VMware's Casado talks about evolving SDN use cases, including a prominent role for security

The company's Networking and Security Business Unit is taking off, reaching $100m in just nine months

Martin Casado, who helped launch the Software Defined Networking concept in the labs at Stanford, was recently elevated to the top business slot in VMware's Networking and Security Business Unit, giving him the rare opportunity to see the technology through from the incubator to the data center. Network World Editor in Chief John Dix sat down with Casado for an update on the company and his thoughts on how the technology is maturing. 

NW:     Let's start with your new role. Why the management shift?

MC:      I hired Steve (Mullaney) as CEO of Nicira two years after we started and he was with me for three years, then we came here. We were never a traditional business/technical mix. I did a lot of the business and design and technical and go-to-market work. He was more internal, I was more external, but there was no clear delineation between business and technical. He was here for two years and grew it to a $100 million run rate business, and I think he just wanted to reshape his career so he decided to take off. Since I'd already been deeply involved in the business for seven years now, I was a natural person to take over.

So now I'm more inbound than I've been before. Last year I did 320,000 miles in the air, and I'm delighted to say I haven't traveled in the past month.

NW:     So a $100m run rate, over how much time?

MC:      The product has been in market just over nine months. I'll give you a quick retrospective. Nicira was started in 2007 and it took us about three years to get a network virtualization product to market. The product came out in 2010, an incredibly immature product for an incredibly immature market. Over the next two years, we matured the product and we matured the market.

We were able to launch the company with five of the largest companies in the world: AT&T, NTT, Fidelity, eBay and Rackspace. By the time 2012 rolled around we had proven we could take on these large accounts, we'd proven we could get big deals. But we didn't have VMware ESX support, so we we're locked into a small portion of the market.

Later in 2012 we got acquired by VMware and it took us about a year and a quarter to create a VMware compatible version of that product. We announced the full network virtualization version of NSX nine months ago and since then we have a $100 million business. So the ramp has been extremely quick.

Honestly, if you ask me why I'm so excited about his role, it's because I've seen every stage of this saga from the "That's-a-stupid-idea" phase to where we are now, and now the critical challenge for changing the world and getting this technology into people's hands is about scaling sales. It's a business challenge now. The technology is proven, the architecture is largely proven, the use cases are understood and now it's a question of, "How do you enable a sales force to sell this stuff to get to a billion-dollar business?"

[Soon after our talk, Casado fleshed out his executive ranks by hiring Guido Appenzeller, former co-founder and CTO of BigSwitch Networks, as his Chief Technology Strategy Officer, and Dominick Delfino, who was vice president of worldwide data center and virtualization systems engineering at Cisco, to head his worldwide Systems Engineering team.]

NW:     Let's talk about use cases a bit. It seems they have morphed with time.

MC:      Yeah, they have. The original use case is still probably the dominant case, which is reducing provisioning times. I walk up to a customer and ask, "Does network provisioning get between you and getting something done, whether that's innovation, onboarding a new employee or deploying an application or some business process?" If the answer is yes, there's a discussion to have. If the answer is no, I leave and I go to the next customer. For the people for whom the answer is yes, I say, "Okay, I will take that provisioning time to zero."

But the problem is that's a nuanced operational savings type discussion, so the value isn't immediately obvious and it's more of a complex sales cycle. It's a new kind of architecture that will impact processes so you need very sophisticated sales guys.

I would say that's still about 50% of our sales. But the use case that's really taken off is security. It's just a much easier thing to enable someone to sell. The security pitch is as follows: As we consolidate more workloads in the data center, more and more traffic stays within the data center. We call this east-west traffic. So in an average data center about 80% of the traffic never leaves. It turns out, Mr. Customer, that 80% of your security spend is on the north-south border, so you're spending 80% percent of your dollars on 20% of your traffic.

So if an attacker is able to get beyond that, let's call it a Maginot Wall, they have unfettered access to all of your code and all of your data and you've got no security controls, or very few. What we can do is provide security controls within the data center to address that 80% of traffic. And, by the way, if you tried to do this with physical appliances, there's so much traffic and so much bandwidth it would cost you hundreds of millions of dollars, and for us it's fractions of pennies on the dollar.

I think if you do the numbers you would need something like five appliances per top-of-rack switch, and you have hundreds of top-of-rack switches. It's just ridiculous. But if you distribute that functionality along the edge in the software it just becomes part of the operating model at the servers and you get all of the protection you want.

