Soni Jiandani: Why Pensando’s Edge Platform Leapfrogs AWS’ Nitro System

Pensando Co-founder and Chief Business Officer Soni Jiandani says the company’s breakthrough edge platform, which is now available on some Hewlett Packard Enterprise servers and HPE GreenLake, leapfrogs AWS’ Nitro system architecture.

Pensando Co-founder and Chief Business Officer Soni Jiandani says the edge cloud startup is flat out delivering better performance and security at the edge than rival Amazon Web Services’ Nitro system.

The ability to build the new edge architecture from the “ground up” has given Pensando, led by an all-star team of former Cisco engineers along with former Cisco CEO and current Pensando Chairman John Chambers, an architectural advantage over AWS Nitro, said Jiandani.

“That gives us the ability to leapfrog what the likes of AWS and Nitro are doing,” said Jiandani, one of the members of the famous MPLS (Mario Mazzola, Prem Jain, Luca Cafiero and Jiandani) Cisco executive team responsible for many networking breakthroughs, who are all now executives or board members at Pensando. “We are making this available to enterprise customers who can now build a private cloud with the same blueprint as a hyperscaler architecture.”

In fact, Jiandani said, the Pensando technology is delivering hyperscaler economics that were not previously available for enterprise data centers.

“This is a transformation and an architectural play which will democratize the notion of delivery of cloud services, whether it is on-prem or off-prem,” said Jiandani. “That is why we call it a democratization. You don’t have to be AWS to have Nitro. You can have this offering available from your enterprise server companies, and your partner can bring a blueprint and the services to you so you can build a better cloud—a more secure cloud, a more agile cloud—and drive the same level of operational efficiencies with the scale that you could only get previously from a hyperscaler.”

Pensando is delivering nine-times faster performance with lower latency, while also protecting the “root” access to the server—effectively cutting off bad actors, said Jiandani.

Pensando Wednesday said it is teaming with Hewlett Packard Enterprise to deliver a breakout edge security offering with the Pensando Distributed Services Platform (DSP) as an option on the most popular HPE servers and the HPE GreenLake pay-per-use platform.

“One of the things that occurs the minute you include a [Pensando] Distributed Services Card (DSC) in an HPE server is it not only takes over the function of a classic adapter in your server, but it also prevents the bad actors or unauthorized people from getting root access to your compute infrastructure and your compute platform, which is a huge advantage from a security perspective,” she said.

Jiandani spoke to CRN about the benefits of the HPE partnership to the channel and to customers, the future of edge computing and why Pensando would like to work with Cisco.

What is the margin, recurring revenue and services opportunity for partners selling the new HPE servers?

The economic model is pretty valuable to the companies in the systems business. The bulk of these technologies and the way they are making their way into the organization is just using commodity pricing. Now you have the opportunity to really drive cloud economics. You have the opportunity to have power cooling savings as if you are a cloud provider. As an enterprise you get to take advantage of a very attractive total cost of ownership model, which allows you to retire your older infrastructure in a much smoother manner while elevating your security posture within your data center cloud offering.

I think the opportunity for channel partners as well as the go-to-market partners like HPE is immense, whether they are offering it as part of their infrastructure selling motion or as part of GreenLake, HPE’s as-a-service consumption model. It gives them the ability to offer a variety of elements, including security at the edge and various services, while saving the customer tons of money from a total cost of ownership perspective. It’s a win-win-win model all across the board from a margin as well as from a services pricing model.

What is Pensando’s commitment to partners in terms of driving margin for both the OEM and the channel?

We will continue to work with strategic partners like HPE and partners from a channel perspective as this blueprint becomes more applicable across other segments beyond just the ones where security and compliance are very important aspects.

We remain very committed to these channel engagements because at the end of the day these partners and the best practices they build will allow us to replicate this model across hundreds if not thousands of customers. This clearly is an area where you will start to see us investing our dollars and our energy in building that up. It is very, very important to us to develop those partnerships and to amplify this architecture across thousands of customers.

What are the economic benefits from the Pensando Distributed Services Platform (DSP) card on HPE's ProLiant, Apollo and Edgeline systems, and GreenLake?

