VMware announces its intent to buy Kubernetes Security startup Octarine

VMware has been shopping again; this time they have put a deposit on a DevSecOps startup called Octarine to fill a monitoring gap in their Kubernetes platform.

VMware has been out shopping in the Silicon Valley Mall again. They have given notice of their intent to purchase Octarine, a small venture-backed startup based out of Sunnyvale and Tel Aviv.

Octarine

So what do we know about Octarine?

Well, to be fair, prior to the announcement the only thing I knew about Octarine was that it is part of Terry Pratchett’s Discworld lore, where it is the Colour of Magic; the founders may well have been fans.


OK, let’s be serious. Octarine is a small start-up with offices in Sunnyvale and Tel Aviv that, during its time as an independent company, raised at least $9m from venture funds and other investors who backed its DevSecOps vision: a continuous security and compliance lifecycle that protects Kubernetes deployments from black-hat hackers and the rest of the criminal fraternity.

How does Octarine approach this?


Anyone who has attempted to deploy Kubernetes, or even just containers in general, knows that traditional monitoring and security products do not provide adequate protection for the types of applications deployed on the underlying container hosts. This is not a limitation of containers or Kubernetes; it is that monitoring and compliance tools were not built to deal with the complexity of containers (short-lived workloads, shared host kernels, ephemeral IP addresses). A new approach was needed.

This is not unique to Octarine; other vendors, such as Sysdig, have answered the same question, and the answer is to bake security and compliance in from the initial build, all the way through to the deployed runtime, and then to continually improve on the baselines.

Why is VMware interested in Octarine?

But the real question is, why is VMware interested in this particular startup? The answer is actually quite simple. The purchase of Octarine allows VMware to neatly fill a glaring gap in its current security product portfolio: Carbon Black and AppDefense protect VMs and native containers, but their Kubernetes coverage is woefully lacking, and that is a massive gap. Actually, it was a glaring six-lane freeway of a gap for potential vulnerabilities!


That gap is all the more glaring considering the hype and bluster about Kubernetes at the vSphere 7 and Tanzu product launches, coupled with VMware’s statement that containers are first-class citizens on its platforms and Kubernetes is the deployment methodology of choice.

The financial figure for the purchase has not been released, but in the grand scheme of how these things are counted, I cannot believe the purchase price was significant: not small by any means, but not eye-wateringly painful to the pocket.

As already stated, this acquisition neatly fills a gap in VMware’s growing security portfolio. VMware intends to combine Octarine with the Carbon Black endpoint protection it recently acquired for $2.1B and with its more generic AppDefense product, which protects virtual machines and containers. VMware also intends to bring the functionality of the Octarine platform to Tanzu Service Mesh, so that its network-based IDS can raise real-time alerts on attempts to breach microservices (an IDS detects and alerts; any blocking is a separate policy action driven by those alerts).

Octarine’s ability to report on unencrypted connections, internal lateral movement, and many other types of malicious activity will enable Tanzu users to create fine-grained, dynamic policies that automatically protect environments by restricting or isolating compromised microservices, reducing the risk of a cascading failure across working clusters.

Obviously, Octarine’s ability to protect both containers and virtual machines is another feather in the cap as far as VMware is concerned. This all ties into the vision of Pat Gelsinger (CEO, VMware), which he elucidated in March at the release of vSphere 7 when he stated that [VMware] is “out to change the security industry, [as] it’s broken and fragmented with too many vendors. We’re going to make it possible for applications to be born secure, live secure, and die secure”.

Summary


VMware has been very acquisitive in the last year or so. Unlike in the Maritz period, however, Gelsinger has been very focused on redefining VMware as a company and moving it into new market sectors. He took the Nicira acquisition, which could have been a big mistake, as it damaged what was at the time a very good relationship with Cisco, and turned the fledgling Network Services Business Unit into a $2B-a-year revenue generator from a standing start by FY 2019. He redefined the Cloud Business Unit by offloading vCloud Air to OVH, sold off other non-core products (Zimbra, anyone?), and then redefined the redefinition of the Cloud Business Unit when he brought Pivotal back in-house.

But the security division is his baby. VMware has never been seen as poor on security in the way Microsoft was, but it traditionally relied on third-party products to protect its environments, and any security products it had bought were badly integrated into VMware (remember vShield?). Over the last five years or so it has been quietly building up quite a decent portfolio of products, and now covers a large proportion of the infrastructure with services that slot in easily and are integrated into a common framework. Octarine is just the latest in a long line of security product acquisitions that is helping to secure VMware’s position as a vendor that cares about security. Pat Gelsinger joined a company that many were writing off as past its best and in its twilight years; however, during his time at the helm, it can be argued that VMware has never been more relevant.

The Cloud Act and What it means for you, or more importantly, me!

The CLOUD Act, or to give it its full nomenclature, the Clarifying Lawful Overseas Use of Data Act, has been signed into law by POTUS 45. This little act has been touted as an update to the ECPA, the Electronic Communications Privacy Act, and ostensibly this is the case. What is worrying, though, is the way it was signed into law as part of the Omnibus Spending Bill, without the oversight that a base privacy law should have been given. It feels like it has been smuggled through.

