When we spoke with Ronan Kavanagh, sales director of Galway, Ireland-based SpamTitan, he described SpamTitan’s membership in the Virtual Appliance Marketplace of the titan of virtualization, VMware.

A major benefit of its partnership with VMware is that it’s “letting a lot of people know we’re out there,” which Kavanagh explained is helpful since the “decision-making process” for “the larger organizations can be a little bit longer than the smaller ones.” And, SpamTitan’s “solution works fantastically for those environments, with 10,000 to 20,000 users. SpamTitan has been delivering at the highest level for quite a while, either as a hardware solution or a software solution,” so “we have some good people using it.” By being part of VMware’s Virtual Appliance Marketplace, Kavanagh has found SpamTitan’s able to reach out further, so that even more good people can end up using its solution.

From Hardware to Software Appliance

Kavanagh recalled how “we looked at launching a software version of our physical appliance about 18 months ago, and while investigating the way we were going to do this, we became aware that VMware themselves were investing considerable resources into virtual appliances as a key strategy for themselves. The timing was coincidentally very, very good. We contacted VMware, and got introduced to the people running their virtual appliance program – they have their processes and partnership programs, and we went through that. We were an early adapter from their point of view – one of the first ten companies to get certified under their Virtual Appliance Marketplace certification program. They were happy as much as we were delighted to be involved in their certification program, to ensure our virtual appliance meets their product suites, and works seamlessly with their product suites.” Kavanagh noted, “We’ve attained that certification,” and this “adds weight to the product, certainly in the marketplace, from a customer point of view if they’ve deployed VMware products. And if they are looking to add products, they’re going to add certified products because they know it’s going to work.”

So far, from a study of its data from its VMware partnership, “60 to 70 percent of their customers running SpamTitan are on free versions of VMware” — suggesting use by smaller organizations. “There may be notions out there that VMware is an enterprise product,” and “if on the SME level” users may thus “bypass that product,” but the evidence suggests that this is “absolutely not the case,” as “most people are using free versions of the VMware product, and getting tremendous value of out it.” Being certified by, and partners with, VMware “are pretty key” to SpamTitan’s success, since “of the virtualization products out there” — of which there are “three or four mainstays out there” — Kavanagh has found that “VMware is about the only company pushing virtual appliances to the extent that they are.”

VMware’s Virtual Revolution

We spoke with Srinivas Krishnamurti, Director of Product Management and Market Development at VMware, who explained the company has “been around since 1998,” and that “starting around June ‘05, we started talking around the concept whereby ISVs can actually ship their software preinstalled and preconfigured in a virtual machine,” and this “evolved into our virtual appliance strategy.” Krishnamurti recalled VMware “first started talking about this concept of being able to distribute software in a virtual machine in June 2005” and “at that point in time, we said, ‘hey this is a new software distribution paradigm.”

At that time VMware was working with “about six partners” like Oracle and Red Hat, who “preconfigured their software into a VM and put it up on our website,” and customers found they didn’t have to “spend any time installing and configuring our software” for evals, so the “time to value was vastly reduced.” Krishnamurti added, “since then, we’ve been talking to a lot of ISVs and a lot of customers, saying, ‘what do you guys think about distributing software already installed and configured to run?’ He added, customers “don’t have to waste a lot of cycles getting configured.”

The logic proved infectious, and the “virtual appliance became the new paradigm for software distribution in 2005,” and after starting off with just a handful of products in the virtual marketplace, So while VMware’s virtual appliance market started off with only “about 6 products,” just “fast forward” to the present day, and there are now “over 600 products listed in our virtual marketplace” and the “rate of downloads [is] two downloads per minute off our website,” and “we see ISVs saying, ‘this is a better way for us to distribute our software’” since it can lower their costs.

So while the paradigm was originally intended for support and eval, it has evolved for all manner of software products, since otherwise selling software is “complicated,” as vendors had to “send a rep to the site to get it up and running,” which is “pretty expensive for an ISV to do.” So far, VMware has seen “a tremendous amount of traction for distributing software in virtual machines,” and “about a year after they started seeing a trend where some vendors starting coming up and saying it was good not only for just evals but also a viable way for selling production software.”

