I have admired VMware’s technology for many years. I currently have a multi-node vSphere 5.5 deployment at home, and in my free time I love running benchmarks to marvel at what years of optimization by VMware have gotten us. So it was with great interest that I followed the unfolding vision and roadmap that Martin Casado laid out on behalf of VMware two and a half years ago. This vision of why security applied at the virtualization layer was the true answer to building a secure infrastructure was especially exciting for me. I had co-founded Skyport Systems a year earlier on a dovetailed premise: that we need a fundamentally new approach to security as built-in secure infrastructure, and that the virtualization layer is a key component of it.
However, based on the update at VMworld 2016 (“How Virtualization Will Transform Security”), it is clear that VMware has lost its way in executing the eloquent vision Martin laid out. They have become distracted from delivering an MVP (Minimum Viable Product) for secure virtualization, which the IT industry desperately needs in order to secure an aging architecture that VMware itself introduced in a prior IT era.
When Martin Casado explained the Goldilocks vision of security years ago, the core concepts were solid and meshed very well with the view we had when we founded Skyport Systems. The classic debate of network-based versus host-based security is a false dichotomy. Neither is the answer. Here’s why:
- Host-based security puts the controls inside the attack zone, so any agent-based solution is architecturally flawed: a compromised host can tamper with the very agent meant to protect it.
- The network has no real context about workload intent, so specifying policy there is simply broken.
The answer is placing security controls in the hypervisor, which supports aligning policy with workload intent and is uniquely positioned to isolate workloads and enforce that policy from outside them.
Fast forward to this year. At VMworld 2016 we saw VMware checkpoint on Goldilocks with a clear lack of execution, distracted by cloud and containers, as evidenced by the contrived demos. The biggest architectural issue with their update is that they avoid addressing many serious threat vectors because of the constraints imposed by their ecosystem and their unwillingness to take any risk in redefining the ecosystem’s boundaries. Perhaps VMware is simply entering that phase of maturity where maintaining relevance for investors, pleasing partners, and squeezing customers on licensing costs matter more than serving those customers. Or maybe they have lost too much talent, including Martin Casado, who departed to join Andreessen Horowitz.
VMware went from having the right message for the right reasons to having a prototype that tries to satisfy their business interests. They are serious about vCenter and their other cash cows, but not really serious about security. If you have a project that needs serious security and you want to solve it today, contact me at Skyport Systems. I would love to help.
Founder, VP of Engineering