Edward Haletky, and I can't hear myself. Hello, this is Edward Haletky and I'm from The Virtualization Practice. I'm here with Michael Berman and Christofer Hoff, and we can all wave, yes. And we're going to talk today about virtualization security. So this is a mini virtualization security podcast, with video this time. So we're all on video here.

So the question I have is, what's... I mean, I've seen a lot of new... actually, I haven't seen really much new on the show floor when it comes to virtualization security. There's a lot of stuff that's been going on the same way. It's been kind of progressing along in kind of nice, even steps of late. At least what I see on the show floor. Is there anything that you guys have seen that's different and new?

Mike just had an interesting deal happen with VMware. He should talk about that.

Yeah, we announced a vShield OEM agreement. So we're bringing vShield application controls inside our policy, orchestration and automation framework. So effectively vShield becomes another version of a firewall you can use. It becomes a particular type of, what I would call, a policy enforcement point for firewall applications.

Do you see a lot more integrations like this happening with other companies?

Well, this brings to three our integration orchestrations, in that we're doing the vShield App. We have a relationship with Sourcefire, and we have SAINT that we use for vulnerability and agentless configuration scanning.

So what's happening with Juniper in that area?

With who? Well, I could have asked you what's happened with Cisco. What's interesting about the question you asked about, it seems to be kind of stalled. It's interesting to me, I kind of noticed the same thing, right? We're really in this, I don't want to say holding pattern, but a lot of what we can and cannot do from an ecosystem perspective is again directly proportional to what the platform allows you to do.
So there's a certain point of control: if you own the platform, you own how people interoperate. That was exciting. Was that a nurse quick? That was exciting. What did you have for lunch?

So I think what we're seeing is, as vShield and that architecture, vShield Manager, vCloud Director, all of these kind of machinations around how we're going to do security in a VMware environment, kind of sort themselves out. We're dealing with roadmaps with vendors, especially larger vendors, that get plotted out 12 to 24 months at least in advance. And so being able to turn left on a dime when a platform provider says, oh, we're now going left instead of right, it's hard to bet around. Especially when you have multi-billion dollar lines of business that need to satisfy customer requirements. So a lot of this stall is kind of, okay, what are you doing? How are we playing in this?

I was just going to sort out... I mean, I think Mike's move was, frankly, Catbird, it was pretty smart, right? I mean, originally you saw an entire segment of the virtual firewalling market go one of two ways. Stay with enforcement, kind of, and the ability to enforce natively. That's Altor and now vGW on the Juniper side. Or trend more towards the compliance, management, monitoring, and bringing in, through their own sets of APIs and integrations, an ecosystem environment. Because it was just easier, right? You try to manage to the least amount of change that's occurring that will affect your roadmap. So I think that's where we are. And I think, again, when I saw the news that Catbird was doing that, frankly, I thought, given what they were doing, where they were, it was a smart move. And I think we're going to see people trying to build their own ecosystems. But if you're an 800-pound gorilla, that's one thing. If you're a small startup, it's quite another to get people to sign on to your version of the truth.

Absolutely. We are able to turn on that dime.
And basically, within a few months of an API existing, we've already... here at the show, we're demonstrating some of the integration already today. And that is something that Catbird can do, but it's much harder for a bigger-scale company to accomplish.

So are you also seeing a change in direction for virtual security, in such a way that there's more redundancy and availability built into the virtual security appliances that exist today? Because it seemed to be kind of monolithic.

Well, I mean, these are just natural, kind of, you know, we're emerging out of the adolescent stage of some of these virtual appliances, some of them in their fifth generation. So, you know what, you can't expect, you could not expect today to build a physical appliance, a physical security appliance, and go into an enterprise, a Fortune 500, and say, no, I have no high availability. For some reason, we all kind of did that in the virtual space because we just figured, oh, we'll just spin up another instance and, you know, we'll scale out. Well, not really, right? So what we're seeing is customers saying, I'm going to apply the same set of requirements to my virtual security suite as I do to the physical. And in fact, it's more than that. I want to manage them with the same policies. I don't care. I don't make a distinction between physical or virtual.

Right. There's also a difference in horizontal scale, right? When you go into the virtual, all applications have to have horizontal scale. So in our case, we can't think about managing two or three enforcement points. We have to think about managing two or three hundred, or two or three thousand, enforcement points. And to do that in a reasonable, scalable, efficient way. And, you know, high availability is just another variable in that equation. You truly have to manage, really, an ungodly number of enforcement points. You never conceived the scale of that many firewalls, even for a very large enterprise.
I was just answering a question from Dave about, you know, what's the biggest challenge? For me, in security with cloud and virtualization, it's scale, and that's management, right? I mean, I've subjected you two to my security hamster sine wave of pain multiple times, right? Absolutely. About how we trend and where we invest over time based on disruption, right? We post to the application, to the information, to the user and to the network. And we flip-flop over time, depending on the intersection of, you know, disruptive technology, Moore's law, Metcalfe's law, and, well, just plain, you know... News events. Yes. So this becomes Hoff's law. No, no, I just needed Hoff's law. I like the hamster sine wave of pain. It's better.

