50 Best Workplaces of the Year 2019

Illumio, the Leader in Micro-Segmentation, Prevents the Spread of Breaches Inside Data Center and Cloud Environments

“Illumio has developed adaptive micro-segmentation technology that prevents the spread of breaches inside any data center and cloud.”

Segmentation is the best way to prevent the spread of breaches inside data centers and cloud environments. Traditional network segmentation, well understood by security and infrastructure teams, was designed to subdivide the network into smaller network segments through VLANs, subnets, and zones. Although these constructs can provide some isolation, their primary function is to boost network performance, and they require control of the infrastructure, which is often a challenge in the public cloud.

In contrast, Illumio’s adaptive micro-segmentation technology enforces security policies – what should and should not be allowed to communicate among various points on the network – by filtering traffic. If networking supports how things can communicate, security dictates if they should.

Illumio provides cloud solutions. It specializes in virtualization, networking, and security hailing services.

The company was incorporated in 2013 and is headquartered in Sunnyvale, California.

Illumio: Synopsis


Founded by successful security industry pros, Illumio started with the mission that security should be the enabler — not the roadblock — to agile computing in both traditional data centers and public clouds. To build the most comprehensive and continuous security platform for the world’s most demanding organizations, the company’s management team was recruited from industry leaders in the security and computing world including Cisco, Juniper, VMware, Nicira, McAfee, Fortify, and Riverbed. They bring with them the knowledge and well-earned track record to make Illumio the new foundation for cloud and data center security.

Factors that Make Illumio Stand Out

Illumio prevents the spread of breaches inside the data center and cloud environments. Enterprises such as Morgan Stanley, BNP Paribas, Salesforce, and Oracle NetSuite use Illumio to reduce cyber risk and achieve regulatory compliance. The Illumio Adaptive Security Platform® uniquely protects critical information with real-time application dependency and vulnerability mapping coupled with micro-segmentation that works across any data center, public cloud, or hybrid cloud deployment on bare-metal, virtual machines, and containers.

Products that Make a Difference


Overview: The Illumio Adaptive Security Platform® (ASP) helps you prevent the spread of breaches inside your data center and cloud with a real-time application dependency map, vulnerability exposure insights, and micro-segmentation that works on anything (bare-metal, virtual machines, and containers): One platform to protect your business critical “crown jewel” applications.

Architecture Overview: Illumio ASP is uniquely designed to enable you to use the enforcement points that already exist in your infrastructure to improve your data center and cloud security. No additional hardware or re-architecting your network.

Virtual Enforcement Node (VEN): Not just any lightweight agent – acting more like an antenna than an agent, the VEN is a core component of Illumio ASP. It sends and receives information, programs pre-existing enforcement points, and detects policy violations.

Policy Compute Engine (PCE): The “brain” of Illumio ASP. The PCE builds a live map using the information shared from the VEN showing how applications are communicating and creates optimal security policies based on those insights.

Features –

Illumination: Illumination® is a real-time application dependency map that visualizes communications between workloads and applications. It delivers insights on the connectivity within data centers and cloud environments and is the basis for building and testing micro-segmentation policy.

Illumination takes live telemetry data provided by Virtual Enforcement Nodes (VENs) to visually display traffic flows between applications and workloads and the processes that comprise them. It baselines an application’s connectivity so that security teams can enforce micro-segmentation policy for their organization’s applications and detect anomalous behavior.

Policy Generator: Policy Generator ensures the process of creating optimal micro-segmentation policies for any type of workload (bare-metal, virtual machines, containers) is simple—regardless of where it’s running.

Policy Generator is a simple workflow built into the Adaptive Security Platform® (ASP). It pairs with Illumio ASP's labelling and policy modeling capabilities to provide an easy-to-use interface for creating micro-segmentation policies. It matches historical connections, the processes these flows communicate with, and workload labels to automatically suggest policies for controlling intra- and inter-application traffic.

Explorer: Explorer enables security, application, operations, compliance, and audit teams to search and analyze historical records of all observed traffic between workloads for planning, auditing, reporting, and troubleshooting.

