
Galeal Zino Founder & CEO, NetFoundry


In this episode of Let’s Talk, we sat down with Galeal Zino, Founder and CEO of NetFoundry.


Swapnil Bhartiya: Can you tell us a bit about the company?
Galeal Zino: So applications are increasingly everywhere, as you know. Multi-edge, multi-cloud, we’re talking enterprise applications that previously were mainly in the private data center, in the branch office. We like to say that Elvis has left the building and so has the application. Now, from a networking perspective, historically, all legacy networks, SD-WAN, MPLS WAN, VPN, they focus on connecting sites, connecting buildings. Well, now the app is out of the building. It’s everywhere. And so you need to reinvent networking to provide programmable, secure, high-performance networking, no matter where the application is. Sounds relatively simple, right? Provide secure, high-performance application access, no matter where the application is. Let’s start at the backend, where the application is. That application is across clouds, across ServiceMaster, across edges, mobile devices, IoT, et cetera. What NetFoundry uniquely does: you can take our SDK, compile your app against our SDK, and no matter where your application goes, any network, it just needs an internet connection, it now has access to secure, performable, programmable networking.

Now, obviously our software comes in different form factors, right? So you can use our SDK to embed in your application. Equally, you can integrate with our software-based endpoints, which are available for mobile, iOS, embedded systems, et cetera. You can take our site gateways in the form of a VM or a container and put them at the edge of your network. But fundamentally what we’ve done is, take the network to the application instead of the old model of putting the application on top of the network. We call that application-specific networking. Number two, we believe that the only way to really have application security, it’s just to go with what’s called a zero-trust paradigm and because we use only internet access, which is inherently insecure, we actually have to have that paradigm. But it benefits us because, in scenarios like business-to-business, connected supply chain, IoT, cloud, they have to use the internet.

And the reality is, although everyone somewhat understands that you can’t trust the internet wires, you really can’t trust MPLS wires, SD-WAN wires either. In fact, that architecture has been around for 20 years. It’s vulnerable to attacks from the inside, so Zero Trust Networking ensures that what you’re doing is taking the application, the identity of the application, the business policies of the application, you’re authenticating and authorizing based on that, and now you are secure wherever that application goes. Third point, performance. The Internet itself, internet weather, best-effort performance, and don’t get me wrong, I love the internet. Built my first startup, I take C voice over IP on the internet. We were doing 30 million minutes a day on a typical Mother’s Day on the internet, best effort in ’99, when it was worse than it is today, but it’s not yet at the performance from a liability that all enterprise apps use.

So what we’ve done is we’ve built the world’s largest dynamic internet overlay fabric that’s composed of software-based routers that we call ZD routers that we spin up and spin down on-demand across multiple ISPs, multiple backbones, so that those applications, when they need to get from point A to point B, the algorithms, our software, the SDKs are able to look at all the different paths available and when there’s bad in there, where they’re on path A, dynamically switch packets to path B. So that’s how we get the performance to marry with the zero-trust security and marry with the programmability of embedding the networking into the application.

Swapnil Bhartiya: How do you see Stateless workloads?
Galeal Zino: Yeah, it’s a good question because actually the application itself, we’re not doing, for example, caching, edge caching, de-duplication, compression. So to us, real-time applications, full-duplex, bi-directional real-time applications are inherently handled the same way as let’s say a typical web app or typical client-server application. Architecturally, we’re giving the developer the control. We’re giving the application the control to essentially, in a declarative type manner, tell the network, “Hey, here’s what I need in terms of latency, packet loss, throughput,” and then the dynamic fabric that I mentioned essentially did not honor that need in real-time on a per-application basis and then do the same thing for the next application, even if it’s a completely different type of application. That’s actually part of the magic, so to speak, when you can take the network and put it into the application and give the application control of the network. Now you can handle those various scenarios.

Swapnil Bhartiya: How much open source do you do?
Galeal Zino: We are a CNCF member. We were also a founder of the LF Foundation’s EdgeX Foundry, which builds open edge software started on IoT in edge use cases, but in reality, it can be applicable to any use case. We essentially have two offers for our customers. We have the open source offers for the folks who want to take the components and build something really cool and innovative on their own and hopefully they contribute back. It’s Apache v2 but of course, we’ll see what type of innovation they come up with. On the other side, on our enterprise offers, we have a network as a service. So this enables you as a business or an enterprise to be able to spin up your own networks on top of our platform, on top of the dynamic fabric that I mentioned, simply using a web console, our APIs, you can integrate right into your DevOps tools.

So for example, you can take your Ansible, your Jenkins, CloudFormation, et cetera, and you can spin up your networks just like you spin up your application environments. So with these open source announcements that come tomorrow, we then have the open-source option and the network as a service option.

Swapnil Bhartiya: Let’s talk a bit about the platform that you’re building there.
Galeal Zino: The platform in many ways is the most difficult of what we’ve done. I mean if you think about it, we’re taking a platform that essentially hands a developer the keys to global private networking, keys that were previously only available with very expensive routers, dedicated circuits, MPLS, et cetera. And our platform needs to be able to give that developer the same level or better of security and performance without all that expensive hardware.

