In my last blog, I wrote about what I was anticipating as far as cybersecurity for VMworld. Now that I’m back from Vegas, it’s time for me to report on how reality aligned with my expectations.
- NSX penetration. It seems like VMware has made progress in terms of NSX market penetration over the past year. At VMworld 2015, VMware talked about around 1,000 production environments for NSX while at VMworld 2016, VMware mentioned somewhere between 1,700 to 2,000 production NSX customers. Still a small percentage of the total VMware installed base but at least 70% growth year-over-year. Yes, some of these customers are likely just getting started or are using NSX on an extremely limited basis, but I still see good progress happening as more and more organizations begin playing with and using NSX. VMware describes three primary uses for NSX: Disaster recovery, security, and network operations automation. It is worth noting that around 60% to 70% of NSX deployment is skewed toward security use cases.
- NSX+? VMware intends to extend NSX support to non-VMware environments like AWS and Azure. Good for VMware but I’m not at all convinced that this strategy will gain market traction. Of course, organizations that anchor their IT infrastructure with VMware and only dabble with public cloud services may find a VMware-centric management plane attractive, but many large enterprises I speak with are approaching cloud computing in a decentralized fashion with different groups using different cloud platforms. I’m finding that organizations with this type of cloud heterogeneity prefer to rely on their current security vendors (i.e., Check Point, Fortinet, Palo Alto Networks, etc.) for end-to-end security across physical, virtual, and cloud IT infrastructure, or choose a third-party software-based security technology (i.e., Guardicore, Illumio, vArmour, etc.) for the whole enchilada. In my humble opinion, this means that heterogeneous NSX security support will be a tough sell for VMware regardless of the strength of its underlying technology.
- VMware security relationships. The good news is that VMware’s security relationships seem quite strong as the cybersecurity industry was well represented at VMworld and the vendors I spoke with said that they are seeing growing demand and new opportunities for NSX security. The bad news (for VMware, anyway) is that most if not all of these vendors have no real allegiance to VMware and will gladly sell their wares on KVM, OpenStack, or SoftLayer. So VMware is kind of on its own to evangelize NSX security. On another note, a number of pure-play security vendors complained that VMworld doesn’t draw a security crowd so they wonder whether it was a worthwhile marketing investment in the future.
- VMware NSX security sales and marketing. I spoke to a number of organizations using NSX for security. While still pricey and somewhat complex, cybersecurity professionals whose organizations have adopted NSX remain extremely positive as NSX security can help them do extremely efficient and effective network segmentation. Sophisticated shops also understand how to use NSX for data center defense in depth that also includes virtual network controls for threat management (i.e., firewalls and gateways from the vendors mentioned above), along with NSX/ESX friendly endpoint security controls from vendors like Kaspersky Lab and Trend Micro.
In spite of this goodness, there is still way too much confusion in the market about what NSX does and doesn’t do. Many users complain that VMware still pitches NSX as a “boil the ocean” network virtualization solution rather than working with them to define specific security use cases like NSX for PCI compliance. This market confusion hinders NSX penetration and opens the door for competitive alternatives (Cisco ACI, Nuage Networks, third-party micro-segmentation, etc.). To overcome this situation, VMware needs to invest in go-to-market initiatives that speak the language of cybersecurity rather than rely on broad brush computer science messaging or Silicon Valley hype.
In summary, VMware has a good thing going with NSX security from a technology (and customer) perspective but continues to have a number of remaining challenges in terms of sales and marketing.
If I were Pat Gelsinger, I’d develop entry-level NSX security pricing and packaging to goose the cybersecurity pipeline and add resources with strong security chops to help organizations understand where NSX security adds short-term value, offer services for planning and deployment, and work with customers on phasing in more NSX security over the next few years. If VMware takes a “land grab” mentality, it may be able to establish NSX as a foundational technology for cloud security. If it does not, NSX will slowly become a network security option in the VMware installed base over time.