VMware’s vShield – Why It’s Such A Pain In the Security Ecosystem’s *aaS…
I’ve become…comfortably numb…
Whilst attending VMworld 2011 last week, I attended a number of VMware presentations, hands-on labs and engaged in quite a few discussions related to VMware’s vShield and overall security strategy.
I spent a ton of time discussing vShield with customers — some who love it, some who don’t — and thought long and hard about writing this blog. I also spent some time on SiliconAngle’s The Cube discussing such, here.
I have dedicated quite a lot of time discussing the benefits of VMware’s security initiatives, so it’s important that you understand that I’m not trying to be overtly negative, nor am I simply pointing fingers as an uneducated, uninterested or uninvolved security blogger intent on poking the bear. I live this stuff…every day, and like many, it’s starting to become messy. (Ed: I’ve highlighted this because many seem to have missed this point. See here for example.)
It’s fair to say that I have enjoyed “up-to-the-neck” status with VMware’s various security adventures since the first marketing inception almost 4 years ago with the introduction of the VMsafe APIs. I’ve implemented products and helped deliver some of the ecosystem’s security offerings. My previous job at Cisco was to provide the engineering interface between the two companies, specifically around the existing and next generation security offerings, and I now enjoy a role at Juniper which also includes this featured partnership.
I’m also personal friends with many of the folks at VMware on the product and engineering teams, so I like to think I have some perspective. Maybe it’s skewed, but I don’t think so.
There are lots of things I cannot and will not say out of respect for obvious reasons pertaining to privileged communications and NDAs, but there are general issues that need to be aired.
Geez, enough with the CYA…get on with it then…
As I stated on The Cube interview, I totally understand VMware’s need to stand-alone and provide security capacities atop their platform; they simply cannot expect to move forward and be successful if they are to depend solely on synchronizing the roadmaps of dozens of security companies with theirs.
However, the continued fumbles and mis-management of the security ecosystem and their partnerships as well as the continued competitive nature of their evolving security suite makes this difficult. Listening to VMware espouse that they are in the business of “security ecosystem enablement” when there are so few actually successful ecosystem partners involved beyond antimalware is disingenuous…or at best, a hopeful prediction of some future state.
Here’s something I wrote on the topic back in 2009: The Cart Before the Virtual Horse: VMware’s vShield/Zones vs. VMsafe APIs that I think illustrates some of the issues related to the perceived “strategy by bumping around in the dark.”
A big point of confusion is that vShield simultaneously describes both an ecosystem program and a set of products that is actually more than just anti-malware capabilities which is where the bulk of integration today is placed.
Analysts and journalists continue to miss the fact that “vShield” is actually made up of 4 components (not counting the VMsafe APIs):
- vShield Edge
- vShield App
- vShield Endpoint
- vShield Manager
What most people often mean when they refer to “vShield” are the last two components, completely missing the point that the first two products — which are now monetized and marketed/sold as core products for vSphere and vCloud Director — basically make it very difficult for the ecosystem to partner effectively since it’s becoming more difficult to exchange vShield solutions for someone else’s.
An important reason for this is that VMware’s sales force is incentivized (and compensated) on selling VMware security products, not the ecosystem’s — unless of course it is in the way of a big deal that only a partnership can overcome. This is the interesting juxtaposition of VMware’s “good enough” versus incumbent security vendors “best-of-breed” product positioning.
VMware is not a security or networking company and ignoring the fact that big companies with decades of security and networking products are not simply going to fade away is silly. This is true of networking as it is security (see software-defined networking as an example.)
Technically, vShield Edge is becoming more and more a critical piece of the overall architecture for VMware’s products — it acts as the perimeter demarcation and multi-tenant boundary in their Cloud offerings and continues to become the technology integration point for acquisitions as well as networking elements such as VXLAN.
As a third party tries to “integrate” a product which is functionally competitive with vShield Edge, the problems start to become much more visible and the partnerships more and more clumsy, especially in the eyes of the most important party privy to this scenario: the customer.
Jon Oltsik wrote a story recently in which he described the state of VMware’s security efforts: “vShield, Cloud Computing, and the Security Industry”
So why aren’t more security vendors jumping on the bandwagon? Many of them look at vShield as a potentially competitive security product, not just a set of APIs.
