INNOVATE

JUNE 2021 | VMWARE CONFIDENTIAL

NATURE OF WORK
RE-THINKING THE
Table Of
Contents

00
Perpetual Innovation: Tanzu Service Mesh
Greg Lavender, Emad Benjamin, Pere Monclus
The lesson from this story is that bold ideas are good, but bold actions are
better.

05
New Support Model for Largest Customers
Renu Raman, Chirag Patel, Michael Hein
A new support model architecture to make customers happier, while re-
ducing necessary headcount by 73%.

12
Environmental, Social & Governance
Natasha Tuck
In order to stay focused on the most pressing matters, we have to set a
vision for where we want to go. Our 2030 Agenda is that vision.

20
A Brief History of Differential Datalog
Mihai Budiu
A 1,800-line Java program could be replaced with a 30 line Differential
Datalog program that is faster, uses less memory, and has fewer bugs.
23
Patent Talk: Extensible Token-Based Authorization
Dale Olds, John DiRico, Dexter Arver
Dale gives us the perspective of the ideator, while John gives us the be-
hind the scenes reveal of how VMware's patent process works.

FUSING EMPATHY
30

+ URGRENCY
Remote Field Work: Part 2
Bob Motanagh
Bob interviews Branden Lugabihl and Benoit Serratrice to find out how
The Field has adjusted to working remotely with customers.

36
A Data Analytics Platform on VMware Private Cloud
Rumen Barov
Super Collider is VMware's internal analytics service that has had an
annual data volume growth rate of 200% in the last 7-8 years.

45
Project Kepler: Origins of the Anywhere Workspace
Shawn Bass, Craig Connors, Brianna Blacet
One of VMware's responses to the pandemic was to help our customers
and their employees work from anywhere—securely and easily.

53
Objectives & Key Results: A Short How-To
Jen Handler
Get the real low-down on OKRs by learning from
Jen's practical experience in using them.
DEMOCRATIZING
DIGITAL ACCESS

58
The Backlog Standup
Erica Dohring
Learn and try the Backlog Standup for a faster,
more focused start to the day.

60
Aligning on a Shared Future: OKRs, OGSMs, NSMs
Andrew Zusman
Andrew breaks down three popular organization-alignment frameworks.
Which one should you use? Read to find out!

69
The ACE Team: Unblocking FedEx + vRA 8.3
Tom Scanlan, Luis Valerio Castillo
The ACE team accelerates adoption of new products by collaborating
with customers and VMware Business Units.

73
University Talent: Benefits, Adaptability, and Innovation
Kate Wilkinson
The UT team overcame the various challenges caused by COVID-19 to
better engage with interns and new college grads.
 Editors: Joe Samagond, Dexter Arver, Austin Roth Eagle