The Cloud Act: it’s MAD (Mutually Assured Data Access)

This is an act that has been praised by technology companies. The below is an excerpt from a joint letter from Apple, Google, Facebook, Microsoft, and Oath (the new name for Yahoo).

The new Clarifying Lawful Overseas Use of Data (CLOUD) Act reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data. Introduction of this bipartisan legislation is an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer.

And vilified by privacy and civil rights organisations. This is an excerpt of what the ACLU thinks of the law.

The CLOUD Act represents a major change in the law — and a major threat to our freedoms. Congress should not try to sneak it by the American people by hiding it inside of a giant spending bill. There has not been even one minute devoted to considering amendments to this proposal. Congress should robustly debate this bill and take steps to fix its many flaws, instead of trying to pull a fast one on the American people.

The Electronic Frontier Foundation also had a list of objections:

  • Includes a weak standard for review that does not rise to the protections of the warrant requirement under the 4th Amendment.
  • Fails to require foreign law enforcement to seek individualized and prior judicial review.
  • Grants real-time access and interception to foreign law enforcement without requiring the heightened warrant standards that U.S. police have to adhere to under the Wiretap Act.
  • Fails to place adequate limits on the category and severity of crimes for this type of agreement.
  • Fails to require notice on any level – to the person targeted, to the country where the person resides, and to the country where the data is stored. (Under a separate provision regarding U.S. law enforcement extraterritorial orders, the bill allows companies to give notice to the foreign countries where data is stored, but there is no parallel provision for company-to-country notice when foreign police seek data stored in the United States.)
  • The CLOUD Act also creates an unfair two-tier system. Foreign nations operating under executive agreements are subject to minimization and sharing rules when handling data belonging to U.S. citizens, lawful permanent residents, and corporations. But these privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation.

It seems there are two sides to this story, and they are diametrically opposed. Why would the technology companies be on one side of the fence and the civil rights organisations on the other, especially considering Google’s mantra of “Don’t be evil”? The wording of legal documents often causes this type of result: the intention is to be clear and leave little to no wriggle room for interpretation, but, as you can see, the act has been read completely differently by the two camps.

This post was previously published on http://www.tvpstrategy.com

—– Read More —–

Is Traditional IaaS Cloud a Dead Man Walking

Traditional IaaS cloud—whether AWS’s EC2, Azure’s offering, or even a private IaaS cloud running vCloud Director, vRA, or OpenStack, to name a few—is in trouble. Now, that sounds like quite a contentious statement to make, but I feel the writing is on the wall. “What?” you may ask. “How can you say that? There are many companies that have not even started their cloud journey, and surely IaaS is the first baby step in their travails.” Well, the answer to this is “yes and no.”

Early movers headed out on their journey unprepared, bright-eyed and bushy tailed, walking into their cloud migrations thinking only of up-front cost savings and believing the patter of the snake-oil salesmen. What is worrying is that, according to an IDG and Datalink survey in 2016, up to 40% of those early adopters have had buyer’s remorse and returned to their cozy data centers or colo sites. Why? Traditional IaaS is expensive. Moving to an infrastructure-only cloud is very expensive, and companies are used to being always on. They are comfortable with instant access to their data from anyplace, at any time, from effectively anywhere. You really cannot move to a subscription-based cost model on that basis.

Previously Published on TVP Strategy (The Virtualization Practice)


—– Read More —–

PERTH IS LOVELY TO VISIT, BUT IT’S NOT CLOUDY: SD-WAN TO THE RESCUE

On February 19, my colleague Edward Haletky wrote a piece on scale. In it, he highlights that scale is not just about 20,000 desktops and 3,000 virtual hosts. Rather, there are many other metrics that could and should be considered with regard to scale.

I am currently living in Perth in Western Australia. Perth holds a rather dubious record in that it is the most remote capital city in the world. “Wait, Canberra is the capital of Australia,” you might say, and you would be correct. However, Australia operates in a federal manner and is made up of states and territories, and Perth is the capital of Western Australia. Why am I saying all this? One word, really: cloud. Living in Perth, our nearest AWS, Azure, and GCP zones are in Sydney, 3,300 kilometers (2,000 miles) away on the east coast. Oracle Cloud? Again, Sydney. OVH? Yes, Sydney. SoftLayer? Wait, it has a zone in Melbourne, but that is still 2,700 kilometers (1,700 miles) from Perth. As you can see, we are quite isolated. Physics rather than doctrine limits Perth’s access to public cloud.

