We're going on one with Chris and then he's going to come up, Edward's going to do a panel with Chris and they're going to get down and dirty in this queue but we wanted to kind of up level it, keep a high level overview because we're talking about some security. So I'm John Furrier with siliconangle.com and I'm here with my co-host. I am Dave Vellante of wikibon.org and Chris Hoff is our guest and we're going to talk. Welcome to theCUBE. Yeah, industry, networking, the whole thing. So Chris holds no punches, he can pull any punch with anybody. So we don't want to make a cage match, but we want you to address and help us understand the security around cloud and in particular VMware. Steve Herrod was just up. We asked all the, every single VMware executive about security and they give great answers. So we want to kind of unpack that a little bit with you. So first question is, you got to have security. What's VMware doing? Take us through some history of VMware security and where we are, where they are today. Yeah, so I think we've seen the evolution of VMware's security strategy over time. Three or four years ago, the guys from Determina and Blue Lane, well Determina specifically, came on board and introduced the concept to the world of exposing security capabilities outside the hypervisor to an ecosystem of security partners. Didn't really have much in the way of security technology themselves at the time. And that sounded like a great idea, right? It was kind of in genesis, it plodded along and then ultimately kind of fell over. Implementation issues as VMware themselves were growing and maturing, the technology was improving, it became an interesting challenge to battle kind of core competency versus security. Over time, that's through acquisition as well as in the Blue Lane acquisition, that team and the folks that head up now networking and security. 
We've seen the kind of full blown effort towards both monetizing and more specifically dealing with one of the chief complaints and blocking items that folks have in implementing heavily virtualized infrastructure in cloud, which is what are you doing in security? But actually more specifically, what are you doing to help me be compliant? And they're really two separate issues, right? So in many cases, you'll have discussions as both the partner and customer of VMware, and a lot of what the vShield product line is becoming is less about security, more about compliance, but more specifically architecturally, if you look at vCloud Director, vShield Edge is the perimeterized demarcation point for multi-tenancy in their cloud. So one of the challenges in enabling the ecosystem is how you balance their need, want, desire to monetize as well as solve that problem and then how we integrate 20 plus years of best of great security technology. So that's actually, I think, really astute and I'm no expert in this field, but the fact that you're saying that essentially, and one of our guys and I were talking about this the other day, he said the same thing, that essentially it's the emphasis on compliance, but making a McAfee better doesn't solve the problem, does it? No, and I mean, this is in a friendly way, and I love my VMware brethren, but in many cases the partner ecosystem is in co-opetition here, right? We have a series of products that, as companies are starting to evolve, taking their hardware-based appliances and software-based appliances and virtualizing them and making them scale and designing around architectures, the simple fact is that so is VMware. 
And so fundamentally, when you look at this kind of collision course of trying to sort out who does what, why and better, if you're a customer, at the end of the day, if I have my virtual firewall product from company A, and VMware has theirs, and they do the same thing, then it comes down to an issue of cost and support and efficacy, whether your network guys are involved, whether the security guys are involved in the decision of who purchases what, who operationalizes it, it's messy. It seems simple in an all-VMware stack; when you're dealing with multi-vendor, large segmented organizations, it's a pain in the... Mainly because, you and I were talking earlier, security shouldn't be a co-engineering, co-development initiative, right? I mean, ultimately you want to get to a state where there's standards or an approach where a company doesn't have to engineer a solution. I mean, where are they at? Is that still staged now or is it still in that phase? No, I mean, I think quite frankly, if you look at what they're developing and what they've delivered in the latest version of vShield, they can legitimately stand up and say, we have a set of security solutions that delivers in many cases good enough sets of security functionality, and they've engineered that very well, and they, from the ecosystem enablement perspective, certainly do have ways that partners can integrate, but they've changed over time, right? We hear messages of which direction we should go. In terms of, do you use VMsafe APIs? Do you develop and build around new and emerging point offerings within their product line? Quite frankly, it's difficult, but understandable, to be in a position of VMware needs to be able to stand alone and say that they operate together. They got to get their act together. I mean, they got to get their act together, but they can't be sending mixed signals to the ecosystem that they're trying to build. Well, and their customers, quite frankly, right? 