T h e Tanz
n : u S
i o er
a t
ov

vi
ce
nn
etual I

Mes h
St
p

o
r

r
Pe

y
GR

S
LU

G
NC
E

LA
VE M O
ND
ER, ERE
EMAD MI N,P
BE NJA

0 | INNOVATE | JUNE 2021 VMWARE CONFIDENTIAL

Crisis Breeds Innovation
Last year provided ample proof that crisis often breeds innova-
tion. The relatively sudden onset of a global pandemic quickly
led to remarkable achievements: from mapping the COVID-19
genome to releasing the first of several vaccines in just nine
months.
There are important lessons for all of us to learn from this
achievement about meeting a critical and urgent societal need.
The pandemic response necessitated tremendous collabora-
tion between the healthcare-and-biopharma industries, and
governments around the world. The success story of the Covid
vaccines is one of focused dedication and the application of the
most modern technology combined with traditional scientific
methods—all performed under extreme pressure in the public
spotlight.
VMware has grown and thrived because we have focused from
the start on delivering innovations that meet or anticipate our
customer’s needs. But how do we maintain and build upon a cul-
ture of perpetual innovation, even as a large, global company?
A great example of such innovation at VMware is VMware Tanzu
Service Mesh. This revolutionary product’s journey from idea
through incubation, financing, testing, and final delivery was a
huge achievement for VMware. The lessons from this story not
only show us how to ensure our continued growth as a compa-
ny—it has already helped perpetuate our culture of innovation.
This is a story of things done right.
VMWARE CONFIDENTIAL
Three Key Concepts
There are three key concepts that are critical to seeing any inno-
vation through from idea to product introduction. All three are
evident in the Tanzu Service Mesh story:
1. Co-innovation is the concept of working with other
partners—internally and externally, including other busi-
ness groups, customers, academia, institutions, and oth-
ers—to produce ideas. It is critical in any organization, but
particularly in a global enterprise technology company like
VMware;
2. Co-investment is the grease that helps the process move
along smoothly. Any innovation requires seed funding, re-
sources, and buy-in from different sources to succeed, often
both inside and outside the company;
3. Collaboration. Innovation is a collaborative process. Good
ideas can come from anywhere and multiple sources. It is al-
most always necessary to work across teams and silos within
the organization to achieve the desired result. Getting
critical analysis from others, while often uncomfortable, can
lead to a better product in the end.
Seizing an Opportunity for Innovation
CIOs are hired to drive feature velocity and some are later fired
for resiliency issues with their systems. We have witnessed that
driving feature velocity can complicate system resiliency.
The modern app is dynamic and distributed. It is made up of
dozens, even hundreds, of microservices which can be spun up
and scaled quickly to meet evolving user and market demands.
Architecture flexibility in a multi-cloud world often results in a
lack of visibility—with services spread out across multiple cloud
INNOVATE | JUNE 2021 | 1
providers and on-premises infrastructure. As a result of that,
cloud architects are finding it difficult to know whether mod-
ern applications are performing as intended. They can't rely on
the old approach that expects every service in this distributed
world to perform consistently as designed. Instead they should
embrace a well-advertised “declaration of service intent” in order
to tame complexity in such systems.
Over time, as it became clear that application owners were strug-
gling to maintain desired Service Level Objectives (SLO)1 for their
application users, we ventured to look at SLOs as a “declaration
of service intent”. The providers who host these applications are
then expected to deliver and operate against those SLOs. What is
needed in this environment is a modern app connectivity solu-
tion to provide true multi-cloud, multi-cluster, and end-to-end
secure connectivity.
Today, many SLOs are defined in spreadsheets, with various
manual processes that stitch them together in an attempt to
achieve the desired systems behavior. With application services
spread out across multiple cloud providers and on-premises
infrastructure, cloud architects find it difficult to know where
applications are performing as intended. Combine this with the
low reliability of some systems, and we have a problem. Almost
half of new applications fail to meet performance SLOs even
though most enterprises overspend on cloud costs by a factor of
two to three.
Another challenge facing application teams developing new
applications using a microservices architecture is enabling
connectivity between microservices deployed as containers and
distributed across multiple clouds and hybrid environments.
1 SLOs define the quality of a service consumers can expect from the application
experience.
2 https://blogs.vmware.com/networkvirtualization/2021/05/addressing-multi-
cloud-connectivity-and-security.html/
2 | INNOVATE | JUNE 2021
Teams also need to more effectively ensure that users are given
the right access permissions to applications; that application
components are properly ring-fenced; and that communications
across hybrid infrastructures and workloads are secured. Pere
Monclus recently wrote about this in detail on VMware's Net-
work and Security Virtualization blog2.
We realized that what CIOs really needed were more intelli-
gent, resilient, and secure systems that can observe application
performance and automatically address issues in real-time—so
that the applications behave in accordance with the prescribed
SLOs. Creating in essence, a system of resilience trust via a set of
cascaded SLOs across distributed application services.
Solving the end-to-end application resiliency problem required
