Security startup Illumio has raised $42.5 million and had a 22-month runway to talk to more than 100 enterprises, revising its product 14 times before launching in October and twice more since.

Clearly, these people think they're onto something.

Having missed Illumio's launch in October, I didn't have much idea what the fuss was about. But a couple of weeks ago, the company brought analysts and reporters to its headquarters on an obscure street in the backwaters of Sunnyvale, Calif., for a deep look at the technology.

I learned that Illumio is complicated. My gut reaction is always negative when a startup needs a long time to explain itself, but I have to concede Illumio might be onto something.

If nothing else, it represents a first step in rethinking network security. Someone had to take that step, because virtualization and the cloud — a world where locations are unpredictable for both user and application, and where endpoints pop up sporadically — have messed up the traditional, firewall-based security model.

"We believe that the model is broken. That's different from, 'You need an incrementally better thing," said Andrew Rubin, Illumio's CEO. "This is not an incremental problem any longer. We have fundamentally disrupted the way we stand up our applications."

Andrew Rubin

Illumio got a lot of publicity for its launch, but I think its executives feel like the coolest parts of the story got overlooked. So, here's my swing at what's unusual about Illumio — including at least one factor that's not necessarily good.

Many companies say their technologies work with all vendors' network infrastructure. In many cases, though, that's because they've done the legwork to make it happen, either through partnerships or by making APIs available.

Illumio is impervious to the network. It's not a distributed firewall and it's not in-line, meaning it doesn't look at packets. It's more like an antenna, Rubin said.

"Every single customer has told us [Illumio's architecture is] going to run in multiple places," Rubin said. "The only way we were going to do an effectively ubiquitous platform was to say, 'Do whatever you want wherever you want.'"

So, here's what happens: Every workload — a job that launches in a virtual machine, for instance — is created with an agent called a virtual enforcement node (VEN), a lightweight piece of code that clings to the workload like a remora. The VEN talks to a central brain called the policy compute engine (PCE).

The key is that the VENs are attached to workloads, not to locations.

"Illumio was designed to move to that distributed model. We have no issue with the network. It's just that the network doesn't bend," said Alan Cohen, the company's chief commercial officer.

Alan Cohen

"There's really no other way to do it. You can't have something that's not attached to [the workload] and really know what's going on," says Michael Howard, an analyst with Infonetics.

The concept of a policy-driven network is gaining steam. The idea is to have operators say what they want from the network, rather than speaking networking lingo. So, an operator would tell the PCE, "Let the web tier talk to the application tier," without even knowing what the network looks like.

We've seen this declarative model in Cisco's Application-Centric Infrastructure (ACI), in the Group-Based Policy initiatives in OpenDaylight and OpenStack, and in the OpenStack Congress project (which is looking beyond just networking). Most recently, a project called Network Intent Composition got added as a candidate for OpenDaylight's Lithium release, due out in June.

The operator tells the PCE what policies to enforce — which parts of the network should be allowed to talk to each other, for instance. In addition to that, the VENs are continually telling the PCE their workloads' state information. That lack of stateful context is a handicap of most security systems, Cohen says.

The PEC then builds a graph of the workloads and all the dependencies among them. From this, it computes policy rules for each workload. The VENs receive those rules and turn them into network actions, such as forwarding-table adjustments.

This VEN/PCE process gets iterated continually. Every change in the network — every birth or death of a virtual machine — triggers a recalculation of the PEC's network graph.

That creates an automated security screen that reacts to what's going on at the application layer. As a side effect, it means obsolete policies get deleted. Large enterprises struggle with that; policies build up over time, and nobody dares delete them because it's not clear which ones are outdated.

"When you go into an enterprise, ask them how many millions of rules they have. Not hundreds, not thousands," Rubin said.

Illumio's VENs are certainly part of its core technology, and so is the way the VENs translate policy into network implementations. But this graph sounds like the hardest part for a competitor to emulate.