In a recent Network World interview, Allwyn Sequeira, VMware’s chief technology officer of security and vice president of security and network solutions, admitted that the vShield program in many respects “does represent a challenge to the status quo” … (and) vShield does provide its own security services (firewall, application layer controls, etc.)
Why aren’t more vendors on-board? It’s because this positioning of VMware’s own security products which enjoy privileged and unobstructed access to the platform that ISV’s in the ecosystem do not have. You can’t move beyond the status quo when there’s not a clear plan for doing so and the past and present are littered with the wreckage of prior attempts.
VMware has its own agenda: tightly integrate security services into vSphere and vCloud to continue to advance these platforms. Nevertheless, VMware’s role in virtualization/cloud and its massive market share can’t be ignored. So here’s a compromise I propose:
- Security vendors should become active VMware/vShield partners, integrate their security solutions, and work with VMware to continue to bolster cloud security. Since there is plenty of non-VMware business out there, the best heterogeneous platforms will likely win.
- VMware must make clear distinctions among APIs, platform planning, and its own security products. For example, if a large VMware shop wants to implement vShield for virtual security services but has already decided on Symantec (Vontu) or McAfee DLP, it should have the option for interoperability with no penalties (i.e., loss of functionality, pricing/support premiums, etc.).
Item #1 Sounds easy enough, right? Except it’s not. If the way in which the architecture is designed effectively locks out the ecosystem from equal access to the platform except perhaps for a privileged few, “integrating” security solutions in a manner that makes those solutions competitive and not platform-specific is a tall order. It also limits innovation in the marketplace.
Look how few startups still exist who orbit VMware as a platform. You can count them on less fingers that exist on a single hand. As an interesting side-note, Catbird — a company who used to produce their own security enforcement capabilities along with their strong management and compliance suite — has OEM’d VMware’s vShield App product instead of bothering to compete with it.
Now, item #2 above is right on the money. That’s exactly what should happen; the customer should match his/her requirements against the available options, balance the performance, efficacy, functionality and costs and ultimately be free to choose. However, as they say in Maine…”you can’t get there from here…” at least not unless item #1 gets solved.
In a complimentary piece to Jon’s, Ellen Messmer writes in “VMware strives to expand security partner ecosystem“:
Along with technical issues, there are political implications to the vShield approach for security vendors with a large installed base of customers as the vShield program asks for considerable investment in time and money to develop what are new types of security products under VMware’s oversight, plus sharing of threat-detection information with vShield Manager in a middleware approach.
…and…
The pressure to make vShield and its APIs a success is on VMware in some respects because VMware’s earlier security API , the VMsafe APIs, weren’t that successful. Sequiera candidly acknowledges that, saying, “we got the APIs wrong the first time,” adding that “the major security vendors have found it hard to integrate with VMsafe.”
Once bitten, twice shy…
So where’s the confidence that guarantees it will be easier this time? Basically, besides anti-malware functionality provided by integration with vShield endpoint, there’s not really a well-defined ecosystem-wide option for integration beyond that with VMware now. Even VMware’s own roadmaps for integration are confusing. In the case of vCloud Director, while vShield Edge is available as a bundled (and critical) component, vShield App is not!
Also, forcing integration with security products now to directly integrate with vShield Manager makes for even more challenges.
There are a handful of security products besides anti-malware in the market based on the VMsafe APIs, which are expected to be phased out eventually. VMware is reluctant to pin down an exact date, though some vendors anticipate end of next year.
That’s rather disturbing news for those companies who have invested in the roadmap and certification that VMware has put forth, isn’t it? I can name at least one such company for whom this is a concern. 🙁
Because VMware has so far reserved the role of software-based firewalls and data-loss prevention under vShield to its own products, that has also contributed to unease among security vendors. But Sequiera says VMware is in discussions with Cisco on a firewall role in vShield. And there could be many other changes that could perk vendor interest. VMware insists its vShield APIs are open but in the early days of vShield has taken the approach of working very closely with a few selected vendors.
Firstly, that’s not entirely accurate regarding firewall options. Cisco and Juniper both have VMware-specific “firewalls” on the market for some time; albeit they use different delivery vehicles. Cisco uses the tightly co-engineered effort with the Nexus 1000v to provide access to their VSG offering and Juniper uses the VMsafe APIs for the vGW (nee’ Altor) firewall. The issue is now one of VMware’s architecture for integrating moving forward.
