Katya: Let’s start by evaluating the state of online security in general. Where are we standing right now? Are we doing well, or do you think we’re miles apart from where we could be?
Andrew: I think there are certain areas that we’re doing very well in and others where there is an opportunity to improve. There’s a phenomenon we see repeatedly, we call it the paradox of the perimeter; where organizations spend 80% of their security dollars to secure 20% of the traffic. I think that is one area where we’re going to see improvement. Organizations are thinking about their security differently as a result of things like virtualization and cloud. I think that we’re going to find that there are a new set of problems that we’re all trying to face and deal with effectively and we’re going to have to have a new set of tools in order to do that.
Katya: What is the biggest technological challenge in security that your customers face?
Andrew: The biggest issue is that there has been a security model that organizations have used for many years, and that model was based on a static infrastructure. The traditional security model of a data center with a chokepoint to let the good guys in and keep the bad guys out, doesn’t work when applications and computing are distributed and dynamic. The problem is, as we all know, this singular model no longer exists. Organizations now do things like putting assets in the public cloud; they run private clouds; they use tools like orchestration and automation which allow them to speed up the way in which they deploy things. As a result of that, the technical challenge, from a security perspective, is that there hasn't been a tool, product or platform that has been built in security that understood all of these new things; the challenge becomes, “How do I take advantage of all these new environments and tools that are available to me today as an enterprise and yet do it securely?” That is a very serious problem. You hear comments, for instance, like, “I want to move more aggressively to a public cloud, but I don't have the ability to secure my assets there the way that I do in my data center.” I think that’s a perfect example in a very real way that a customer would express a technical challenge that they're having, but it’s also holding the business of the enterprise back as well.
Katya: What led you to start your company, Illumio? Why security?
Andrew: For PJ (Illumio’s CTO and co-founder) and I it’s this space we’ve been in for our entire careers, and the demand for Illumio’s approach to security was really driven by the customers. Even before we started the company, we were out talking to them about their technical challenges. One of the things that we consistently heard was, “The security approach that we have today doesn’t enable us to do all the things that we want to do now and tomorrow.” As a result of that, it felt like there was a very big opportunity to rethink security from a blank page, to actually start with an understanding that the world has changed very dramatically for infrastructure, IT and applications, and therefore maybe it’s time to rethink the way that security is provided from top to bottom.
Katya: So what is Illumio right now? I have noticed that you use “adaptive” a lot in your descriptions. Why does that specific term matter?
Andrew: There are three challenges our customers are trying to solve and that leads to what Illumio is. One challenge is simply the ability to run things anywhere, so that could be a data center or a public cloud provider (Amazon, Microsoft Azure), and security hasn’t done a very good job of allowing organizations to go wherever they want. As customers become more distributed, security needs be able to adapt with it.
The second thing is what we call a “speed problem,” but this is very much the adaptive problem; you need to be able to change quickly with application demands. Every organization can do that with their infrastructure and applications, but their security doesn’t follow. In security, understanding the changes in the infrastructure and being able to adapt to those changes is critically important.
The third problem is one that you see every day and yet at the same time it’s amazing because it requires rethinking security from the very beginning. We’ve had a security model where we really effectively put a lot of things behind a firewall, for instance, and then the protection is effectively trying to keep bad things out of that environment.
Our approach is to reduce the surface area of attack to a single workload. By taking your policy and applying it to a smaller and smaller surface, when something goes wrong or something is breached, there’s much less potential risk or potential damage. The reason we use the word adaptive is because everything in the infrastructure and application world is constantly changing today. If your security is not adaptive, if it’s not dynamic, then it can’t possibly keep up with those changes. What Illumio builds is a software-based platform that allows you to run on anything, anywhere you want, that allows you to have uniform policies that can change and adapt to the speed of the environment, and allows you to reduce the surface area of attack down to a very small group of assets or even a single workload.
Katya: Do you think there is something we could have done differently that would have changed the way the security is structured today so that we’d actually be in a much more secure environment? Do you think anything was overlooked in the development of secure networks?
Andrew: No, not necessarily. I think what’s happened is that you’ve had a number of things that actually have nothing to do with security that have all come together at a certain point in time – a perfect storm. We’ve digitized things that ten years ago were not digital. We have accelerated the rate of change of things by introducing tools like cloud and virtualization. If you think about it, it isn’t a single day or a moment in time when these things happened, but a lot of them have gained critical mass very recently. One of the things we see is that security is now a boardroom issue and the fact that people say that security budgets seem to be going up quickly--those are just leading indicators of how important security has become. So I don’t necessarily look at it in terms of the history or what could have been done differently; I just feel very strongly that a number of things have come together recently that have significantly changed people’s view, the level of importance they have put on security, and certainly their willingness to look at a different approach going forward. That’s probably the most important part: people are actually now talking about approaching security differently going forward.
Katya: Have there been any other major shifts in how we view security today?
Andrew: One thing that I’ve heard more and more from customers and others in the industry is that security operated for a very long time from the premise that its job was to keep things safe; the underlying assumption of that comment is that you can keep something safe. One thing that impresses me more and more is how frequently people are saying that although they will continue to strive to keep environments safe, there is a recognition that problems will occur and that breaches will happen, and that there has to be a shift, a significant change in mindset, in budget and in tools, to make sure there is a significant priority put on, “What do we do when something goes wrong?” We say, “How do you shrink the surface area of attack?” But it’s really about acknowledging that there’s actually a separate piece of work to be done, which is, “How do we contain threats when something happens? How do we ensure that the damage inflicted is as small as possible?” I think that is a fascinating shift in mindset. It aligns very much with our view of the world in terms of part of what Illumio can deliver. It’s also a recognition that there is a shift in the way in which organizations are approaching the problem.
Katya: And one last question that I ask everyone. Do you think there is a product that is not in the market right now that’s going to blow up in the next two years?
Andrew: That’s easy, 3D FaceTime so that I can really ‘see’ my wife and daughter when I’m on the road visiting customers.