Illumio Blog
August 27, 2019

Common Criteria Certified: Securing Federal Agencies with Illumio ASP

Sr. Federal Product Manager

Nearly two years ago, I was lucky enough to join the Illumio team as Federal Product Manager. The first order of business was to acquire the necessary product certifications required by the federal government, including FIPS 140-2 and GSA Section 508 compliance. Recently, the Illumio Adaptive Security Platform (ASP) achieved another important government security certification called Common Criteria. With this certification, Illumio became the first enterprise security vendor to be certified with conformance to the National Information Assurance Partnership (NIAP) Standard Protection Profile for Enterprise Security Management, Policy Management v2.1, which focuses on access control policy definition and management.

August 20, 2019

Cyber-Attacks on the Financial Industry are Skyrocketing, But What’s the Real Reason?

Chief Executive Officer and Founder

A thought leader and expert in the areas of network security and compliance management, Andrew is responsible for the overall strategy, vision, and funding of Illumio.

This article was originally published on

Over the past couple of years, we’ve all heard of varying degrees of cyber-attacks being carried out on political campaigns, cities and towns, hospitals, and – perhaps not surprisingly – financial institutions. What I find the most interesting about these incidents is two-fold: that organizations are still leveraging traditional or outdated cybersecurity approaches in an era where cyber-attacks have become so incredibly complex, and also how people, organizations, and governments respond and learn from them. I believe the former can be addressed much more quickly than we all think, but the latter unfortunately seems to be lagging behind.

August 12, 2019

[CTO Perspective] Moving Forward After Capital One

CTO and Founder

PJ is a technologist and architect focused on complex distributed system solutions. He’s responsible for Illumio’s technology vision and platform architecture.

By now we’re all aware of the breach at Capital One, which affected nearly 106 million U.S. and Canadian residents, due to an attacker bypassing a web application firewall (WAF) Capital One was using as part of its operations in the cloud. In a nutshell, the attacker was able to trick the WAF into sharing credentials with access to Capital One’s AWS operations, thus leading to the data breach. The WAF possessed excessive permissions – enough to view and copy information behind it in AWS S3 buckets.

Specifically, consensus has emerged that this was a Server-Side Request Forgery (SSRF) attack. Our aim here is not to conduct an attack post-mortem but rather to think about how best to move forward. For a thorough, digestible review of the attack, please read Brian Krebs' excellent write-up.

July 16, 2019

PCI Compliance Design Considerations

Sr. Product Marketing Manager

PCI DSS compliance has been around for more than 10 years. Networking and firewalls have been in use in corporate data centers for much longer, and covered entities have relied on these technologies to segment their PCI environments and reduce their compliance and audit burdens. Today’s data center environments are more complex, abstracted, and distributed. The techniques and technologies utilized by bad actors have also evolved. As a result, we continue to see reports of high-profile data breaches. QSAs continue to issue findings on critical PCI scoping and segmentation errors, on failures to properly isolate the CDE and connected-systems traffic, and for having networks that are too flat.

July 11, 2019

PCI Scoping and Segmentation: Challenges and Solutions

Sr. Product Marketing Manager

The ability to accurately scope and segment your PCI environment is a critical first step of an effective and sustainable PCI compliance program. The PCI Standards Council published the "Information Supplement: Guidance for PCI DSS Scoping and Segmentation" to help organizations identify the systems that are in scope for PCI DSS, and it also offers considerations for using segmentation to reduce the number of systems in scope for PCI DSS controls. Executing these activities is not always easy for many organizations.