Previously Published on TVP Strategy (The Virtualization Practice)

—– Read More —–

PURE STORAGE DOUBLES DOWN ON VVOLS AND A FEW OTHER THINGS

For a long time, VVols have appeared to be a solution looking for a problem. For the uninitiated, we will first give a brief outline of what VVols are and identify the problem that they purport to solve. On the face of it, it is nothing more than the ability to do one VM to one datastore. However, it is much more than that. VVols are the logical extension of this paradigm in a modern environment. VVols allow for policy-based metrics to be applied to individual virtual machines rather than at a datastore level. Why could this not be done with traditional datastores? Quite simply, an ESXi host is limited to 256 LUNs. Now, this might sound like a lot, but consider that, with one VM per datastore and every host in the cluster needing to see every datastore, this would limit you to 256 guests per cluster if you wished to utilize vMotion or Storage vMotion. Not exactly optimal.

Previously Published on TVP Strategy (The Virtualization Practice)

—– Read More —–

BIG SWITCH NETWORKS EXPAND THEIR REACH, NOW WITH HCI INTEGRATION

Big Switch Networks, the Santa Clara–based software-defined networking company, has just released a new version of the Big Cloud Fabric product. Big Cloud Fabric, a software-defined networking product that has been on the market for over four years, is heavily integrated into VMware. For the uninitiated, its core pitch is that with its product, you can cut out proprietary networking gear, and that by using its software-based controller, coupled with low-cost white-box servers and switches, networks can be provisioned, orchestrated, and configured programmatically.

Out of the box, it has many advanced features. Unlike NSX, it has a real physical presence. Unlike ACI, it has a real virtual presence. It plays nicely with both. Its data layer can be deployed on Open Networking white boxes from Dell EMC and Edgecore and on the HPE Altoline family of equipment. Its Big Monitoring Fabric product is a Womble product; it monitors “overlay, underlay—so your packets roam free.”

Role-based access can give VM admins and storage admins the ability to push VMs directly on the network. Yes, you can do this with other products, but there are no Band-Aids™ or shoehorning of square pegs into round holes.

Previously Published on TVP Strategy (The Virtualization Practice)

—– Read More —–


Managing a Multicloud

There is no denying that the future of cloud is not just with a single provider, capable as Azure, AWS, and the other public providers are. For true data protection, your information needs to be in three separate locations, and with the rise of data sovereignty, there is a need for data to be kept within the boundaries of a nation-state. GDPR will place other obligations on companies and their data compliance. Smaller countries will suffer more than larger ones, which have multiple regions and zones per country per cloud provider. Smaller countries like the UK will have problems, as a single provider will not have three regions for true resiliency. Microsoft, for example, will have two regions in the UK for Azure (London and Cardiff) and two for Office 365 (Durham and London). Amazon will only have a single AWS region: London. (Europe retains Frankfurt, Ireland, and Paris.) The other public cloud providers do not fare much better. Post-GDPR, data sovereignty will be front and center. So, what exactly can you do if you want, need, or desire to be totally in the public cloud: sell to your customers in Europe and the world and not fall foul of transnational data-protection laws? A multicloud may be the answer.


Let’s look quickly at the main market providers: India, China, and the US. How can they remain compliant?

Previously Published on TVP Strategy (The Virtualization Practice)

—– Read More —–

WHAT EXACTLY IS ARTIFICIAL INTELLIGENCE?

The world is abuzz with rhetoric about artificial intelligence and machine learning. These terms appear to be used interchangeably, and the perception that they are the same thing can lead to confusion. So, what are the differences?

First, let’s consider what AI is not. It is not Skynet (yet), and it is not HAL 9000 (yet), although sometimes IBM Watson appears to be getting there.


In the broader sense of the term, artificial intelligence is the concept of computers dealing with situations related to data and figuring out for themselves the best way to do something, or improving on a method for undertaking a task. Machine learning is the current top of the pile in AI techniques.

So, basically, AI is an all-encompassing term for algorithms that look at data. However, this is too simplistic an idea.

Previously Published on TVP Strategy (The Virtualization Practice)

—– Read More —–

OVERLAY, UNDERLAY, PACKETS FLOW FREE. IS SDN GOING TO TAKE OVER THE WORLD?

A software-defined network: is it an evolution or a revolution in networking? The hype around SDN has been with us for several years, but as yet it does not seem to have gained much traction outside of the MSPs and Fortune 500 companies with regard to SDN, and the telcos with regard to SD-WAN. When, if ever, will the SDN meltwater reach the fertile plains of the LME?


For this, we really need to look to history.

Previously Published on TVP Strategy (The Virtualization Practice)

—– Read More —–

Are We Ready for SDN?

SDN, or software-defined networking, is taking over the world—or at least if you listened to the marketers for the main purveyors of SDN and its cousin SD-WAN, you would think so. In fact, if you just listened to the marketers, you would be feeling pretty inadequate with your local data center; your physical network with its physical firewalls, load balancers, and VPN endpoints; and the rest of the vast plethora of networking tools that keep your corporate IT running smoothly. OK, maybe not smoothly, but well enough to make sure that your company can keep the lights on and pay your salary at the end of the month.

There is no denying that SDN products like NSX from VMware, ACI from Cisco, and those from Big Switch Networks are fully capable of delivering value and simplifying administration, but the fact remains that SDN is not ubiquitous in the networks of businesses around the world.

Previously Published on TVP Strategy (The Virtualization Practice)

—– Read More —–