From Las Vegas, it's theCUBE. Covering VMworld 2018. Brought to you by VMware and its ecosystem partners. Hey, welcome back everyone. We are live here in the broadcast booths presented by theCUBE. I'm John Furrier, co-host with Dave Vellante. VMworld 2018, day three of three days of wall-to-wall coverage. Our ninth year covering VMworld and the VMware ecosystem. It's great to have on theCUBE Tom Corn who's the senior vice president general manager of the security products from VMware. Welcome to theCUBE, good to see you. Thank you. We were just bantering before we came on that you are part of building AppDefense, a one-year-old product. Yes, yeah. So you're in the nerd nation, if you will. Yes. And VMware. I say that with all due respect. I take it. I had to stand for it since the football opening day is Friday, so it would be tailgating at Stanford. But, you know, Palo Alto, VMware. Tons of technology in VMware. We covered the RADIO event which was first opened to the press this year. We were there. Security number one, Pat Gelsinger said on theCUBE so many times, even four years ago, he said security's a do-over. But it's more than a do-over. It's central to how the cloud and on-premises are working. Hybrid cloud validated by Andy Jassy this week with RDS on VMware, on-premises. Pretty major industry milestone there. You're in the middle of the security leading the team. What's the update for VMware? Still pumping on all cylinders? I think this is actually we're making some of the biggest strides forward in security right now. I think there is such a huge opportunity to not make the mistakes we made in the past and start with a clean slate. Do security the way it really ultimately makes sense. At the end of the day, we're really not trying to protect servers or networks or we're trying to protect data and applications.
And being able to see things through, look at the infrastructure through the lens of the application, through the lens of the data and align security to that is a huge opportunity to fundamentally make cloud more secure than a traditional sort of physical environment. So I got a staff from Trend Micro just came by theCUBE today for a briefing. They said one in $6 are being spent outside the organization in buying other SaaS platforms. Cloud certainly, the shadow IT has caused that. Whether it's Dropbox, AWS instances, just stuff flying up there, opening up, potential vulnerabilities. Virtual networking is clearly a part of the architecture with virtual machines. So security is really under a lot of pressure and microsegmentation seems to be a hot topic. This is driving a lot of new value as the architecture shifts to hybrid cloud which essentially cloud operations. Infosec teams, NetOps are all working together now but it seems more confusing than ever. Can you clarify how companies are organizing around the cloud, hybrid cloud operating model in multi-cloud with security? Yeah, so first it's important to understand the central idea behind microsegmentation is to provide a mechanism to compartmentalize all the elements that compose an application, a regulatory scope so that if one thing falls, everything doesn't fall, right? The reality is a perimeter of a data center is so porous in so many dimensions that you cannot, your security strategy can't be predicated on anything inside my data center is just fundamentally secure. I think we live in a state of compromise, deal with it, right? And so the notion of compartmentalizing an application allows for a limited lateral movement of attacks. It also provides a policy boundary to say, I can place controls on the boundaries of an application and that boundary may not exist in the physical world but it does in the virtual world. The best analogy I came up with for this is imagine you had an entire company in a skyscraper.
All the employees were in that skyscraper. You could put guards in the front door of that building and the instructions for them, but who gets in and who gets out or what looks weird in the lobby? Pretty straightforward, okay? Now take the employees and spread them out into parts of floors of different buildings all over the city. Fill the building that you had with employees from lots of different companies. Now there's a bank, a TGI Fridays, a bowling alley, and an FBI. No, now tell those guards what looks weird in the lobby. Like now tell those guards who should get in. Now suddenly it's really confusing. And the ability to say I'll create a virtual skyscraper that'll put all the employees in one place, that's the idea behind microsegmentation. Tom, you talked about the cloud, the potential for the cloud to be more secure than the traditional environment. In June, John and I were at the Public Sector Summit and we heard the CIO of the CIA say, cloud on our worst day from a security standpoint is better than my client server. Because the first time I heard client server in about 10 years, but nonetheless. Yeah, that's the government. So my question for you is, in terms of, so his implication was it's already there. What has to be done to bring that level of security to that hybrid world? Yeah, so at first I would be careful with that statement. I think they're probably right for the average company, the way a cloud provider would secure the infrastructure on down, it's actually very solid. The application's your problem. The data that's running on it is your problem. And that's not quite the same thing. There's a different set of things about what can get access, how that's isolated for other things. So some of it. Let me make sure I understand that. So you're saying, okay, the infrastructure, check. Yeah. But that's not the story. What's above the operating system? My applications and how the data is flowing on that. 