But the point is, right now, we're in a mode where the abstraction and the so-called coming down of the physical and virtual networks, to the point that they are kind of, you know, very flat, very featureless... The whole thing is very flat. Right. Almost means that you push many more of these controls and endpoints and policy enforcement points back into the guest and the host and up the stack. So you go from managing, like I said, maybe 10 perimeter physical firewalls, or 100, to then, you know, several dozen or a couple of hundred virtual firewalls, and then a couple of thousand, potentially, endpoints or more, right? Right. So it's a squeezing-the-balloon problem. Goes back to that Four Horsemen of the Virtualization Security Apocalypse talk I gave where, you know, I claim that, you know, virtualizing security will not cost you less. Ultimately, it will be a net zero or will cost you more because of the operational issues.

No, but see, this is where I'm finding disagreement with that excellent talk at the time. But where I'm seeing now is that the APIs are allowing me deployment and policy automation. So from a security operator point of view, I can take a lot of these things that were very complicated and not only make them easy, I can make them go away. Sure.
If I do my job right. If I'm using ipchains, sure. If I am trying to use Check Point, Juniper, Cisco, any of the kind of best-of-breed security products where you expect to be able to deploy and automate, that's not accurate. If you are embracing and able to take a control point that, I don't say this in a bad way, but is good enough, or... Well, no, this is the point, right? You actually said this in your last talk: is it good enough for regulations? This is a conversation I was just having about the whole best-of-breed horse race that everybody was in, in IT security. I'm going to buy the best firewall. I'm going to buy the best IDS/IPS. I'm going to buy the best vulnerability scanner. In fact, I'm going to rely on Gartner to tell me who's in the Magic Quadrant. I'm going to buy that, right? That's great. You now have the best whatever, but how do you make it all work together? How do you make sure you don't have holes in your perimeter? How do you make sure you don't have holes in your defense in depth? In fact, you have no way of knowing. And that was a completely broken model. And we can either repeat that model in the cloud, or we can decide, this is the building code. Anything I deploy has to have an API. The API has to look and smell and taste like this so that I can integrate. And whether you call that your framework that you worked on with the cloud second, the A6, right, CloudAudit, or a Security Content Automation Protocol, or it's some other beast, I don't care really. I just want one, and then I can start to automate and take the TCO and squeeze it down.

So let me clarify my point, right? Yeah, technically I don't disagree, but it takes a rather enlightened set of folks that are not afraid to essentially look at what cloud and virtualization bring to them and escape the notion that automation is their friend.
For most security people, automation is anathema, because what they are terribly afraid of is they commit through automation some rule set change which then disconnects me upstream from 6,000 firewalls, right? And so what we are dealing with is... I've only done that... I haven't done that. Yeah, me too. In fact, I flew to Hong Kong once because of it.

So I don't argue with you technically. What I argue with you is we are in that messy state I alluded to, where people are coming to terms and grips with the fact that, regardless of whether... It's not even a best-of-breed versus good-enough issue. It's the comfort in the maturity of the automation, the fact that you are now making a transition from CLI and GUI to API, and that's a wholesale shift for most guys that can't even spell XML, right? And REST is something they hope to achieve at the end of a workday. So I think we're on the same page. I think ultimately, though, when I take a snapshot of where we are now, I think my theorem is, for a large enterprise with a sunk-cost investment and a set of processes that have matured over a period of time, as they try to virtualize security, they will continue to depend on everything physical they have, unless it's a greenfield environment, and then they'll seek out new ways of doing things, but that's a new operational model. So you're kind of double-stacking sets of...

I agree with what you're saying, and that's been the evolution, but I'm meeting more and more people today who've realized that what I now call their legacy security doesn't work. And the more they virtualize, the more they realize it doesn't work. That whole areas of their network have gone dark, right? From a physical security point of view, they can't see the packets, they can't see the controls, they can't audit a darn thing.
And it's because these solutions, the 800-pound vendors, have been slow to make their stuff virtualization-aware, or even when they have made it virtualization-aware, it's for one element of their product line, but not the whole product line. And that creates a real opportunity for me and the guys like me to innovate ahead of them, maybe eventually be absorbed, but to innovate ahead of them for now and try to address this problem. My new tenet is, if you're virtualizing your data center, virtualize your security. It's just like an axiom.

