I recently got the chance to attend an analyst briefing held by VMware senior executives, where I learned a lot about the company’s overall strategy and progress. This is a big time for VMware, and the tech industry in general, with more people working remotely than ever before in order to minimize the spread of COVID-19. Unprecedented strain has been put on networks. Certain technology trends, such as the use of VDI and unified communications platforms, are accelerating. As a provider of cloud computing and virtualization software and services, I believe VMware’s portfolio and expertise puts it in a unique position to ensure enterprises’ business continuity. Paramount to this continuity is cybersecurity, as cybercriminals all over are doubtlessly salivating over the buffet of new endpoints to exploit. As such, I was thrilled to see the efforts Sanjay Poonen, VMware’s Chief Operating Office, put into explaining VMware’s bold, broad security strategy. Poonen has been leading and transforming VMware’s Security strategy over the course of the last year. Today I wanted to share some of the things I learned. Let’s dive in.
Figure 1: Momentum
VMware has been making great efforts to expand into the role of a cybersecurity provider, which it considers an “adjacent” space to the areas it has long played in. To explain VMware’s unique security value prop, Poonen referred us to the slide above. The cybersecurity space is extremely fragmented, with around 5,000 different vendors, across many categories. This creates huge headaches for CISOs who are left to stitch together, potentially, 100 disparate offerings from different vendors. In my dealing with CISOs, they explain that integrating different products has become so complex, they are woefully behind on the newer, more secure “bits”.
Figure 2: The old way of doing things (below) versus VMware's vision (above).
Poonen used the helpful analogy of seeing a doctor who prescribes you 5,000 different vitamin supplements to stay healthy. Obviously, nobody is going to do that—instead, we choose to adopt a diet of grains, vegetables, fruit, and proteins that fulfills most of those needs.
In short, the cybersecurity market is fragmented, bolted-on, siloed, and as it traditionally existed, threat-centric—rather than built-in, unified and focused on the context of protecting of apps and data. VMware’s Intrinsic security vision aligns with the latter. Poonen referenced the trend of traditional security vendors getting “stuck” once they reach a certain size and not being able to expand into the other areas of cybersecurity (Symantec, for example, which hit a wall when it hit the $2.5 billion revenue mark, and got sold to Broadcom). I believe VMware’s size and scale gave it an opportunity to move fast and build a security franchise group capable of delivering a more unified vision. And so, VMware set out on a mission to integrate security into all layers of infrastructure, from the cloud layer, to the application layer, to the device layer.
Poonen identified several areas it wanted to “go deep” on and guide its security efforts over a 3 to 5-year roadmap. First, the Network. VMware got into the network game with its acquisition of Nicira back in 2012, and since then has grown its business into a sizable revenue base from around 15,000 customers. Of the various use cases within this business, Poonen said around 40% are “increasingly” becoming about security. He acknowledged Cisco’s overall primacy in the network space, but made the case that VMware’s software-defined, security-focused strategy gives it an opportunity to become the prominent player in network security – across data-center networking, firewalls, load-balancers and SD-WAN —a $30 billion TAM, double what it was 3 years ago. Network security comprises the biggest area of enterprise security spend—which makes it a big opportunity for VMware. This is illustrated in the diagram below.
Figure 3: VMware's strategy in Network Security – to target the full $30B TAM in these four ... [+]
That brought us to the topic of Endpoint Security, the second biggest area of security spend. VMware’s approach separates this into two distinct areas—the endpoints that touch the device, and the endpoints that touch the servers and workloads, both on-prem and in the cloud (e.g. containers). VMware’s Workspace One offering covers endpoint management of all client endpoints, and thanks to the offering’s large footprint, it has become the de facto leader in management of those devices. Another aspect to VMware’s endpoint security strategy is Carbon Black, VMware’s new cloud-native endpoint protection platform, which it acquired (along with the security vendor of the same name) last fall. Dell and Secureworks announced a preferred relationship with Carbon Black, replacing Cylance and CrowdStrike, as its endpoint security solution on Dell client laptops. Recently, VMware also announced the acquisition of Octarine, a startup in container security too, that will be added to the Carbon Black platform.
