VMware is making rapid inroads in virtualizing the data center. That doesn't mean there isn't any work remaining for the third parties and startup companies on the margins of VMware's established stronghold, said Steve Herrod, former CTO of VMware, now managing partner of General Catalyst Partners venture capital.
Herrod left VMware in January 2013, a few months before it launched its public cloud. He's familiar with the stakes behind that effort and he's followed the different initiatives designed to capture the enterprise's increasing interest in cloud services.
"The Big Four are all coming at it from a different heritage," he noted. VMware and Microsoft are already inside the enterprise and moving out into the cloud. Google and Amazon are outside and eager to establish both direct cloud relationships and hybrid operations with enterprises.
The interest of public cloud providers in a burgeoning enterprise business seemed evident to Herrod soon after he left VMware. Six months later, Amazon hired VMware's VP of North American sales Mike Clayville to become its VP of commercial worldwide sales. Likewise, Google a year later showed similar interest when it hired Brian Stevens, former CTO of Red Hat, as its VP of cloud platforms. Red Hat is the leading Linux vendor with enterprises
[Want to look at what Steve Herrod was interested in a year ago? See VMware's Former CTO Herrod On Its Future.]
VMware is approaching public cloud computing from its pivot point as manager of virtual machines in the enterprise data center. Microsoft has a different story, as supplier of both the Windows Server operating system and Hyper-V virtualization. All four see having a public cloud offering as a necessity for enticing enterprise business. VMware is having the toughest time convincing customers that enterprise workloads should move into its public cloud, vCloud Air, he said.
Therein lies an opportunity for other companies, he suggested. VMware isn't interested in paving the path to competitors' clouds for its customers so virtualization and container-savvy third parties could step in and do it for them. Some of the activity around highly portable Docker containers suggests that free movement between clouds remains of great interest.
"That's a real space where new companies could be created. They'd have to provide enterprise access with security, availability, audit, root core analysis. … They'd have to convince people, 'We'll be the one to help you.'"
Herrod also thinks there's a rich vein to mine in new approaches to security. Containers and virtual machines open new approaches to security that take advantage of their boundaries and embed security more deeply in the infrastructure.
"I'm obsessed with how security can work in this broader world. Until now, security has been mainly about IT saying 'no' and 'slow down,'" he said.
An example of what he means is Menlo Security, a two-year-old startup in Menlo Park, Calif., that his firm has invested in. The firm produces software that introduces isolation between users and their downloaded content without trying to identify whether something in the content is good or bad. Automated protection systems too often can be gamed into treating malware as if it were good, reducing their value. Menlo's website says it uses "disposable virtual containers," which may be virtual machines, containers, or perhaps both.
Herrod said the firm has found a way to address the security of the browser's document object model (DOM), the standard technique of building a Web page in a browser window. Because all browsers are based on DOM, it offers a place to identify and isolate a common set of security problems.
"Sixty percent of infections come in through the DOM. It works the same on mobile and laptop/desktop devices," he said. Half the Menlo team comes from VMware and the other half from firewall supplier Checkpoint Software Technologies.
General Catalyst lead Menlo’s A-round of financing last November, which raised $10.5 million, and Herrod now sits on its board of directors. Sutter Hill lead a B-round in June, raising another $25 million.
To have effective, embedded security, it must work in a well-defined area. Virtual machines and their boundaries are such a perimeter, Herrod said. The virtual machine sits in a well-defined space between the hardware and operating system. It handles a limited number of commands. It can be watched for any corruption of or deviation from those commands.
Windows, on the other hand, has a large number of APIs, some of them changing frequently and "squishy" in their definitions, making it harder for Microsoft to impose strict security over Windows operations.
Another outfit that General Catalyst backs in the security realm is Illumio, which a year ago was just coming out of stealth. "I wanted one big bet on endpoint security and one on the data center," said Herrod. Illumio is the data center bet -- monitoring application traffic on the data center network, understanding the nature of the applications that are running, and prompting protection levels to adapt to changes. It automatically programs rules for inbound and outbound interactions between workloads based on what they're doing.
Another General Catalyst bet that Herrod is enthusiastic about is Datto, a firm that converts a system into a virtual machine "on the fly," either locally or remotely as a copy for backup purposes. The process takes a few seconds without disrupting other operations.
A company that General Catalyst does not back, but is active in the same space, is Bromium, which supplies a microvisor for end-user activities. Bromium was founded by x86 virtualization experts Simon Crosby, former CTO of XenSource and Citrix Systems, and Ian Pratt, who virtualized the x86 instruction set at Cambridge University shortly after Mendel Rosenblum did at Stanford. Bromium creates micro VMs in which each end-user task is executed under its microvisor, keeping it isolated from other components of the system.
Eric Chiu, president of VMware partner HyTrust, talked about his firm's ability to control access to microsegments of NSX virtualized networks at VMworld last week.
These firms illustrate how VMware can't do everything, particularly on the security front. On the contrary, the conversion of data center servers, storage, and networks to virtualization appears to be opening new ways to impose isolation boundaries as well as "good versus bad" controls. The new security is buried deep in the infrastructure. Hopefully it will detect and contain any malware that is there.
[Editor's note: This article was updated to reflect more accurately Menlo's financing rounds.]