Explorer gives you the ability to query the Policy Compute Engine (PCE) traffic database for historical data that can be used for compliance and audit as well as policy development. With an easy-to-use interface, Explorer does not require you to be familiar with networking constructs like VLANs, subnets, and IP addresses to run searches. You simply type your search parameters using plain-text language and filter results by specific time period; specific ports, protocols, or processes; and actions that were taken on that traffic based on policies (for example, “allowed” vs. “potentially blocked” vs. “blocked”).

Via Role-Based Access Control (RBAC), authorized users among security, IT operations, compliance, and audit teams can also query for traffic information, which they can then use for troubleshooting, security incident response, forensic investigations, compliance, and audit reporting. Authorized users can also query the PCE traffic database for any traffic flows across segmented environments and validate their organization’s micro-segmentation strategy.

SecureConnect: SecureConnect enables you to protect data in motion and execute workload-to-workload encryption via the built-in encryption capabilities of the workloads’ operating systems.

Many compliance regimens and risk frameworks compel organizations to encrypt data in motion. For data moving between data centers, you can deploy dedicated security appliances, such as VPN concentrators, to implement IPsec-based communication across open untrusted networks. However, encrypting data in motion within a public cloud, or between the data center and public cloud, is not straightforward. Deploying dedicated security appliances to protect workloads will not scale in those scenarios, especially across public clouds. Managing IPsec connections becomes more complex as the number of hosts increases.

SecureConnect enables instant host-to-host traffic encryption between workloads by leveraging built-in host-based encryption capabilities. The Policy Compute Engine (PCE) centrally manages all traffic encryption for workloads so that it can be policy driven. SecureConnect reduces the complexity of configuring IPsec encryption and auto-scales per your organization’s policy definitions.

The Adaptive Security Platform® (ASP) uses the most secure encryption supported natively by the operating system. Both pre-shared key and certificate-based IPsec are supported.

Examples of SecureConnect’s most common use cases include:

  • Encrypting confidential data in motion for PCI compliance.
  • Off-site backup and recovery of data across geographically distributed data centers.
  • Compliance requirements to secure communications across applications and application tiers.
  • Secure data migration across public cloud providers.

Vulnerability maps: Vulnerability maps overlay third-party vulnerability information with Illumio ASP's real-time application dependency map for a risk-based approach to patch prioritization.

The East-West workload-to-workload traffic within your data center and cloud environments represents a massive attack surface. Organizations are adopting a Zero Trust strategy—essentially operating as if they have already been breached and taking steps to inhibit bad actors from moving laterally within an environment.

Vulnerability maps incorporate data from third-party vulnerability scanning tools like Qualys to provide insights into the exposure of vulnerabilities and attack pathways within your environment.

Vulnerability maps help security and IT operations teams prioritize security and patching decisions; if you cannot patch, micro-segmentation can be quickly mobilized to act as a compensating control.

Segmentation Templates: Instantly secure critical off-the-shelf applications with tried-and-tested Segmentation Templates.

These templates are pre-tested and validated policies that provide all the segmentation rules needed for common enterprise applications.

Segmentation Templates eliminate the need to build your own policies—instead, you can use tried-and-tested policies for well-known existing applications.

Andrew Rubin: A Formidable Leader

As Chief Executive Officer and founder, Andrew Rubin is responsible for the overall strategy, vision, and funding of Illumio. With expertise in the areas of network security and compliance management, Andrew is a frequent participant in panels, articles, and podcasts for leading industry events and publications. Goldman Sachs has named Andrew as one of the ‘100 Most Intriguing Entrepreneurs’ in 2015, 2016, and 2017 as part of the Builders & Innovators program.

Prior to Illumio, Andrew was president of Cymtec and led Business Development for VoiceNet, where he was responsible for sales strategy, business development activities, and customer relationship management.

Andrew graduated from Washington University in St. Louis with a BSBA in Finance.

“We just kept coming back to the idea that it shouldn’t be so hard to prevent the spread of breaches inside data centers and as technologists, we had the opportunity to solve it – so we did.”