Illumio Automates Enforcement for Cloud Security

Security is no longer static. The cloud presents a rapidly changing and dynamic environment that security teams must stay on top of. Shift left, security automation, segmentation and zero-trust strategies all rose to address the breadth and depth of our technology stacks and environments. PJ Kirner, CTO and founder of Illumio, talks with Mitch Ashley about Illumio’s announcement on July 14, 2021, about their automated enforcement advancements that enable organizations to gain more intelligent insights from app data and operate at a greater scale in the cloud. The video is below, followed by a transcript of the conversation.

Announcer: This is Digital Anarchist.

Mitch Ashley: I have the privilege of being joined by P.J. Kirner. P.J. is CTO and Co-founder at Illumio. Great to be talking with you, P.J.

P.J. Kirner: Thank you. Good to be here.

Mitch Ashley: Always fun to talk with a fellow CTO person. Well, tell us a little bit—would you introduce yourself, tell us a little bit about you and tell us a little bit about Illumio?

P.J. Kirner: Yeah, no, as you said, I’m the CTO and one of the Co-founders of Illumio. I’ve been in the security software industry my entire career, you know, 20 plus years. I’ve done endpoint software, networking software, I was at Juniper Networks before when Andrew and I started Illumio. And so, I’ve always been focused on this area, and I enjoyed security, and that balance between security and kind of operationally making things work for people.

Mitch Ashley: It’s, a lot of things have happened in 20 plus years, right? We’ve both been in the industry about the same amount of time. Yeah, it’s a different world, but a lot of the same challenges, if you will.

Well, we’re really interested, you just had an announcement here a few days ago, not too long ago that was just on the heels of some funding announcement. Tell us a little bit about the announcement that you made on the 14th of July.

P.J. Kirner: Yeah, I mean, I think—let me tell you a little bit about why. So, fundamentally, we started Illumio back in 2013 to help people stop lateral movement in dynamic environments, right? And we did that with what now people are calling zero trust segmentation, right? And we always believed that we needed to provide intelligent—to do this kind of segmentation, you needed to have the visibility, you needed to be able to see what was going on first, right? So, you needed some intelligent visibility, and then you needed to be—because the world is becoming more and more dynamic, you needed to have a highly automated set of security enforcement to make those things.

So, those two things are what we sort of built the technology around. And so—again, the security industry has changed, the attacks have sort of changed, and now we’re sort of looking at how can this help stop cyber attacks and specifically ransomware, right? Ransomware is definitely on the rise recently.

And so, that’s where we’re focused. We’re focused on how can we help people, again, stop those cyber attacks and help them before any become large problems for our customers.

Mitch Ashley: Mm-hmm. You know, it’s interesting, segmentation—not a new idea, right? We’ve done that in different ways over time, certainly applying a lot more in a zero trust kind of model.

It is a bit of a network-centric view of the world, and the software world doesn’t think about segmentation the same way that we might from a network world. As you intersect cloud and infrastructure as cloud and software with network and security and security on the software side of it, how does all that mesh for you with Illumio?

How do you think about that problem in this very—because you mentioned dynamic environment. I mean, infrastructure as code right there will, you know, sort of upheaval your, “Don’t change anything because it’s working” mentality, right?

P.J. Kirner: Yeah. So, some of that is—so you’re absolutely right about, the combination of zero trust and the more and more dynamic infrastructure are there in the industry. I mean, if you think about zero trust for a second, zero trust is, actually, in some ways, not a new concept, right? We’ve been, we’ve seen—we’ve had least privilege as a principle since the very early kind of Unix days and even before that.

And so, we all know that least privilege was the right thing to do. On the other hand, what we built in the past was, we built a firewall at the perimeter and we sort of said, “Here’s the untrusted, big, bad Internet world, and then here’s this fully, implicitly trusted environment behind this, you know, ________.” We didn’t really follow that least privilege model, and part of that was because we didn’t have the tools to do it, right? So, that’s one thing, right—being able to have the tools and the automation, and the other thing Illumio allows is us to put policy enforcement points in all the places you need them as opposed to, you know, it was easy to insert a firewall at the edge. But being able to put things in more places to orchestrate policy enforcement points all across your environment helps you sort of achieve those goals.

So, that’s one thing, but I think your other point is valuable. There is this—so, this trend now about, we’re gonna call it security shift left or DevSecOps. There’s a few kind of words that sort of represent the same thing, which I think is really powerful because it turns what—you know, security being the department of no, right, who got brought in at the last minute and sort of, you know, like, the business built this wonderful thing and security is now supposed to bless it and yes, there are challenges, and they gotta be the bad guys, too. How can they insert security earlier in the process, right? How can you involve the developers and the business with doing that?

And that’s an important thing that’s happening in our industry, and we do need tools to sort of make that happen. And so, one thing we’ve invested in in Illumio is this thing called App Owner View. It’s a way to involve the app owners in that process early as opposed to sort of waiting for the end for it to happen there or not successfully happen there at the end.

