Zero trust startup Illumio raises $225M to protect multicloud and edge

Illumio today announced it has raised $225 million in a Series F funding round led by Thoma Bravo, with Franklin Templeton, Hamilton Lane, and Blue Owl Capital also investing in the developer of zero trust security software. Illumio’s latest funding round sets the company’s valuation at $2.8 billion.

Illumio, headquartered in Sunnyvale, Calif., plans to spend its newfound riches in two main areas, go-to-market activities and product innovation, CEO and co-founder Andrew Rubin told VentureBeat on Wednesday. Rubin said the new funds would help plans to expand Illumio’s presence in more global markets and to build its partner channel.

The company aims to conduct more joint go-to-market activities with system integrator partners and to begin working with managed security service providers (MSSPs), a solution provider category the company has not yet tapped into, he said.

“We’ve spent a lot of time thinking about how to put these resources to work and go-to-market is definitely bucket no. 1 for us, while innovation is also something we’re always going to do as a technology company. We want to see a significant uptick with our channel, where we want to have a stronger voice, a market-leading voice in zero trust segmentation,” Rubin said.

Founded in 2013, Illumio has gained notability  for its approach to zero trust security, which promises real-time detection, mitigation, and containment of cyberthreats before they can spread and take down entire networks. Illumio was listed among the top-rated zero trust software developers in the latest Forrester Zero Trust Wave rankings alongside companies like Akamai Technologies, Cisco, and Palo Alto Networks.

Rubin said Illumio had just closed its strongest-ever quarter and brought on the most new customers per annum in company history in its just-completed fiscal year. The company’s core products are Illumio Core and Illumio Edge, which provide a cloud-native method of segmenting hybrid, multi-cloud IT estates in the data center and at the network edge.

Illumio’s approach is to quickly inoculate workloads and data repositories against cyberattacks to minimize the damage of a breach across applications, containers, clouds, data centers, and endpoints.

Stop a leak — Stop a flood

Illumio holds that the old, detection-based methods of protecting against cyberthreats aren’t enough to mitigate risk in today’s more dangerous and complex security climate. Rubin pointed to a rash of recent high-profile cyberattacks, including Colonial Pipeline, the SolarWinds breach, and JBS USA, as evidence that the danger and impact of such incidents is graver than ever before.

“We’ve had a security model based on layering on more and more levels of detection for decades. But look at the past 180 days—when things go wrong in security, the results are catastrophic. Detection is still a part of a strong security posture, but it’s no longer enough and these recent breaches are the evidence of it,” Rubin said.

Rather than waiting for a threat to be detected, zero trust security treats networks and systems and people as if they are always under attack, he said. This means users and systems are continuously required to authenticate themselves and prove they belong in the digital spaces they have access to, like a network or file storage repository, and are allowed to do the activities they are attempting.

Illumio’s segmentation approach to zero trust further bolsters this cybersecurity technique by enabling different parts of a network to be shut off from each other when a contagion like ransomware is trying to spread. Rubin described Illumio’s segmentation methods as similar to the way a submarine has compartments that can be sealed when a leak occurs to prevent the entire vessel from being flooded.

Buy-in at the top

Rubin said decision-makers in IT organizations are prioritizing cybersecurity more than ever and this extends to the C-suite and the highest levels of government.

“Adopting zero trust strategies has never been more important for organizations across all
industries, as the Biden Administration’s recent cybersecurity Executive Order demonstrates,” he said, referring to last month’s executive order setting new software standards for government agencies and creating a cybersecurity review board that will probe major breaches similarly to how the Federal Aviation Administration (FAA) conducts air accident investigations.

“In the past when a breach occurred, we asked, ‘How much data was stolen?’ We were still sort of removed from the real-world impact of these incidents. But now, we’re asking about that real world impact—for example, will a breach mean fuel shortages and gas lines that affect our daily lives, immediately?” Rubin said.

Illumio has seen a shift in how people think about security during customer calls, he said. CIOs, CISOs, and even CEOs are “finally asking the right questions” about strategic risk mitigation and even driving conversations toward zero trust and “working on the assumption that we’re getting breached even when we do everything right.”