A10 Networks, founded in 2004, sells a range of high-performance solutions that help enterprises, service providers, web-scale companies and government-level organizations accelerate, secure and optimise the performance of their data centre applications and networks. We caught up with Kamal Anand, vice-president of A10’s cloud business unit, en route to Mobile World Congress towards the end of February.
We began by asking how A10’s July 2016 acquisition of Appcito — where Anand was CEO and co-founder — had gone.
“A10 was a pretty strong player in the traditional data centre with application delivery solutions; what Appcito brought to the table was much more of a cloud-native solution. From an integration perspective — and I’ve been involved in many acquisitions — it’s gone really smoothly, for two reasons: first, our product portfolio was very complementary to the strategy A10 already had; and second, our culture of being agile and fast is also the culture of A10.”
“What we’ve specifically done is launch a new application delivery service, A10 Lightning, which has two main components — a SaaS-based controller that does centralised policy management and analytics, and then the actual ADC. This controller is becoming a strategic element of pretty much all of A10’s portfolio going forward. Customers can get a uniform management and analytics experience, independent of the infrastructure these technologies are running on — whether that’s public cloud, bare metal or private cloud.”
“So from my perspective, the integration has gone really well. We just had sales kick off at the end of January, and I think the worldwide sales team is very excited at the joint potential we’re moving towards.”
Presumably A10’s technology stack is pretty modular, allowing different elements to be slotted in as required?
“Yes, and specifically, our controller and A10’s management platform called aGalaxy were both built on a microservices architecture, with components doing different things. So we are effectively taking some of this technology and embedding it as a microservice in the controller — it’s a nice easy way to integrate, and to leverage what already exists.”
A10’s USP and strategy
How would you summarise A10’s USP and strategy for the near term?
“I think we have a true purpose-built, cloud-native solution that also marries analytics and visibility with the basic functionality around security and manageability. Now, a lot of vendors these days use the word ‘cloud’, but ultimately we’re a cloud-native solution, which means it’s elastic, the business model is one of consumption, and the same technology is available across on-premise data centres, private and public clouds. We call this a ‘bridging strategy’: 85 percent of enterprises say they’re going to have multiple or hybrid clouds, so a lot of workloads are on-premise and will move to the cloud, but will use technology that can bridge. If you have centralised management and policy, and so on, you’re indifferent whether a workload is on-premise or in the public cloud, and it can migrate back and forth.”
“In the traditional enterprise, A10 is not the market share leader — that would be F5 Networks. But as the architectures are changing, as they are moving to cloud, microservices and containers, we have a great opportunity to insert ourselves in that new architecture and gain share. So we really believe that in the next 12-18 months there’s a great opportunity for us to engage with the enterprise.”
“Historically A10 has been in the high end of the market, serving web-scale companies and large service providers, so from a performance and scalability perspective we are the leaders. But we are learning from what those guys are doing and bringing it back to the enterprise market.”
“We are evolving the company in two dimensions: one is, we’ve taken traditional application delivery and really focused on secure application services; the second transformation we’re doing is from a hardware to a software and cloud company — we think that’s a very high-growth market, and we want to be a leader in that space.”
The rise of DevOps
One relevant development in the cloud space is the rise of DevOps: what are your thoughts on its importance, particularly regarding ‘digital transformation’?
“From my perspective, the movement towards cloud, towards DevOps, is very driven by agility — that’s the foundation. Companies and organisations want to deliver functionality faster: for example, all of us, on our mobile phones, are used to apps that are updated on a daily basis, with new functionality showing up, and there’s a lot of competitive pressure to continue that innovation.”
“What does that mean? That means I need infrastructure that’s easily available and can be provisioned on demand; it means applications and code that can be updated on a weekly or daily basis rather than once a year. Digital transformation strategies are evolving because there are so many technology changes, so you have to react fast. DevOps is critical for digital transformation, but I would say as an enabler rather than a definite requirement — it allows you to be more agile, deliver things faster and react to market conditions quicker.”
“What we’ve done at A10 — especially in the Lightning product — is make sure not only that we integrate deeply with DevOps processes, but that we are also able to add value and make them more efficient. For example, we’ve done some specific things around integrating and delivering containers, helping people deliver code faster and automating that in a more efficient fashion.”
People talk of ‘bimodal IT’, contrasting legacy on-premise ‘systems of record’ with innovative, agile digital transformation projects — but surely DevOps methods can apply to the legacy stuff as well?
“What I’m noticing is, there are definitely ‘mode 1/mode 2, traditional/DevOps-agile’ infrastructures — but central IT is still making sure they have the responsibility to oversee and deliver infrastructure for these two different use cases. So the buyer is still the central IT organisation, but the budget and the influence come from different teams within the enterprise. As a vendor, it’s our strategy and focus to provide the IT team with cloud/agile infrastructure for their app teams, while also allowing them to maintain the same governance, visibility and security across their entire infrastructure. About a year and a half ago, I thought they were becoming two separate buying centres, but what I’ve seen in large organisations is central IT coming back and saying ‘I need to deliver a uniform infrastructure’.”
How important is it to get the IT culture right as well as the technology?