a new way of thinking about apps and app experience. Since
the modern app is essentially a dynamic network of services,
developers need to treat it as such. This requires a new, modern
service mesh that acts like an interconnectivity superhighway
to give application owners and cloud architects critical infor-
mation across disparate silos, so they can make just-in-time
decisions.
So, we asked ourselves, “If we had to build a product from scratch
in this space what would it look like?” This is where we came up
with the concept of the Predictable Response Time Controller
(PRTC). With the PRTC, the user specifies the performance met-
rics expected from their services and the controller does its best
to deliver on these objectives based on the available resources.
We built a prototype that needed a service mesh. That is when
we discovered that Pere Monclus and his team were separately
looking at the potential of Istio, an open-source service mesh
technology. We combined efforts to chart the future of applica-
tion resiliency.
What should this new, modern service mesh look like? We first
aimed to understand and truly listen to our customers.
VMWARE CONFIDENTIAL
Afterwards, we determined these five critical capabilities:
• Declarative Approach: Rather than manually stitching
together the right experience, organizations need to take
a declarative approach to application experience where a
desired SLO can be set and automatically delivered.
• Traceability: The service mesh needs to track the overall
performance of user transactions in a specific geographic
location—from the time a user clicks on an application to
the time the transaction is completed—regardless of the
number, location, and provider of the distributed cloud
services it uses.
• Context: The new, modern service mesh then needs to
be able to apply these insights to specific metrics that are
constantly measured and put into the proper context across
multi-cloud environments.
• Testing and Iteration: Testing allows the user to roll out
new services in a mesh and compare predicted experiences
to a set baseline.
• Align to Cloud Spend: Experience doesn’t occur in a
bubble, so the new, modern service mesh should be able to
apply desired experiences to actual cloud costs. This allows
organizations to balance experience with cloud spend.
The result was Tanzu Service Mesh3, which combines connectiv-
ity, observability, control, and security across a set of microser-
vices. Tanzu Service Mesh allows the customer to define ap-
plication SLOs and track application health, while also allowing
operators to centrally manage end-to-end application traffic
routing, resiliency, and security policies. It was just what our
customers needed.
The Innovation Process
So how did the Tanzu Service Mesh idea come together? And
how did it achieve success in only a few months? Keep in mind
the three key concepts of innovation that we mentioned earlier:
co-innovation, co-investment and collaboration. Let's go back
and look at what Tanzu Service Mesh team did—in detail—after
they built their prototype.
The vision of the OCTO (VMware Office of the CTO) team was
geared around application resiliency patterns that can be deliv-
ered with a service mesh, while Pere’s team, in the Networking
3 For more details on Tanzu Service Mesh, check out
https://www.vmware.com/products/tanzu-service-mesh.html and https://tanzu.
vmware.com/content/vmware-tanzu-service-mesh-resources/tanzu-service-
mesh-datasheet.
4 https://via.vmw.com/PRTC
VMWARE CONFIDENTIAL
and Security Business Unit (NSBU), were separately exploring
using a service mesh approach to build a holistic product that
would offer various connectivity and security patterns. After
several brainstorming sessions, we realized that if we combined
application-resiliency use cases with security into one product,
it would revolutionize market perceptions of what a service
mesh could do.
While collaboration sometimes feels like a slower, more difficult
path, it usually produces more refined, sophisticated solutions.
This is why some of the most remarkable innovations are the
product of one key idea combined with a collaborative team
effort to bring that idea to life. We certainly can see that in the
Tanzu Service Mesh example.
We can also see how one idea grew from exposure to others in
the organization. It’s important to remember that innovation is
not the sole responsibility of a single business unit, or the CTO.
Good ideas can arise in any part of the enterprise. They often
come from those we work with outside our own walls, especially
customers, partners, universities, and government agencies.
Pere Monclus, CTO of NSBU, had the original idea—NSX Service
Mesh. This is the seed that grew into Tanzu Service Mesh, incor-
porating the power of a service mesh in solving the SLO prob-
lem. Emad Benjamin of the VMware Office of the CTO conceived
the killer use case (Predictable Response Time Controller4) to
bring the idea to life and helped pull all the internal parties
together. Greg Lavender, VMware’s CTO, saw the opportunity to
solve a significant customer problem and had the key to unlock
the funding to overcome the shortfall in resources to resolve it.
The final product is now being distributed through the Modern
Applications Platform Business Unit—a totally different Busi-
ness Unit! The entire process required a high level of coopera-
tion and collaboration among these teams. No one team could
have done it alone.
In the success of any innovative product or service, there are
several common characteristics to keep in mind as you deal with
the inevitable challenges and setbacks:
• Innovation happens both organically and inorganically,
often in unplanned ways. It requires an open, innovative
mindset, and an investment plan to bring off-roadmap
innovation to life, and to empower people to come up with
disruptive ideas and experiment with them.
• Innovation involves an inherent tension between oppos-