What customers are getting is their compute infrastructure shipping out of the HPE factory with a much more secure posture.

One of the things that occurs the minute you include a distributed service card in an HPE server is it not only takes over the function of a classic adapter in your server, but it also prevents the bad actors or unauthorized people from getting root access to your compute infrastructure and your compute platform, which is a huge advantage from a security perspective.

Above and beyond the firewalls that protect your North-South traffic, East-West traffic is becoming more pervasive, particularly with the buildout of the private cloud. You want to have the ability to have a much more visible private cloud with all of the observability attributes built-in and one that will not rely necessarily on your old ways of building your service offerings.

As you increase the number of software elements that you will turn on in this distributed services cloud you will have the ability to, in addition to an increased security posture, have more visibility, have the ability to turn on more functions that are more push top at the edge. It is a pay-as-you-grow model.

You can acquire the server with the base functionality, and it works in the context of your existing tooling capabilities. And then you have the ability to turn on more and more software capabilities through a licensing model.

What is the pricing on the distributed services platform on those HPE systems?

Typically the way you should think about this, whether it is the ProLiant, Apollo or Edgeline, the customer will end up paying approximately 10 percent or less than 10 percent of what their compute platform is costing them for the services that they want to turn on.

If you want baseline functionality, it would be under 10 percent of what you would be paying for the cost of the old solution in your servers. If you wanted more advanced functionality, including functions like encryption, you would then pick up what is called the Platinum package, which would be in the range of approximately 10 percent of the whole solution. That is the cost to the end user.

When the customer makes the decision on whether they are opting for the base platform or the Platinum package, then the way the revenue flows back into Pensando is tied to the software license that the customer has paid. There is a revenue-sharing model between us and HPE. For the base platform we will get paid from the time that we get the order and ship it back to HPE. For the base platform we get paid for right away. Then depending on the choice of what the customer wants—the base package or the Platinum package—there is a revenue-sharing model associated with that between us and HPE. And of course in HPE’s case, it would be applicable to HPE and its partners.

What does the base package cost on these systems?

It depends on the price of the base server platform. As you know these three platforms—the Edgeline, Apollo and ProLiant—have a pretty wide range in terms of price.

Security is a top issue for partners and customers. Is that security part of the base package?

Security is an embedded part of the platform. Remember I talked about how root access for a bad actor is prevented as part of the base functionality of the product. The highest level of security, like encryption, is in the Platinum package. But if you just want the base package, including observability, that function—which is also being used for security—is part of the base package.

Does this root access security protection provide better security than VMware NSX and Cisco ACI?

I would say we operate in an ACI or NSX environment and we would complement the existing functions that are available through those SDN technologies from a security point of view.

When we talk about preventing root access, that is something that ACI does not control. ACI is an SDN model that runs within the network. So it does not have much applicability on the compute platform in terms of root access.

Think about this technology as further complementing what functions those technologies offer. It further strengthens the security posture for an end customer.

How does Pensando work with offerings like NSX and ACI in terms of security?

It is definitely complementary to the technologies like NSX and ACI. It gives you the added protection from an I/O perspective, and it future-proofs your ability to have line-rate services because we are offloading and accelerating a lot of these functions, including supporting functions like encryption without any CPU overhead. We are subsuming these functions. We are accelerating these functions and we are doing it at line rate with low power within your compute infrastructure. So at 100 GbE we are sub-30 watts. In 25 GbE we are sub-20 watts in your enterprise class servers. When you think about customers thinking about their architectures, the beautiful thing about this platform is it will fit within what the customer already has in place. It is not as if the customer will have to redesign their network or their VMware deployment. This would be an added-on function that would allow them to future proof this with even more security.

If you are an HPE partner, is the message, 'Buy ProLiant, Apollo, Edgeline so you get better security and private cloud performance vs. Cisco and Dell-VMware?'

If you are an enterprise customer and have a variety of deployments consisting of Cisco ACI and VMware, you want to have the ability for a technology like this—which is transformative—to run on existing brownfield [legacy technologies]. So the key message to the partner is as architectures evolve you now have the ability to build today what only a hyperscaler like Amazon is able to build.

