Welcome back everyone, theCUBE's live coverage here. Day two, two sets, three days of CUBE coverage here. VMware Explore, this is our 12th year covering VMware's annual conference, formerly called VMworld. I'm John Furrier with Dave Vellante. We love seeing the progress and we've got great security. I'm Tom Gillis, Senior Vice President, General Manager, Networking and Advanced Security Business Group at VMware. Great to see you, thanks for coming on. Thanks for having me. Yeah, really happy we could have you on. You know, I think this is my sixth edition on theCUBE, it's like, do I get frequent flyer points or something? Yeah, yeah, you get them both. First you get the VIP badge, but we'll make that happen. You can start getting credits. Okay, there we go. Yeah. We won't interrupt you. No. Yeah. Seriously, you've got a great story in security here. The security story is kind of embedded everywhere. So it's not called out and blown up and talked about specifically on stage. It's kind of in all the narratives at VMworld for this year. But you guys have an amazing security story. So let's just step back and set context. Tell us the security story for what's going on here at VMware and what that means to this super cloud, multi-cloud and ongoing innovation with VMware. Yeah, sure thing. So probably the first thing I'll point out is that security's not just built in at VMware. It's built differently, right? So we're not just taking existing security controls and cutting and pasting them into our software, but we can do things because of our platform, because of the virtualization layer, that you really can't do with other security tools. And where we're very, very focused is what we call lateral security or east-west movement of an attacker. Because frankly, that's the name of the game these days, right? Attackers, you've got to assume that they're already in your network. Okay, already assume that they're there.
Then how do we make it hard for them to get to the stuff that you really want, which is the data that they're going after, right? And that's where we really should. All right, so we've been talking a lot coming into VMworld, VMware Explore, and here at the event about two things. Security as a state. I'm secure right now. Or I think I'm secure right now, even though someone might be in my network or in my environment, to the notion of being defensible. Meaning I have to defend and be ready at a moment's notice to attack, fight, push back, red team, whatever you want to call it, but something's happening, I've got to be able to defend. So what you're talking about is the principle of zero trust. So when I first started doing security, the model was we have a perimeter and everything on one side of the perimeter is dirty, ugly old internet and everything on this side, known, good, trusted, what could possibly go wrong? And I think we've seen that no matter how good you make that perimeter, bad guys find a way in. So zero trust says, you know what? Let's just assume they're already in. Let's assume they're there. How do we make it hard for them to move around within the infrastructure and get to the really valuable assets? Because for example, if they bust into your laptop, you click on a link and they get code running on your machine. They might find some interesting things on your machine, but they're not gonna find 250 million credit cards or the script of a new movie or the super secret aircraft plans, right? That lives in a database somewhere. And so it's that movement from your laptop to that database. That's where the damage is done. And that's where VMware shines. So if they don't have the right to get to that database, they're not in. And it's not even just the right. So they're so clever and so sneaky that they'll steal a credential off your machine, go to another machine, steal a credential off of that.
So it's like they have the key to unlock each one of these doors. And we've gotten good enough where we can look at that lateral movement, even though it has a credential and a key, and we're like, wait a minute, that's not a real sysadmin making a change. That's ransomware, right? And that's where we- And you have to earn your way in. That's right, that's right, yeah. And there's all kinds of configuration errors, but also just user problems. I've heard one story where there are so many usernames and passwords and systems that the bad guys scour the dark web for passwords that have been exposed and go test them against different accounts. Oh, one hit over here. And people don't change their passwords all the time. Correct, correct. That's a known vector. We just, the idea that users are going to be perfect and never make a mistake, like how long have we been doing this? Like humans are the weakest link, right? So people are going to make mistakes, attackers are going to be in. Here's another way of thinking about it. Remember log4j? Remember that whole fiasco? Remember that was at Christmas time. That was nine months ago. And whoever came up with that vulnerability, they basically had a skeleton key that could access every network on the planet. I don't know of a single customer that said, oh yeah, I wasn't impacted by log4j. So here's some organized entity that had access to every network on the planet. What was the big breach? What was that movie script that got stolen? There wasn't one, right? We haven't heard anything. So the point is the goal of attackers is to get in and stay in. Imagine someone breaks into your house, steals your laptop and runs, that's a breach. Imagine someone breaks into your house and stays for nine months. It's untenable in the real world, right? They're hiding in the closet. They're still in there watching everything. They're hiding in your closet exactly. Moving around, nibbling on your cookies. You know what I mean?
