For VMware, the next big frontier is in helping customers guard their apps against hackers and other bad guys.
At this week’s RSA Conference, the premiere conference for the world of cybersecurity, the $69 billion cloud software company announced the VMware Service-defined Firewall — a rethinking of the traditional firewall, aimed at helping companies solve the problem of protecting software when it’s hosted across multiple servers and clouds.
VMware CEO Pat Gelsinger tells Business Insider that this firewall is a big part of the company’s renewed focus on cybersecurity as a central part of its mission — regardless of which clouds or devices customers’ are on.
“We’re the company that makes [cloud infrastructure] okay for our customers, makes it more efficient, scalable, et cetera,” says Gelsinger. “but we’ve never until the last couple of years really said, ‘Hey, we can now start changing the security dialogue in a fundamental way.'”
That means changing the way VMware talks to customers. While the company has long held a good relationship with developers and IT departments, the company has had to learn to talk more directly to the Chief Information Security Officer (CISO) and other decision-makers in the security organization.
“You know, yeah, [IT admins] made their career on us. They believe in us,” says Gelsinger. “But he’s not the guy making the security decisions, right? Right now we have to get him walking down the aisle to the CISO.“
The opportunity is also the challenge, says Gelsinger: It has to learn how to bring that IT admin and the CISO onto the same page — which is not always easy, given their very different priorities.
“We’ve really come to believe that the only way you solve this is by bringing these two worlds together in a fundamentally different way than has been the case,” says Gelsinger.
A new kind of firewall
Take, for example, this new VMware Service-defined firewall, which will compete with the likes of Cisco and Palo Alto Networks in the network security business.
In the old days, a firewall was designed to protect a company’s internal networks from outside intrusion. But things have changed: Any single piece of software might need to connect to the cloud (or multiple clouds), to smartphones, even to industrial robotics or self-driving vehicles. It’s pointless to secure the network’s perimeter, suggests Gelsinger, when a company’s own software is barely within it.
VMware’s new firewall, rather, focuses on protecting an application, no matter where and how it’s running, integrating with the VMware software that its customers are already using to power their cloud infrastructure, Gelsinger says.
That makes it easier for the developer and the CISO to work together, says Gelsinger: It means that the security is already baked in, making life that much easier for the CISO. Plus, Gelsinger says, it means that VMware customers can start cutting down on security products (Gelsinger says this can get up into the hundreds), only using just a few.
Conversely, Gelsinger says that the CISO’s office needs to have a good understanding of modern cybersecurity. He provocatively suggests that companies should “fire” their security teams until they prove that they can build an app, too — as an exercise in demonstrating that modern cybersecurity isn’t quite that easy for developers.
In general, he believes that the whole IT industry, beyond just VMware, needs to shape up on cybersecurity, as hacking attacks and the spread of malware prove that there’s much work to be done. He says that at VMware, getting serious about cybersecurity has meant doubling down on testing, validating, and fixing its software on the fly. It’s worth it, he says, but he likens it to going to the gym — it’s the work you have to do to get stronger.
“Those are new muscles for us to build,” says Gelsinger. “That’s why I think some of it is painful.”