June 2006

June 26, 2006

StoreVault: Storage for Small Businesses

NetApp has created a new division, called StoreVault, to provide storage systems for small and medium businesses (SMBs). The S500 is our first StoreVault system. It's based on the same Data ONTAP software that we use in our enterprise systems, but with a management interface optimized for SMBs, including simple wizards for the most common tasks. (Pricing starts around $5,000. Maximum capacity 6 TB. Supports iSCSI, Fibre Channel SAN, CIFS and NFS, as well as snapshots and double protecting RAID.)

Enterprise Disease
One challenge of building an SMB product in a company like NetApp is that we focus so much on the requirements of giant enterprise customers that it would be easy for us to get confused about the needs of small and mid-sized companies. Mid-sized businesses aren't just stripped down versions of big enterprises. They have their own separate requirements, and simply creating a stripped down version of the standard enterprise solution isn't good enough. Our CTO calls it "enterprise disease" when people who have spent too much time focusing on giant customers try to design products for smaller ones. We created a separate StoreVault division in part to protect our SMB team against enterprise disease.

It's not just the product itself that's different. The manufacturing model is different (outsourced overseas), the distribution model is different (two tier to resellers), and the service and support model is different (completely separate from our existing support staff). Throughout the division we do things very differently than for our Enterprise Storage Systems group.

In fact, we've made no effort to make StoreVault available for existing large customers. Our direct sales force can't even sell the StoreVault. Existing customers are certainly free to buy it from an approved reseller, but they should be aware that the enterprise support organization they normally work with won't support StoreVault.

StoreVault is a NetApp company, but the products are distinct from NetApp's other products, much like what Cisco did with Linksys.

Jay Kidd, who is the Senior VP above the StoreVault division, explained it to our direct sales force like this: "What you need to know about StoreVault is what a priest needs to know about sex. It's going on all around you, but it's not your concern."

SMB Pain
SMBs typically have small budgets and little or no dedicated IT staff—almost never any dedicated storage staff—so cost and simplicity are especially important.

Many SMB customers tell us that backup and restore are their biggest pain points. Good data availability and secure backups have become critical because so many SMBs rely on their data to run their business. Try making an appointment to get your teeth cleaned if your dentist's storage is down.

In the future, I expect that regulatory issues will become more important. The fact that thousands of SMBs are subject to Sarbanes-Oxley has only begun to sink in. As it does, I expect that we will find more and more "enterprise" features that are also critical to SMBs. There are over 10,000 public companies in the U.S. Only the top few thousand are "large businesses", which means that there are many thousands of public SMBs. Plus, many other regulations apply to both public and non-public companies.

Data ONTAP is a great foundation for meeting these requirements. NetApp has years of experience meeting data protection and management challenges in large data centers, and we have a history, since we first began, of focusing on simplicity and ease of use. Having one system that supports all the major storage protocols really reduces complexity.

Irony
The big irony for me personally is that small and medium businesses were our initial target market when we started NetApp, back in 1992. Sun and Auspex were already selling high-end networked storage, and our goal was to slip in under the radar by targeting the little guys. The whole point of the appliance model was to reduce complexity to the point that anybody could have one. We called it "Storage for the rest of us." We thought it would also help us sign up resellers, because it would be less work for them to sell and support.

Of course—as so often happens with startups—things didn't go at all as we predicted. Never mind the simplicity, we discovered that technical customers loved our product because it was blazingly fast, and then all these hyper-growth Internet companies started installing us in their data centers, many of them running large Oracle databases on our storage—and, well, the rest is history.

I certainly don't mean to complain about how things turned out! My point is just that I personally find it very gratifying that—after all of these years—NetApp is finally addressing the founding vision.

June 22, 2006

Strategy for Sensitive Data. Tactics for Data Encryption.

After my last blog on encryption ("Why Encrypt Data on Disk?"), I got a message from a user asking "how to evaluate and develop a strategy for data encryption."

When you talk about IT strategies, I think it's important to step back and ask, "What business problem am I trying to solve?" After you've clarified that, then you can ask, "What tactics and tools can help me solve it?"