I mean, if you go into large enterprise organizations who are heavily virtualizing and also trying to essentially make their way to cloud computing, public or private, what ultimately you want is for the customer to be able to make the best choice based on their requirements over time as possible, and right now that's a confusing proposition. It's not, I'm not casting stones at VMware. I mean, if I was in the position, I'd probably do the same thing. What I would do, however, is understand and listen to how customers and how partners are reacting to a lot of these announcements as they relate to actually operationalizing some of these solutions. It's really hard. So that is actually an interesting discussion that we just had about how the ecosystem works together. I wonder, Chris, if you could address the fundamental architecture. Why is security in the cloud so difficult? So really it comes down to scale, quite frankly. In many cases, historically, security by design does not scale. We kind of expect a meat cloud to be in the middle, some sort of guy or set of people operating the security consoles. The traditional physical appliance with one gozinta cable, one gozouta cable. I know where those devices are. I know where the outside and the inside is. Completely turned inside out, right? With virtualization and cloud. And so the problem is a lot of what you have to do in order to essentially gain visibility and transparency and the ability to effect compensating controls in cloud is to distribute and build scale-out architecture from a security perspective the same way you do your workloads. And that, you kind of, it's a squeezing the balloon problem. You go from very, very good state-of-the-art, understandable, ASIC-assisted kind of predictable performance to I've got a bunch of software. I may have gone from 10 firewalls, now I've got 10,000 because I've moved from the network to the host, right? Or the guest, or the application stack layer. 
Or better yet, it's been pushed up to my PaaS or SaaS provider. So fundamentally, it's an issue of understanding how we deal with multi-tenancy beyond just business constituents in your own enterprise, and management and scale. Those three things are incredibly difficult. So Chris Hoff here is with Juniper Networks, formerly with Cisco Systems. His Twitter handle is @Beaker and we know each other over the years. Tell us what's new at Juniper and your role there. Share with the audience what's going on in your life right now. Yeah, so I'm the Chief Security Architect for our enterprise business at Juniper. We've got a bunch of very interesting stuff that we have been working on for quite some time as well as some new emerging things. So I actually have a talk coming up today which is focused on making people aware that a good majority of our security capabilities are actually already virtualized. So besides our vGW, virtual gateway from the Altor acquisition, which is a virtual firewall, we have things like virtual UAC, admission control, we have virtual SSL appliances, we have a whole suite of virtual products that then tie into our new networking architecture of QFabric, which is kind of an interesting fundamental shift in the way in which people design networks, which is especially well attuned to this need for flat any-to-any connectivity on virtualized and cloud networks. So a lot of great stuff focused on security, next generation networking, and really good stuff. What's impressive about Juniper is I've been close to, and they were a client of mine for a while in the past, they have a technical founder who's still around. Yeah, he's awesome. And he's really smart. I've interviewed him a few times. Pre-Q, I've done some sit-downs with him on a podcast. Pradeep. Pradeep, Pradeep. Pradeep, Pradeep. Yes, Pradeep. That's the last name. Anyway, so he's actively involved and he's for the mobile trend coming. He's for the flattening of the network. 
Junos was a bit of a, but that's evolved. Well, yeah, I think, you know, it's a long-term project, right? When you think about fundamentally developing applications on top of a platform, the first thing that comes to mind is usually not a switch or a router. So it's a fundamental kind of departure point. And I think for any company that's looking to really turn your platform into a service delivery mechanism, whether it's in the enterprise or a service provider environment, yeah, it's going to take a while, right? So the bumps along the road ultimately get sorted when you look at being able to fail fast, look at where our core competency is and then start adding value. And I think the timing is really interesting now with Cloud and heavily virtualized networks. You're dealing with the need to deliver service in an incredibly flexible way. So hopefully, you know, look forward to it. Steve Herrod in his keynote, and I didn't go back and check the tape. So I'm going by memory, but I believe he said that security in VMware is better. I think that's what he said. Better than what? Better than non-virtualized environments. Oh, okay. And on theCUBE today, he said ultimately, it's going to be better. I think that, and I've talked to my good friend, Mike Versace, out in the audience about this a lot. I don't think many of us believe that today it's where it needs to be, but ultimately can cloud security be better and why? Yeah, you know, this is one of those funny, that's why I answered your question, better than what, right? In generalized state, if we have to look at the delivery model, the deployment model, what do we mean by cloud? It gets someone who's really boring. Are you talking about software as a service, platform infrastructure? 