Drinking your beer, yeah. So let's talk about how this translates into the new reality of cloud native. Because now, you hear about automated pen testing as a new hot thing right now. You've got antivirus on data. It's hot within APIs, for instance, API security. So all kinds of new hot areas. Cloud native is very iterative. You can't do a pen test every week. You've got to do it every second. So this is where it's going. It's not so much simulation. It's actually real testing. How do you view that? How does that fit into this? Because that seems like a good direction to me. Yeah, it fits right in, and you were talking to my buddy Ajay earlier about what VMware can do to help our customers build cloud native applications with Tanzu. My team is focused on how do we secure those applications? So where VMware wants to be the best in the world is securing these applications from within. Looking at the individual piece parts and how they talk to each other and figuring out, wait a minute, that should never happen, by almost having an x-ray machine on the innards of the application. So we do it both for VMs and for container-based applications. So traditional apps are VM-based. Modern apps are container-based. And we have a slightly different insertion mechanism, but it's the same idea. So for VMs, we do it with the hypervisor, NSX. We see all the inner workings. In a container world, we have this thing called a service mesh that lets us look at each little snippet of code and how they talk to each other. Once you can see that stuff, then you can actually apply, it's almost like common sense logic. I'll be like, wait a minute, this API is giving back credit card numbers and it gives five an hour. All of a sudden it's now asking for 20,000 or a million credit cards, that doesn't make any sense. That normally sticks out like a sore thumb if you can see it.
And VMware, our unique focus in the infrastructure is that we can see each one of these little transactions and understand the conversation. That's what makes us so good at that east-west or lateral security. You don't belong in this room, get out. Or that's some weird call from an in-memory database to something over here. Yeah, exactly. Other security solutions won't even see that, right? It's not that their algorithms aren't as good as ours, or better or worse. It's the access to the data. We see the inner plumbing of the app and therefore we can protect the app from something. And there's another dimension that I want to get on the table here, because to my knowledge, only AWS, Google, I believe Microsoft and Alibaba, and VMware have this. It's Nitro, the equivalent of a Nitro, Project Monterey. That's unique. It's the future of computing architectures. Everybody needs a Nitro, I've written about this. So explain your version, it's now real. It's now in the market, or soon will be. What are the salient aspects? Yeah, here's our mission at VMware: we want to make every one of our enterprise customers, we want their private cloud to be as nimble, as agile, as efficient as the public cloud. And secure. And secure. In fact, I'll argue we can make it actually more secure because we're thinking about putting security everywhere in this infrastructure, right? Not just on the edges of it. So okay, how do we go on that journey? As you pointed out, the public cloud providers realized five years ago that the right way to build computers was not just a CPU and a GPU, graphics processing unit, but there's this third thing that the industry is calling a DPU, data processing unit. And so there's kind of three pieces of a computer. And the DPU is sometimes called a SmartNIC. It's the network interface card. It does all that network handling and analytics and it takes it off the CPU.
So they've been building and deploying those systems themselves, that's what Nitro is. And so we have been working with the major silicon vendors to bring that architecture to everybody. So with vSphere 8, we have the ability to take the network processing, that east-west inspection that I talked about, take it off of the CPU and put it into this dedicated processing element called the DPU and free up the CPU to run the applications that Ajay and team are building. So no performance degradation at all. Correct. To CPU off of it. Even the opposite, right? I mean, you're running at basically bare metal speeds. Yes, yes, and yes. And you're also isolating the storage, right? From the security, the management. There's an isolation angle to this, which is that firewall that we're putting everywhere. Not just at the perimeter, but we put it in each little piece of the server. When it runs on one of these DPUs, it's a different memory space. So even if an attacker gets to root in the OS, it's very, very, never say never, but it's very difficult. So who has access to that resource? It's pretty much just the infrastructure layer, the cloud provider. So it's on Google, Microsoft, you know, and the enterprise. The application can't get in. Can't get in there. Because you have to literally bridge from one memory space to another. Never say never, but it would be very, very difficult. But it hasn't earned the trust to get in. It's more than Bob Weyer, it's multiple walls. Yes, it's like an air gap. It puts an air gap in the server itself so that if the server is compromised, it's not going to get into the network. Really powerful. What's the big thing that you're seeing with this super cloud transition we're seeing? You know, multi-cloud and this new, not just SaaS hosted on the cloud.
