AWS Snowball Edge And Hyper Converged Infrastructure Will Revolutionize Global Enterprises

The recent announcement by Amazon AWS of a portable Snowball EC2 compute platform represents a significant advance in hybrid cloud/data center computing. When combined with a Hyper Converged Infrastructure (HCI) super computer and a Zero Trust Network, enterprises across a broad range of vertical markets can transform their operational model.

1st Generation Hybrid: Two-Stack Architecture

The 1st generation of hybrid cloud/data center was characterized by a two-stack design with legacy apps in the data center and new apps in AWS. Application developers loved the idea of experimenting with AWS Marketplace, but the IT department didn’t like the fact that apps could not be ported back into their data center. Additionally, the two-stack architecture suffered from disaster recovery and security issues if there was a cloud outage.

VMware noticed the issues IT departments were having with 1st generation hybrid environments and offered vSphere in AWS. VMware's solution improved load balancing and disaster recovery for legacy applications, but it didn’t address the problem of AWS app portability. Thus many global-scale enterprises waited on the sidelines for something better.

2nd Generation Hybrid Infrastructure: AWS Snowball Edge + HCI Super Computer

The recent announcement of Snowball Edge by AWS represents a significant advance in hybrid infrastructure. For the first time, enterprises can run apps using AWS software logic on a "physical" EC2 instance inside their data center. When combined with a Petaflop-scale Hyper Converged Infrastructure (HCI) super computer, enterprises can operate a common application environment for legacy and new AWS apps across the data center and cloud infrastructure.

The image below shows a high level architecture of a 2nd generation hybrid compute architecture. The Snowball Edge in the data center allows enterprises to run software with embedded AWS logic outside the cloud. To allow enterprises to run legacy as well as compute intensive applications like machine learning, a high performance Hyper Converged Infrastructure (HCI) super computer is paired with the Snowball Edge. In the AWS cloud we have the enterprise’s VPC as well as its vSphere environment. Connecting the data center and AWS environments can be any combination of broadband satellite, SD-WAN or VXLAN/MPLS.

One of the challenges with such a fluid architecture is routing users to the correct Secure Enclave and blocking self-propagating malware. An SDP-based (Software Defined Perimeter) Zero Trust Network ensures that users are only connected to authorized applications, irrespective of where the workload sits. Unlike standard VPNs, SDP blocks self-propagating malware from moving through the hybrid compute environment by locking down physical and virtual network interfaces.

Some of the new technical capabilities of a 2nd generation hybrid cloud include:

Workload optimization: While EC2 is great for the majority of workloads, sometimes a super computer is better for applications needing millions of I/O operations per second. A 2nd generation infrastructure allows hyper-scale computing across super computing and cloud fabric for large data set machine learning or Smart Cities IoT management applications.

Partitioned Compute: The partitioning features of Snowball Edge and a Hyper Converged Infrastructure (HCI) allow for the creation of Secure Enclaves that can only be accessed by authorized users after their compute device has been remotely attested by a Zero Trust Network. Lateral movement within the hybrid environment is blocked using encrypted APIs.

Disaster Recovery: A pure cloud-centric enterprise is a great idea, except if one loses access to the cloud or it is down. The Snowball-HCI combination allows enterprises to have true active/active redundancy that is synchronized in real time.

Micro Data Center: One interesting aspect of the Snowball-HCI super computer combination is that you can have a two-box data center! The small footprint of a Micro Data Center opens the door to edge computing in a broad range of vertical market applications where installing racks of gear is impossible.

Vertical Market Applications

In addition to improving cost structure and functionality for enterprises, 2nd generation hybrid computing holds the promise to revolutionize vertical markets:

Finance & Healthcare: Financial and medical institutions have strict requirements on encryption and access control for regulated data that make it difficult to utilize a public cloud. The 2nd generation hybrid infrastructure provides regulated entities a way to develop business logic in AWS marketplace while processing sensitive data on a Hyper Converged Infrastructure (HCI) at their data center.

Energy & Transportation: Energy and transportation companies build expensive satellite networks to backhaul telemetry to centralized data centers. 2nd generation hybrid compute can reduce the need for expensive satellite communications by processing data in Micro Data Centers. Moreover the integrated security and intelligence of a Micro Data Center edge node allows for load balancing across multiple satellite providers to improve redundancy and cost structure.

Emergency Services: A hurricane, flood or earthquake can easily destroy the communications and compute infrastructure of a whole region. The autonomous operational capabilities of a Micro Data Center, combined with 4G coverage and broadband satellite, allow emergency personnel to "light up" impacted areas within 48 hours of an event. Moreover, the ability to ingest live video feeds from drones and helicopters and fuse them gives on-site personnel improved situational awareness.

Smart Cities: Looking to the near future, the collection and processing of Petabyte-scale IoT sensor data is the single biggest challenge for Smart Cities. The massive data that energy, transportation and environmental sensors generate will overload any compute or network infrastructure. In contrast, 2nd generation architectures provide a high performance distributed compute model where IoT sensor data is first processed at Micro Data Centers and then transferred to centralized management systems. Additionally, the Secure Enclave features of 2nd generation infrastructure can be used to remove personally identifiable information while retaining the relevant data, ensuring Smart Cities don’t become a giant surveillance system.

The ability to mix and match applications in a 2nd generation hybrid infrastructure frees enterprises to provision the optimal combination for each project, thereby reducing cost and improving agility. Moreover, the ability to operate in a completely disconnected autonomous mode simplifies disaster recovery.

Technologies To See At DoDIIS

The DoDIIS Conference is almost upon us. August 12-15, 2018, members of the defense intelligence community will gather in Omaha for several days to listen to the latest in mission needs and requirements from key government leaders and to witness demonstrations of cutting edge IT on a very well attended expo floor.

If you have not registered to attend yet do so now here: 2018 DoDIIS Worldwide Conference

One of the challenges we have mentioned before is the overwhelming amount of innovation that will be on the expo floor. We recommend everyone put thought into who to spend time with before the event. We recommend reviewing the full list of exhibitors to get a gist of who is going to be there, then refine your intent on who to spend time with by considering your requirements and how these firms might potentially address them. It is also important to build in time for serendipity of course, but a bit of planning in advance can make this a much more productive conference.

As another input to your planning, we reviewed every company with an eye towards potential positive/disruptive innovation in national security missions, to give you an idea of where you should spend your time. The list of who you see should be shaped by your own requirements of course, but we have a list below that may help. The list below contains the tech firms we want to bring your attention to. In my view they are coming with innovations that could be very positive for the many important missions of defense intelligence.


The CTOvision List Of Must See Tech At DoDIIS

  • Alteryx: We like Alteryx for their focus on ease of use for business intelligence use cases, especially around self-service data analytics.
  • Amazon Web Services: We all know them but with their continuous innovation it is important to track the latest. Ask them about Kinesis for data and video.
  • Appian: They enable any company to be a software company. Would love to see more of this in government agencies.
  • Atlassian: Every developer seems to love them, largely because they remove friction in fielding real capabilities. Great collaboration for techies.
  • Attivo Networks: Advanced deception technology.
  • Anomali: Threat intelligence identifying threats to networks.
  • Basis Technology: Continues to innovate around language.
  • Blue Prism: Pioneers in robotic process automation and digitizing.
  • Bricata: Innovative next generation intrusion prevention, detection and response.
  • Carahsoft: Removing friction for government decision-makers. See them at DoDIIS for access to hundreds of great technologies.
  • Cloudera: The absolute leader in fielding enterprise data solutions that scale and operate at speed. Modern platform for machine learning and analytics optimized for the cloud.
  • Data Robot: Automating tasks for data scientists. Great capability.
  • Fidelis Cybersecurity: Providing a new platform to detect, investigate and stop advanced cyber attacks.
  • Palantir: Transforming the way organizations use data.
  • Percipient.ai: Artificial Intelligence for national security missions.
  • PFP Cybersecurity: If you want to make it hard on nation states trying to hack you, use these guys.
  • Recorded Future: Fast insights into cyber threats put in context of your enterprise needs.
  • VMware: Accelerating digital transformation for the enterprise.


By the way, we track these and many other hot technology firms in the CTOvision Disruptive Technology Finder. Use that to kickstart your market research.

VMware: A Tech Titan And Leader In Cloud Infrastructure and Digital Transformation

Everyone has heard of VMware. But the firm has become so very capable that it is easy to misunderstand it. Their roots are in virtualizing operating systems on servers. But through innovation, acquisition and a focused strategy of improvement they have gone far beyond that. VMware provides enterprises with a way to better manage internal IT resources, better manage internal clouds, better manage public clouds, and orchestrate workloads over all those systems. They provide ways to more smartly store and secure data.

All indications are that their investment in R&D for enterprise solutions will continue which means innovation will continue.

From their website:

This year, VMware celebrates 20 years as an industry pioneer. When the company launched in February 1998, we transformed the data center forever by mainstreaming virtualization, the core principle of cloud computing. Twenty years later, we remain just as focused on innovating in everything we do, and committed to solving the most difficult technology problems for our customers. We apply the same principles of virtualization and software innovation to securely connect, manage and automate the world's complex digital infrastructure. And there's so much more to come.

We see opportunity to apply those principles to growing technology areas like IoT, edge computing, and AI, amongst others. We are optimistic about the power of technology to be a force for good, with the potential to solve the big societal problems of today and tomorrow. Software, as we see it, has the power to transform business and humanity. 

For more see: VMware.com

Microsegmentation – Secure Your Internal Network

Microsegmentation - Bigger, Better than Segmentation?

Vendors of Microsegmentation such as Cisco and VMware state that traditional perimeter defenses, akin to medieval castle walls, no longer work. The problem is that threat actors are able to get through the castle gates (firewalls) and, once in, are able to evade the castle guards (IPS). Then threat actors can wander around freely to plan their attack, evading the King’s soldiers (IDS). Microsegmentation will fix this.

As I see it, the problem is that a perimeter defense never worked, not in medieval times, and certainly not today.

Image: Edinburgh Castle Flying the British Flag

If we look at some of the greatest walls in history, we see how true this is. The old Scottish city of Edinburgh was built on top of a giant rock, rising 260’ up into the air. On top of the rock they built high stone walls, enclosing the Old Town. Looking at Edinburgh Castle, it’s hard to imagine that any invader could penetrate its defenses, especially as inside were hordes of Scotsmen, the fiercest fighters in the world. I am sure you are familiar with the famous saying, “if it’s not Scottish…it’s crap!” But when the English attacked Edinburgh the siege didn’t last six months…or a month…only four days. And the English took over Edinburgh not just once but four times.

Microsegmentation is supposed to be a continuation of segmentation. So if segmentation is good, is Microsegmentation better?

Cisco explains that normal segmentation is very coarse and is often only done at the subnet level. Their other complaint is that segmentation primarily protects north-south traffic. The argument is that today, with the expansion of n-tier distributed systems and massively parallel architectures, east-west traffic has increased exponentially. Threat actors, they say, now primarily travel east-west.

The problem I have with these statements is that every network engineer I know segments their network more than just at the subnet level, and their segmentation is not limited to just north-south traffic. Since 2000, secure networks have been built by segmenting traffic at the switch port level from server to server, radically limiting east-west traffic. This approach, combined with a practice known as zero trust, is very effective, but it is a manual, static, and labor-intensive process.

The idea behind this type of segmentation was that we knew it was impossible to stop all intruders, so it made sense to segment the network so that only white-listed traffic flowed on any segment. Zero trust in my mind doesn’t really mean “trust no one” because then you would have no traffic on your network. A better description is “Trust who you know and no one else.” By controlling traffic east-west, it was possible to slow down attackers, like pouring molasses on the floor. Attackers would either be so frustrated they would just leave, or they would be moving so slowly we could catch them.

The idea of “zero trust” is important. I once asked a famous mountaineer why he cut his toothbrush in half, noting “That can only save ½ ounce.” The mountaineer smiled. “Sure. But it reminds me while I am packing to leave out everything unnecessary. Cutting my toothbrush in half typically lightens my pack by 10 pounds!”


Today, most open systems, servers, routers, and switches ship with all the security controls open. It is up to the admin to lock down every port and access control that isn’t needed. This process is often known as “hardening.” It is a tedious and error-prone process. Some systems like FreeBSD ship with everything locked down; admins open up only what they need. While this approach is initially more work, it ultimately provides a more secure network and is easier than coming back later and closing up all the holes.

Image: Microsegmentation for Dummies

Microsegmentation brings three important things to the table: 1) support for network virtualization; 2) support for software defined networking; and 3) automation. Microsegmentation enables administrators to move from a manual, static, tedious process to a dynamic automated system. It enables Internet at Scale.

Microsegmentation for Dummies is a great read. While it’s written by VMware, it is by no means specific only to VMware and NSX. The book provides a really good background on the problem and covers all the new concepts used in Microsegmentation.

Persistence is an important concept in Microsegmentation. Working with virtual machines, virtual networking, and software defined networking, you can leverage automation to achieve all the benefits of segmentation without creating all the manual ACLs. You can create policies that are attached to workloads. Policies follow applications, databases, and web servers. Persistence means that virtual machines can move dynamically while the policies follow the workloads. This is something you can’t do with static network ACLs at layer 2.

Ubiquity is a new idea in Microsegmentation, and a very important concept in security. Conventional wisdom has been to create different security levels for different applications. Initially this makes sense. Someone getting a library card doesn’t need the same security as someone getting food stamps, who doesn’t need the same security as someone getting Medicaid, who certainly doesn’t need the same security as a brokerage account holding your IRA. But this traditional model suffers from the same problem as coarse segmentation. Threat actors move east-west, not north-south. If you start issuing low levels of security, threat actors get the easy entitlement and then work their way up the chain to escalate their privileges. Ubiquity says that you start with the highest level of security possible and apply that to everything.
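As an added illustration of the persistence and ubiquity ideas above (this is not code from the book or from VMware, Cisco, Illumio or vArmour), the Python sketch below models a label-keyed, default-deny allow-list policy that stays attached to a workload when its IP address changes, beside the static IP ACL it replaces. The workload names, labels and addresses are constructed for the example.

```python
"""Label-based microsegmentation policy engine (constructed illustration).

Demonstrates "persistence": policy is keyed on a workload's labels, so it
survives a VM move that changes its IP, where a static ACL goes stale.
Also demonstrates "ubiquity": one default-deny posture applied to every
workload, so east-west peer traffic is blocked unless explicitly allowed.
Not the code of any vendor named in the text.
"""
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    ip: str
    labels: dict  # e.g. {"app": "shop", "role": "web"}


@dataclass
class Rule:
    src: dict   # label selector the source workload must match
    dst: dict   # label selector the destination workload must match
    port: int
    proto: str = "tcp"


def selector_matches(selector, labels):
    """A selector matches when every key/value it names is present in the labels."""
    return all(labels.get(k) == v for k, v in selector.items())


class PolicyEngine:
    """Allow-list engine: a flow is permitted only if some rule matches both endpoints."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.by_ip = {}  # current address -> Workload

    def register(self, wl):
        self.by_ip[wl.ip] = wl

    def migrate(self, name, new_ip):
        """Move a workload to a new address; its labels, and so its policy, travel with it."""
        wl = next(w for w in self.by_ip.values() if w.name == name)
        del self.by_ip[wl.ip]
        wl.ip = new_ip
        self.by_ip[new_ip] = wl

    def allowed(self, src_ip, dst_ip, port, proto="tcp"):
        src, dst = self.by_ip.get(src_ip), self.by_ip.get(dst_ip)
        if src is None or dst is None:
            return False  # unknown endpoint: default deny, no implicit trust
        return any(selector_matches(r.src, src.labels) and selector_matches(r.dst, dst.labels)
                   and r.port == port and r.proto == proto for r in self.rules)


def static_acl_allows(acl, src_ip, dst_ip, port):
    """The traditional alternative: an ACL keyed on fixed addresses."""
    return (src_ip, dst_ip, port) in acl


def demo():
    """Walk a web tier and a database tier through a VM migration; returns the decisions."""
    rules = [Rule(src={"app": "shop", "role": "web"}, dst={"app": "shop", "role": "db"}, port=3306)]
    engine = PolicyEngine(rules)
    for wl in (Workload("web-01", "10.0.1.10", {"app": "shop", "role": "web"}),
               Workload("db-01", "10.0.2.20", {"app": "shop", "role": "db"}),
               Workload("web-02", "10.0.1.11", {"app": "shop", "role": "web"})):
        engine.register(wl)
    acl = {("10.0.1.10", "10.0.2.20", 3306)}  # the same intent written as a static IP ACL
    out = {
        "web_to_db_sql": engine.allowed("10.0.1.10", "10.0.2.20", 3306),    # True
        "web_to_db_ssh": engine.allowed("10.0.1.10", "10.0.2.20", 22),      # False: not on the allow-list
        "db_to_web_sql": engine.allowed("10.0.2.20", "10.0.1.10", 3306),    # False: rules are directional
        "web_to_web_sql": engine.allowed("10.0.1.10", "10.0.1.11", 3306),   # False: east-west peer traffic
        "static_before": static_acl_allows(acl, "10.0.1.10", "10.0.2.20", 3306),  # True
    }
    engine.migrate("web-01", "10.0.3.50")  # VM moved to a new subnet, labels unchanged
    out["web_to_db_sql_after_move"] = engine.allowed("10.0.3.50", "10.0.2.20", 3306)  # True: policy followed
    out["static_after_move"] = static_acl_allows(acl, "10.0.3.50", "10.0.2.20", 3306)  # False: ACL is stale
    return out


if __name__ == "__main__":
    for decision, verdict in demo().items():
        print(f"{decision}: {verdict}")
```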


Microsegmentation Vendors

Cisco and VMware are the big boys on the block, and provide complete Microsegmentation strategies, but smaller vendors like Illumio and vArmour provide some excellent solutions as well.


If you are a VMware shop, then their version of Microsegmentation is for you. VMware leverages their entire NSX infrastructure and their proprietary software defined networking to make segmentation effortless. It’s all built into the infrastructure. You can create dynamic policies that follow your workloads. It’s a beautiful thing. But remember that their solution is designed for the VMware hypervisor and virtual networking.

Cisco Microsegmentation is part of a bigger strategy. Cisco ACI, or Application Centric Infrastructure, is key to their Microsegmentation strategy. It allows policies to separate segments from broadcast domains. It uses a new construct they call End Point Groups (EPG). This allows designers to build groups of end points regardless of IP address or subnet. Cisco EPGs can contain a physical server, a virtual machine, a Linux container, or even a mainframe. This makes the solution very flexible and vendor independent.

The components of Cisco’s Microsegmentation include their line of virtual switches, ACI, EPG and APIC, Cisco’s Application Policy Infrastructure Controller.

Illumio Adaptive Security Platform

Illumio doesn’t bill themselves as a Microsegmentation vendor, but their adaptive security platform delivers all the benefits users are looking for in segmentation. Their goal is specifically to address the problems with a perimeter security strategy, control east-west traffic, and protect end points.

Illumio’s Virtual Enforcement Node (VEN) and their Policy Compute Engine (PCE) implement dynamic automated policies that protect traffic to and from virtual machines, bare metal servers and the cloud.

Illumio is vendor independent, supporting VMware, KVM, Xen and Hyper-V hypervisors, bare metal servers, private data centers, public clouds like Amazon, all versions of Windows and virtually every major flavor of Linux.


vArmour wants you to know that Microsegmentation is not easy. In fact, they advertise four major pitfalls. But they offer a comprehensive ebook that explains how to overcome these common problems.

  • Pitfall #1: It’s too complex to deploy and manage
  • Pitfall #2: You need to buy and stitch together multiple products
  • Pitfall #3: It’s resource intensive
  • Pitfall #4: It cannot scale to support multi-cloud environments

vArmour takes a different approach than VMware or Cisco. They are a software-only solution built for virtualization and cloud environments, whether it’s on-premises VMware, Nutanix, OpenStack or KVM, or a public cloud like Amazon. Like the other solutions, they are workload focused, so that policies are persistent and travel with the workload.

While vArmour is very focused on Microsegmentation, they play more in the security space by providing continuous monitoring and deep visibility into network traffic up and down the stack. The solution comes with full analytics to take advantage of all the data.

Their architecture is called the vArmour Distributed Security System and is comprised of the vArmour Fabric, vArmour Analytics, and vArmour Shared Defense.


Final Thoughts

Microsegmentation is definitely a continuation or extension of the idea of segmentation. So if your current segmentation plan is very coarse and only north-south, then you should like all the ideas of Microsegmentation, as they will help improve your internal security by limiting east-west traffic.

If you already segment your network on a granular level and limit east-west traffic, then you are going to LOVE Microsegmentation, because you will be able to leverage automation to make your job so much easier.

Microsegmentation leverages virtual networking and software defined networking, but it also brings many best practices that will help us secure our networks on the inside while we figure out how to stop attackers on the outside.


The Technologies At Hadoop World: Here is our cut on the best technologies to see there

Hadoop World was held 15-17 Oct in NYC. This post provides insights into some of the best technologies demonstrated there.

CTOvision has attended Hadoop World since the beginning. Attending has helped us better track tech trends and assess the potential business impacts of some of the greatest technologies created for the enterprise. It is also a great place to interact with business-focused architects, engineers, planners and of course CTOs.

One of the greatest things about the Strata Conference and Hadoop World is the ability to discover new technologies.  It is also a great way to get updates on well known capability providers who continue to enhance their offerings. The things we learn will drive our assessments here at CTOvision and help us continue to create business focused analysis for our readers.

By our count there were over 135 technology vendors on the expo floor. It would be great to spend a full hour with every vendor. Let me see, 135 vendors at one hour each would be over three weeks of work, assuming 40 hour work weeks. OK, that does not scale! With this post we can reduce those 135 hours to a few minutes. Please look this over and give us your thoughts. With that, we present:

The CTOvision Must See Tech List for Hadoop World

Category One: Enterprise Data Hub Providers

  • Cloudera: Delivering framework of capabilities that enable the enterprise data hub concept.
  • IBM: Big and expensive but clearly they perform. Ensure you benchmark what they can do.
  • EMC: From roots in storage they now provide analytics.
  • Oracle: With both software and hardware they can deliver well engineered solutions.

Category Two: Infrastructure Management and Data Tools

  • Cloudera: CDH is 100% open source with great management tools. Cloudera Manager adds more functionality.
  • Databricks: Mastery over Apache Spark.
  • MongoDB: New style data storage, retrieval and analysis including document focus.

Category Three: Analytics

  • Clearstory: Good combination of known data with your holdings
  • Platfora: Great focus on users, but terrific back end and incredibly fast ability to iterate data
  • Pentaho: Open source platform focused on business analytics.
  • Ngrain: 3D interactive and augmented reality technologies.
  • RevolutionAnalytics: Everyone knows R. Revolution makes R ready for the enterprise.
  • SkyTree: Machine Learning platform

Category Four: Adjacencies

  • Intel: Chips with capabilities to accelerate analytics and secure big data
  • MemSQL: Distributed database for real-time analytics.
  • Cisco: Smart data movement
  • Mellanox: Supplying end to end InfiniBand and Ethernet interconnect.

Category Five: Consulting, Training, Integrating, Teaching

  • CSC: Proven past performance
  • Caserta: Tech innovation consulting
  • Koverse: Awesome team delivering a platform that separates signal from noise.
  • Syracuse University iSchool: Curriculum available online.
  • Texas A&M University: Focus on analytics including MS in analytics.


It is also very important that you speed read the entire list of sponsors and firms on the expo floor, since I could have left out of my assessment someone that has just what your enterprise mission needs. The entire list is below:

The Technologies of Hadoop World