Indeed, customers are saying, “’I can buy my software as a hardware appliance or as a virtual appliance,’” and VMware has “started to see a jump from evals to actual production use as well.” Krishnamurti recalled that “last year, in June, we started an actual certification program,” during which VMware will “run that virtual appliance in our labs and make sure it is really optimized for our VMware infrastructure stack,” so by “using that logo,” it’s “optimized to run as VMware infrastructure.” And as of today “we actually have 600 virtual appliances in the marketplace. Customers are taking note, realizing, “‘this is a better way to sell my software,” since “for customers, this is much easier for me if I don’t have to install and configure software.” Krishnamurti noted, “Some of the customers that we’ve talked to… have already deployed virtually appliances into production use today.” Indeed, coming into the marketplace is “quite the gamut” of companies that “we’re actually seeing,” and “the area where customers are very comfortable putting a virtual appliance into production use, the first area is the security space. For firewalls, anti-spam and that kind of software – a lot of vendors in that space have been shipping hardware appliances, and if you want to buy a firewall you get this box.” Krishnamurti noted “customers are getting used to getting these boxes and plugging it in” and having them be “plug and play” right out of the box. But then “here comes a box that is no standard,” and customers find they “can’t manage the software” so they “have to go back to the vendor,” lest it end up “not getting utilized.” Enter the virtual marketplace, where there is no need for a box, and the preconfigured software is available through download: “What if I can get the same software stack – and without the plug in box, get same stack and put it into a virtual machine and go deploy that for whatever virtualization platform they’re running on.” So, while “security software is the first place where customers are saying, ‘you know what, I’m going to place a virtual appliance down,” Krishnamurti observed that “now we’re seeing vendors like BEA, etc., middleware vendors, also jumping on this virtual appliance bandwagon.” And this is good news for the enterprise, the SMB, even smaller customers who might never have anted up for the plug-in box in the first place.

As Krishnamurti explained, “SMB customers don’t tend to have a large IT staff” so the “install is a nuisance for them,” so “for them, being able to download something and click onto a couple of buttons and boom, it starts to work – this is a tremendous benefit.” And for the enterprise, “they may have a lot of IT folks, but they don’t have a lot of resource to waste time installing software,” and once they’ve “bought software, they want to start using it as quickly as possible” and minimize the “effort to install and configure this thing.” This is evident in the rising interest in a virtualized BEA stack: “Also know a lot of our enterprise customers are very keen to deploy the BEA stack as a virtual appliance,” Krishnamurti noted, and “we have talked to a number of those customers as well.” Thus, VMware is finding, “it’s the whole gamut, we’re seeing interest from across the board.” So while with regard to deployments, “security is getting the most amount of traction,” virtualized security solutions are just the tip of the spear with much, much more on its way. As Krishnamurti observed, “We’re actually seeing interest from across the board.” He added, “The other big thing the virtual appliance simplifies, in terms of ongoing maintenance as well,” is you “plug it in and suck it up.” Basically, you just “install and configure onetime.”

But with regard to the “ongoing basis, what happens if you don’t have a virtual appliance,” and “you have the OS and app sitting on top of it,” then the “OS needs to be patched, the app needs to be patched,” but in reality, the “OS vendor doesn’t talk to ISV” and a “security fix could potential break my app,” and when this happens, “Do I call my ISV, or my vendor?” Which ever one you call might retort, “It’s not my problem,” with the ISV pointing the finger instead at the OS vendor and vice versa. This is “just a hassle” as “no one is talking to anybody,” and the “customer feels like” he’s getting “bits and pieces from different vendors,” and this is “very problematic – even if you have an IT staff, the number of people responsible for patching is just enormous.”

All this hassle goes away when you enter the virtual appliance marketplace. That’s because, as Krishnamurti explained, the virtual appliance is akin to a black box, something we may think of like a Tivo Box, which has Linux running inside – but you never care about it, since it just runs the way it’s supposed to. “Why cant enterprise software be that way?” asked Krishnamurti. “I should be able to buy whatever app I please, put it down and it starts working – and not have to worry about patching. Customers just want to see it work.” For the enterprise, this is a welcome relief from the long nightmare of patch management. “Even if you have an IT staff, you can say ‘Go work on something strategic rather than install, patch and do all that grunt work.’”