You're seeing a much different dynamic of combination of large-scale CapEx cloud native, and then now cloud native is on-premises and edge, kind of changing what a cloud looks like if the cloud's on a cloud. So I'm a customer, I'm building on a cloud, and I have on-premise stuff. So I'm getting scale, CapEx relief from the hyperscalers. I think there's an important nuance of what you're talking about, which is in the early days of the cloud, customers, remember that first skepticism, oh, it'll never work. Oh, that's consumer grade. Oh, that's not really going to work. I don't know if some people realize. It's not secure. Yeah, it's not secure. That one's like, no, no, no. It's secure, it works, and it's good. So then there was this sort of over-rush, like let's put everything on the cloud. I had a lot of customers that took VM-based applications and said I'm going to move those onto the cloud. You've got to take them all apart, put them on the cloud, and put them all back together again. And little tiny details, like changing an IP address, it's actually much harder than it looks. So my argument is for existing workloads, for VM-based workloads, we are VMware. We're so good at running VM-based workloads, and now we run them on anybody's cloud. So whether it's your East Coast data center, your West Coast data center, Amazon, Google, Microsoft, Alibaba, IBM, keep going, right? We're on pretty much every... And the benefit to the customer is what? You can literally vMotion and just pick it up and move it from private to public, public to private, private to public, public, back and forth. Remember when we called vMotion BS years ago? Yeah, yeah, yeah, yeah. We were really... vMotion's powerful. We were very skeptical, we're like, that'll never happen. I mean, we were. I mean, we're supposed to pat ourselves on the back. Well, because it's alchemy. It seems like, wait, you can't possibly do that, right? And so, and now we do it across clouds, right?
So we can, you know, it's not quite vMotion, but it's the same idea. You can just move these things over. I have one customer that had a production data center in Ukraine. Things got super tense, super fast, and they had to go from their private cloud data center in Ukraine to a public cloud data center out of harm's way. They did it over a weekend, 48 hours. If you've ever migrated a data center, that's usually six months, right? And a lot of hardware and a lot of angst. Boom, they just drag and drop and moved it on over. That's the power of what we call the cloud operating model. And you can only do this when all your infrastructure is defined in software. If you're relying on hardware load balancers, hardware firewalls, you can't move those. They're like a boat anchor, you're stuck with them. And by the way, they're really, really expensive. And by the way, they eat a lot of power, right? So that was an architecture from the 90s. In the cloud operating model, your data center, and this goes back to what you were talking about, is just racks and racks of x86 with these magic DPUs or SmartNICs to make any individual node go blisteringly fast and do all the functions that you used to do in network appliances. We just had Ajay taking us to school and everyone else to school on applications, middleware, abstraction layer. And Kit Colbert was also talking about this across cloud. We're talking about super cloud, super PaaS. If this continues to happen, which we would think it will happen, what does the security posture look like? It feels to me, and again, this is your wheelhouse, if super cloud happens with this kind of PaaS layer, with this vMotion going on, all kinds of spanning applications and data across environments, assume there's an operating system working behind the scenes. What's the security posture in all this?