Cisco has announced their forthcoming vASA (virtual ASA) product which will work with the existing Cisco VSG atop the Nexus 1000v, but this isn’t something that is “open” to the ecosystem as a whole, either. To suggest that the existing APIs are “open” is inaccurate and without an API-based capability available to anyone who has the wherewithal to participate, we’ll see more native “integration” in private deals the likes of which we’re already witnessing with the inclusion of RSA’s DLP functionality in vShield/vSphere 5.
Not being able to replace vShield Edge with an ecosystem partner’s “edge” solution is really a problem.
In general, the potential for building a new generation of security products specifically designed for VMware’s virtualization software may be just beginning…
Well, it’s a pretty important step and I’d say that “beginning” still isn’t completely realized!
It’s important to note that these same vendors who have been patiently navigating VMware’s constant changes are also looking to emerging competitive platforms to hedge their bets. Many have already been burned by their experience thus far and see competitive platform offerings from vendors who do not compete with their own security solutions as much more attractive, regardless of how much marketshare they currently enjoy. This includes community and open source initiatives.
Given their druthers, with a stable, open and well-rounded program, those in the security ecosystem would love to continue to produce top-notch solutions for their customers on what is today the dominant enterprise virtualization and cloud platform, but it’s getting more frustrating and difficult to do so.
It’s even worse at the service provider level where the architectural implications make the enterprise use cases described above look like cake.
It doesn’t have to be this way, however.
Jon finished up his piece by describing how the VMware/ecosystem partnership ought to work in a truly cooperative manner:
This seems like a worthwhile “win-win,” as that old tired business cliche goes. Heck, customers would win too as they already have non-VMware security tools in place. VMware will still sell loads of vShield product and the security industry becomes an active champion instead of a suspicious player in another idiotic industry concept, “coopitition.” The sooner that VMware and the security industry pass the peace pipe around, the better for everyone.
The only thing I disagree with is how this seems to paint the security industry as the obstructionist in this arms race. It’s more than a peace pipe that’s needed.
Puff, puff, pass…it’s time for more than blowing smoke.
/Hoff
Related articles
- VMware’s (New) vShield: The (Almost) Bottom Line (rationalsurvivability.com)
- VMware strives to expand security partner ecosystem (infoworld.com)
- VMware preparing data loss prevention features for vShield (infoworld.com)
- Highlights from VMworld 2011 (datacenterknowledge.com)
- Clouds, WAFs, Messaging Buses and API Security… (rationalsurvivability.com)
- AWS’ New Networking Capabilities – Sucking Less (rationalsurvivability.com)
- Sourcefire Enables Application Control Within Virtual Environments (it-sideways.com)
- Using The Cloud To Manage The Cloud (informationweek.com)
- Virtualizing Your Appliance Is Not Cloud Security (securecloudreview.com)
- OpenFlow & SDN – Looking forward to SDNS: Software Defined Network Security(rationalsurvivability.com)
Disclaimer: I work for VCE, and we are funded by both VMware and Cisco.
Two notes. First, the full version of vShield Edge is provided free of charge for all Service Providers with a VSPP contract (as is vCloud Director), so SPs are having to choose against free in order to even consider the ecosystem. Second, with vCloud Director becoming the center of the VMware world,integration with the provisioning and management portal is a must. VMware controls the gates to the kingdom here, and it will be interesting to see how long it takes something that competes with the vShield Edge product (like the vASA) to get certified/integrated with vCD at a feature-parity level.
In a perfect world for VCE (and I'd imagine most of the systems integrators out there), all of the security offerings would be completely interchangable. Optimistically I believe that VMware is genuine in their committment to being open to the entire ecosystem that lives on top of vSphere, and that we'll see companies competing as openly inside a virtualized data center as they do today in physical ones.
Thanks for you comment. Your point regarding the the pricing for SP's brings another dimension to the discussion. For SP's who operate on maximizing ARPU and decreasing costs, weighing good enough as an initial investment and betting on the state you describe is where many are today. At the same time, many SP's are also standing up alternative stacks where OSS and other generic virtual appliance models may flourish from the perspective of security.
Chris, this is Massimo. 😉
You of course you know what you are talking about. No doubt.
You bring up many good points here. I don't think it's a secret that there are a lot of discussions whether VMware should be a "platform" or a "solution". As far as I can say (which doesn't really mean this is the official VMware position) I would like us to to be able to be both.