In that context, I would say that you don't really want a "Data Encryption Strategy", because "Data Encryption" isn't a business problem. When people talk about encryption, the business problem is usually this: I have sensitive data and I don't want bad people to read it. To dig into this business problem, here are some questions to ask:
  • What standard practices exist for my industry?
    If you choose your own path, you'd better be very sure that you are right and everyone else is wrong, otherwise the lawsuits and the newspaper coverage may be especially painful.

  • What bad things happen if someone does read my data?
    Along with standard practices, this determines your budget. If nothing bad happens when people read your data, maybe you should let them.

  • What attacks are most likely and—if they occur—most harmful?
    This determines what to protect against. You'll never protect against everything.

  • How would bad people get at my data?
    This determines which protection techniques to use. Encryption is great at protecting stolen disks or tapes, but it doesn't protect against people whose job requires them to see the data.

In developing a strategy, standard practices are often a good place to start. Unfortunately, things are still pretty chaotic when it comes to protecting sensitive data. Everyone knows that you should have a firewall on your network, and locks on the doors of your data center, but encryption is still new enough in the commercial world that there aren't really any standard practices yet.

On the other hand, the financial services industry—banks, brokers and insurance companies—is moving very quickly. Within 12-18 months I believe that encrypting backup tapes will be standard practice for these firms. Financial services and Fortune 500 companies are moving fastest, but I expect encrypting backup tapes to be the first step for many other firms as well. Backup tapes are especially vulnerable because they hold so much data, and because they are often sent offsite. After human error resulted in lost tapes at Iron Mountain, they began recommending that all of their customers encrypt backup tapes. (In fact, they use and recommend our Decru DataFort appliance, and offer an outsourced encryption service based on it.) Right now, over 50% of our encryption business is encrypting backup tapes.

Sometimes it makes sense to go beyond standard practices. One Wall Street firm we work with has a division that does wealth management for super-rich people. The general manager concluded that their data was so sensitive that they should encrypt everything—disk, tape, optical, whatever. The risk to their business, if this data escaped, was just too high. I could even imagine this being a competitive advantage for them.

Standard practices are different for different industries. In the intelligence world, encryption has been standard practice—even legally required—for quite some time. At the Department of Defense, there's a Decru DataFort specifically to protect Donald Rumsfeld's data. The second biggest component of our encryption business is with various military and intelligence agencies.

Standard practices also change over time. Right now Congress is considering legislation to tighten the requirements on protecting sensitive consumer data, and there are already dozens of state laws in place. There has been so much bad press, and so many new laws, that I believe most industries are still struggling to define what makes sense for their data.

In this blog I've taken an encryption-centric perspective (because part of NetApp's strategy is to sell encryption), but I wrote another blog about "Data Security Broadly Defined" that talks about Perimeter Security, People Security and Data Integrity. A complete strategy to protect sensitive data really needs to address all of these areas.

June 16, 2006

ONTAP GX—Past and Future

This Monday we released ONTAP GX, which is a super-high performance clustered version of our software. GX combines Data ONTAP with the technology from our Spinnaker acquisition in 2003. Since you can read about how great GX is from our press release, web site, and in trade press (more press, and more), I'll talk about the big picture.

Origins of GX
GX descends from a distributed filesystem called AFS. AFS was developed at Carnegie Mellon University (CMU), spun out into Transarc Corporation, and eventually purchased by IBM. AFS didn't win in the market, but the customers who used it—like Wells Fargo and Intel—absolutely loved it. Much of the team that built AFS re-formed as Spinnaker in an attempt to apply their experience and do it better this time around.

A big advantage of AFS was that it used a powerful (but proprietary) protocol to connect the systems that were sharing data. It had excellent caching properties that allowed high performance over widely spread systems, and it had data management capabilities that most storage systems still don't have today. Unfortunately, the proprietary protocol was also a disadvantage because it required OS changes to every computer. This made AFS expensive to develop and maintain, and it was difficult for customers to manage, especially in environments with many different operating systems.

Spinnaker solved these problems by applying AFS-like techniques within a cluster of appliances, but using standard protocols to communicate with the outside world. In other words, the team created a powerful new architecture that combined their best ideas from AFS with the appliance philosophy pioneered by NetApp.

Acquiring Spinnaker and Merging the Technology
In some ways the acquisition felt very natural. Mike Kazar helped invent AFS at CMU, before co-founding Spinnaker, and I borrowed some of his ideas in developing WAFL. I knew his work and admired him. Likewise, the Spinnaker folks viewed NetApp as a source of inspiration on the appliance philosophy, and they respected us, despite the fact that their business plan was to attack us!

