they have to do least privilege for humans. You’ve got to start there,” says Kirner. “But then, if you think about the data—like machine-to-machine traffic inside the data center—and there’s the rise of Internet of Things…all of this machine-to-machine traffic is actually growing, and we didn’t realize how fast that was and how much risk there was going to be around it.”
Kirner says that showing organizations how to protect themselves often involves helping them figure out what it is that they’re protecting: “People really need to understand where their crown jewels are, their most important data and assets. One thing that we recommend is having a list of all your applications or where all your data is, and then doing some categorization: these are the critical assets, these are less so. Because there’s money to invest in security, but you want to use it most effectively,” he says. “Another thing we help customers with is providing a map of your data—that’s another way of getting those insights. Which things are highly connected and which things are not all that connected? That’s another way that you can intelligently, effectively apply a control like micro-segmentation.”
He adds: “There is an amount of eye-opening and surprise as people go through this journey. I think that’s a good thing, because that visibility—shining that light on those assets or those connections and seeing that map—it helps people make better decisions. If we’re helping people make better decisions, they’re providing better security for the organization. That makes us feel good.”