Introducing Illumio


As CTO at VMware, I witnessed major changes to almost all aspects of IT – apps, compute, security, and networking. However, one critical aspect of IT has fallen farther and farther behind – security. As a technology investor at General Catalyst, I have made attacking this disparity my top focus. As such, I’m incredibly pleased to share news of the public arrival of Illumio and its first products.

What problem does Illumio address?

So many of the recent infrastructure advances have been driven by the need for speed. IT teams are constantly asked to move faster—to be able to respond to changes and push new applications out quicker than ever. But they’re also held accountable for security and governance. And with the nearly daily drumbeat of highly visible security breaches, the latter has become a top priority and even a board-level discussion.

Our industry has delivered outstanding new technologies – public clouds, containers, and virtualization for example – with the promise of lowering costs and increasing agility. But it can be a challenge to securely adopt these technologies. Today’s security approach remains strongly tied to legacy network infrastructure and to enforcing policies at the perimeter of a datacenter. This perimeter is dead — mobile devices wounded it and the cloud finished it off.

Even within a single datacenter, today’s infrastructure-centric security can’t keep up. It was designed for relatively static environments while today’s data centers are far more dynamic and distributed. In an attempt to keep up, security teams must, at best, slow down the rest of IT. In the worst and not uncommon case, they end up omitting potential protections or face misconfiguring a spaghetti bowl of legacy rules and disconnected security implementations.

I constantly see this challenge—everyone knows that there’s this bright computing future out there, but we have to find a way to secure it. What’s more, we’d like to secure it in a simple and consistent way across all deployment destinations. These challenges are the focus of Illumio, a previously stealth-mode company that I’m ecstatic to be involved with. Illumio unveiled today the first-ever software platform that provides granular visibility and security for all data center and cloud computing environments.

What is Illumio’s solution?

Illumio has taken a clean sheet design to security with a very ambitious goal – provide outstanding and easy-to-manage security at the speed of cloud and that consistently applies across today’s and tomorrow’s IT environments. The result of the multi-year effort is Illumio’s Adaptive Security Platform, which provides visibility, security, and encryption for applications, free from dependencies on the network and designed for today’s highly dynamic world.

The solution consists of two primary components:

  • The first is called the Virtual Enforcement Node (VEN). This is a lightweight piece of software that lives with each workload. Its job is to provide visibility and then to enforce protection.
  • The protection instructions come from the Policy Compute Engine (PCE), which constantly analyzes all the relationships between different applications and different nodes, dynamically calculating the security policy and pushing it out to wherever the workload currently resides. What’s more, these security policies are written in natural language rather than the fragile infrastructure-centric languages of today’s tools.

These components work together to create a protective bubble that surrounds an application, moving with it whenever and wherever it runs – whether on bare-metal or virtualization in a private datacenter or in public clouds provided by Amazon, Google, or Microsoft.

In addition to this protection, Illumio provides granular visibility into application composition and behavior. The company name itself highlights the fantastic “Illumination” that IT receives when it sees exactly how components of the application are talking to one another and to the outside world. The look I’ve seen on customers’ faces when they get their first glimpse of what’s truly going on in their environment is priceless.

Where do we go from here?

Today’s launch is substantial from a product and technology standpoint. Just as exciting is the great list of customers who have been actively involved with Illumio in the product design and implementation and who are actively using the product today. We’re seeing excitement and adoption across a variety of company sizes and industry verticals – a testament to just how critical of a problem this is to IT.

I’m very excited to be part of today’s Illumio launch and to support the company on their “IT Illumination” journey. Illumio has taken an aggressive clean-sheet design to security, unshackling it from static infrastructure and from the fallen perimeter. I believe the end result will be security that is the enabler – not the roadblock – to safer and more agile IT.

Congratulations to the entire Illumio team, and here’s to an outstanding launch!

… Solved by a Layer of Indirection.

I just caught up with an old friend and walked through what I’ve been up to in the (many) years since I departed Texas. This friend isn’t a real techy, so I had to take a higher-level look at the various companies and projects I’ve worked on over the last [number redacted] years.