As Krishnamurti reflected, “This concept of being able to install software in a virtual machine and distribute a machine ready to run is something our company has been thinking about since day one,” and “if I talk to any of our founders, they were obviously thinking about that – it was not a surprise for us,” as VMware was not “waiting for virtualization to find traction before we started to think about other things,” but kept their eye on the future, listening to the needs of their customers. “Our customers, once they found out a little bit more about it, the light bulbs start to go off,” and they began to realize, ‘I’m spending a lot of time doing stuff I really don’t need to do,” and this realization “changes the IT paradigm. The more people we talk to, the more light bulbs start to go off, and we’re starting to see more downloads. As awareness grows, we’re seeing more and more demand for it.” Added Krishnamurti, “When the customer downloads that file, and the software is up and running, the sales cycle speeds up quite a bit.” Consequently, the download rate at VMware’s virtual appliance marketplace has enjoyed a doubling from around one download per minute six months ago to two. “Now it’s gotten to stage where it has actually doubled in terms of coming to the virtual marketplace and downloading of the actual appliances.” Added Krishnamurti, “We’re pretty excited about it.”

Virtualizing Security: SpamTitan Joins VMware’s Virtual Marketplace

Krishnamurti recalled that VMware started to work with SpamTitan about a year and a half ago, and noted they “originally shipped these hardware appliances, these hardware boxes” off to prospective customers. “Just think about evals,” noted Krishnamurti, “to evaluate the SpamTitan stack, they had to send an actual box, ship that to the customer and back as well. Just doing an eval was pretty expensive to them, and they couldn’t have a 1,000 eval boxes, this limited the number of customers who could do an eval of their software.”

The constraints imposed by the reality of selling hardware appliances raised an important question at SpamTitan – how to expand sales in their current markets, and also increase the number of markets where they can sell. Being based in Ireland, “it’s expensive to ship boxes to Asia or even America, it was exponentially expensive and this limited SpamTitan to sales mostly in Europe. But when they thought about the virtual appliance, they realized they can sell it anywhere – and take exactly the same stack, put it into a virtual machine, and now put it up onto the web marketplace and support thousands of evals at the same time.” Now, Krishnamurti observed, SpamTitan was “not limited to the number of boxes they can ship. Now their evals and sales are coming from the world over, expanding the total available market to which they can sell.” Krishnamurti boiled this down to “the two important things: one, they didn’t have to make any important changes to the software, and two, it opened up new markets to them.” On the former, Krishnamurti explained, “That’s the thing: with the whole concept of virtual appliance, the important thing is we’re not asking the ISVs to rewrite any piece of their stack, and instead of putting it onto CDs or a hardware box, virtual machines are almost the exact same thing as the physical machine,” and for the ISV, this is “easier for them.” And, Krishnamurti noted, an added benefit to SpamTitan: “given they were one of the first ones to jump on the virtualization bandwagon, they believe it was a competitive differentiator as well,” and thus their embrace of the virtual appliance marketplace “worked out very for them.” VMware offers ISVs a virtual appliance certification program, which can be turned around in just a couple of weeks.

Krishnamurti explained it was “a pretty aggressive testing matrix,” something that is “shared ahead of time” to help the ISV prepare. “It’s not something we try to ding people on,” but instead “we share the best practices,” and this “enables them to pass the certification as quickly as possible.” That way, “once submitted to the program for certification, it’s as close to certification as possible.” VMware provides ISVs with “detailed feedback,” so getting certified is something they can “turn around pretty fast for anyone who wants to build virtual appliances.”

Krishnamurti emphasized that “the important thing is we provide a lot of information for ISVs that want to create a virtual appliance,” and that way, “for ISVs to create certifiable appliance, the number of times we have to go back and forth with these ISVs is going to be reduced.” Spam Titan was “in actually one of the first, I’d say, ‘batch’ of ISVs to get their appliance certified. We had the website where we hosted all these virtual appliances, and we branded it as Virtual Appliance Marketplace last December.” SpamTitan was “probably among the first five ISVs to get certified, and to get re-listed on the new rebranded Virtual Appliance Marketplace.” SpamTitan, as one of the “first ones to do it,” has enjoyed “already some competitive differentiator to it.” The relationship with SpamTitan and its early embrace of the virtual appliance model has been good for both VMware and SpamTitan. “They were one of the first [ISVs] from the security/anti-spam space to actually do virtual appliances,” and “we’ve actually seen a pretty big uptick in downloads of their appliance, so we’re pretty excited about their participation in the virtual marketplace. The impact for them is they’re able to see a much more global audience – we’re excited to enable this, and to open new markets to them.” And “for us they’ve been able to provide us with some input into saying, ‘Hey, as you think about your virtual appliance roadmap, here are some things you should think about for enabling for us.’” This has made for a positive and reciprocal partnership. “As partners, we’re able to get some product direction input from them as well – that’s one of those things where both parties are in a win-win situation where both parties are helping out each other.”

