The Zkast video series showcases analyst Zeus Kerravala interviewing top tech industry leaders about trends and thought leadership topics. Zeus recently had insightful conversations with executives who are driving VMware’s SASE and edge strategy. In this episode, Zeus sat down with Craig Connors, VP and GM of the VMware SASE business.
Craig and Zeus delved into these points and more:
- SD-WAN and SASE have evolved from branch transformation use cases to cover wider security needs and edge networking
- The upcoming VMware SD-WAN Client brings SD-WAN principles—simplified connectivity, management, visibility, seamless integration of security, an on-ramp to any application anywhere it’s running—to client users
- Business reasons are preventing enterprises from moving to single-vendor SASE, but they can be overcome
Watch the video to see the full-length talk with Craig Connors, or scroll down for highlights.
Get the highlights and full video of the Zkast about multi-cloud and edge
with Sanjay Uppal, SVP and GM of the VMware Service Provider and Edge business unit.
Below are highlights from Zeus and Craig’s conversation, edited for length and clarity.
Zeus: In the discussion with Sanjay, we talked about both multi-cloud and edge. I do believe businesses want to have freedom of where they put their content and to put more data in more places. Edge has a lot of obvious benefits, but what are some of the challenges that creates from an access perspective?
Craig: One of the problems that SD-WAN set out to solve originally was this notion of being able to access your applications wherever they live. Applications were moving from the data center to the cloud, from the data center to SaaS, and SD-WAN was the way that we were connecting all those users to all those applications. Edge follows along logically from that. I think the big difference now with SASE, is that everyone’s not sitting in a branch office behind an SD-WAN Edge anymore.
Zeus: That’s true. From all the data, it looks like it’s going to continue that way. The first wave of SD-WAN was driven by branch transformation without thinking about what was coming next. The state that we’re in now with hybrid work was going to come sooner or later, and it certainly got accelerated, but now SASE is playing an entirely different role. In fact, in the early days, and correct me if I’m wrong, a lot of SASE was driven by connectivity to a branch first, and then you thought about security later. Today, what I’m seeing is flipped around. There’s a lot more thought about security first and connectivity later. Is that what you’re seeing?
Craig: Definitely. People are all over the place, that adds new security challenges. We also live in a world where security compromises are becoming more and more common—geopolitical issues, things like cryptocurrency that have created ways of incentivizing attacks, ransomware, things that didn’t exist before. Security is on people’s minds a lot more. For example, a large financial company might always have had security as a first priority. A small business or a retail shop first thought, “How do I secure my PCI transactions?” But they didn’t really think, “How do I make sure my users are safe and secure?”
Zeus: Historically security has been a game of point products. You deploy your underlay network and then you attach all these security devices to it. I remember at a past VMworld, your CEO at the time, Pat Gelsinger, introduced the concept of intrinsic security. You couldn’t just bolt security on any longer, but it had to be integrated and almost become a network service.
Craig: I remember that keynote from Pat and the slide with the 600 security company logos on it. How can you possibly be secure when you’ve got such a fragmented environment? SASE certainly embodies that. Some of the new announcements that we’ve made are taking that a step further. How do we continue to integrate networking and security in that intrinsic fashion?
Zeus: Let’s talk about some of those new announcements. VMware was one of the pioneers of SD-WAN. As I mentioned before, it was a really a branch solution, small offices maybe. But now you have introduced an SD-WAN client, which creates a much bigger addressable market for SD-WAN. Can you talk about what exactly that is?
Craig: With the advent of SASE, and with the shift to remote work post-pandemic, we saw a huge adoption of zero trust network access as a way to connect remote users securely. But most of those ZTNA solutions are point solutions. Most companies that build ZTNA solutions really set out to solve some of the flaws of VPN. And not to say that those aren’t noble and important things to solve—least privilege, building user identity, and user-based policies.
But think about the problems SD-WAN set out to solve: How do I manage at scale? How do I get visibility into what’s happening for an end user? How do I improve the quality of last-mile connectivity?