Half-way through the list I realized that almost every project revolved around some form of virtualization. And not just the “virtual machine” version of this term, but the more general English definition of “separating out a logical view from its physical implementation”. The list runs something like:

  • MPEG hardware: My undergraduate research thesis focused on building hardware to accelerate the decode of video streams (yes, the early MPEG-1 days!). The data stream had to always stay the same, it was just up to the hardware to more efficiently convert it to useful video.
  • Ada compiler: I also spent a summer at Convex Computers (now part of HP) working on a compiler that could unroll loops and optimize unmodified Ada code to utilize the company’s vector hardware. It sure would have been simpler if we were able to add hints to the source code, but that wasn’t allowed. The challenger (against Cray in this case) often doesn’t have the luxury of asking for changes specifically on their behalf.
  • SimOS: My dissertation focused on a complete machine simulator capable of running unmodified IRIX and IRIX binaries. This was a major pain to get right (and fast), but allowed us to study real life applications and get previously unseen visibility into system performance.
  • MIPS R10000: While at the tail end of graduate school, I worked at SGI for the MIPS architecture group to help design their newest processor. While MIPS has one of the simplest instruction sets, backward compatibility still was a pain that restricted several possible optimizations.
  • VMware: Don’t need to say much more here. Whether for servers, storage, networking, or desktops, the engineering obsession was always about allowing completely unmodified applications to work seamlessly in a more agile, portable, and efficient environment. Early attempts to simplify this challenge (paravirtualization, for example) sure sounded nice, but we knew that they created a barrier to adoption that would be hard to swallow early on.
  • Recent Investments: And my early investments at General Catalyst have all focused upon this as well. The two that most exemplify this passion are still in stealth mode, so stay tuned for a proper unveiling. Both of them work with existing workloads and user behavior, surreptitiously doing things behind the scenes for dramatic improvements.

I meet so many startups that offer IT Nirvana if you just ignore existing hardware and software. At the end of the day, the requirement of working with existing applications, code, or environments is a pain. It’s always easier to have a completely “greenfield” and no compatibility requirements… which reminds me of this quotation of unknown origin:

“God created the world in seven days — because he had no legacy infrastructure”

But today’s businesses do have legacy infrastructure and a slew of existing applications, processes, and user behaviors. While always keeping an eye out for great clean-slate solutions, I suspect I’ll continually come back to those that also try to fit in!

Just a little retrospective navel-gazing for a sunny Tuesday…

“BuiltWith”: what powers that site?

I was talking with some startup folks last week and heard one of them ask “why doesn’t someone track and publish how all of the other web companies build their sites?”. I assumed this site was pretty well-known, but in case it isn’t, check it out:

Pretty nice way to track all sorts of interesting tool usage including:

  • Weekly trends
  • Market share


They also break them down by different cohorts… such as YCombinator classes:


The above sort of data is free. They have a pro version with more reporting, lead generation, etc.

I have no ties to the site… I’ve just used it a lot in the past and hope it’s helpful to others.



Mobile-First Infrastructure: Investing in Runscope


Today I’m happy to announce our investment in Runscope, a developer-centric API-focused company based in San Francisco. Co-founded by CEO John Sheehan (Twilio, IFTTT) and Frank Stratton (Twilio), Runscope creates tools that help app developers test, debug, support, and maintain their integrations with public and private APIs.

As first discussed in the “Time for Mobile First Infrastructure” blog, formal APIs are sprouting up everywhere. They are already the backbone of the cloud economy, and are increasingly marching into inter- and intra-enterprise use. In many enterprises that I speak with, formal APIs are often first launched to enable a company’s own mobile applications. From there they evolve to be the core plumbing for the web or thick client versions of these apps. And the next step is often publishing the APIs for external uses enabling new sources of revenue, better customer support, or a previously non-existent partner ecosystem.

However, they also can be a challenge to work with, maintain, and support. That’s where Runscope comes in! This team knows developers as well as any team that I’ve met, and they’ve spent much of their lives helping companies deal with the challenges of APIs. As a result, the early feedback on their Runscope Radar, API Traffic Inspector, and Passageway tools often looks like this:

[Image: tweet]

They are also supporters of several popular community projects (including, which I personally love to kick around).  And you can certainly imagine why I’m excited about their announcement today of Runscope Enterprise, extending these great capabilities behind the firewall.