While SpamTitan’s early embrace of the virtual appliance model has been mutually beneficial to both VMware and SpamTitan, and while it provided some early competitive advantage to SpamTitan, its competition watched and learned from SpamTitan’s early adoption. “Once people kind of got the word on virtual appliances and how it makes life simpler for their customers and their development,” Krishnamurti noted, the competition followed in SpamTitan’s footsteps. “Proofpoint is another vendor who found a virtual appliance in the virtual appliance marketplace” made sense, and is now a VMware certified member of the Virtual Appliance Marketplace. And McAfee just announced, and one I believe is in beta right now. Some big-name ISVs are starting to do virtual appliances now.” Outside the security space, middleware vendors include BEA, Business Objects, and storage vendors like LeftHand Networks have joined VMware’s virtual appliance marketplace, “and even within the security space big names are starting to say, ‘We should do something about this.’” Krishnamurti noted, “At the end of the day, it’s a great thing – it’s the same software but delivered in a very different and easy way. If I was a customer, if every vendor was going to give me a virtual appliance, it still comes down to, ‘What is the best product out there for me?” So in the end, “the people who are going to win are the ones who have the good software in the virtual appliance marketplace.”

Confronting an Evolving Threat

That’s something SpamTitan hasn’t forgotten, as it grapples with the evolution of the spam threat and its increasing complexity and lethality. Among recent spam trends, Kavanagh thinks that “botnets are probably the biggest” – but he added that in November of last year, he “started seeing graphic based spam, which looks like text but was in effect an image – and because it was an image, textual readers built into anti-spam solutions would be ineffective against them, and by and large they were – we would first have OCR technology built into our solution, and then the spammers went a step further: they started tilting and blurring those images to circumvent the fist generation OCR technologies released to deal with that spam. Then, Kavanagh added, the next biggest wave was PDFs — which have become very prevalent.” When victims “open them up,” thinking they’ve received an e-greeting card, “within there is the spam message” delivering a Trojan. The emergence of PDF spam has been “quite interesting,” Kavanagh noted, and is “tied into the area of botnets: sending out millions of PDFs was bandwidth intensive, something spammers could not do – but now with the use of botnets, the taking over thousands of PCs, by sending out so many spams from so many PCs, spammers can afford to send out larger files like PDFs.” Kavanagh has “been to some interesting talks that have demonstrated why it’s all happening,” and “the bottom line is – who is sending the spam messages out there? It is by and large criminal organizations.” So one big reason why the war against spam isn’t working is that “these guys break the law in 9/10ths of their business anyway, so international rules and regulations carry little weight with these guys.” Ultimately, when asking, “Why won’t spam go away?” Kavanagh said the answer is clear: “because someone’s earning money at it – as long as a buck is coming from it, it will keep happening.” And, he added, because spammers continue to evolve their malicious armory, they’re working tirelessly to keep one step ahead of the anti-spam crusaders. But the anti-spam software engineers at SpamTitan are working just as tirelessly: “There hasn’t been anything they’ve done so far that has really taken everything out, they haven’t yet been able to do that.” Fortunately, Kavanagh has observed, “there’s smart people on both sides of the fence.” When asked what to expect next, Kavanagh conceded it’s “hard to figure it out,” since “like the virus world, a lot of the solutions are still very much reactive solutions.” But one thing is easy to predict: when asked what we can expect to see coming down the road, Kavanagh’s answer was both sober and taciturn: “More.” And you’ll be in luck with this inevitable moment when less becomes more, as SpamTitan permits free trials/downloads of its software, at www.spamtitan.com. So when Kavanagh’s inevitability comes to pass, and you need help from the anti-spam pros to wrestle this more back into less, help will be immediately on the way.