How HashiCorp is driving cloud provisioning and management

HashiCorp CEO Dave McJannet talks up how the company is supporting cloud provisioning in a hybrid environment and its investments in Asia-Pacific to capitalise on the region’s growth potential

Known for its Terraform software used by DevOps teams to deploy cloud resources using infrastructure as code, HashiCorp was formed a decade ago when terms such as multicloud and hybrid cloud had not entered the cloud computing lexicon.

But at the time, the founders of the company, Mitchell Hashimoto and Armon Dadgar, already saw that the future was multicloud and organisations would need automation tools to deploy and connect their applications to any combination of public cloud and on-premise environments.

Today, the company has expanded its range of infrastructure management tools, including Vault which manages keys and secrets in distributed systems, and Consul, a tool that automates networking across clouds.

In a wide-ranging interview with Computer Weekly in Singapore, HashiCorp CEO Dave McJannet shared how the company is driving cloud provisioning and management and its investments in Asia-Pacific to capitalise on the growth of the region’s cloud market.

Talk to me about the company’s directions and the overall strategy to grow the business.

Dave McJannet: Our point of view when we started the company was that the steady state of cloud would be multicloud. Therefore, we had an opportunity to provide consistency against the operational realities for people running cloud infrastructure.

The way we decompose the problem of cloud is basically into layers. There’s a provisioning problem people have in cloud – how do I provision compute in a consistent way? There’s also a security problem, which is how do I adopt identity as the basis of security, given that everything is happening outside the datacentre in the cloud world? Whereas in the private datacentre, if you’re inside this range of IPs, then you’re allowed to talk to each other.

Number three is around how do I think about networking in this new world where an app running on Amazon Web Services (AWS) needs to connect to a database running in a private datacentre? So, those are the three core principles of cloud and that’s why we have such a broad product portfolio that addresses all of those problems, and each of them is a distinct problem.

I think that point of view turned out to be very accurate in the way the markets have played out. Terraform has basically standardised how people do provisioning. Vault has standardised how people broker identity between machines and Consul has standardised how people do networking.

Every company we speak to has more than one cloud partner. And whether by accident or by design, people have ended up in a multicloud world. That means they run into these problems one by one, depending on their level of maturity.

There are countries, like those here, that are just starting their cloud journey. They run into provisioning or security problems first, so they generally adopt Terraform or Vault. Those that are more mature on their cloud journeys will run into the networking problem, but every company goes through that same journey. In the US, for example, most companies that have adopted Terraform and Vault are now deeply looking at the networking problem. That’s certainly the case for Australia as well.

As a company, we have committed to being their multicloud partner for all aspects of that cloud journey. Our product portfolio represents that and sort of overlays with the maturity of the market, with different products being more popular in different markets.

I understand that HashiCorp is also going deeper into each of those areas you mentioned, and as a result of that, you might be up against the likes of Okta, for example, in identity management. What are your thoughts on the competitive landscape?

McJannet: Every time there is an infrastructure transition, from the old world to new world, there’s an opportunity for a new vendor to emerge. We’re going from a world of private datacentres to a world of cloud and that’s when the existing vendor landscape gets turned over because the products you’ve built, for example, in the mainframe era, don’t really translate to the client-server era. The products in the client-server era don’t really translate to the cloud era. So generally speaking, there’s a reshuffling of vendors.

I think you’ll have to look closely at each of these different markets, though, to be able to decompose how they fit together. With a private datacentre, you have separate teams for security and networking, each with their own budget – even in the cloud world.

But the cloud programme owns all those things and there’s no separate networking or security budget. It’s just one budget, so those concerns get aggregated in the cloud world under a common buying centre. For most people, that’s their cloud programme or their platform team. That team may have used a firewall for security in the private datacentre, but a firewall doesn’t even make sense in the cloud world because everything is outside of the datacentre. So, they need to rethink what their security controls are going to be.

As the world goes cloud, private datacentre incumbents do come under pressure because there’s a new way of solving the problem and that’s normal. The second aspect is within this cloud estate – how do I think about the different problems and which of my vendors are going to be there?

For us, it’s very clear. For identity-based security, we assume you use Okta for your people-to-SaaS [software-as-a-service] connections, and you use Vault for your machine-to-machine connections. So, we’re not competing at all with Okta. It’s more about what the market landscape looks like for each of these layers.

How are you helping customers who are dealing with hybrid environments where workloads could be on-premise and in the cloud?

McJannet: A very common scenario is this: I have my private datacentre, and I use AWS, Microsoft Azure and an edge environment in a retail store or wherever it may be. The database could be on-premise and the application could be in the cloud, so how do I establish a connection between them?

It turns out that the problem is, how do I authenticate the identity of the container running on AWS using the AWS identity model and that of the database in a private datacentre using Active Directory? I can authenticate the identity of the endpoint, which Vault does, and then make the connection between them using Consul. So, it turns out that the problem we’re solving explicitly is the hybrid problem. We do that by supporting different identity models that allow you to bridge different environments. This was exactly what Starbucks did. They have like an edge environment where the apps are running, and they need to connect to a private datacentre.