To learn even more about Runscope and why I’m so excited about them, please read John’s post. So here’s to Runscope and their efforts to help developers in this brave new world of APIs. Or as Runscope proudly proclaims on their famous T-shirts:

[Image: Runscope T-shirt]


Mobile-First Infrastructure: Staying Synchronized!

Really nice interview of Bret Taylor by Robert Scoble. It has reminded me to add the following to the core “mobile-first infrastructure” characteristics:

Staying in Sync: The majority of enterprise mobile applications are required to keep data consistent across multiple instances. This includes synchronization between users collaborating on some project, between a user’s online and offline document stores, and between a company’s master data sources and the version available on a user’s mobile device. We see this capability in several SaaS/Mobile offerings (Box, Dropbox, Google Docs, Quip) and it’s a core offering in many Mobile Backend-as-a-Service (MBaaS) offerings (e.g. Parse, StackMob, FeedHenry, and many others). I’d claim that mobile alerting and notification systems are a very specific instance of this general synchronization trend. And while these synchronization services are widely deployed in the consumer world, they must evolve to support the needs of the enterprise. This includes:

  • integration with enterprise identity management solutions (individual- and group-based policies)
  • fine-grained data control policies (what data can and can’t move to the mobile device, who can share with whom)
  • auditing reports (tell me what data was accessed in certain places and by certain people)
  • other data security offerings (data leakage prevention, encryption policies)

Lots of work to do, but it’s clear that enterprise-class synchronization capabilities will be a core capability of the mobile-first infrastructure headed our way.

P.S. Kudos to Bret for calling out how we are having to return to many of the lessons taught in computer science departments. To summarize his argument, we have had 5-10 web-centric years  where so many developers treated the always-on, high speed internet as the norm. Mobile devices have required today’s developers to dust off those lessons about coping with highly variable network speeds as well as times when the app is completely offline (gasp!).


Mobile-First Infrastructure: My Thoughts on BoxDev 2014

[As first posted at:]

Today I had the pleasure of participating in the BoxDev 2014 event in San Francisco along with ~1600 registrants – very impressive numbers. I’ve long been a fan and user of Box and have several friends and former colleagues working there. I’ve certainly enjoyed getting to know Aaron Levie as well and am pleased to have him as a co-investor in stealth start-up Illumio.


I was on the VC panel with Christine Herron, Mamoon Hamid, Jerry Chen, and moderator Sam Schillace (above courtesy of Oxygen PR). There were lots of attendees looking to create the next big enterprise startup and with plenty of questions – what should the salesforce look like, what metrics are key for fundraising, what are the opportunities in healthcare/retail/oil&gas/etc. Quite an engaged audience!


This was part of the one day event held at Fort Mason and with two tracks:

  1. Build Track: These talks focused on the APIs for Box’s platform and how startups can integrate with and build upon Box. The APIs are pretty straightforward and you can learn more about them here.

  2. Innovate Track: These talks focused on insights and lessons learned from various folks in the enterprise software space – VCs, big company CIOs, and CEOs of promising startups (including GC-backed CEOs Andrew Rubin of Illumio and Josh Reeves of ZenPayroll).

Box fits squarely into the mobile-first infrastructure theme that I’m focusing on (think I can make an ex post facto A-round investment?). In fact, it fits many of the categories core to satisfying this next stage of IT.

  • APIs before apps: This whole event has been about offering API access to users’ files and content stored in Box. These APIs allow a rich set of tools and collaboration services to be built around the core content (with the mandatory marketplace), but also allow Box to more easily integrate into the existing enterprise infrastructure – key to adoption by bigger companies.

  • Porous perimeters: This is a core value of enterprise-ready cloud services such as Box. In a world where employees access their apps and files from inside and outside of their own firewall, you need to put protection around the most important asset (content) and this is most easily done by centralizing said content. This is the modern equivalent of enterprises pushing all data off of PCs and laptops and onto NFS and CIFS shares to more easily enable proper permissions, backup, and reporting. The big difference is that now the content needs to be ubiquitously accessible from any device and any location.

  • Identity crises: And of course core to all of this is ensuring that the right person is accessing the content under the right policy. As with all mobile-first infrastructure, single sign-on, AD/LDAP integration, group policies, and audit trails are requirements and a core part of the Box offering (and surely an area they are quizzed on regularly).

Congrats on the great event, Box!



The Modern Icebreaker – Show me your… Home screen!