And there's no good excuse that, well it was running on such and such, infrastructure as a service is not my problem. It's still the company's problem. Right, right. So a lot of the basic things of access control, alignment of controls, policy, those are still ultimately in the hands of the customer. Now I do agree that the opportunity is to make the simpler, less misalignment, less misconfigurations. Those are tremendous opportunities in the cloud. But there's some conventional wisdom in the industry that says, you know what, it's a fait accompli, you're going to get hacked. So it's all about how you respond. I'm inferring from you that, no, that's not the case, that you can actually protect the data if you take an application view. Yeah. Of course, response is important. Yeah, look, there's no perfect solution. I guess maybe the best way to think of security is a risk management exercise. You're going to spend whatever you're going to spend. The question is, are you spreading that like peanut butter on a bunch of stuff? Or are you investing your time, money, and capital in the things that will have the most material reduction in risk? There's a wonderful framework that Gartner came up with. I like that Neil MacDonald from Gartner came up with it, which is a, he calls it the cloud workload protection framework. He stack ranked all the things you could do to protect the workload in order of how much risk it gets rid of. The things at the bottom that the big risks, patching, segmentation, application control, protect the memory, encryption. Those are all things that have to do with reducing attack surface as opposed to finding the attack of the day. The stuff at the top, you know, antivirus running for a server inside the data center behind all these walls is marginal residual risk. So the focus of VMware in the security realm has been we can not only bake security in, so you're not adding boxes, you're not managing agents.
More importantly, we're in this unique position to understand what things were supposed to be. For example, the AppDefense product that we launched last year you had mentioned and that we have a bunch of new stuff here, we're leveraging the hypervisor itself to understand the intention of the applications you loaded on it and then use the hypervisor to say that's all it can do, nothing else. It flips the model completely from saying, I'm going to try to find bad things too. I'm going to really understand what good is supposed to be and that's all it's allowed. So you're narrowing the scope with policy basically. 100%. I mean, so this comes up with IoT. I heard a guy saying, you know, these light bulbs that are Wi-Fi enabled have full multi-process threads. We don't need it. It's a light bulb, these go on and off. So by bounding the apps, that's what you're saying. They're using virtualization mechanisms to do that. Exactly right. We've never used it for this before but the hypervisor kernel does a bunch of pretty amazing things. It can see what's running. It can see what you provisioned in the first place. It can do that without adding an agent. It can do that in a way that can't be turned off without a lot of overhead and it can do almost anything in response. So the central idea behind AppDefense was, let's use it. It'll tell you what all your VMs are for. Now you have an application view that says, here's the applications in your infrastructure divided into services, divided into machines. Here's what they're supposed to be. Tell us what you want to have happen if what's running doesn't match what you intended. That's it. Well, the technology is perfectly positioned for that and Pat was mentioning NSX. Well, I want to ask that in a second about NSX. I want to put you on the spot and ask the question that comes up all the time. Two factors in security that's hard to get your arms around.
One is patching, which you said, you got to patch stuff so you don't patch it, this whole surface area. Two, social engineering. Because you get human error, whether you're patched or not, did I configure the bounding proper? That's a human error. Patching, I call human error and social engineering. Those are two factors that are still prevalent in security. Your thoughts on that. No, look, you can't patch humans. So that is almost in a week and the only really thing that we can really advance there is to move increasingly to automation and do things that candidly are not, humans probably aren't the best at doing that. But you can't just automate old, unreliable processes. That just makes them faster. It doesn't necessarily make them better. And I think the key to a lot of this is again. Automating a bad process still makes it a bad process. It's just faster. It's more efficient. An efficiently bad process. Exactly, exactly right. So I think a lot of the automation and the ability to compartmentalize things and candidly a lot of the policies, whether it's for patching, et cetera. When thought of through the lens of an application as opposed to like what's our policy for patching the patient care system? How often is my patient care system unpatched? Is different than saying I've got thousands of machines and some of them are patched, some of them are not and how do I prioritize which ones I should get? It really does not only simplify things but align things to a business outcome which really goes back to a risk management decision of business. Ransomware is a great example to your point earlier. I think you said that off camera as well is that you don't want to attack the same treadmill of problems. So ransomware, one guy said that on theCUBE here at another event said, ransomware's easy. Just patch and back up and you're good. It sounds simple, doesn't it? It's surface area, patch it, back it up.