Moving VMware’s 35,000 employees from the office to home, our IT team says those problems didn’t go away. Those problems are amplified because now I essentially have 35,000 little branch offices. I can’t guarantee the quality of service. Zero-trust principles are important for securing those users, but I still have all the problems that SD-WAN set out to solve. How do you translate those benefits that I get when a user is sitting in the office, to when they’re out on the road? That’s what our VMware SD-WAN Client sets out to do. It brings those same SD-WAN principles—simplified connectivity, management, visibility, seamless integration of security, an on-ramp to any application anywhere it’s running—in a tightly integrated fashion alongside your SD-WAN branch footprint, now for your client users as well.
Zeus: Can you talk about some of the features of the client? Does it have feature parity with what I might get in the appliance? How do I deploy it?
Craig: Think about any market-leading remote access ZTNA solution. You might get Zscaler private access, that same feature set. That’s obviously the building block for any remote access solution that you’re going to build in the market today. And then, on top of that, we layer on profile-based automation, similar to what we have in the VMware SD-WAN Edges, built into a single pane of glass alongside your SD-WAN policy management. I can manage my user policies the same way, whether they’re in the branch or on the road. It’s integrated with VMware Edge Network Intelligence, which is our AIOps solution, to give you visibility into Wi-Fi performance, application performance, and provide proactive notifications about what’s going on with the user.
We’ve also layered forward error correction on top. Now, when I’m sitting on the road in a coffee shop, having a Zoom call like this, and the quality of connectivity is not very good, my employer can get a view into these issues. Why is the quality of connectivity not very good? Is it a Zoom problem? Is a Wi-Fi problem? It arms the user with the technology to improve that connectivity and make the performance better. Again, it’s really bringing those same benefits that we brought to the branch office to that person on the road, on top of the security features that are required to be competitive in a remote access market.
Zeus: From a user perspective, if I have a corporate issued laptop, I’m probably running a VPN client, some agent for monitoring, and a whole bunch of security stacks. Do all those go away, and I can replace them with the one client?
Craig: That’s the idea, absolutely. Not only is it simpler for your team to manage, but you’ve also given them all that data in a single pane of glass, instead of having SD-WAN visibility going to one place and VPN management going to a different place.
Zeus: It’s interesting that more and more, security is becoming a game of analytics based on the quality of the data that you have. A lot of vendors throw around the term data lake. In fact, because their portfolios are built through acquisition, I describe it as a set of data ponds that I can see on one map, but they’re not connected ponds. From an analytics standpoint, I have a bunch of fragmented insights that I then have to try and correlate in my head. In this perspective, you can tile those things together, correct? Some of the benefits you would get would be faster threat identification, but what are some of the other ones?
Craig: That’s absolutely correct. The old approach to security was: I know what attacks look like, I have signatures for those attacks, and I’m going to load them into my database and check your traffic against those. The world’s moving pretty fast, and that doesn’t necessarily work anymore.
Now, with user behavioral analytics and application analytics, it’s not just about, what does an attack look like? It’s more about: How does Zeus work when he’s using his corporate device? What sites does he visit? What places does he travel? Being able to detect anomalies automatically, flag them, and remediate them, prevents security compromises. It’s something we’ve been doing with IoT devices and other applications because it’s a little bit simpler. IoT devices are a little bit more predictable. But now we’re taking it to the next level, which is ultimately to secure users, learn how users behave, and make sure that you’re looking for anomalies in that behavior. It doesn’t necessarily mean you block them right away, but it gives you the ability to flag them as suspicious and have someone investigate further.
Zeus: While you said IoT devices are pretty predictable, I think most users are pretty predictable. 90% of users do the same things day after day after day. You may have one user that perhaps changed jobs within a company, and the behavior would be different. But to your point, just being able to quarantine the user and start the investigative process certainly gives you a leg up over trying to do it the old way.