A more general purpose sales force can focus on this message. They walk in, they say, "Hey, if you try to solve this problem with appliances it would be $100 million. I'll do it for you for $1 million."

NW:     Isn't that what companies like Vyatta's (now owned by Brocade) were promising with virtualized appliances?

MC:      Yeah. But I don't think the virtual appliance model actually works. We're running within the ESX kernel in a separate trust domain. We're already detecting every packet in software and can give you distributed functionality within that kernel. So it's operating at line speed, the traffic isn't going through another appliance, and you don't have to manage independent appliances separately.

If you put in virtual appliances they may work, but you still have a bunch of independent appliances to manage. And I don't think this is a problem you can solve by just adding some management layer on top. We offer a distributed service that you can think of as one big appliance, and it's running in the kernel throughout.

NW:     Are you talking about a full suite of security tools or just firewalls?

MC:      Actually, distributing a service is very difficult, so we started with firewalling, and we're going to be extending that through partner ecosystems and through our own products. The network firewall business is a $10 billion business. We can add a lot of value and do it in a way that doesn't piss off the partner ecosystem, because they build appliances for North/South traffic and that's not something we'll ever do because those code bases have been around for 20 years. It's not like we're eroding an existing market. We're going after a new one.

But getting back to use cases. The first reason people buy is operational speed. The second reason is security. The third reason is actually on cost, which for me is a sign of a maturing market. The reason it's a sign of a maturing market is because in the early days customers have no idea how to evaluate the risk of a new technology. You've heard that startups never sell on price. It's true because you go in with dials hanging out and sparks coming out of the box, and customers are like, "You could save me all the money you want, but I have no idea if this thing is going to work longterm. This is my business and my career at risk."

So once you start seeing customers buy on price you know you're entering a mature market. There's trust in the solution. There's trust in the product and also in the architectural approach. So we do see customers buying on cost, whether that's CapEx, so they don't have to upgrade switches as much, or it's on OpEx, like they don't need as many heads.

So those are the three primary value drivers.

NW:     I want to go back to the difference between virtual appliances and being in the kernel. Can you elaborate on that.

MC:      One very simple difference thing is, if you're running something in the kernel it's just faster. You don't have the overhead of having a virtual appliance. Now depending on what you're doing, that may or may not matter. Something like a firewall, that really matters because you touch every packet and you have to do this at 10 or more gigs. That's purely a performance issue.

But there's another issue, which is more nuanced and not well understood. If I take a physical appliance and turn it into a virtual appliance I haven't distributed it. If I deploy 10 of these it's just like deploying 10 physical appliances. There's no difference. My background is distributive programming. That's what I did before all this stuff. To distribute you have to rewrite the code so it's distributed, so you can have one view and it looks like one thing, which means you have to share all sorts of state, you have to rewrite the control plane, and you have to rewrite the way the application works.

A lot of companies do this sleight of hand where they'll take a physical appliance and move it to a virtual appliance and deploy them and then put a management layer on top and say, "Oh, look, it's distributed." But the reality is there's no global view. There's only a management side.

There are many problems for which appliances are just fine. For example, on the North/South border you might use virtual and physical appliances, but if you want to scale a service with a global view to handle all of the traffic within the data center, which is terabytes, you need to distribute it.

What we do is create this notion of a distributed firewall. This is a purely logical notion. It's a fully stateful firewall that has one port per VM. So if you have 10,000 VMs you have 10,000 ports in a distributed firewall. And then you take this distributed firewall and chop it into little, little pieces and you run those pieces in the hypervisor kernel, so there's a logical view of this 10,000 port firewall but the reality is only a little piece is running in the kernel.

So every packet still goes at wire speed, but we can also synchronize state if we need to because we're running it as a distributed application. For example, if a VM moves, the state moves with it, or you can share that state and so forth. It's actually written as a distributed application within the kernel. So every kernel has a little piece of this.

NW:     Didn't VMware have a distributed firewalling capability?

MC:      They had the stateless firewall capability before.

NW:     Did you leverage some of that?

MC:      Absolutely. When we came in there was an enormous team here with this set of assets. We came in with another set. That's why it took us a year and a half to integrate these things.

NW:     I presume you add other security services in time?

MC:      I think you can do load balancing, you could probably do WAN optimization, I think you can do it for IPS, but there are some tradeoffs we're going to have to make. Web application firewalling, I'm not sure. It would be interesting to see.