I believe the acquisition went so well in part because both teams had strong mutual respect. The beauty of GX is that it combines Spinnaker's overall architecture, including global namespace and clustering, with NetApp's crown jewels, including WAFL and RAID-DP. It runs on standard NetApp hardware, giving customers flexibility. The result is amazingly scalable and easy to manage. We just posted a million-ops-per-second SPEC SFS benchmark result that is triple the previous best result. It's easy to manage because it acts like a single system even as you add more compute nodes and storage.

I admit that merging Spinnaker and ONTAP took longer than we expected. In 2003 we hoped to ship by late 2005. We also changed our release strategy. Initially we planned to ship the merged software as the next major release of ONTAP. However, we realized that so much change would piss off our enterprise customers. Instead, we will develop GX in parallel with ONTAP 7G for the next few years. Right now the interfaces between 7G and GX are not as similar as I'd like, but we'll enhance them both, and converge them over time, much as Microsoft converged Windows and NT.

I believe that GX puts us way ahead of large competitors like EMC, Hitachi, and HP. None of them have anything like this—certainly nothing that runs on their standard hardware. Our advantage over small competitors (like Isilon, 3Par, Ibrix, Panasas) is our rich data management features. These features mostly aren't turned on in this first release, but they are sitting there in the code—thousands of engineer-years worth of technology just waiting to be tested.

Future Strategy
The first market for GX is high performance computing (HPC)—chip simulation, giant software builds, oil and gas seismic processing, Hollywood special effects and the like. Here's a good rule of thumb: If you have hundreds of nodes of Linux, all working in parallel on the same task, then you are a great candidate for GX.

In the long run, ONTAP GX is for everyone. The benefits go way beyond speed and scalability. I think of GX as a whole new dimension of virtualization. (I define "virtualization" as making the physical reality that you are stuck with into a virtual reality that you like better.) With GX, we virtualize multiple systems so that they look like a single large system. This not only improves performance and simplifies management, but it enables many new opportunities for automation.

I believe that the combination of virtualization and automation creates a powerful foundation for innovation in storage.

June 08, 2006

What Does NetApp Do? (The Non-Technical Version)

How do you explain to non-technical people what a high-tech company like NetApp does? I found myself in this position last week, because I spent the week on jury duty. About half of the jury was technical (computer programmers and chip designers), but the other half was non-technical: United pilot, mother of three kids, real estate agent, management consultant/executive coach—jobs like that. (We found the defendant, a drunk college student, not guilty of battery but guilty of resisting, obstructing or delaying a police officer.)

When the other jurors asked me, "What does NetApp do?", here's the answer I gave.

NetApp sells giant boxes of disk drives—boxes with hundreds or thousands of disks. Yahoo! stores all of their customers' e-mail on our boxes. The folks who made the Lord of the Rings movies, and lots of other movies, store all of the special effects data on our boxes of disks. Those are the flashy customers, but most of our customers store stuff like financial information, databases of their customers and employees, or maybe engineering design information for chips or cars.

But the trick is, NetApp doesn't make the disks. For some of our systems we don't even design the box or the electronics. Most of what we sell is software that does things like protect your data in case a disk fails, or even if two disks fail. If your whole building burns down, we've got software that'll make sure there's a remote copy of all your data somewhere a long ways away.

More recently we've been getting into even more advanced forms of protection. Like if the SEC visits your company and wants to see e-mails that your CEO sent eight years ago, we've got software that makes sure all the data from back then is still saved, and software that proves it's been kept tamper-proof so that the e-mail the SEC is looking at today is exactly the same as it was eight years ago. Or if you have disks or tapes with private information that you don't want anyone else to see, even if you lose the tapes, we've got encryption to protect the data from other people getting it. The military is using the encryption product in Humvees in Iraq, to make sure that the bad guys can't read our secret information.

In other words, even though we sell big systems full of disk drives, mostly what customers like about us is that we help them manage all that data more efficiently and easily than our competitors. They can store lots of terabytes in one place, be confident that it's safely protected, and manage the whole process with as little complexity as possible. And because NetApp is a younger company than our competitors, we have a more modern approach, which our customers find more flexible and responsive.