Zeus: I want to ask you about single-vendor versus multi-vendor SASE. SASE is a funny term, like edge and like multi-cloud, which tends to get overused. Is SASE something a single vendor can deliver? Or is this something that’s likely to be multi-vendor, and how do you handle all the partnerships now?
Craig: But there are two sides to this argument. People focus a lot on the technical side of the argument, saying VMware was a networking vendor that’s becoming a security vendor. Or security vendors are becoming networking vendors. But we know how to solve those technical problems.
The flip side is that there are generations and generations of SOC and NOC being different teams. The network and security teams are in different buying centers, on different billing cycles, with different relationships they’ve built. While we see the need to bring network and security closer and closer together as we look ahead, just because of the way these threats and challenges are emerging, it’s not just about building a product that can serve those needs, but it’s also about the buyers, customers, service providers, and everyone evolving to this model where network and security converge.
I think, for the foreseeable future, we’ll still have both single-vendor and dual vendor approaches to delivering SASE. VMware has always said we’re like Switzerland, we’ll play with anyone. We’ve continued that approach throughout our SD-WAN and SASE evolution. We have partnerships with vendors where we bring the solutions together, we certify them together, we deliver dual-vendor solutions to our customers.
The reality is that dual-vendor SASE is not going away overnight. I do think single-vendor SASE is the future. But when you’re looking at either side, if you’re looking at SD-WAN and security services edge, you should be looking at a vendor who’s willing to accept that both approaches are valid ways of doing things and isn’t trying to lock you into their one unique ecosystem. Because the flexibility is very important.
Zeus: People have asked me, when is single-vendor going to happen? I’ll probably be long retired by the time that happens. Single-ecosystem is more an accurate descriptor. At VMware Explore you see the size of the exhibit hall and all the security partners, even connectivity partners, that you have there. I do think most network or security vendors are either big N and little S, or big S and little N. VMware is one of the few companies that has strengthened both. Your ability to create this ecosystem approach, which in effect masks the complexity of multi-vendor, achieves the benefits of single-vendor while allowing customers to be multi-vendor. And that’s probably the best way that I can describe it.
Craig: With SASE, it’s very important that we collaborate not just on integrations, but also the meaning of SASE and security. I’ve said before, the fact that SD-WAN didn’t have a strict definition from one SD-WAN vendor to another means it might look very different in practice when you deploy it. While it might be confusing for users, it’s not posing a risk to your ecosystem. If you’re buying security solutions, and you don’t know exactly what you’re buying, I think that introduces big risk. That’s why Metro Ethernet Forum, Cisco, Fortinet, Versa, and VMware have all joined to work together on standards for interoperability, educating customers on what exactly they are buying, and how you know, if you’re putting two vendors together, that you’re really getting what you need to get to secure your network.
Zeus: That standardization is certainly long overdue, and kudos to all the companies who are trying to do that. VMware has a lot of networking solutions. You’ve got a bunch of different connectivity options, including SD-WAN. how does the client fit into that? Does it complement it? Can it replace some of the products? Can I manage them together? How does it fit into the overall portfolio?
Craig: The SD-WAN client sits alongside the SD-WAN branch solution inside that single pane of glass, which is part of our broader SASE orchestration layer. There will be customers that only deploy clients. There may be customers that have deployed SD-WAN appliances in a SOHO use case and decide to shift to a software solution. There will also be customers that are replacing their VPN or their ZTNA solution with the SD-WAN client and bringing those two sides of the connectivity puzzle together into that single pane of glass. There are a lot of different ways that the VMware SD-WAN client may fit in, depending on the size of the company and the use case they have, and what their work style looks like in this new post-pandemic world where some companies are fully remote, some companies are hybrid, and some have gone back to in-office.
Zeus: The point here is that you’re giving customers options. If I’m a branch office of one, I can use the client or an appliance. If I’m three or four people that come together, they could put up an appliance or they could all work off a client. What you’re saying is that it’s really up to them and the way they work.
Craig: That’s right.