 Always chatting with Simon Crosby. I'm John Furrier with SiliconANGLE.com. We're here with Simon Crosby, the legend, the myth in person. You know, Simon, great to have you in theCUBE. I think we had our first CUBE interview at Citrix Synergy, where you were an executive over there. What was your official title at Citrix? CTO? I was CTO for Data Center and Cloud. Yeah, exactly. So, you know, we have a shout out to John Barra, my friend who I saw last night at barbecue. You guys worked at Zen together. You know the open source world. You know what's going on in the trenches around virtualization. So, couple things. You left Citrix to work on a startup, Bromium. Okay, I got you plug in at EMC World with Pat Gelsinger. So, share the folks on Simon Crosby, the update on you personally, what you've been up to. And then, let's talk a little bit about some of the tech that you're involved in. Okay, thanks, John. So, myself, Ian Pratt, who's the chairman of Zen.org, who you remember. And Gora Bunga, who was the CTO at Phoenix. We started a company called Bromium. And, so this is, it's virtualization centric, but virtualization, unlike any virtualization you've ever heard of before. The company by now is 50 people in five countries. And we're in beta two with our first product. And we're having an awesome amount of fun. So, obviously, you've been banned from VMworld in the past because you were a competitor, technically. Right. And we got you in here for theCUBE. But now you're now potentially a supplier to the people that you were once competing with. Has that feel for you? You know, what's changed in the marketplace? Yeah, what we're doing is somewhat different. But, you know, now with VMworld having bought Nesira, you know, and Cloud Foundry and being a good open source citizen and everything else, I think you're doing a great job. You know, VMworld is still very much enterprise data center centric. Where I intersect with VMworld is in the area of view. Citrix also with Zen Desktop. And, you know, most large enterprises have got some desktop virtualization going on. But the vast majority of desktops are not. They're like that. And users want awesome devices. And enterprises want awesome productive users who are secure. Right, Dave? So, while you're here, I want to get your commentary on the analysis of the Pat Gelsinger and Muritz Schino. Obviously, both Muritz is highly regarded and deservedly so. He's a great guy, a technologist. You can see he's just kind of punching out to do some cooler things and be the CEO. And most tech geeks don't want to be the CEO because this kind of gets boring. Right. Have to do operational things. And Pat loves the operations side. But, you know, some pricing changes. You saw that coming. So, it's good move for VMware. What's your take on that? No, all good. I think the Nesira acquisition was also very, very strategic. Also the, you know, everything that they've done in general from an orchestration perspective, it's all smart. They're doing a fabulous job. There's no doubt about it. So, obviously Spring Source is now two years old. We saw, what's his name? Rod, leave the company. Also, that's a classic case of, you know, I sold the company, I'm going to fly out of here. Lights are flickering, transformers are blowing, probably from the big screen. So, you know, Open Source is not new to VMware, but they've now two years into the Spring acquisition and the developer community is changing. What do you see in the developer community right now? Obviously, mobile is the hottest thing. You see consumerization of all that stuff. What's your angle on the developers general? I think that the whole world, by the way, this includes Microsoft, is suddenly finally figured out that Open Source is not, you know, it's just another way of developing software that any large company's portfolio should include Open Source software. Even Microsoft now does, you know, got the whole division set up to do it. And so, where it makes sense to embrace and work with communities when it's in your interest to do so. Okay, great. We've got past this, you know, big fuss about everything has to be Open Source for either religious reasons or I want to look at the source code or whatever it is. That's all nonsense. It just turns out that for some things, it's a great way to develop software. Open Source is growing up, too. I mean, you know, we've been around the block, you know, we're old enough to know we've seen all the generations of Open Source now. It's maturing and still, but still growing. Look, the cloud, right, the public cloud is 100% fueled by Open Source software. But, you know, it's Open Source software that's being taken by vendors and turned into proprietary software. Yeah, good for them. And that's their business model. And it's legal. Okay, so let's talk, so again, love it. So, you know, we talked about this about the public cloud and now hybrids, all this stuff. Let's talk about your thing now, your technology. You know, you've got a product announcement coming up in the first week of September, or right after VMworld, you're going to do a product announcement, keep or take it. I think we're going to be under embargo for that. I've heard some specifics, but it's kind of in the sweet spot of what they laid out here as an architecture, some network and security discussions going on in the middle of the stack. Or is it, or is it? I'll just go back to cloud then for a minute. You would never, ever, ever put an enterprise application in a cloud that was not multi-tenant safe, right? You just wouldn't do it. And