Yeah, so remember my narrative about, like, the bad guys are getting in and they're moving around and they're so sneaky that they're using legitimate pathways. The only way to stop that stuff is you've got to understand it at what we call layer seven, at the application layer. Trying to do security at the infrastructure layer, it was interesting 20 years ago, kind of less interesting 10 years ago, and now it's becoming irrelevant because the infrastructure is oftentimes not even visible, right? It's buried in some cloud provider. So layer seven understanding, application awareness, understanding the APIs and reading the content, that's the name of the game in security. That's what we've been focused on, right? Nothing to do with the infrastructure. And where's the progress bar on that paradigm? Early? One to 10, 10 being everyone's doing it. Right now, well, okay, so we as a vendor can do this today. All the stuff I talked about, reading APIs, understanding the individual services, looking at, hey, wait a minute, these credit card anomalies, that's all shipping production code. Where is it in the customer adoption lifecycle? Early days, 10%. So there's a whole lot of headroom here for people to understand, hey, I can put these controls in place. They're software-based. They don't require appliances. It's layer seven, so it has contextual awareness and it works on every single cloud. You know, we talked about the pandemic being an accelerator. It really was like a catalyst to really rethink, remember we used to talk about Pat, is security a do-over? He's like, yes, if it's the last thing I'm doing, I'm going to fix security. Well, you decided to go try to fix Intel instead. And he's getting help from the government, too. But it seems like, you know, CISOs have totally rethought, you know, their security strategy, and at least in part as a function of the pandemic.
When I started at VMware four years ago, Pat sat me down in his office and he said to me what he said to you, which is, he's like, Tom, he said, I feel like we have fundamentally changed servers. We've fundamentally changed storage. We've fundamentally changed networking. The last piece of the puzzle is security. I want you to go fundamentally change it. And I'll argue that the work that we're doing with this horizontal security, understanding the lateral movement, east-west inspection, it fundamentally changes how security works. It's got nothing to do with firewalls. It's got nothing to do with endpoint. It's a unique capability that VMware is uniquely suited to deliver on. So Pat, thanks for the mission. We delivered it, and it's available now. Well, I mean, those WAFs, like web application firewalls, for instance, are around. I mean, but to your point, the perimeter's gone. Exactly. And so you've got to get, there's no perimeter, so it's a surface area problem. Correct. And access and entry. Correct. They're entering here easily from some manual error or misconfiguration or bad password that shouldn't be there, they're in. Think about it this way. You put on the front door of your house, you put a big, strong door and a big lock, that's a firewall. Bad guys come in the window, right? And then- The window's open. There's a ladder right there. Oh my God, because it's hot. Bad user behavior trumps good security every time. And then they move around room to room. We're the room to room people. We see each little piece of the thing. Wait, wait, that shouldn't happen, right? I want to get you a question that we've been seeing and maybe we're early on this, or it might be just a false data point. A lot of CISOs, and we're talking to, and people in industry, in the customer environment, are looking at CISOs and CSOs, two roles. Chief Information Security Officer and then Chief Security Officer.
Amazon, actually, Stephen Schmidt is now a CSO, at re:Inforce they actually called that out. And the interesting point that he made, we had some other situations that verified this, is that physical security is now tied to online. To your point about the surface area, if I get a password, I've still got the keys to the physical goods too. So physical security, whether it's a warehouse for them, or store or retail, digital is coming in there. So is there a CISO anymore, is it just CSO? What's the role, or are there two roles, do you see that evolving, or is that just circumstance? I think it's just one, and I think that the stakes are incredibly high in security. Just look at the impact that these security attacks are having on companies, companies get taken down. Equifax, market cap was cut 80% with a security breach. So security's gone from being sort of a nuisance to being something that can impact your whole kind of business operation, and then there's a whole other domain where politics get involved. It determines the fate of nations. I know that sounds grand, but it's true. And so companies care so much about it. They're looking for one leader, one throat to choke, one person that's going to lead security in the virtual domain, in the physical domain, in the cyber domain, and in the actual business. Well, you mentioned that, but look at Ukraine. I mean, the cyber is a component of that war. I mean, it's very clear. I mean, that's new. We've never seen this. And in my opinion, the stuff that we see happening in Ukraine is small potatoes compared to what could happen, right? So the US, we have a policy of strategic deterrence where we develop some of the most sophisticated cyber weapons in the world.