So, it is about tools and it is about the right approach and understanding those philosophies.

Mitch Ashley: It’s interesting, you know, I can remember back to trusted, non-trusted hosts. [Laughter] A long time ago, but to me, that was sort of like—well, that’s not working very well; let’s rethink this.

But I think what you’re representing, Illumio is representing with this recent announcement, too, is thinking of security not as a static thing anymore. It’s got to be dynamic. As you talked about, the environment’s dynamic, so security has to be as well, and it can’t just be sort of throw everything out there and see what it does. But you’ve got to be able to sort of roll with the flow and also where it makes sense to segment, you know, control things in a more enforcement kind of way, but the automated security enforcement seems to be a pretty big deal about what you announced.

P.J. Kirner: Yeah, and you can’t have a human—you can’t be waiting for the ticket, for the human to add the new thing to have this container spin up, for example. Containers come and go at instance and everything that has to be metadata and tag based and then you need the automation to go along with that to support not just container environments, but VMware environments and public cloud environments and all of these places we’re doing all these good dynamic things. And it needs to hook into those and be able to be automated with those. And that’s something we’ve done for a while.

I think what’s new—and I think this is, what’s new about what we’ve released and what we’re talking about is, so, zero trust is kind of a journey, right? It is—it’s something that the organization needs to adopt, and it doesn’t happen in five minutes, right? It’s gonna happen over a longer period of time. However, you can achieve some early zero trust goals with not that much effort, right? We had a customer who was a pharmaceutical customer and they had a pharmaceutical factory floor where they had a bunch of OT devices, right, and they knew that they did not want—those machines were not supposed to talk to each other, they were just supposed to actually talk up to the, I think they had an Azure public cloud environment where the control systems were.

So, it was basically this. The OT systems would talk to those, you know, IT control systems, and they knew that was the traffic they needed, and they built a policy—so, they installed their software, built that policy and were from, you know, the purchase order to enforcement for that simple policy in three days, right? So, again, that’s not perfect zero trust, but they knew that they had a goal and they were able to achieve something small in a short amount of time.

Mitch Ashley: Yeah, it does apply sort of the segmentation approach, if you will—zero trust segmentation to it. I’m curious, as you’re rolling out this announcement, what do you feel that customers are most connecting with? This is the thing that’s gonna help us in the ________ time frame, what are they sort of chomping at the bit to get ahold of, I guess is the way to say it.

P.J. Kirner: Yeah, I think what people need, so, I think what it is that people need to realize is that there are some low hanging fruit that—and they might not know. They might come in and sort of say, “Well, the board told us that we have to go to zero trust and, you know, Illumio, you know, we saw this Forrester thing that Illumio Trust is leader in zero trust and Illumio, please tell us what to do,” right?

Mitch Ashley: Mm-hmm.

P.J. Kirner: And, you know, and we can tell a story about—and again, the zero trust journey is a long journey, but, how can you get some quick wins, right? You know, so, for example, you can remove unwanted traffic in your environment. Maybe there’s not a use for unencrypted protocols in your environment. And so, can we take a small, little step on that journey to the ultimate zero trust goal and sort of remove some unwanted traffic or unnecessary traffic or prevent potential ransomware from cutting in there and using something that you don’t need from an operational point of view and just stop that from happening.

So, a lot of it is having a conversation, we have some recommendations around those things, and getting to a quick win, being able to tell your boss, your CEO, your board, “Okay, yes, we’ve started that journey, we’ve done some enforcement, we’ve actually prevented these kind of attacks, these kind of ransomware attacks, and we’re gonna continue that journey, but we’ve done something and we’ve done it quickly.” And that’s kind of the thing that I think people need to understand and be able to do.

Mitch Ashley: It is a very common thing that I hear, which is, we’re having trouble just getting started, getting our hands round what zero trust—it doesn’t mean no trust, but you know, it doesn’t mean turn on the light switch and we’ll be at zero trust, how do we get there? And like a lot of things, you can even say this about DevOps or DevSecOps. It’s not like it has one definition and you have to kinda figure it out for your business, your industry, your policies, et cetera.

And I do like the idea of what are some immediate quick wins that you can get, because now you can demonstrate value quickly. It’s not that we install—it’s not an ERP package that’s gonna take five years to install, right, [Laughter] it’s not one of those kind of projects. Because not only do you get access to be able to segment and apply policies, but I think you give some additional visibility into what’s happening within those environments as well. Is that not the case?

P.J. Kirner: Absolutely, absolutely. Because, I mean, we’ve had customers who have, you know, there was the SolarWinds attack, right? And so, because they had network telemetry everywhere, they were able to figure out, “Was I impacted by the SolarWinds attack? Where did this SolarWinds server necessarily talk to, right, so they could sort of direct their incident response?” And in fact, if you think about it, there’s a pure cost savings point of view. It’s like, okay, if I could eliminate—so, if I didn’t know where this system talked to, I’d have to go investigate all of my systems. Well, now I have proof that it didn’t talk to this environment, it didn’t go this direction, and I can sort of focus my incident response. So, there’s a cost savings and also, they have customers who are asking them, “Were you impacted by this?” Being able to get them to a quick and confident resolution was valuable.