I don't think that's a bad axiom. And in fact, if you look at exactly that gap you indicated, I mean, Juniper, the company I work for now, bought Altor to fill that void. They happen to have an exposed set of APIs that allow us, with things like Junos and Junos Space and Junosphere and the SDKs, to ultimately automate security. Are we as nimble and agile as a small startup? No. I think we're more so than larger companies. But at the same point in time, one of the fundamental things that we didn't really discuss, we kind of alluded to it, is much of the automation we're talking about is actually kind of network automation also, very topology-dependent, at least today. And what's interesting is that we see the emergence of protocols being invented to deal with the need to claw back and, kind of, extend the reach of the virtualized edge, right? Because ultimately what's happening, and what you see in the networking space, is networking vendors like Juniper, like Cisco, there's still that disconnect. There's still not the ability for a VM or an orchestration or provisioning engine to request and subscribe to an end-to-end set of quality-of-service, differentiated service paths, service insertion mechanisms, even through the end-to-end of their entire network. You know, you can do it up to the physical demarc, right? You've got tons of protocols and ways of extending that edge.
I mean, even legacy, and we call it legacy, but legacy protocols like MPLS, right? Right up to the point of that router. But then there's absolutely this giant sucking sound. People say we have existing protocols, we don't need new ones. You could weigh the pros and cons, but I think it goes to, you know, we've got two sets of teams dealing with this need for automation: the network side, and that's a whole other stack of problems, and the security side. But they're inextricably linked at some point. They have to be completely intermeshed or it can't be done right.

So, one other... thank you. Co-moderating for us. Yeah, I want to say something as I eat the microphone. The other thing is that I see a lot more of this as network-centric. A lot of virtualization security seems to be very network-centric, but that's not the only part of the virtualization security story. So how are we addressing that? I mean, is there anything that anybody knows of, like for VM escape protection or storage protection or things like that?

Ultimately, your security has to be data-centric. Yeah, data-centric. You're protecting the data. Now, because of the way the world works, a lot of that data protection has to be in the network, but we have to start really thinking about how we reach the data, label the data, classify the data, protect the data, and this is where I find there are still a lot of gaps everywhere, right? So, witness the DLP integration from RSA into vShield 5. Right, hands up. Right now, well, yeah, right now it crawls VMs. Right. I'm going to guess that it's going to do more stuff with data in flight as it matures. Right. This has been needed for a very, very long time.

The other interesting thing here is we talk a lot about the network-centric, so there's a bridge between information-centric and network-centric, and it's app-centric, which is where a lot of these work, you know, as we start to bundle things not around a VM but an application.
And those are the next-gen firewalls, so to speak, right? Exactly. So, yeah, so what we ultimately need to do is kind of enable... remember, making giant leaps is hard for IT, even, you know, I mean, for enterprises. So being able to set forward a path... and if you look at best practice guides from VMware, right, they say, look, you should deploy web application firewalls in front of all your critical information. I'm like, that's great. Do you have any? Well, no. Are there really any available? Well, kind of. You know, but they're not very virtualization-friendly. So then we've got entire SaaS offerings now that have sprung up to offer that in the cloud. But wait a second. I'm still virtualizing my private cloud, right? So, you know, what we're going to see next is ultimately that gap fill, where we'll see, you know, products like probably Imperva and database activity monitoring and WAF products start to really aggressively enter that virtualized space. They're doing it on the SaaS side, clearly, to offer as a service, because it's good revenue and it's easier. But they're going to be forced to start delivering, you know, product and service insertion layers, either as, you know, virtual appliances or even offloaded to hardware. Because a lot of what, you know, what VMware at least understands is that in many cases certain things require offloading, whether it's virtual or physical. So the point is, in many cases, they're going to, and they're already working to kind of allow, outside of what vShield Edge does, a certain amount of interaction. The problem is, you know, again, from an architectural perspective, the industry has to rotate around understanding what that means to their platforms.

Absolutely. I think that we're actually out of time here. I didn't see the five minutes. Sorry. We got one minute.

So I think we're seeing a turn in the cycle where Moore's law is dominant again.
We've seen this generation of processors; everybody here is selling how many cores they've got. So I think at the moment there's more and more we can do in the host, in the hypervisor, right, that does not require ASICs anymore, that does not require custom hardware to offer the same level of protection.

There were also some new announcements around file integrity on the vShield Endpoint that I saw this week as well. Thank you very much, gentlemen, for joining me. Thank you. Have a good show.