If you’re ever at some kind of social event and in desperate need of a conversation starter, ask a bystander to show you their phone’s home screen and tell you all about it. This seemingly shallow question often turns into a fairly deep conversation! And what’s nice is that it works across almost every age group, nationality, and personality type. Sound goofy? Probably so, but I’ll walk you through my own home screen and suspect you’ll know me a little bit better as a result. First, the obligatory picture:

Let’s walk through the choices I’ve made and, using some pop psychology, what those choices may mean about me.

  • Android vs. iPhone (vs. Blackberry vs. Windows Phone): Obviously this is the top-level insight – and the first opportunity to get to know someone. This is a well-covered area with plenty of articles, geographical studies, and even cartoons. Each person you meet will certainly have an opinion on why they’ve chosen their way-of-life! I’m personally an iPhone guy and my 14-year old is an Android-er.

  • Wallpaper: This often gives you the most obvious insight into someone. Is it an island scene, an abstract pattern, some special event, or maybe someone they care about? I personally choose to rotate it every week or so. This week’s wallpaper happens to be of my two pets – Milo the Labradoodle and Soaker the Bearded Dragon. Each of them has plenty of their own stories, but I’ll save those for a future blog! When I’m on a longer business trip, pictures of the kids replace those of the pets.

  • Bottom Row Icons: Ahh yes… the goto spot for most frequently-accessed apps. You can learn a surprising amount about someone by what’s in the pole position. Most of my phone time is for work, so that drives placement of my goto communications and scheduling apps. I’m currently experimenting with Tempo as my calendar and find I can’t get a great feel for how good a calendar will be unless I fully immerse myself in it – thus the pole position. And you may find that less technical acquaintances didn’t know they can change the bottom icons, so check whether they still have the default icons and wow them with your customization skills.

  • Top Row Icons: Don’t know about you, but I actually find this top line to be even more of a pole position than the bottom row and keep my other most frequently-accessed apps right there on top. In my case, it’s Google Search, Chrome (I like my history and bookmarks to be sync’ed across all my devices), Evernote (my goto note-taker), and Reminders (I’m a big todo-lister and have rotated between the default and Wunderlist). I’m quite sure this all says something about me… not sure what though.

  • Mail: Whether in the pole position or elsewhere, ask them to show you their inbox and tell you about their policy. How many unread mails do they have? As someone who strives for Inbox Zero, I get very suspicious when I meet people with more than 50! In fact, the 5 I have on my screenshot is making me a bit antsy. Ask them how often they send mail to themselves and whether they use their email for TODO lists. Here’s where you quickly learn about the organizational level (or current chaos level) in a person’s life.

  • Folder Strategy: Beyond the goto-apps, are you someone who likes their applications strewn out for one touch access or carefully folder-ized for more of a Feng Shui feel? Clearly I’m the latter. And you can definitely learn about people by their top-level folder names. You can see the way I categorize my life here… and that I love Lake Tahoe. You can also see that I’m not much of a gamer, too. While I have just one folder for all games, my son has 15 different game folders (like eskimos having so many words for snow?). I like a sandbox folder for those recently downloaded-apps that are in limbo, hoping to make the cut for permanent phone residency. And I don’t know about you, but I can’t fathom having nested folders… those people always seem a bit suspicious to me.

  • To Swipe or not to Swipe: This question always reminds me of Dora. Yikes. This question is directly tied into folder strategy. Do you like your world of apps to fit on one screen or can you think multi-dimensionally at this level? I’m clearly a uni-homescreen kind of person and think it’s rooted in the chaos of raising kids and wanting more simplicity in my phone life. Others I’ve met really like to partition their own life via different homescreens – work is the default, but swipe right to get to their wilder side and apps used strictly for their personal life! This often becomes a surprisingly deep discussion topic.

And the list goes on… Ask people about the oldest app on their device and you’ll often get some nostalgic tales. Ask them how often they delete apps to get a sense as to whether they are modern day hoarders. Query which other family members use their device and you’ll often hear horror stories of in-app purchases gone wild.

So there you have it. The modern icebreaker and a chance to learn more about a person from their device than you’ll get through the go-to weather and politics discussions. Any other great questions to add to the list? And I’d love to hear more about your own device-driven psychological profile in the comments.