Now you can take that same architecture and move it within your own private cloud. I would want the ability for this new architecture to be accommodating of what I already have in place. So interoperability becomes an important facet of this, which is what we are doing.

We are coming in and saying, 'You may have assets from VMware, Cisco ACI, and now you want to have the ability to move in the direction of building up a private cloud, which will have the ability to push services at the edge. We give you that opportunity. We provide you the ability to run what you already have in place while increasing the security posture.'

As an enterprise customer I would want the same functionality to be available on my compute coming from different vendors. So what I am very proud of is the combination of this relationship with HPE is taking advantage of what they already have on their servers, which is the ability to have Silicon Root of Trust access. When you combine that with what Pensando is offering, which is of course the ability to even further enhance root access or eliminate root access, it is a one-plus-one-equals-three type of formula for the channel partner as well as for HPE customers.

What are the top three benefits of buying Pensando on the HPE systems?

The first benefit clearly will be you are bringing cloud architecture that is currently only in a hyperscaler model to your data center. The second biggest thing is increasing the security posture, including eliminating anyone from having root access to your compute platform. The third one is driving operational simplicity through an always-on telemetry capability, even when you turn on encryption, with the ability for you to troubleshoot things much faster and resolve time to repair much more quickly.

What are the channel go-to-market and field compensation models for HPE's direct sales force, HPE partners and Pensando?

We have been shipping on a limited basis with HPE. Now we are in general availability across the Edgeline, Apollo and ProLiant platforms. Think about the go-to-market models. If I am an enterprise customer or even a tier two cloud provider or service provider, I want to have the ability to take this technology and embrace it through my server vendor. So what is exciting is that we have the models that are in place that allow us to deliver this technology as a core part of the compute offerings coming from the premier systems vendor HPE. The same goes for the services and the services offerings that HPE will start to deliver both through GreenLake as well as through their own services platform.

From a channel partner perspective, we have identified key channel partners with whom we will collaborate in addition to our counterparts at HPE in order to ensure they have all the necessary elements, including training and the right profitability models. We are working in close concert with them. That is what I consider to be the next step of the evolution of the go to market.

We are not only working closely with a partnership with HPE, which is a strategic investor. We are also strategically aligned with HPE on numerous other projects including the one we are launching this week with them. But we also want to be in a place where we are not leaving the channel partners behind. They are not an afterthought. Instead we are going to be working in a three-way manner with HPE, Pensando and the channel partners. We want to make sure they are treated right, and they have an equal seat at the table from an amplification perspective for this architecture, best practices that we will build alongside with them and the right profitability models across the three entities working closely together.

Is there a big managed services opportunity across the Pensando distributed services platform?

Yes, that is another opportunity we will be working on and looking at more closely. I would say – Let’s first walk together, then sprint with each other before we go run the marathon together. I would say it will come in phases. I would say today we are in phase one. This announcement is a validation of our go to market models with the server vendors and HPE. The next one will be to start working with identified partners in terms of how we will evolve that partnership and the channel program with them, and then the third step will be the managed services offering.

How big a milestone is the HPE partnership for Pensando?

It’s a very big milestone for us. Since the shipment of the product it has been very exciting. We have been baking this for the last six to seven months. We are very excited as to how quickly we were able to come to market with HPE with volume availability. We are already in proofs of concept with six of the Fortune 50 companies. A number of cloud providers are also in production as they look to finish a variety of service offerings on top of our platform. Seven service providers are also going through proofs of concept.

Do HPE partners have to request the Pensando card?

Partners have to request the Pensando technology as part of the order. It would be the same experience for a partner whether they want a classic legacy adapter or a cloud-ready platform with Pensando. We are part of the ordering system. You would order Pensando for the server and then determine at the time of placing your order whether you want the base package or the Platinum package. Even if you said you wanted to go with the base and then later upgrade to the Platinum that option is available to partners.

We are working very closely with partners alongside HPE around building practices around this capability. We have work ongoing with HPE on a number of training programs. If partners want to be included in that list, reach out to HPE and Pensando and we’ll make it happen.

Why should partners include this Pensando technology in their HPE servers and start selling it to their customers?