“Typically the hardest challenge is to change the culture — somebody, senior enough in the organisation, needs to be a champion to drive those processes. As a vendor, we can’t influence the culture of organisations, but in our product we’ve created this concept of a hierarchical tenancy model, so an IT person can be the central provider, allowing business units or app teams to be their own tenants — spin up their own infrastructure, build their own policies. If some part of the culture hasn’t changed, IT can manage that infrastructure for them; but those who are willing to be agile and take ownership of their own technology…IT can enable them to do that.”
Security and cloud-native apps
The new breed of cloud-native, microservices/container-based applications have many advantages, but what are the security implications — is there a downside here, and how can A10 help?
“Just moving to cloud I don’t think is insecure: the cloud providers are doing a good job of providing infrastructure-level security, the right tools and capabilities are available, so you need to make sure you turn them on. But what’s changing is that, whereas in the enterprise you had a perimeter that the IT team built, with firewalls and other technology to keep the bad guys out and protect your assets, when you move to cloud, and you build applications with microservices and components everywhere, you have to rethink that and say: ‘hey, my perimeter is becoming a bit porous and more distributed — what do I need to do?’. Each application has to be protected with a ‘skin’ around it — and that’s where A10 comes in, because we have a per-application infrastructure to make sure we protect against application-level attacks.”
“You have to think about what you’re doing a bit more, but I don’t think cloud infrastructure is any less secure, per se, if you turn all the right knobs. Some things that you could offload and not think about on-premise, now you have to think about as you go to the cloud. There’s a lot of traffic in the cloud that’s not real traffic — bots that are trying to scan your servers for vulnerabilities, for example. That’s where A10’s technology is critical, to sit in front of those servers and make sure we are letting only the good traffic in, and protecting your assets from malicious attacks.”
Do you find that A10’s customers worry about lock-in to public cloud services, or is that problem receding now?
“There are two things going on here. First, the cloud providers are building more and more services, because they want to keep customers on their platform — and once you get sucked in, sometimes the cost starts spiralling up. But most of the larger application guys don’t want to get too tied to particular infrastructure; they want choice — if nothing else, to negotiate better prices. So having an infrastructure that spans across clouds is a critical requirement. For example, A10’s controller is built from microservices and runs on a public cloud, but the way we’ve architected it and used services is, we are very cloud-independent — tomorrow if I want to run from Amazon, Google, Azure, OpenStack, or VMware, I can do that in less than a day.”
“A second trend we’ve seen, which is kind of interesting, is there’s a bunch of companies that have gone to the cloud, and then they’re finding — especially as they increase scale — that the economics are in favour of moving the application back to the private cloud. What you see is, the core predictable capacity is coming back to the private cloud, but they’re using the public cloud for excess capacity or bursting on an as-needed basis. I think the jury’s out: I don’t think it’s all going to be public cloud, nor are companies saying it’s only going to be traditional data centres — it’ll be a mix of different clouds for different workloads and use cases. We [A10] are big believers in multi-hybrid clouds.”
“My thesis is that, in the next year or so, the major cloud providers — Amazon, Google, Azure — will move towards similar offerings, at least at the core. There will be some spikes — more analytics here, something else there, but the core infrastructure will be similar from a price and capability perspective.”
5G and IoT security
Tech Pro Research interviewed Kamal Anand on the eve of Mobile World Congress, where A10 Networks announced a new carrier-class firewall range designed to help service providers prepare for 5G networks and cope with an increased incidence of IoT-borne threats. We asked him for his views on 5G’s progress and IoT security.
“From our perspective, the thing that’s happening is, mobile traffic is increasing tremendously and the IoT is both creating traffic on the network and opening up lots of security holes — like we saw last year with the Mirai attack and others. Our announcement at MWC is really about protecting the carriers’ assets themselves from denial-of-service at the right scale. Two things we’ve done there are: integrate firewalling with denial-of-service and carrier-grade NAT, all in the same box at extremely high scale; the second thing is, we’ve provided a virtualisation of that so it can get integrated into SDN and NFV architectures.”
“The coming bandwidth explosion is forcing the carriers to rethink what architecture they need, what scale they need, and how to architect using software and SDN. Every time there’s change it gives an opportunity for us — or any vendor — to say ‘do I have something that meets customer needs better than what they had previously?’, and I think that change is happening both in the enterprise application space, where we are focusing on cloud, as well as the 5G service provider market with the explosion of mobile and IoT.”
So, if 5G service providers deploy the right technologies, do you see the IoT security problem beginning to be solved anytime soon?
“I’m not sure this can get solved in, say, 12 months. I think we’ll make some progress with technology solutions that help protect assets, but just adopting these technologies at large enterprises and service providers takes time, so I think it’ll be an ongoing problem for the next few years in terms of protecting assets and learning from new attacks that come along, using visibility and analytics tools.”
“I’m also involved with some IoT companies as an advisor, and what’s happening there is, people are building IoT platforms: this is a layered problem, so even if devices are compromised, you want to make them secure at the network edge; then if something gets through you need to start protecting at the mobile core, the infrastructure and finally applications — it’s a multi-layered approach. The interesting thing is, technology is becoming available where you can profile a typical network or traffic pattern, and if it deviates you get an alert and can start to figure out what’s going on. I think you’ll see a lot more cognitive or AI-like machine-learning capabilities starting to creep in around different areas of the network in the next few years.”