ing points of view. This process can be uncomfortable. But
rather than seeing “pushback” as an obstacle, view it as an
INNOVATE | JUNE 2021 | 3
 element of creative tension, as a way to improve an idea or
concept through a respectful back-and-forth process. In
the Tanzu Service Mesh case, there were several junctures
where the proposal could have gone off track, but the team’s
culture kept us focused. As an innovator, sometimes you
need to step back, reassess, and either validate or change
the direction toward a more productive outcome. Critics can
almost always be overcome with effective results.
• Learn from setbacks and failure. As we challenge each
other’s ideas, we identify what will and will not work. This
process helps us build the mental muscle and fortitude to go
the distance and become a catalyst for others to join in. Even
failures can be good motivators.
• Innovation involves collaboration and stimulates more
innovation. Once the initial hurdles to develop an idea are
overcome, such as funding, the forward motion increases
in velocity, attracts more supporters, and becomes a self-re-
inforcing cycle. The speed with which we got Tanzu Service
Mesh to market reflected this phenomenon.
• Listen, listen, and then listen some more. Listening to our
customers and other stakeholders is critical. We believe lis-
tening has a distinct “look.” It is perhaps the biggest source
of ideas for innovative solutions. True listening helps us ar-
rive at a deeper understanding of our customers’ needs and
helps us identify opportunities to address them. Along the
way, we need to continuously re-validate our assumptions.
• Seek out diverse opinions and thought. Throughout our ca-
reers, we have absolutely found diversity to be a competitive
advantage. Diverse thinking, skills, backgrounds, perspec-
tives, and approaches are integral to collaborative problem-
solving and co-innovation. This is how great advances are
made, how lasting innovation thrives, and how material
progress is made.
4 | INNOVATE | JUNE 2021
Conclusion
The successful incubation and launch of Tanzu Service Mesh
occurred during a time of crisis. Although the project started
before the pandemic hit, we had to adjust and work together
while being in various locations around the world. That immedi-
ate and radical change in our work environment was unsettling
and strange at first. We suspect our desire to achieve success
with Tanzu Service Mesh, while everything around seemed to be
in a state of flux or uncertainty, gave us an even stronger sense of
mission. Crisis breeds innovation.
We want to leave you with one more important thought that this
story embodies: Bold ideas are good, but bold actions are better.
Great ideas succeed only through persistent actions. Putting
ideas into action sounds easy, but it is actually quite hard. Too
often, teams fall into the trap of confusing activity with progress.
Things can go sideways quickly, so there must always be a stan-
dard of progress against which we measure ourselves.
This is how we help set the disruptive technology agenda for
ourselves, and how we create the potential to influence the
direction of the industry.
Greg Lavender is the Chief Technology Officer (and SVP), who leads
the Office of the CTO. You can reach him at lavenderg@vmware.com.
Emad Benjamin is the Chief Technologist for Cloud Application
Platforms and works in the Office of the CTO. You can reach him at
ebenjamin@vmware.com.
Pere Monclus is the Chief Technology Officer in the Network and
Security BU. You can reach him at pmonclus@vmware.com.
VMWARE CONFIDENTIAL
 A NEW SUPPORT MODEL FOR
OUR LARGEST CUSTOMERS:
VRE, SRE, AND ITOPS
Authors: Renu Raman, Chirag Patel, Michael Hein with inputs from Kit Colbert, Jeff Hu, Alex Rankov, and many more. Editor: Dexter Arver
Motivation
The classical IT-ops support model—
where a customer is supported by
VMware’s Engineering, Support,
Professional Services Organization
(PSO), and Customer Success orga-
nizations—is a multi-layer support
structure resulting in:
• many exchange of hands for the
customer;
• mis-alignment of authority and
responsibility;
• issues that are ping-ponged be-
tween Business Units;
• more people being needed, which
means a higher Total Cost of
Ownership (TCO);
• and lower availability at scale.
In many ways, this has resulted in
VMWARE CONFIDENTIAL
our customers having to navigate a
somewhat broken organization tree
as Support Tickets and Escalations
are handed off between responsible
Business Units. For our top 100 cus-
tomers, who are looking for a private
cloud that mimics the capability of
Amazon Web Services (AWS), Google
Cloud Platform (GCP) or Microsoft
Azure, we must transform the tradi-
tional IT-ops and VI-admin model
from both a customer satisfaction
and business model perspective. This
is a proposal to take the best learnings
from classical IT-ops and Site Reli-
ability Engineering (SRE) and adapt
it to VMware’s on-prem customer
base. We call this VMware Reliability
Engineering (VRE).
We have data to support the econom-
ic value of VRE to VMware. Currently,
we deliver our Infrastructure as a
service (IaaS) solution in one of four
ways:
• Individual VMware Product
Components
• VMware Cloud Foundation (VCF)
• VMware Cloud on Dell EMC
(Dimension)
• VMware Cloud on AWS (VMC)
As can been seen in the chart on the
top of the next page, VCF (the red box)
has the least influence in the total
cost of operations. Dimension (the
blue box) goes one step further in
handling physical infra operations,
but is limited to vCenter. As we evolve
to have foundational IaaS services,
INNOVATE | JUNE 2021 | 5
 ure data from 2018 to 2019 (provided
under confidentiality agreements)
calls out the top 4 non-availability
scenarios:
1. lack of automation
2. software versioning of apps and
IaaS
3. incorrect configuration setup due
to human error
4. inability to triage a problem in
real time during incidents