The call to action is to leverage the distributed services platform to bring the cloud within each one of your customer’s data centers and enable your customers to transform those clouds to have more efficiency, agility and a much more secure posture and operational simplicity than is available today. With this you can ride the same architecture that only the hyperscaler providers have in place.

What progress is Pensando making on the business side of the house?

We are very excited to be at 150 percent year to date of our sales goal.

Has the work-at-home boom with the coronavirus pandemic had an impact on sales?

I would say for starters the go to market has evolved in a very reasonable fashion. We have been lucky that our customers are working very closely with us. Some aspects have been tricky and dicey because with COVID-19 we have an inability to meet in the labs with customers. But we have adjusted remarkably well. They are providing us with the ability to work with them remotely during this proof of concept process. They are doubling down because they have seen huge increases in customer demand as a result of COVID-19.

So, where we come in with these cloud companies is the ability to offer them more scale or more capacity within their clouds to respond to their growing business customer needs and increase their security posture, which is very, very important at a time like COVID-19 where the number of attacks has really grown, particularly with people working remotely and new teams opening up. Having a platform with more security postures becomes a very welcome addition both in the enterprise and in the cloud space. And I would say that this will be the new norm. This is going to be the way things will be for some time. It’s been a remarkable adjustment on the part of our partners and our customers, and of course our own teams from a go-to-market perspective.

What are you hearing from customers?

Our customers are the ones telling us the fact that they can prevent a bad actor from having root access has been a huge advantage. They are telling us if a bad actor were to insert themselves on the perimeter, they would not have the opportunity to have this level of security without Pensando. The use cases we are seeing are increased scale from customers wanting to increase their capacity and customers in highly regulated industries building out cloud architectures with more security.

Intel tried at one point to build security into the chip. Is Pensando building security into the processor?

It has several attributes from a security point of view. We built into it a PCI firewall. So if you are connecting this card into your server over the PCIe interface and you did get a bad actor we would prevent through the PCI firewall capability the ability for that compromised state to permeate across other elements that are being shared with that server.

By preventing access to the platform from your central CPU we will also have the ability to avoid a bad actor from getting root access – from pretending to be what they are not. When you turn on functions like encryption you now will have the added advantage of running your services with fuller availability with encryption without putting any overhead on your central CPU, allowing that central CPU of yours to run your application. When you define the [security] policy, that is done outside of the workloads. So you are separating your variables. You are saying your applications can run while where I define the policy is in the private space of the DSC card. So there are various architectural levels of security that have been thought through from the ground up as you offer more and more security services.

How does the security you are providing stack up against the security AWS is providing?

They have been using a technology that they acquired from a company called Annapurna which is called Project Nitro. A lot of their service offerings are tied to what the Nitro platform is able to deliver. If you take a look at what we can do on a single DSC powered by a single P4 programmable processor by Pensando, they would need five such devices to offer similar functionality.

What that means to a customer is a much more increased power footprint. So you would be drawing three times the amount of power vis-a-vis the AWS Nitro device for equivalent functionality. Then you would need to go and think about how these five devices interact with each other when you are offering differentiated services whether it is connecting storage devices or connecting and offering network services. Doing it on one device really protects your root access from a security point of view with all of the services that you are delivering right on top of it, including the ability to do line-rate telemetry and observability.

What we are essentially poised to do is deliver it nine times faster [than AWS] with low latency in a predictable manner, protect the root access of the device. We are protecting the root access because it is one, not five devices. And we are doing it from a power profile that is one third less than AWS Nitro.

What is the impact of AWS’ Arm-based Graviton2 processors, which provide a big performance boost, on the Pensando model?

We are agnostic to what processor you would run on your server. The server could be based on an x86 platform. It could be based on an Arm processor. It could be based on GPUs. We are agnostic to the main server processor that you are utilizing. We are not necessarily even on our own programmable processor using our own four Arm cores for any data processing.

All of that is done in our device on our P4 processor, which has 112 match processing units. What this means is it allows us in a very low power footprint to deliver eight times the amount of packet processing that can be done by the AWS Nitro device. AWS needs five devices to do the equivalent of what we need one device to do on a server. Whatever the application processor is when you are running your application, whether it's Arm or x86, we are agnostic to that. What I'm describing to you is the efficiencies and the advantages of our product when compared with the Nitro platform for AWS.