Figure 4: VMware's recently integrated Carbon Black security cloud and its many capabilities.
In the realm of identity, Poonen says VMware does 20-30% of the area itself (such as single sign-on and some the authentication features), while also partnering heavily with Microsoft Azure AD and Okta, who in turn reciprocate by partnering with VMware’s solutions. OKta recently designated VMware as their preferred endpoint security solution partner.
VMware also partners heavily in cloud security, but it does employ some of its own capabilities like Secure State that is part of CloudHealth. These include cost management and compliance/security solutions in areas like cloud security posture management. Poonen said VMware is experiencing good momentum in this area, with a surge in interest since the big Capital One breach of 2019. For all of this, Poonen says VMware is not seeking to be a web gateway—for that, the company partners with Zscaler and Netskope. These partners, in turn have designated VMware their preferred security partner in areas such as SD-WAN by Velo Cloud and endpoint security.
The last area of security Poonen discussed was analytics, where he said VMware’s large-scale telemetry capabilities gives it an impressive data lake to mine for security insights via AI and behavioral analytics. Poonen cited this data lake as a major differentiator from the other point security players in the industry (another case in which VMware’s scale and size enables it to succeed where others have not). He shared that he expects VMware to partner with software security players such as Splunk, IBM Security, Google Chronicle, Sumo Logic and Exabeam on the analytics side of things, since VMware already closely integrates with them. VMware recently announced a SOC Alliance with these 5 players.
Wrapping up
All in all, I feel very good about VMware’s Intrinsic security strategy as it was laid out in the analyst briefing. I think its holistic approach is right in line with its often-stated overall goal as a company: to enable customers to build, run, manage, connect, and protect any application, on any cloud, on any device.
I believe it has the portfolio to compete directly in network and endpoint security and knows which areas to partner in so that all bases are covered. Of the company’s $10.8 billion in revenue last year, approximately $1 billion was security-related (predominately network security and endpoint security). I expect that share to grow. Time will tell, but I believe that VMware has the scale and size to pull off this, frankly, disruptive vision of a unified, built-in, context-centric security framework. And CISOs and businesses will be all the better for it.
Note: Moor Insights & Strategy writers and editors may have contributed to this article.
Disclosure: Moor Insights & Strategy, like all research and analyst firms, provides or has provided paid research, analysis, advising, or consulting to many high-tech companies in the industry, including Amazon.com, Advanced Micro Devices, Apstra, ARM Holdings, Aruba Networks, AWS, A-10 Strategies, Bitfusion, Cisco Systems, Dell, Dell EMC, Dell Technologies, Diablo Technologies, Digital Optics, Dreamchain, Echelon, Ericsson, Foxconn, Frame, Fujitsu, Gen Z Consortium, Glue Networks, GlobalFoundries, Google, HP Inc., Hewlett Packard Enterprise, Huawei Technologies, IBM, Intel, Interdigital, Jabil Circuit, Konica Minolta, Lattice Semiconductor, Lenovo, Linux Foundation, MACOM (Applied Micro), MapBox, Mavenir, Mesosphere, Microsoft, National Instruments, NetApp, NOKIA, Nortek, NVIDIA, ON Semiconductor, ONUG, OpenStack Foundation, Panasas, Peraso, Pixelworks, Plume Design, Portworx, Pure Storage, Qualcomm, Rackspace, Rambus, Rayvolt E-Bikes, Red Hat, Samsung Electronics, Silver Peak, SONY, Springpath, Sprint, Stratus Technologies, Symantec, Synaptics, Syniverse, TensTorrent, Tobii Technology, Twitter, Unity Technologies, Verizon Communications, Vidyo, Wave Computing, Wellsmith, Xilinx, Zebra, which may be cited in this article.