Equally relevant is the monitoring of

all failure events and taking correc-
tive action by triggering automated
and/or manual processes.

Both the economic and availability

VMC (jointly with AWS) is covering ment (ELA) is only 10% of the TCO, reasons highlight the need to reduce
all the operations—from data center "human-in-the-loop" to achieve lower
while 50% of the TCO is the people
to elements of Platform as a Service cost, while increasing availability.
cost. What is the reasonable limit of
(PaaS). For us to achieve a reduction in the
physical machines, operations staff,
number of staff that are assigned by
and thus virtual machines? Control-
There are two overarching reasons to our customers to support the cloud
ling the cost of operations staff is stack environments, we can re-use
ponder a different structural model difficult, but the desired outcome
of operating IaaS. One is related to and build on the same methodologies
here is to be cost competitive relative that many of our cloud competitors
the economic model and the other, to consuming a VM with a hyper-
availability. are deploying. This becomes a model
scaler—at-least 50:1 (i.e., 5 times the for not only how we release & support
current ratio). our software, but also as a model for
Economic Reason
Let's dig into the TCO model by taking how we should be reorganizing to de-
Availability Reason liver on these goals. To achieve these
a look at two anonymized companies.
There is a second reason for a dif- optimizations, we need to explore
Company A, a large international
ferent structural model of operating and characterize the guiding prin-
database vendor, has 25,000 physi-
cal machines, which are managed by IaaS—availability. Company A’s fail- ciples of the VRE/SRE model.
2,500 direct staff and 2,500 extended
staff (lower cost). Company B, a large
international bank, has an environ-
ment that is roughly twice the size of
Company A. These companies have a
physical machines to IT staff ratio be-
tween 10:1 to 30:1. The drive to keep
that ratio as low as possible leads to
a non-optimal decision to consoli-
date around bigger machines at the
cost of larger fault domain or blast
radius (i.e., one 4 socket server vs two
2 socket servers). The TCO of a 150K
VM landscape with an annual growth
rate of 25% results in a 500K VM
landscape over 5-years. It costs $2.5B
to operate such a landscape in which
VMware Enterprise License Agree-

6 | INNOVATE | JUNE 2021 VMWARE CONFIDENTIAL

 Guiding Principles for VRE/SRE model
1. Discipline and Execution: Repaving “Build the plane as you fly the plane” Methodology. There is industry data that
shows—at scale (1K, 10K, 100K, 1M VMs)—there are faults that have to be tested at development time that has to be
tested, validated, and integrated in situ.
2. Automation/Manpower: The #1 problem for availability is related to inadequate monitoring, automation, and human
intervention in operations. The #1 cost component in the TCO model is operational staffing cost. The need is more highly
skilled and trained operational staff who can automate workflows and be less dependent on vendor or 3rd parties by
relying more on VMware and our customer operations team. Achieving 15 minutes of Mean Time to Recover (MTTR) will
require revisiting architectural assumptions along with upskilling and cradle-to-grave ownership of the services engi-
neered for 24/7/365.
3. Culture: A culture and methodology of fail-fast and fail-first with integrated testing. A culture of not shooting the mes-
senger or passing blame, but taking every failure as a lesson learned to improve the system. A culture of developing and
deploying only if there is measurable improvement over what exists. The teams will deliver to defined SLAs and inter-
faces.
4. Skills: Everything delivered as code (automation); turn manual processes into automation. Those automations should
be designed to cloud scale, which are inherently distributed. A culture of connection between operations (50%) and
development (50%).
5. Accountability + Responsibility: This is what successful support teams at AWS and other cloud organizations look like:
flat and modular teams in development with associated business leadership that interacts directly with the sales account
teams. Alignment of accountability (including revenue ownership, which trickles back from the general account man-
ager to the services PM) and responsibility for both incident response, feature development, and revenue targets. There
is one throat to choke at each layer on the in-bound (revenue and incident) and outbound (which is feature, RCA, and
operational automation).
6. Streamline the # of layers: Currently, it’s a matrix structure that responds to customer needs. As you will see below, we
can streamline the model with a clear in-bound (e.g., revenue, incident, feature requests) and outbound (e.g., feature
capability, issues/fixes, Day N operational support) flow.