Does that mean Pensando architecture is in a much better position than the public cloud to provide that new edge?

I would say we are in a better position because we started in 2017 to build this architecture from the ground up. That gives us the ability to leapfrog what the likes of AWS and Nitro are doing. We are making this available to enterprise customers who can now build a private cloud with the same blueprint as a hyperscaler architecture.

What is the sweet spot of the market for Pensando edge?

I would say the sweet spot would be applicable to the Fortune 5000, particularly those that are in regulated industries like health care, the government and public sector as well as the tier 2 and tier 3 cloud service provider customers as well.

Is Pensando the impetus for private clouds to perform faster and more efficiently than the public cloud?

The world is going to be multi-cloud in nature. The reason the world is moving in a multi-cloud direction is no one vendor is in a position to meet the diverse demands of any enterprise customer. The enterprise customers—whether they are rearchitecting themselves to deal with the new way of digitization and transformation or whether they are doing it because of compliance with a higher degree of security as they think about that next generation private cloud—whatever the compelling events are we can all go in the direction of having a common way of managing our on-premises and our off-premises assets. Then it becomes a matter of determining where to run that application. Because now you have normalized your private cloud, and as you get to a set of public cloud vendors you can decide based on economics and what the strategy of the company is from a security and go-to-market perspective where to go run your workloads.

Without the common architectural elements, it is going to be very difficult because you are trying to deal with legacy [technology] and the new architecture of public cloud. You don’t want to be held hostage by any one public cloud vendor. You would want to be in a position to make a determination on where you want your workloads to run, where you want your data to reside.

This is a transformation and an architectural play that will democratize the notion of delivery of cloud services, whether it is on-prem or off-prem. That is why we call it a democratization. You don’t have to be AWS to have Nitro. You can have this offering available from your enterprise server companies, and your partner can bring the blueprint and the services to you so you can build a better cloud, a more secure cloud, a more agile cloud and drive the same level of operational efficiencies with the scale that you could only get previously from a hyperscaler.

Has the center of gravity moved from the public cloud to the edge? Is that the predominant architecture for the next decade?

I think so. Look at all the edge functionality and the variety of technology trends happening at the same time. It’s the perfect storm. It is 5G combined with all the end points that are being created with autonomous vehicles or IoT-type devices. It is the ability to process things very quickly at the edge and provide the ability at very low latency with less jitter in a very small power footprint with the ability to deal with millions of connections coming in per second with the requirement to secure it, encrypt it and decrypt it with line rate visibility. That is where the new innovation elements are being created. That is where all the action is now—at the edge.

One big question everyone has is why hasn’t Cisco supported Pensando?

We continue to be very interested to work with all of the major system companies out there. For us, working with Cisco would just come as naturally to us as it would be working with a systems company like HPE. Now clearly HPE is a leader in the server space. So HPE was quick to recognize that their vision of the edge with the security and the cloud attributes moving to the edge is going to be very synergistic with their strategy based on what Pensando is delivering.

So we were very fortunate in that while we engaged with all companies including Cisco, HPE quickly came to the realization that this would be a very strategically important play for them.

But I would say this is just the beginning. You will continue to see a lot more engagement that Pensando will be having with other system players, although the strategic nature of our engagement with HPE will continue to grow.

Are the companies that have not signed up for this trying to protect a proprietary platform?

Eventually I think the market forces will come into play. This architecture is being driven to a large extent by our customers. It is our customers who are validating that this is the way they will be building out their future cloud blueprint. There are going to be people that are early adopters, and then there are going to be the people that become the mass adopters. You will see it follow the traditional technology curve where you will see the early adopters make it real and then the masses will follow by taking and replicating that footprint in their environment.

There are so many products out there with network visibility like ThousandEyes, which Cisco is acquiring. Does this replace those products?

We essentially will have the ability to support multiple ERSPAN (encapsulated remote switched port analyzer) sessions that are bidirectional in nature directly on the DSC card. You are not limited by the number of ERSPAN sessions that are only unidirectional given that all the silicon out there from a networking perspective is bound by the number of ERSPAN sessions and it is only unidirectional.