I think ultimately what virtualization and cloud does is really drive our attention and our focus back on protecting things that matter most, which is information, data, which is why if you see the value of the things being added to vShield and other people's products, it's focusing on protecting information. Yeah, most important first. Yeah. Get the most important things right first. Yeah, and so really if you look at virtualization, what it's been doing over time is kind of collapsing the diameter of these perimeters we build. So everything's kind of a bunch of micro-perimeters. We can do awesome stuff with VMs, awesome stuff at the PaaS and SaaS level because we ultimately have more control over those environments. But it's dependent upon, clearly, still how you operationalize and what you do. So everybody talks about the software mainframe, right? And you're younger than I am. So guys who are older remember mainframe security. I remember mainframes, I just shuddered, yeah, sure. So fundamentally what they did is they said, if I recall correctly, was a security event is a number one priority. Boom, it's treated that way architecturally. Is that the way that you guys think about it, that the industry is thinking about it today? Well, you know, I think it's interesting. If we go back and look at the history of modern x86 virtualization, one of the reasons that it came to the forefront of people's purchasing and investment initiatives is that we had, from a process and resource utilization perspective, terrible utilization of most of the resources in our corporate enterprises. The second thing is that we really had trouble when we moved from mainframes with mandatory access control to multi-user systems with discretionary access control with horrible kernel and user space isolation and poor process control. 
So what virtualization did was essentially squeeze the balloon to make that problem more manageable by isolating the things that cause us pain in bubbles that you could ultimately control better. Which, when you look at old mainframe virtualization and LPARs and the way we used to separate resources, you know, either physically or logically, it's a variation on a theme, right? So, you know, when we look at, it's funny, when you say how do we look at virtualization and security, it depends on, again, the types of information, the types of data you're trafficking, what you do, what you care about, some, you know, with your inside, outside. This is why these models and the mappings to my delivery and deployment models become so critical. Right, okay, but I mean, good enough is not good enough. Well, no, it could be. Well, for some people it is. Some stuff, but I mean, but that's the high watermark, that it's not good enough. Well, so we'll go back to what we said before, there's a difference between security and compliance. Compliance is, what do I need to do at the minimum to satisfy some ape with a pen, checking off a bunch of boxes? We don't actually get paid in security to be secure. We get paid to be compliant. If you can happen to milk enough additional budget out of compliance, because there's a new threat and a new vulnerability, so you can basically satisfy compliance but invest in new architectures, that's awesome, right? But that's generally a byproduct. That's hard to do. It's hard to do, it's horrible. It's a horrible business, right? I was a CISO of a $27 billion financial services company and it was absolutely painful to try to do the right thing, right? And so these platforms, when you ask, is security going to get better? 
In many cases, one of the things that virtualization does and cloud does, is it kind of enables me to think about security as a service and think differently about how I spend my security dollar, which I think will ultimately lead to better security. But it's not necessarily a technology decision. But the pain when you were in your practitioner role was, are you suggesting lack of funding? Oh, well, certainly. Essentially, that was the gate. Well, that's one of the biggest ones. I mean, there's only so many firewalls you can buy with no dollars. That's true, it's a security change. Oh, there's open source. Chris Hoff, expert in security, chief security architect at now Juniper Networks, I'm bullish on Juniper. They're smaller than Cisco, nipping at the heels of Cisco. We love disruptors. Yeah, disruptors. Now you're on the other side of the fence, Chris Hoff, very active on Twitter. From the whale to the barracuda. I like that analogy. Follow him on Twitter at @Beaker. So don't follow me on Twitter. That would be a terrible idea. Tsunami. Okay, stay up. Chris Gustave, we're gonna get Edward up here. Be creative. Thanks a lot.