Could you talk more about the HashiCorp Cloud Platform (HCP) and how it fits into the larger picture of what you’re doing?

McJannet: As people’s cloud journeys mature, they’ve come to realise that they need to standardise what they are doing. For example, I might have 10 different business groups and I want them to all use Vault or Consul when they build applications. So, what ends up happening is every organisation eventually centralises ownership of Terraform or Vault and offers them as a service to their development teams.

Deutsche Bank is a good example. They have one team that runs a Terraform instance consumed by all their development teams. Despite us being a cloud vendor, the most common way people consume our products is they download and run them on AWS and other clouds because they want control. They’re literally in the runtime path of every application, so they want to run it themselves.

What we heard a few years ago was that people were saying they don’t have the operational expertise to do that. They wanted their teams to use Vault and wanted us to let them consume Vault as a service. So, HCP is a common platform that customers can use to run Vault on public cloud services in the cloud regions they prefer. It’s as if a central platform team was running it, but we run it for you. It’s a logical way for people to consume our products and reduce some of the friction.

That said, it’s still early days for this category of infrastructure. If you think about that scenario where I have an app here that wants to talk to a database there, I connect to Vault and establish the connection. If Vault ever goes down, then the app stops working, so it’s critical enough that they generally want to self-manage.

But as the market matures, most people would prefer HashiCorp to manage it for them because we can run it better. In our last earnings call, we shared that HCP represents about 9-10% of our revenue, but it’s growing a lot faster than other parts of our business.

But how would an enterprise that is running a hybrid environment benefit from HCP?

McJannet: That’s the challenge, right? Given the problem that we solve is fundamentally one of integration, it’s not possible for us to run it in your private datacentre. So, there will never be a world where we manage it all for you, for now.

There might be some business groups where it makes sense for us to manage it. Unlike other vendors such as MongoDB, where you can run MongoDB on your own or use MongoDB Atlas, you’re only ever going to run MongoDB Atlas on a cloud platform because it’s for a new application. That’s not the case for Vault. You will have Vault instances running on AWS, Azure and in your private datacentre.

So, if you have multicloud, you will have Vault everywhere. We can manage some but not all of those – that’s why we will always have the self-managed version of our products.

But if a customer is big enough like JPMorgan, would HashiCorp go down the route of providing managed services to manage HashiCorp products deployed in the customer’s private datacentre?

McJannet: It’s certainly technically possible, but the question is whether the customer is willing to let you do it for them. I believe over time, the answer will be yes as people don’t want to be in the business of running infrastructure. But broadly, I would say that the market is not quite ready for that even if we are ready. I don’t think JPMorgan would be ready for us to have a full-time connection to their datacentre.

Meanwhile, do you have any tooling to help companies manage the instances of HashiCorp products they have in different environments?

McJannet: We do and, in fact, that goes back to our history. Basically, we have two versions of our products: we have an open-source version, which is designed to be run just by an individual user, whenever you want; and then we have a commercial version, which is designed to be run as a central shared service. That’s the conceptual difference between the two – Terraform and Terraform Cloud or Vault and Vault Enterprise.

When we first started the company, we only developed open-source products. About seven or eight years ago, people came to us and told us they loved how Vault works, but they need to run Vault as a shared service, so it needs different capabilities, like replicating across environments and the ability to back it up. That’s what our commercial products do.

As to how we help people manage that complexity, with the open-source Vault, you can only run it as distinct instances on different environments. But if you are running the commercial version, we actually keep them in sync and run them at scale using the Raft protocol.

Could you give me a sense of HashiCorp’s growth in the Asia-Pacific region?

McJannet: I’ll decompose it into countries and then into industries. My first trip to Singapore was in 2016. That was when we started getting our early customers, mostly the big companies and generally speaking, Terraform is what people start with. I would say for Asia-Pacific in general, Australia was probably the fastest adopter of cloud. Southeast Asia has been pretty quick as well. Developing economies such as India are also leapfrogging to the cloud.

In terms of industries and segments, not surprisingly, we have a cohort of cloud-native companies that became our earliest customers, and it’s kind of everybody after that. But it tends to bias towards markets that are most proficient in application development because ultimately cloud is about building new things. So, it tends to be the financial services companies and telcos which all have big investments in application development.

In our last reported earnings, we grew 51% year over year globally and all of our regions are growing very quickly.

What sorts of investments are you making in this region to capitalise on that growth?

McJannet: I’ll put it in three categories. First, we opened a support organisation in Asia and that has been an important part of our focus to support global customers.

The second part of it is our field investments – we have 60 people in Singapore which is essentially our Asia-Pacific headquarters, and hundreds of people across the region. We have invested disproportionately in this part of the world because we think there’s a huge opportunity in Asia. Our ability to onboard customers here is important as people are making this cloud transition for the first time.

The third part is around HCP’s managed offerings, which are going to be particularly important. We’ve added region support to be able to deploy in local cloud regions, including AWS regions in Australia and Singapore. We’re forward investing in product capabilities to be able to run in local regions here, because countries expect to have local deployments as opposed to running on AWS in the US.