But we can also start getting into things like vulnerability assessment. Vulnerability assessment is normally a box that sits on the network and scans things and it's like, "Oh, my database says this is vulnerable based on the responses given me from the network." Instead, we can actually run a little bit of code that looks directly into the applications, at the files in the memory so they can't be tricked by, and then mitigate the problem so it can't reach the network. Which is exciting because, wow, now we have an entirely new approach to address security concerns.

NW:     How much of this security work will you do internally versus with partners?

MC:      Ours is very much an ecosystem approach. We're really good at building distributed services, but I'm not an expert in IDS, I'm not an expert in virus detection. So we want to provide a platform that will provide context that others can't get, and even provide native distribution capabilities, but otherwise it's very much an ecosystem play.

NW:     But the firewall was home built?

MC:      The firewall was home built. But again, it's fully distributed. We're going to have to lead with a few core products that demonstrate this capability in order to drive the ecosystem because nobody wants to invest money speculatively if they're in a growing business.

Palo Alto Networks is a good example. They provide a next-generation firewall and are a huge partner. They run a virtual appliance with integration in the kernel and we handle the operational side of distribution and provide additional context by allowing them to peer into the hypervisor. So there's quid pro quo here. For us, our platform gets more attractive and we get to sell a layer that adds value, and for them, they get an insertion vehicle and the insertion vehicle to a large market.

NW:     They're not threatened by your own firewall?

MC:      We're not a next-generation firewall. They're a $600 million company, or something like that. We're focused on kind of a minimum thing internally. It's very difficult to have absolutely zero overlap in partnerships. But we're not going after their core business at all. We're partnering as much as we can as best as we can. The only time we've built up functionality is to kind of lead the space and to address our customer demand.

NW:     So how do you see customers adopting your firewall tool? They have 20 security tools already, so is this a bolt-on that complements what they already have or does it enable them to unplug something?

MC:      By and large this is a net add, meaning customers today are unprotected within the data center and we add a layer of protection.

NW:    Were you surprised to see this security functionality emerge given you started out looking to solve another problem?

MC:      When you start with a new technology you're throwing it against the world and seeing how people find it useful. It's very non-obvious, actually. As a technologist you're always like, "I created this thing and the value is implicit and it carries its own destiny. "

That's totally false. It's the wrong way to think about it. What carries the destiny of the thing you created is the person that carries it to the customer. It's the sales guy. You give the guy that's carrying it to the customer a story that he pitches, but so much of how people view what you have is the guy that carried it in there.

This has been probably my number one lesson from the business side in the last seven years: the person who's presenting your technology is actually going to impact how it gets adopted and how it gets viewed.

NW:     Going back to original mission of the company, speeding up provisioning, which you said still represents half of the business, has adoption happened as you would have expected?

MC:      The market matures at the rate the market matures, and now we're starting to cross the chasm. We're building out our sales force and growing with the market. The market was like one customer seven years ago, and then it was two, and then it was ten and it takes time.

But the operational stuff, yes, I think there's huge value there.

My sense is we're going to see the operational use case and the security use case move in parallel for a while and then bifurcate. They will both be healthy businesses. I feel like with security we're selling to a more mature market because people know how to think about it and acquire it. The operational use case addresses a much less mature market because it's a larger departure from the way we're used to thinking of things.

NW:     How many sales folks do you have? And do some specialize on security and the others on the operations pitch?

MC:      My direct sales force is about 100 people and we only have one SKU, so it is up to them to position the product for the customer. But then, of course, we've got thousands of channel partners we sell through.

NW:     Do you have to call on different people, or is this still a network sale?

MC:      That's a great question. Originally, in the days of Nicira, we'd go to the networking guys and it was so hard. It was like we were fighting against the Cisco sales force. It was a very difficult, long sales cycles, very technical. With VMware the discussion is very different. We talk to virtual admins who have shown enormous value to their company and used to working with us, and we say, "We touch everyone you've impacted today in software already. We have for ten years and things are great. Let us go ahead now and tackle some networking problems."

So we're entering on a much more friendly foot through the virtual admin, and then have the discussion with the security guys and the network guys, but normally the procurement goes through the virtual admin guys.

NW:     Given that, who you most often stack up against competition wise?