so then, let's think about the desktop for a second. How many tenants are there on the desktop? You might say, well, there's me and there's the enterprise. There's two? Uh-uh, it's not two. Every time I click on a URL, I get a blob of JavaScript thrown back at me from some website, which executes locally. So that website is a tenant of my PC, right? So then the question is, well, how good is your desktop at multi-tenancy? How good is it? It's pathetic. It's pathetic. It's pathetic, yeah, start design for that. Right, and so the operating systems that we used today were designed, were not designed to be attacked 24 by 7, right? And the average user is connected 24 by 7. They're out somewhere, not on a wired land. And they're on a SAS or PASS or some platform? There's something, okay. And they're trying to access cloud applications. And so the challenge is for the enterprise, how can you reason about the trustworthiness of anything? That is, if a device has ever gone into Starbucks, whether it's yours or theirs, should you ever allow it on the network again? And the answer is no. So ultimately, if you look at what's going on desktop virtualization, desktop virtualization kind of helps, but it kind of also doesn't solve the problem which say, for example, RSA had last year where the RSA certs were stolen, right? Okay, so somebody clicks on a bad attachment. I know enough about you that I could easily craft an attack that would make you click on it. Okay, and the attacker will do that. In a clever way, more than the, hey, someone's talking about you on the internet, some obvious hack. That's an obvious hack, but you're talking about more clever, more cleverly designed, see these attachments. Yes, so the term the attacker knows enough about you to create an attack, and so you will click on it. And because a human wrote the code, there's always going to be another zero day. Okay, so here's what we just said. Our computer systems are not designed to deal with our humanity because I'm gullible and the guy who wrote the code was fallible. Okay, and this is a major failing. So it's high time we started to build systems that were much more resilient by design. And so Bramium is doing that. So can you give any tease about the product? I can tell you, let me tell you how the system works then. So essentially, given that I'm gullible and that somebody left bugs in the code, what can we do? So what you can do is this. Essentially, we're a magic hypervisor, which means we need Intel VT. Every time you launch a task, you click on a URL, you open a document, open an attachment, whatever it happens to be, we're going to instantly isolate that into a tiny hardware virtualized micro VM. So we're going to use all of the machinery of Intel VT, not for running virtual machines, but for isolating tasks within a running operating system. Okay, this is the bit that I'm sure you heard doesn't work, it's impossible to make it work. Okay, so instead of using VT to run lots of VMs, use it on the fly instantly within 10 milliseconds or so, completely unseen by the user to isolate a task. Okay, so you click on a link in Twitter and I've got to put that thing into a box. And that box is going to be an Intel VT isolated box, which then operates with two additional key properties. One of them is that it executes copy on write. So if the bad guy happens to end up in that micro VM and tries to stomp on the system, then all the changes that he makes will be local to the micro VM only. And the second property is that these micro VMs see the world in a perfect implementation of the principle of least privilege, which basically means this, when you browse to Facebook, what files do you need in your file system? You need one, you need the cookie for Facebook, right? When you open a PDF document, what files do you need in the file system? You need one, you need the PDF document. So basically what you're saying is the web as we know it, the website-centric user experience is fundamentally flawed with the current user behavior of browser-based navigation and interaction. Every time you go anywhere untrustworthy, anytime you plug a USB key and anytime you click on an attachment, anytime you go anywhere on the web, you are interacting with stuff of unknown trustworthiness. That's where virtualization is an example. I'm generally speaking now. I'm oversimplifying just to kind of understand this. You can add value. So what you're saying is you're doing some clever things around that trust point. And wrapping some tech around it to isolate it, where it is, and do something or protect it. But also based on a key assumption, which is that you cannot detect the unknown attack. See the endpoint security industry today says, yeah, put my AV stuff in your operating system, it'll find the bad guys. It doesn't because the attacker is smart enough to evade them, right? So endpoint security is a complete waste of time. And why do you patch your operating systems anyway? You patch them because they're vulnerable. So if you look at, think about the data center before VMware, right? People installed software on servers. They installed applications on top of that. And then they stuck a server in a rack and all that. But now they're all agile, cool, hip, power-sensitive, green, highly available, and dynamic, and therefore strategic. Look at the desktop practices. They are horrible, menial, grungy, male tasks, which are not strategic. They're outdated, outdated. So one of the things that we've been talking about on theCUBE here on SiliconANGLE and on Wikibon is this notion of a