Now sometimes there's reasons why the patch that people just don't roll out the updates to an absolutely critical server on the trading floor. Sometimes they have challenges but interesting enough yesterday we were showing we had a live, we did a live attack on stage with Petra, with a live strain of ransomware throwing it in this machine. We showed why it worked and we were just using AppDefense to say, all right, let's assume you didn't patch it. AppDefense is going to make sure that application can't do anything you didn't intend it to do. The ransomware doesn't work and it's not because we understand what malware you had there. It's because the malware to work has to change. I'm thinking about security strategies in general for organizations. Given that credential theft is still such a huge problem, are there things that you can do with analytics because you may have visibility on certain parts from the infrastructure standpoint that you can do to maybe not stop credential theft, that's bad human behavior, but to identify some anomalous behavior. What's happening with analytics and what role, if any, does VMware play? Yeah, so again, if the central theme, I suppose, is summed up is we're trying to say, here's your applications and data, what is intended? On the network with NSX, on the compute stack with AppDefense, Workspace ONE is trying to address that from a user and a device perspective. And the questions one asks for what you're discussing is, is this who they say they are? Are they on the list of invites and are they on a trusted device? And those were traditionally siloed decisions separately. And what we're saying is, it's about answering those things in concert that allow to spot the stuff that doesn't make sense. It's the ability to answer them in concert that allows you to make that less intrusive into the daily activity of the users.
So the work that's happening on Workspace ONE Intelligence to do analytics, looking at the device and how the device is behaving, the user and how the user is, what indication, what risk do we see? This may not be the person or the risk that they're working from a device I might not trust, even if I trust who it is. Either of those might tip me off to say, you know what, I might want to limit what they have access to or this is the place I need to look at first. Again, I think that starts to clarify and put things in context. We were talking off camera about the InfoSec team and the IT team and often they're in silos and not talking to each other. What's the right regime in terms of what you see in the marketplace of best practice to approach this problem? Well, it sort of depends on the size of scope, but the InfoSec team, often led by the Chief Security Officer, often in most organizations I deal with own the Security Operations Center, security architecture and governance risk and compliance. They're mostly looking at setting overall policy and seeing when things are breaking down and reacting to it. But as you point out, there's a lot of security happening in the infrastructure teams, whether it's firewalling, segmentation, locking down the compute stack, even things like AV running by end user services teams. They're looking to set policy and things that are getting in the data path that are about locking things down and they need to collaborate. They need to, if to be effective, they have to each know the roles and operate from a single source of truth. And that's where it's breaking down. In fact, I would take it a step further. The other group that needs to be part of this conversation is the application team. And as we move to DevOps and the applications change very rapidly, it's going to be increasingly important that they collaborate and not ignore each other as silos. I want to ask you, I know we got one more question left, but I want to get it out there.
You mentioned adaptive segmentation is an extension of where microsegmentation is going. A lot of buzz here at VMworld on microsegmentation. What is adaptive segmentation? So it's really the next logical evolution, we've taken some of the technology we built with AppDefense that can figure out and map out the applications. Now that we have manifests that say what these things are for and we know the patient care system is actually all these machines and how they interact, it's basically saying, why don't we have the system program the microsegment and do it in an automated way? Now you have a microsegment that is automatically and perfectly aligned driven from the application itself. And the other beauty is the adaptive portion which says if the application changes, that's pushed down through Puppet or Chef or something is modified through patching to have the system be smart enough to see that's an update and then automatically change the actual segment and lock the network and compute down. That's what we're doing there. It's a- What's the impact on the customer? And what's the impact of that? It's simpler, they'll much faster time to actually go in. It's simpler and it's a much more accurate representation of the application. You lock things down both from lateral and direct attacks. So it's a big deal. Okay, final, final question. I always like to get the final question in here. Tom, tell us about a prediction for 2019. Next year at VMworld, we want to, what are we going to be talking about? What are going to be the security issues on the table? More of the same rinse and repeat issues. What is your prediction for 2019 and security? Well, you know what? I think security is going to get more complicated before it gets simpler. I think we're on the right path but there are so many moving parts. I think one thing, I think you're going to start to see people increasingly open to security being delivered as SaaS.
Because there's too many benefits of machine learning across populations of users. I think we're going to start to see security models that are, to fool one of us, you got to fool all of us. I think those are the kind of things that are going to be the needle mover. Sounds like great service. Security as a service. theCUBE is a service bringing us three days of wall-to-wall coverage. We'll be back with more on day three coverage. I'm John Furrier, Dave Vellante. Stay with us for more after this short break.