So, the visibility has other side effects, right, and primarily, we help people with that visibility to get them to enforcement goals, right? That is the primary use for it. But yes, you’re right, it has other benefits as well in the cyber security environment.

Mitch Ashley: How has the last 12 to 18 months or so—sorry, I’ve got a garbage truck arriving outside my door [Laughter]—how is that period where we’ve seen so much acceleration, and it’s validated by a lot of data. I run an analyst firm and we have a lot of information that shows how much more quickly people advance their move to the cloud, accelerated their plans.

How has that changed, or has it just accelerated their own conversations with you about security across cloud, cross multi-cloud hybrid environments?

P.J. Kirner: I think what has changed—so, there’s one significant change, right? And so, we had the Executive Order on ransomware, right? On zero trust, right? And then we’ve had some other kind of executive movement on the ransomware attack. And I think what’s happened is, if you sort of think about it like the—yeah, the Colonial Pipeline breach was something that, it was a different kind of attack in that the world really knew about it. Everybody knew about it. You saw some of those crazy photos of people hoarding gasoline because they didn’t know what was happening.

So, it’s not that it’s just in the cyber security industry that we know about these attacks and you had to be in IT to know this was happening. This is where everyone in America sort of knew this was occurring, so it’s come into the general population about ransomware. Which means more and more enterprises are taking this seriously.

The second thing that’s sort of happened—so, that’s one thing. The second thing that’s sort of happened, I believe, is, if you think about it, I know the part of the Colonial Pipeline, they actually got, they potentially paid the ransom. I think they got some of the money back, that’s what some of the reporting has been. What was really impactful and what people are worried about is not—and people have backed up their data and, you know, there haven’t been too many kinda data breaches associated with this; most of the people get the dollars, the attackers wanna get the dollars.

But what hasn’t been impacted is the operational—there’s an operational impact, right? So, for example, if you were an airline, right, and you were down because of a ransomware attack, again, that would be a significant outage to the world. And again, this pharmaceutical could not be producing—you know, they would have an operational impact of not being able to produce the pharmaceuticals they need for the world.

So, these operational impacts, which are kind of independent of the dollars, are actually what people are focused on, and why this ransomware thing, you know, the need—well, and zero trust is a way to sort of help people avoid ransomware spreading and becoming a massive issue in these environments really has changed dramatically over the past six months. So, that’s the big—actually, that’s the big thing that’s driving a lot of interest and a lot of business for us.

Mitch Ashley: We’ve gone from the credit card breach stolen information, you know, how many users, how many customers’ data has been compromised and taken by someone to either getting into—using one vector to get into multiple companies’ environment, but also, of course, impacting services. Like you said, whether it’s the pipeline breach, whatever it might be, that’s for—you had the airline example, guess what would be on CNN and every other news channel and five minutes later we’d all know, right, whichever airline had some kind of an impacting ransomware type breach.

In a way, this has become more tangible, I think, to the everyday person—certainly, a business person who’s involved in it, but you know, pipelines and gas lines and all that, you may not understand the complexity of all of it, but you’re gonna probably hear, “Well, this happened because they had ransomware or they got hacked or something.” So, it is changing our world.

P.J. Kirner: Yeah, and so, it’s gone from just, again, a cyber security geeky thing to actually—to something that is business impacting, right? And so, when—and that’s where the sweet spot with security is, is when there’s a significant business impact, a lot of people sort of take action to sort of improve the security of their environments and all across the board.

And you’re right, I’d say any company that provides a critical service to the world is gonna—those CEOs are gonna be thinking about this. And again, that’s why, back to getting quick wins, right? You need to be able—you need to have tools that allow you to sort of insert in your environment, solve some risks, some real risks, right? And then make quick—you know, be able to sort of repeat that process over and over again. And that’s where, you know, kinda, all of our focus in terms of, we have new features called enforcement boundaries that are coming out and selective enforcement and all these other policy model improvements that we’ve been innovating on help people get in, solve some real things, and then continue on that journey. Because, you know, solving this completely is gonna be a long-term thing, but you gotta have some early wins.

Mitch Ashley: Mm-hmm, absolutely. Well, congratulations on the announcement and I wish you the best, and hopefully, we’ll be seeing a lot of quick wins from customers of yours and people that are taking this to the next level, and hopefully, those things are also helping all of us with ransomware and some of the other challenges that we have.

P.J., where can folks find out more about Illumio, about the products that you have, the new capabilities that you’ve announced?

P.J. Kirner: Yeah, I mean, everything is available on the website, www.Illumio.com is the place to sort of go to get all that information.

Mitch Ashley: Okay, excellent. Well, thanks, P.J., great talking to you today. Thanks for joining me.

P.J. Kirner: Alright. I appreciate it. Good talking with you as well.

Mitch Ashley: You bet.

[End of Audio]