VMware Tanzu seeks IT attention with Kubernetes security buy

VMware buys Octarine for security cred in a crowded Kubernetes management market, but some VMware shops will shift to SaaS apps rather than deal with container infrastructure.

VMware's acquisition of Kubernetes security startup Octarine adds advanced features to its Tanzu container platform, but the company’s enterprise user base must consider a range of ways to modernize applications that may not include container infrastructure.

VMware Tanzu is an amalgamation of products from other Kubernetes management companies VMware has acquired, including Heptio, Wavefront, Bitnami and Pivotal. It consists of three major parts: a Kubernetes distro based on Heptio called Tanzu Kubernetes Grid; the Tanzu Application Service based on Pivotal Cloud Foundry with a Kubernetes version recently released in public beta; and Tanzu Mission Control, a multi-cluster, multi-cloud Kubernetes management control plane.

Octarine, which came out of stealth in November 2019, uses a mesh of containers integrated with the Envoy sidecar proxy, called OctaGuards, to monitor production container infrastructure for security threats and anomalies. Its Octarine Controller orchestrates that mesh, provides monitoring dashboards and an interface for security policy configuration.

The Octarine product line also includes Guardrail software that checks workload configurations for security problems as they move through CI/CD pipelines. In addition, Octarine has released an open source Kubernetes security scanning framework called kube-scan, a risk assessment tool for Kubernetes clusters, and the Kubernetes Common Configuration Scoring System (KCCSS), which assesses the security risks within container workloads.

VMware will embed Octarine’s technology in the VMware Carbon Black Cloud endpoint protection platform, according to a press release. It plans to tie Octarine’s Envoy-based Kubernetes security tools into VMware Tanzu Service Mesh, which is based on VMware NSX. Financial terms and an expected closing date for the deal were not disclosed.

In many ways, the move is an obvious one for VMware, which must build Tanzu quickly through acquisitions so it can catch up with competitors in Kubernetes management. Octarine also fills important Kubernetes security gaps in the Tanzu platform, especially since it can also be deployed with the Istio service mesh as a control plane, said Fernando Montenegro, analyst at 451 Research, now part of S&P Global.

However, “Octarine positions its offering for broader Kubernetes deployments, not just service mesh, so some customers may look into this as an on-ramp for more advanced functionality,” Montenegro said. “VMware can use the Octarine technology to integrate with the Carbon Black offering, [which] is known for its endpoint security functionality, but when it’s [used to secure] endpoints [as] part of a cloud-native deployment, it starts [to function as] cloud workload protection.”

VMware Tanzu seeks a market niche

VMware Tanzu succeeds several attempts by VMware to offer server virtualization customers a smooth transition into containers and cloud-native applications. Those efforts didn’t gain the same traction as competitors’ products, such as Red Hat OpenShift, now owned by IBM. Though still in its early stages, VMware Tanzu has strengths its predecessors didn’t, however, such as two of the original authors of Kubernetes in Heptio’s co-founders, as well as some momentum achieved by Pivotal Kubernetes Service (PKS) that VMware now looks to expand upon.

Still, some VMware shops question whether they need container infrastructure to modernize their apps, particularly when ISVs can offer SaaS versions of customers’ critical on-premises apps as a path forward.

“VMware Tanzu is great for people that need it, who deploy new applications and Kubernetes at scale,” said Brian Kirsch, an IT architect and instructor at Milwaukee Area Technical College, which uses the VMware vSphere Suite and virtual desktop infrastructure products, but doesn’t plan a move to VMware Tanzu. “But if you don’t have a team of developers writing their own apps, and refactoring them for containers, the next version of your commercial off-the-shelf software is likely to be SaaS.”

That’s the route Kirsch’s organization will likely take, he said, and while SaaS providers might be able to use something like Octarine Kubernetes security as a potential selling point, it doesn’t hold huge interest for him as an end user.

Meanwhile, IT shops wary of wrangling too much plumbing also may skip container management in favor of abstracted cloud services such as AWS Fargate.

“My current favorite statement is ‘Friends don’t let friends run Kubernetes,’” said Jim Ford, chief security architect at fintech firm CrossBorder Solutions in New York. “I like the idea of focusing on business value, not how to manage orchestrators.”

VMware Tanzu must balance business value with openness

There is still an audience for VMware Tanzu between those points of view, but it’s too soon to tell whether VMware will win there over competitors. For this audience, VMware must be careful not to tie its Kubernetes support too closely to the Tanzu platform, analysts said, and it remains to be seen how VMware will navigate between open heterogeneous support and generating necessary revenue from Tanzu.

“At least in the short term, I’m sure Octarine will support other [Kubernetes] distros, but it’s too soon to know how that will play out in the long term,” said Arun Chandrasekaran, an analyst at Gartner. “If they really want Tanzu Mission Control to have traction, I’d like to believe they’ll keep these assets available for multiple environments – otherwise it defeats the purpose of what they’re trying to do with that product.”

VMware officials said this week that from a pure security standpoint, the Carbon Black platform will support any Kubernetes distribution, not just Tanzu, though VMware would prefer customers use the full VMware Tanzu package. The company also plans to use Octarine to differentiate other products in the Tanzu family.

But it will take more than one or even a handful of acquisitions to truly make VMware Tanzu stand out in Kubernetes security, Chandrasekaran said. Amid the COVID-19 economic downturn, VMware will have plenty of affordable startups to add to its collection in the coming months -- as will competitors.

One of the biggest challenges VMware Tanzu faces is a potentially confusing set of overlapping products, a problem Red Hat doesn’t have with a relatively simple set of OpenShift variants, Chandrasekaran said.

However, other analysts have been critical of the OpenShift approach to VM management with OpenShift virtualization, and see VMware Tanzu as a more natural enterprise migration path from VMs to containers via Cloud Foundry.

“It’s too soon to count VMware out – they are a formidable competitor with a huge install base, and they’ve assembled all the right strategic elements with Heptio, Bitnami and Pivotal,” Chandrasekaran said. “But now it’s all about moving from strategy to execution and being seen as a good open source corporate citizen, which is a relatively new area for VMware. So, it’s too soon to pronounce them successful as well.”

Dig Deeper on Systems automation and orchestration

Software Quality
App Architecture
Cloud Computing
Data Center