VMware Head Of Security: Our Security Business Run Rate Outpacing Height Of Hypervisor Growth

VMware's Security Strategy

VMware Senior Vice President of Security Products Tom Corn said security is one of the fastest-growing businesses at the company, hitting a $1 billion run rate and as a growth rate outpacing the company's hypervisor business. In a recent interview with CRN, Corn said VMware sees the opportunity to help companies improve their cyber hygiene, acting as a single control plane for applying security technologies and policies. That opens the door for new opportunities for partners to help customers rethink their security strategies, he said, by focusing security conversations around the applications and data that pose the biggest risk to the organization. Take a walk through the VMware security strategy and where it is investing to help partners make the most of bringing together security technologies with virtualization.

What are the benefits of tying security and virtualization together?

It's funny to me – we have so many conversations about the unique properties of cloud, both private and public, and we apply them to building new kinds of applications or new kinds of infrastructure and scaling, except in security. … The natural tendency is to say that no one wants to secure one thing differently from another, so let's just treat it as another operating system and transport whatever we're doing from here to there. What [VMware CEO Pat Gelsinger] has been pushing on, and I like the notion, is if we can take the unique properties of cloud and apply them to rethink how we do security … If I take control of every virtual switch, I could create one control plane for everything. … By controlling the virtual switches, I can give [an application its] own network, own address, completely isolate it, give it your own firewall. … Now, security guys don't have the opportunity to re-architect the whole network, but all you're doing is taking the virtual switches, the software switches and saying I'm going to make a little virtual data center for an application. It's allowing people to align the focus of security back on the application, instead of the infrastructure.

What are the benefits of approaching security this way, instead of in the traditional way?

When you do that, you can do a couple of things. … It means you now have a single egress point into it. It doesn't mean it is completely isolated – stuff can still get in and ou t… but now you have one place and one tenant, so things can get aligned. It starts enabling you to go back to the earliest principle in cyber hygiene, which is least privilege. We started to latch onto that and that kick started this whole micro-segmentation movement, which now other companies are starting to jump into the fray.

How does this approach to security affect the network virtualization market?

It's truly driving three-quarters of the network virtualization market. There are three big use cases right now for network virtualization. One is security with micro-segmentation. Two is disaster recovery. Three is automation, like blueprinting applications and rolling them out. They all center around the same thing: You can treat the application as sort of the new atom. If you're doing disaster recovery, the easy thing to do is bring the machine up. The hard thing to do is bring all those machines up with the right address and talking to each other. But, if you have that thing spelled out in the network virtualization layer when you spin it up, you're bringing up your network as a file. It's the same with blueprinting. But, security is driving the biggest chunk of that. Even just for VMware alone, that has become a big business for us. I think in the fourth quarter we had 2,400 customers. It's like a billion-dollar run-rate business. How many security products have gotten to that size alone, let alone in three years?

With a $1 billion run rate, how big of a percentage is security of VMware's business overall?

VMware's total revenue was about $6 billion. … I'm talking run rate. Still, as a growth rate, that's grown faster than the hypervisor division. The hypervisor didn't get to that run rate until several more years in. This is kind of what's driving a lot of the work that's going on with us in the world of security. We're not a security company, but we have an opportunity I think to solve some of the much more fundamental problems of security that aren't going to be solved by a security company. It's solving these architectural issues. Some of the how you can approach the problem differently I think will end up, in many situations, will be started by us and people will start to see the model and pick up on it.

So is your vision for VMware to sit at the center of a company's security ecosystem? What's the end goal?

I think what we hope to do is be at the foundation of cyber hygiene. The two problems we're trying to solve at the macro level is helping you align security to the application and helping you establish least privilege environments. Now, when you pick your product of choice – next-generation firewalls, web application firewalls, endpoint detection and response – they're all still very applicable. But, now they're solving a narrower problem because they're on a smaller surface, they're dealing with less signal to noise, they're in a position to understand the signals I'm getting that are actually all from this application. I don't think it obviates the need for some of these, but I don't think in the absence of solving some of these hygiene issues I don't think we stand a chance. There's so little black and white inside – there's so little known good or bad – and there's so much gray that if we don't shrink the gray and create some organizing principle to it, I don't see us getting ahead of the curve.

What's the opportunity for partners around security and virtualization?

Don't think of this as just one more market for you to go into – there's opportunities for you to rethink this model. Some of the new things that I'm coming out with on the security side: if we're going to start enabling people to align things around risk, who is there working with the clients to understand how do you have these conversations about risk? If you're starting to introduce new cyber hygiene principles, there's a whole bunch of new things that, frankly, we're going to be highly competitive by being these people who have these conversations regularly. The easiest thing to learn is someone's product. The hardest thing to learn is the environment it's going into and their map of the world. I think we're going to be highly dependent on them and I think it's a huge opportunity for much richer advisory services.

Can you give us a use case example of how security can be applied in this way to network virtualization?

Some of the work that my team is doing now is trying to rethink encryption. Can you make encryption for an application a drag-and-drop exercise by building encryption into the switch and saying I want that application to be encrypted and we just push the policy to the switches to say all communications between these machines is encrypted and authenticated. It doesn't matter if these things are in Amazon or Azure because we cannot only use our hypervisor but we can use their open switches as well. We're doing some things that are starting to use our position where we have visibility into the application itself to add a station on the application, like is the actual software running in the applications, the operating system, the processes. How they are interacting differently from how it was intended or provisioned in the first place? ... There's going to be a lot of pieces that honestly you would be hard-pressed to find a huge business in network encryption. It's features of some infrastructure, or it's not very widely used inside, or it's complicated, or it's considered painful. Whereas if it were a right click [it might be different], and that is best solved by us. … The notion is now we have this software fabric.

How does that approach change how companies spend money around security?

I often hear people talk about security as an insurance model, like there's a small chance of something really bad happening and if you multiply that out it's worth spending this amount. I don't think that's the model. I think the model is you're going to spend what you're going to spend. The only question is what resources, time and attention are being focused on the biggest risks. I don’t think you can talk about risk without focusing that on applications and data. Infrastructure is an abstraction. For an airline, it's your flight operations system, it's your booking system – those are risk areas to the business. … Are we focusing more time and attention on locking those things down? Or, are we spreading our efforts like peanut butter across the infrastructure? I think this affords us more of an opportunity to do that.

What about sales approach – does selling security as a facet of virtualization change how partners are selling security to customers?

I think that it opens up a very new interesting set of new opportunities because this starts creating a new operating model. … When this was a hypervisor company, at some point everyone knows how to do a hypervisor and knows what it is. When you start to do something like what I described [around security], the first team that gets it is the security team and they want it. Then, the operations team has to get it. Now, they have been operating with a pretty consistent model for quite some time. … Now, the rules have changed. Is that a network thing? A software thing? A server thing? It does change the model. It's actually forced us to learn for several hundred customers what is the new runbook. It starts creating opportunities for the integrators and the resellers to start thinking about services about change management: what's the new operating model, the new runtime model.