Then there is an equal aggregation. Today you are building independent networks to get that aggregation to a server. We will eliminate all of the requirement for that because we subsume that function. And we have the ability to have telemetry capabilities without requiring all the staff infrastructure that gets built.

Typically, customers spend as much money on a mainframe network as their attack aggregation network. So no longer would you need to go build that kind of infrastructure to get that level of visibility. And because all of this is happening on our P4 programmable processor, it is a matter of having the right software and continuing to enhance those software capabilities. Now all of a sudden you have eliminated a lot of redundant infrastructure, but you have real-time visibility and observability close to where your workloads are running.

Can partners play a role in developing services with the P4 programmable processor?

Partners will play a very important role. Stay tuned as we integrate into our customer’s existing environments whether they are using Splunk or ServiceNow. They are a very important aspect of our overall solution. Existing ecosystem integration is very, very important. That is an area we are putting a lot of focus and working and collaborating with the various system management and orchestration companies.

Pensando has the brain trust that built the Cisco networking model. Is this a bigger opportunity than the networking opportunity that the team worked together on at Cisco?

It is a different time. When we were starting off [at Cisco] the internet was just picking up at that time. The internet changed the way we work, live and play. At that time the internet was being built, and the switches and the routers that we were building were the foundation of what we have today where you have the experience of a consumer with everything within a click of a button. We were at that time undergoing that transformation of the internet era.

What is happening now is that the cloud is moving to the edge, and all the action—whether it is enablers like 5G, IoT, and machine learning and AI with a million connections coming in per second—that is where all the action is now. The cloud experience has been pushed to the edge. I think this is an opportunity for the next decade that Pensando is playing in. It is a huge opportunity. We are clearly not going at it alone. We are going at it with our strategic customers and partners that are backing us.

It is difficult for me to compare and contrast. Technology is moving so fast now more so than ever before. What is exciting is as cloud is moving to the edge it is giving opportunities to innovators like Pensando to see how we can contribute to this transformation. And doing it not alone but with a strong set of ecosystem partners is how we are going to transform it altogether.

HPE’s vision is to innovate faster than competitors. How big an advantage does HPE have moving first here?

I am very surprised as to how responsive our customers have been and how favorably they have responded in terms of looking at the next-generation architecture with us and HPE. The customers have been very, very receptive to this relationship and to transforming themselves as a result of our engagement with HPE.

The customers are moving quickly. HPE has clearly seen that this trend has been coming. A lot of their customers have been giving them similar feedback. We continue to be pleasantly surprised as to how fast the market wants to move with us. Because of the architectural advantage that customers are getting from us and HPE they want to make sure that as they look at the innovation coming from Pensando they have the relationship with HPE that can be brought to bear on a global scale.

How important is the first-mover advantage here for HPE and its partners?

It is very important. The ability to embark on new transformations and then build based on what your early customers are telling you puts you in a better position to service the next wave of customers. The sooner you start, the sooner you have the ability to build to deliver these types of experiences with early-adopter customers. Then you are in a position with more experiences so you can cater to a wider range of customers in a faster time frame.

What is going to be the ultimate economic impact of HPE-Pensando teaming if we look back at this three years from now?

Look at the adjacencies here like the security space, which is a multi-billion market. Today there are appliances which are primarily being used for North-South traffic. We are complementing that with East-West functionality.

It is also a new way of building out architectures, providing telemetry capabilities. It eliminates a lot of redundant infrastructure today that customers are building to have visibility and telemetry on their infrastructure. This all gets subsumed within the [Pensando] Distributed Services Card.

I would say the adjacencies are multi-billion dollars in size. I am cautiously optimistic that this will not only drive a lot of cost savings for customers, but it will also drive a new way of architecting things at the edge. That is now very prevalent in the public cloud with the hyperscalers, but now you are bringing it to the enterprise. So I think it is going to be a net-net positive impact economically both for vendors like HPE but also for customers in terms of the total cost of ownership savings.

How does it feel to have product out now with the HPE servers?

It feels very good. It is exhilarating. Now we have the product out there. It is the first kickoff with a strategic systems vendor.