modern era. Like modern era baseball, there's no doping, there's no steroids and whatnot. So tell me your definition, your view, I mean there's really no definition yet, we're introducing this concept of data infrastructure and also you've got big data. In the modern era going forward, you're a CTO, you're out doing some cutting edge, redesigning of use cases. What is the modern era need to look like from up and down the stack? Well the modern era needs to be one in which the enterprise can safely empower the user. You see, if you look at the world that I described, the only thing that IT can do is lock things down. But by the way, you still can't protect against the RSA attack, which was an application area. And so, IT becomes the barrier between me and productivity, which means I'm dead set on dragging all their stuff into Dropbox or whatever I can do, right? And so the big problem is to empower users who are more technically savvy, let them get on and do stuff and still protect, right? Now notice that an attack on my PC is an attack on me too, because it's going to send spam to my wife or whatever else it happens to be. So the big challenge is to allow us to walk this line between where we have to legislate, which is IT, and where we can empower, and people want to be empowered, and want to be empowered when they're working. So I've been doing some research around low level virtual machine compiler infrastructure at the University of Illinois, and it's the concept of, I don't want to say memory management, it's kind of like a bad, not a dirt analogy, but back in the old days when you wrote code, whether you were doing assembler or C or the hardcore low level programming, you had to do memory management, right? That deal with that. But now with virtual machines, programs need this. So it's a really cool kind of direction where programs have, in essence, in their own virtual machines to work with each other. So it gets low level. This is kind of a concept that points to what you're talking about, which is as new technologies that are being developed that can actually deploy the kind of security, the kind of orchestration. So, you know, is that something around you thinking you're right? It kind of is. That is another way you could say this, look there are all sorts of application sandboxes out there, right? So the problem with sample, here's a good example of a sandbox, would be Chrome, the browser Chrome, right? The problem is that they have to protect the kernel from a user space process, and that means protecting modern 2000 Windows system calls, which means they've got to hook every one of those and land it somewhere safe. And that's a huge amount of new code that they've got to write. They've got to remain compatible with everything that are ever ran and not introduce any more vulnerabilities. And so anything you can say about Chrome is they're doing a reasonably good job. They've been at it for 14 years and they're still new zero days, okay? So, and it'll only ever work for the browser. The question is what could you use as a general purpose isolation technology that is simple, has a tiny code base and serves any application? Okay, that's the requirement and that's what we're building. So when you're obviously in beta or alpha, I don't know if you're on the product side, but you guys are doing some work talking to customers and suppliers and whatnot. When you walk into that first conversation, hi, I'm Simon, glad to meet you. Bottom line, here's what we do. How do you just, how does that go? I mean, elevator pitch, whatever, that first, here's what we do. How do you describe it? Do you use RSA Hack as an example? Cause it's kind of complex. How do you crystallize it? Actually, every large enterprise is being actively targeted. And right now we are doing the large enterprises, not to- All large enterprises are being targeted, would you say? Every large enterprise is being actively targeted by- Hackers. Pistose to malware, yes. And they all get it. Every single CISO out there gets it in a hot beat. They know that they cannot secure the endpoints. By the way, this applies not only to PCs and Macs and so on, it's got to apply to mobile devices like tablets, right? Otherwise, how can you- This is not a nice to have, this is a strategic imperative on all enterprises. It's the right way to build software, absolutely. Make software in a way which is resilient to the fact that we as humans are going to make mistakes. All right, so talk about the company now. How many people are working there? 50 people. 50, funding, you get around. 36 and a half million in. Like a couple months ago, right? That was our B. Our B round. Yeah, okay, great. Investors are Andreessen Horowitz, Ignition and Highland-Vin. Frank Artali. Yes, Frank. Yeah, Peter Levine. And then Highland. Highland Capital. Yes, and then we also took strategic investment from Intel. Some good investors. Simon Crosby, congratulations. Final comment, I'd like you to just share with the folks the new VMware. As VMware comes out and the torch has passed, Pat Gelsinger, who, you know, he marches to the cadence of Moore's Law. He's going to try to bring that to the application side of the business. Yeah. You known Pat, you said you used to work for him. What's your take on Pat and his, you know, tasks and taking the torch from Paul's? A nice handoff and obvious there was no issues there. It was obviously all part of the family. What's your take on that? Oh, absolutely. Look, Pat, I think the world of Pat, I think he's a fabulous leader. He's a leader who leads from the