We don't use them, and we hope never to use them, because our adversaries who could do stuff like, oh, I don't know, wipe out every bank account in North America, or turn off the lights in New York City, they know that if they were to do something like that, we could do something bad. I had this discussion with. This is the red line conversation. I want to go there. Well, I had this discussion with Robert Gates in 2016, and he said, we have a lot more to lose, which is really your point. So I agree that to have freedom and liberty, you've got to strike back with force, and that's been our way to balance things out. But with cyber, the red line, people are already in banks, so their adversaries are operating below the red line, before we know you're in there. So do we move the red line down, because hey, Sony got hacked, the movie, because they don't have their own militia. If there were physical troops on the shores of LA, breaking into the file cabinets, the government would have intervened. I agree with you that it creates tension for us in the US because our adversaries don't have the clear delineation between public and private sector. Here, you're very, very clear if you're working for the government or you work for a private entity. There's no ambiguity on that. So we have different missions in each department. Other countries will use the same cyber capabilities to steal intellectual property, a car design, as they would to penetrate a military network. And that creates a huge hazard for us in the US because we don't know how to respond. Is that a civil issue? Is that a military issue? And so it creates policy ambiguity. I still love the clarity of separation of sort of various branches of government, separation of government from- But if you're a multinational corporation, you then have to, your cyber is a defensible. You have to build the defenses. 100%.
And I will also say that even though there's a clear demarc between government and private sector, there's an awful lot of cooperation. So our CISO, Alex Tosheff, is actively involved in the whole intelligence community. He's on boards and standards and we're sharing, because we have a common objective. We're all working together to fight these bad guys. And that's one of the things I love about cyber is that even direct competitors, two big banks that are rivals on the street, are working together to share security information and try to keep these guys out. Is there enough collaboration, Tom, in the vendor community? I mean, we've seen efforts to try to- That's a good question. Sort of monetize private data, you know, and private reports and- You know, like, so at VMware, we, I'm very proud of the security capabilities we've built, but we also partner with people that I think of as direct competitors. We've got firewall vendors and endpoint vendors that we work with and integrate. And so, cooperation is something that exists. It's hard, you know, because when you have these kind of competing, you know, so could we do more? Of course, we probably could, but I do think we've done a fair amount of cooperation, data sharing, product integration, et cetera, you know, and, you know, as the threats get worse, you'll probably see us continue to do more. And the government's just going to, trying to force that too. And the government also drives standards. So let's talk about crypto, okay? So there's a new form of computing coming out called quantum. Processing, calling on quantum. Quantum computers have the potential to crack any crypto cipher we have today. That's bad, okay, right? That's not good at all. Because our whole system is built around these private communications. So the industry is having conversations about crypto agility. How can we put in place the ability to rapidly iterate the ciphers in encryption?
So when the day quantum becomes available, we can change them and stay ahead of these quantum computers. Didn't NIST just put out a quantum-proof algo that's being tested right now by the community? There's a lot of work around that, correct? And NIST is taking the lead on this. But, you know, Google's working on it, VMware's working on it. We're very, very active in how do we keep ahead of the attackers and the bad guys? Because this quantum thing is like, it's an x-ray machine. You know, it's like a dilithium crystal that can power a whole ship, right? It's a really, really, really powerful tool. Bad things will happen. Bad things could happen. Well, Tom, great to have you on theCUBE. Thanks for coming on. Take the last minute to just give a plug for what's going on for you here at VMworld this year. VMware Explore this year. Yeah, we announced a bunch of exciting things. We announced enhancements to our NSX family with our advanced load balancer, with our edge firewall, and they're all in service of one thing, which is helping our customers make their private cloud like the public cloud. So I have to say, zero, zero, zero. If you are in the cloud operating model, you have zero proprietary appliances. You have zero tickets to launch a workload. You have zero network taps and zero trust built into everything you do. And that's what we're working on and pushing that further and further. Tom Gillis, Senior Vice President, Head of Networking at VMware. Thanks for coming on. We appreciate it. Thanks for having me, guys. Always getting the security data. That's killer data, and security is one of the two ops that get the most conversations around DevOps and cloud native. This is theCUBE bringing you all the action here in San Francisco for VMware Explore 2022. I'm John Furrier with Dave Vellante. Thanks for watching.