This has its own challenges and these challenges are multi-dimensional (as usual). I think there is more than one reason for which Edge (today) is so central to the vSphere/vCD integration. You touched on some of them (ie being able to sell more VMware software etc) and while they all make very good sense for a company that is not a charity .. there are other challenges associated to have "choice".
Don't get me wrong.. choice is generally speaking a very good thing for customers but with "choice" also comes complexity. And trying to orchestrate all that complexity has proven to be difficult. In an ideal world you may want to be able to offer (security) choices without increasing the complexity of keeping everything together in a consistent way. In the real world this doesn't happen and what we have seen happening in the past years is the need to deploy enterprise orchestrators to deal with this massive complexity to give this feeling of a degree of automation ("feeling" and "degree" being two key words, if you know what I mean).
So I guess the challenge is.. how can you build something that is as open as possible but doesn't increase the complexity of the stack so that you don't have to spend 2 years and 10M$ for an orchestrator to resemble something that looks like a cloud?
I am obviously not talking on behalf of my employer. This is just my 2 cents.
Massimo.
Thanks Massimo.
The reality for me is that if you're going to build something, consistency is needed in approach; VMware is not the only company involved in having to invest millions in development. When something like the ecosystem integration interfaces consistently change, that's hard on the ecosystem. Very hard.
It's clear this is an evolution, but when you speak to the the functionality vs. complexity issue, APIs (perhaps not the first version of them) can get us there. Look, I know life isn't fair. As much as VMW talks about being "Switzerland," it's clear the relationship they enjoy with Cisco and EMC (both shareholders) are going to put them in a position of better access.
Robust APIs would allow for VMW to develop their vShield solutions with as much openness or proprietary capabilities as they see fit — heck they own the platform — but then the rest of the ecosystem should/could have equal opportunity to innovate and develop solutions that are compelling and solve customer problems.
This isn't a new problem, but it's going to become a bigger one.
I ask you to consider how many truly innovative NEW security solutions built on VMware's platform that we've seen in the last two years…this isn't good for VMware, the ecosystem or the customer.
It's a shame and a missed opportunity. If we want virtualization and cloud to prosper, it can't be only on the back of the platform provider, especially when a blocking item (security) isn't the core competency of said provider.
Again, thanks for the reply…it's sure much more balanced than some of the others I have received privately.
/Hoff
Massimo,
If a platform provider closes access to 3rd parties to favor their own products, that's fine. It does mean that the ecosystem now becomes your enemy, which is fine as well.
The problem arises if you need the ecosystem because they won't be there. And then you better truly deliver a complete working solution. What I see today, is a situation where the ecosystem is making heavy bets against Vmware while vCloud hasn't had the kind of adoption I think was expected.
It is not the year zero. There's a huge amount of investment by SP's and customers that needs to be accounted for. Not just hardware and software, but people and processes. When it comes to network and security, there's a HUGE amount of investment that needs to be considered, orchestrated, automated.
Rodrigo, no one said VMware wants to close access to 3rd parties. It is in fact quite the opposite. There are at the very least a couple of aspects to this. The first one is to find a "stable" way to offer that openness to partners. Sometimes there are challenges, sometimes you need to step back and rethink the way you have dones something etc etc. This obviously causes turbulences in the market and ideally better "stability" is required.
The other problem I was touching on in my previous post is that while there is a ton of reasons for which more choices are a good thing for the customers, there is at least one reason for which is a bad thing: that's complexity.
I used to work for a vendor whose business (well one of them) was to solve complex infrastructure problems due to heavy heterogenous environments: "get what you want we will put everything together for you" (in 2 years and for 10M$ was the always missing part).
I am not advocating for a "monolithic stack" (far from it) but I just want to point out that openness is not synonyms for simplicity and ease of deployment. Our challenge (other than the interface stability mentioned above) is … how can we open it up but yet not force the customer to spend 2years/10M$ to integrate the "choice" we are giving them?
To the point of ecosystem maturity for vSphere and vCloud we can debate that.. this is a chicken and egg problem (as you know for sure). At the very least it demonstrates that while we (vendors) talk about cloud as a given and advocate about the fact that >"IT should transform into a Facebook"< customers run at a pace that is a fraction of how fast our heads are spinning.