front. He's a rallying point for anybody. He has bring great vision and great energy to the job. I think he's a terrific guy. And I think VMware is going great. So, you know, I'd say that this whole cloud thing in the enterprise, you know, it hasn't really started yet. Yeah, I agree. You know, people are still doing more serve of it. And that's fine. It's just a process we've got to take people through. And I think we all underestimated the rate at which that would happen. Yeah. And SSDs kind of helped keep things on-prem because you can do stuff with Flash now, that's cooler. Yeah. But I think also that the VMware acquisition in Nassir is very important because, you know, there's a big public cloud out there and Nassir is going to be big in that. Okay, so you're part of the Clouderati, which I think I'm a member of. I don't think I've yet qualified. Sam Jay, if you're out there watching, I think you admin that. Get me on the Clouderati so I can get on there. But to the Clouderati, you obviously are very active. I watch the conversations. OpenStack. Yes. VMware announced they're going to join OpenStack. Nassir, I know, was very much involved in that. So I think they're back-during in through Nassir from what some of my sources tell me. But OpenStack was kind of this land grab. Everyone's jumping in kind of like a big orgy of tech companies trying to put a stake in the ground for cloud. It seems to be changing. What's your take on OpenStack? Just before we get there, I think the big message from VMware starting today is this. Look, they've embraced stuff bigger than VMware, generally, right? They're going to manage infrastructure other than just VMware ESX environments. They're going to manage Hyper-V and Xen and everything else, right? So it's basically VMware saying, hey, we're it. Now we can do all this other stuff too. And part of that is also reaching to other forms of cloud. That is, it's a recognition that there'll be other cloud infrastructures out there. Which I think is- Or multi-cloud as they say. Yeah, multi-cloud. But that's their marketing. Right, and that's fine. So this is VMware growing up, growing up to the point where they say, look, we're kind of it in the enterprise, which is absolutely true. And now we can set our sights on bigger worlds. So thinking bigger, not just myopic VMware centric. And so I think that's natural, that's what you'd expect from them. OpenStack, come along fine. I think the business model for the OpenStack players remains somewhat murky. But nonetheless, it's an extremely strategic piece of software for the entire industry because it can move everybody forward very, very fast. I think- You were involved in a lot of that with Xen. I mean, you were the hypervisor. You were powering Amazon, so you know that game. Yes, but I think it's very important to not ever say OpenStack gets everybody to parity with Amazon. You don't get there, right? For the Amazon, you get 25 plus services. With OpenStack, you're going to get the equivalent of EC2, EBS, and NS3. Okay, great. And maybe a bit more. In other words, you're going to get VMs as a service. You're not going to get DynamoDB and all that stuff. It's a developer kit. It's a developer kit, in a way. It's an open source VMs as a service kit. And that's fine. And that's what they want. That's what they want. Yeah, I think it's a good strategy. I think it's a good strategy. That's TableStack, so it's all good. And I think the OpenStack community is running well. The, you know, there's a new board and it has a lot of energy behind it, so it's all great. All right, we're here with Simon Crosby, legend in the industry. Great guy, always great to chat with him. He goes back to Xen, Citrix, now back on his feet as an entrepreneur, getting his hands dirty, building the company. Leading a set of troops. Final question before we go to break and go to some news from Chris and Nicole is what's your goals for the year? Obviously you've got a product announcement. Just take us through the Simon, you know, 20-mile stare out over the next year. So whenever you do the software at an enterprise, they don't consume it on day one and then suddenly it's all in large volume deployments, right? So when you do at large enterprises, the complexity of their environments is staggering. And so job one is to make sure that what you do works with the way that they work. One of the cool things you've managed to do at Bromium is this, no new management console, no new IT skillset required, just works with what you have. And that was a key requirement. We didn't want to injure you small management stuff. But it's, you know, the process is a process of just working with customers. So we set ourselves a goal of, you know, work with 20 customers this year and get them to be delighted. And then we'll go, then we'll figure it out. And build from there. Okay, Simon Crosby, always great to have you. This is theCUBE. I'm John Furrier with SiliconANGLE.com. Go to SiliconANGLE.com. You'll find that's the reference point for tech innovation. We do some news, but we go deep. We try to go deep on the tech trends. The next big thing we believe is data infrastructure. We're going to break that down and build on that theme. Where data is at the center of the value proposition. Obviously, Cloud Mobile and Social will continue to cover the cloud. And we'll see some new security stuff. Congratulations and look out for Bromium next couple of weeks, big product announcement. Simon Crosby here on theCUBE. We'll be right back after this break with some news from Kristin Nicole. Thanks John.