MC:      Through some stroke of serendipity we have become the number one competitor to Cisco. John Chambers said it on an earnings call, and we've heard this many times. I don't know how these things happen, and I actually don't believe it's true. We'll never sell physical gear, ever. Our technologies are very complementary. We'd love to cooperate with ACI. I totally don't see us as competitive. But somehow there's this perception that we're competitive, and the number one competitor at that.

Again, I'll be very clear with you. I don't believe we're competitive. But the result has been we're now part of every network procurement discussion. Two years ago, if you had a guy at some bank buying network kit, which companies would he call? Cisco and HP and Extreme or Juniper or whatever. Today they have to call us because of this positioning, just for basic procurement due diligence. And this is a conversation we would never been a part of a year ago. Never.

But we've been brought into every one of these discussions and that's 100% upside for us. Let's say I convert just 2% of those. That's a billion dollar business. This is unbelievably serendipitous. Basically it's created an enormous sourcing funnel for us. A year ago it was about going out and hunting and finding leads, and now it's just qualify, qualify, qualify, because we've got this huge pipeline of people.

NW:     Are most of the sales still coming from the VMware customer base?

MC:      No. We get it from all over. We sell to a lot of non-VMware accounts. Those sales deals are more difficult for us because we don't have an established relationship, we don't have an established procurement structure, we're not the incumbent, but we convert them. It's just a much more difficult motion.

NW:     How many customers do you have today?

MC:      We've quoted the number as being over a 150 paying customers. Medtronic is one we just announced recently, which is a Midwest manufacturing company. USDA, which is federal. We've got a number of financial customers, including four of the five top banks. We've got beverage companies, telcos, service providers, SaaS providers. It's pretty much all the verticals.

And why not? I mean, to see the future all we have to do is look under the covers of existing data centers. One of the most significant things in networking that nobody talks about is, if you look at modern third generation data centers, which are typified by the mega data centers run by the Yahoos and Googles and Facebooks, but not just them, anybody that's building a new data center, and you look at the network architectures, they all look the same. They're all generic Layer 3 fabrics. They do almost nothing. They just pass packets, and all the functionally is in software. These are the most scalable, most successful businesses on the planet. So in many ways Darwin has already spoken.

NW:     But those folks have the luxury of having a very small mix of applications, right?

MC:      Yeah. And they have control so they can rewrite security and performance as part of the application, and most people don't have that luxury. But the people that do have proven that is a better way to build a data center. The CapEx is lower, the OpEx is lower, the innovation speeds are much faster. There's just no argument there. This happened organically. And if you look, the traditional vendors don't have the same representation in these data centers as they do in the traditional enterprise, and that's the future.

Large customers can do the same thing. There's no reason for me to buy networking kit with all the bells and whistles from the top vendor and pay top dollar for that if all I need to do is pass packets. I can go to the same vendor and buy a lower dollar SKU that does less, or I can go to another vendor and do price comparison between the two. So this pretty much unifies the acquisition discussion across all vendors. All I need is the cheapest L3.

NW:     So you expect to see more folks reaching for white box alternatives to the name brands?

MC:    White box is somewhat of a different discussion. The cheapest we can ever get is white box, so it's sexy to talk about that, but there's a lot of complicated logistics in procurement. ODMs aren't really set up for onesies, twosies and those are still very niche and very rare.

But look at the announcements from like Cisco and Arista over the last two years. Almost all of them are around price.  Which, to me, is a sign of a healthy market. And I don't think there's any need to predict who will win. Let's see what happens. Here's the one prediction I will make: Networks are going to be much simpler and cheaper in the future.

NW:     Awfully hard to lever out that installed base.

MC:      The power of incumbency is unbelievable. And it's not just that people have invested money in something. It's the channel which is used to carrying the products and has those relationships. It's the people that are trained on those products. There's just so much there. It's amazing to me we've made as much progress as we have. But our pace is accelerating.

NW:     What's up next on the security front. Do you just keep adding services?MC:      There's pretty much all of networking and security to redo in ways that give you global views and let you apply big data analytics and take advantage of all this context. There's so much stuff to do. But the real job now is focusing on scaling the business. That's why I'm in this role. This is profoundly non-technical stuff, actually.


Join the Computerworld newsletter!

Error: Please check your email address.

Tags SDNNetwork Virtualizationbusiness managementVMware

More about AristaeBayHPIPSJohn DixJuniperMedtronicNSXPalo Alto NetworksRackspaceTechnology

Show Comments

Market Place