So fundamentally there are three parts of the platform. One, cloud orchestrated management and operations. A set of microservices, it sits in a NetFoundry network across multiple private and public data centers in such a way that, either the enterprise with the network as a service or a developer with open source, you control the network, but all of the infrastructure is managed by NetFoundry as a service. That set of microservices, we call it the MOP, Management Orchestration Platform. And again it ties directly into your existing toolsets, so use the web console or just take the APIs and plug it right into your existing tooling. Again, whatever your DevOps or DevSecOps tool of choice.

Number two, just moving down the stack is that fabric that I mentioned. Think of it as a global software-defined network. It enables on top of it the customers to spin up their own private dedicated networks, least privileged access, zero-trust security, application micro-segmented, but on top of that fabric and without going into too many details, basically what that fabric is doing is it’s enabling you to get the security and the reliability while still being able to access from any internet, extremely important to us.

Basically, if we’re putting wires in the way, if we’re saying you need this specific Telco carrier hardware, ISP, a nonstarter. For us, it has to be internet, internet, internet and that’s what the fabric does. Finally the endpoints at the bottom of the stack, so to speak, the endpoints enable us to reach out to that application wherever it is. Again, you can take the SDK, a few lines of code. We’re announcing some of the bindings tomorrow as open source and we’ll continue to build those bindings, but fundamentally we’re building towards mobile. We’re talking building towards the cloud, we’re building towards the edge. In addition, if you want to simply take your existing application topology and essentially leverage NetFoundry, then you can take software-based endpoints and you can put those software-based endpoints on your Mac, on your PC, on Linux.

You can put them at the edge of your network in a container or VM, so those endpoints at the bottom, just to complete the picture, are authenticating and authorizing back up to the layers on top. It’s bi-directional certificate-based access, embedded into our solution, so you’re not worried about PKI and certificates and enrollment and all the difficulties involved in those areas. We do it for you. In fact, in many cases, we can go even better. Hardware-rooted trust solutions that provide an immutable identity based on the silicon and environmental of the silicon. We can actually use those identities to control your global networking. So we call that silicon-to-cloud security. We’ve announced a partnership with Micron, for example, that does exactly that. So in a nutshell, that’s how the platform enables you to get zero-trust, high-performance networking without owning and managing the network.

Swapnil Bhartiya: How do you bring your services to your customers? Do you work with a partner?
Galeal Zino: Actually the partners and ecosystems couldn’t be more important to us. I mean, listen, we do some cool things with networking, but let’s be realistic, networking is a thin layer of the solution and if the other layers aren’t there, then you don’t have a full solution. So we’ve designed our networking layer to plug into solutions like Micron with the hardware-rooted trust, as I mentioned, and other endpoint security type solutions as well as to plug into DevOps tooling. I mentioned Jenkins or Ansible or CloudFormation or Azure Resource Manager. And finally, we’ve integrated with the leading clouds so you can go grab our software in the AWS marketplace, the Azure marketplace, et cetera, prebuilt software that you just put into your environment, your VPC, your VNet, and it magically has taken care of the integration for you.

Finally, from a go-to-market perspective, we have a model where ISVs, independent software vendors or developers, can simply take our SDK to integrate it with their application in an OEM, white-label type manner, and now when they sell their application to their customers, to hospitals, to retail, to manufacturing, no longer do they need to say, “Hey, here’s my application. Now we need to nail up a VPN to bridge our C 19 18 space or for security or for whatever reason.” Now it’s, you install my application and it just works. It’s secure, it’s reliable, it’s performant, so that’s one major go-to-market. In that method, the end customer doesn’t even need to know per se about NetFoundry. What they’re getting is a full solution that just works out of the box.

The second type of solution we have is with the cloud integrators, the managed service providers or MSPs. They have a similar challenge. They need to provide their customers with security and reliability from edge to cloud. And again, they’re looking at the massive distribution of applications and clouds. The differences between cloud one and cloud two, edge one and edge two, that’s pain. That’s complexity, that’s cost. Instead, they can integrate NetFoundry and all of a sudden all those boxes and wires go away.

They’re abstracted. So this idea that you’re going to have to buy an MPLS circuit just to get to Azure and then go buy another one to get to AWS and then do the same thing in another region, and then change it all when the application moves, it will seem ridiculous in a few years, especially at a place like this, at KubeCon, when we’re talking about containerized apps and the fact that I can move my apps all over the place, it’s true. But what happens when your network doesn’t move with the applications? The network is the final piece of the puzzle there. So on the go-to-market and our channel partners, enabling those MSPs, those SIs, those cloud integrators to use our services to get rid of the pain and complexities of wires and boxes is a second major focus for us.

Third, especially with what we’re announcing tomorrow. And the analogy we usually get here is Twilio, right? So Twilio really broke the model in terms of enabling the developer to embed text messaging, voice, video without being an H.323 engineer or a SIP engineer or VoIP engineer. But we do the same thing for private networking. So now a developer, just like they could use Twilio to embed, let’s say, text messaging, now they can use NetFoundry to embed secure private networking. We can’t wait to see how developers take advantage of that new capability. And we know when you give developers a new capability, they innovate in ways that you never imagined. So we’ll see on that side with our announcement tomorrow with our open source initiatives, what develops there.

Finally, on the last side, we have plenty of service providers, managed service providers, et cetera, who simply use our technology for the base functionality, secure performant application reliability, and they embed it in their offers in whatever manner they need to. But the bottom line is they’re replacing, again, usually constructs like SD-WAN, MPLS WAN, and VPN with a full software cloud orchestrated network as a service solution.