I can tell you more in private in front of a beer.
Massimo.
Interesting. Didn't MS get busted for bundling IE for free with Windows? Didn't they get busted for having undocumented APIs they used to make their products better, leaving third-party developers with garbage?
Well spoken dude. 🙂
I think part of the problem is VMware is trading short term bean counting for long term vision. Unfortunately they are reaping the fallout from those decisions. Yes, locking the firewall market into their corner can be lucrative in the short term, but they had to realize that this would make potential future partners extremely leery. A good percentage of the old API partners were focused on firewall (like Altor, which IMHO is/was far superior in its traffic handling capabilities to vShield), and VMware literally pulled the rug out from under their revenue stream. As a potential vShield partner, I would be extremely concerned with them doing it again with whatever security solution I bring to the table.
On the up side, I think the hesitation to get into bed with VMware will help push security vendors into a more agnostic posture. This could be extremely positive for the industry as a whole, as it may help open up portability with other virtualization solutions (Xen, KVM, Hyper-V, etc.). It could even lead to solutions that continue to provide value in a public multitenant environment.
So personally I’m all for VMware’s land grab, as in the long run it will only help to diversify the landscape. 🙂
Chris
You guys are talking about ecosystems in tech, but can you name at least one example of a current ecosystem in tech that is worth using as a model?
The issues between platform providers and ecosystem players are fairly similar in all tech ecosystems (esp. those rooted in software). These issues are nothing new and there are no reasons why these issues should go away any time soon.
To make a long story short – competing against your ecosystem is quite typical in tech when no manufacturing of any sort is involved (software is not manufacturing).
The relative success or failure of the "ecosystem" historically in IT is neither here nor there within the context of this discussion.
VMware asserts that they "…enable the security ecosystem" and as a quote from Allwyn's latest blog suggests, all is well in vLand:
" …we are working very closely with the networking and security ecosystem (we already have working solutions with Cisco, Trend Micro, and RSA for example, with many more to come) to insert purpose-built functionality at logical boundaries, while seamlessly integrating into the management plane via vShield Manager, which in turn enables these services to be available RESTfully. The combination of logical networking and security, with integrated ecosystem offerings and programmable services, should provide the much needed advancement to support virtualization and cloud needs."
…the fact is, it's painful. Virtualization and Cloud *should* enable a rich ecosystem and we've got a chance — VMWARE'S GOT A CHANCE — to help make that a reality.
I'm simply reminding them (and you) of that opportunity, regardless of how things may be.
/Hoff
Hoff,
You should just put your 872 page resume at the beginning of every article you write. I mean – what's the point in rehashing every place you've worked, all the things you've done, and the fact that you use all those technologies daily AND tweet about 500 times. If there's a poster boy for the security industry post-Schneier (hey look you guys both worked for something that is now BT craptastic services) it would definitely be you. Reality check time – you're not God.
Phew! I'm certainly glad you've confirmed I'm not God. The pressure's off!Thanks so much for stopping by!God^H^H^H Hoff
Hi and thanks for this great post.
I also am tracking VMWare security initiative for years, and find it pretty inadequate.
So, honestly, when I decided to go to this virt sec field, I have chosen not VMWare as a first target.
I completely agree that in such situation alternatives are arising, and one of the great ones is MS Hyper-V.
It is much easier to create something groundbreaking there due to more openness (strange but true) of the platform.
So, I foresee that alternatives will develop even more in closest time, in regards of the security as well.
Please do not take it as an ad, but our product Hypertection, which works now for Hyper-V, seems to be one of the signs of coming market diversity.
Simple stuff – I doubt VMWare will ever allow to create true agentless antivirus for virtualization. But Hyper-V allows that already.
Hello there, I love your blog http://www.rationalsurvivability.com . Is there something I can do to receive updates like a subscription or some thing? I am sorry I’m not acquainted with RSS?
Thoughtful post, good comments, just wanted to say thanks.
I hope that the next release of vVD / vShield show signs of movement on this front.
There certainly is no alternative, I have met with a few vendors looking for one! Edge is young and it does enable a great deal when it comes to vCD. Choosing Edge is a compromise at the moment. It has growing up to do and I think there is a real need for other vendors to create products that can drop in place of Edge / Shield.
I am not on the inside so I can not say who is dragging the chain, however the traditional security vendors must see the opportunity.