Having defined the core principles for the VRE/SRE model that we desire, let’s take a look at the golden rules that governs the
interaction with our customers and how this model will benefit the overall customer experience.

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 7

 Details of VRE, SRE…Current
engagement model with cus-
tomers
Key tenets of the VRE/SRE model are
the following:
1. Minimize the # of hand-offs
from development (features and
capabilities) to deployment at
the customer site (alignment of
authority and responsibility).
2. Formulate an SRE team that
extends engineering’s ability to
create foundational services that
are supported and maintained
24/7/365 around the globe.
3. Build a closely knit VRE team that
takes the output from the SRE
team and enables the customer
to operationalize their private
cloud—including Day 2 opera-
tions. The VRE team also acts as a
“PM” for operational features that
the customer requires.
4. This is not a separate delivery
team or function. Backend
engineering is still responsible
for releases and no separate forks
or releases are created. Patches
are still delivered via the regular
channels.
8 | INNOVATE | JUNE 2021
The visuals below show the current
state of engagement and enablement
of private cloud with our customers.
Having defined the high-level prin-
ciples and the customer interaction
model, let’s look specifically at the
profile of the reliability engineers and
their roles and responsibilities.
VMware Reliability Engineer
profile
VRE is the customer's primary
interface. VRE works closely with
the customer during Day 0,1, and 2
operations on behalf of VMware’s
SRE and engineering teams. Their
primary objectives are to help reduce
customer operational expense and
improve availability and operational
experience. To that end, a VRE has
the following attributes.
1. Customer requirements: Trans-
lates the customer requirements
into product/service require-
ments. Acts as a voice of the
customer to the SRE and product/
service teams.
2. Incident Management: Manag-
es ticketing and routing of events
1 https://miro.com/app/board/o9J_lfQSnzs=/
(automated or manual) to the dev
teams (SRE) and other 3rd par-
ties. A visual of the incident flow
and the role of the VRE is shown
below. The incident management
workflows are detailed here1.
3. Private Cloud build (Day 0, 1
automations): Works with the
customer to architect private
cloud builds from standard
blueprints and help drive stan-
dardization across customers. In
addition, the VRE (in conjunction
with the customer) will validate
every release, including sub-sys-
tem release, using the customer's
test landscape and green light
releases. Lastly, the VRE will sup-
port the customer by automating
workflows—closing gaps in VCF
that are bespoke to the customer
instance.
4. Day 2 Automation: Today, a
significant gap that exists is Day
2 operations from the standpoint
of TCO and availability. Many au-
tomations (failure recovery, per-
formance, and capacity manage-
ment) are bespoke to a customer,
but some need to be brought
back to the core platforms—the
VRE needs to be skilled enough
to make that determination. A
VRE typically spends 50% of their
time in software development in
creating bespoke automations.
This includes translation of run-
books into automation flows with
the customer. They are co-located
with the field organization and
works across VMware's SRE
teams to ensure the right services
and automation workflows are
delivered against the needs of the
private cloud instance of their
customers. To align accountabil-
ity and responsibility, a VRE also
acts as the customer's product
manager.
VMWARE CONFIDENTIAL
 The VRE (in light green) would orchestrate the flow of information
between the customer and all other parties.

VRE Role and Responsibility

• Is the customer's solution ar-
chitect and develops the archi-
tecture in conjunction with the
customer, while also validating
the platform.
• Is the customer's product and
service manager, thus collect-
ing requirements and acting as a
gatekeeper for feature releases.
• Has the responsibility and
authority to address customer
private cloud availability. This
means 24/7/365 support—2 or 3
shifts with pager responsibilities.
• Is responsible for routing alerts,
events, and takes on L1 calls—
jointly with the customer op-
erations team—before SREs and
product teams are alerted. The
VMware GSS team will be co-
participants.

It is critical to empower the VRE with

the above to be effective in achieving
the desired objective.

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 9

 Services Reliability Engineering
Profile
SREs are owners of the services that
are delivered in conjunction with the
engineering product teams (i.e., they
create the services that run on the
VCF infrastructure). With Anything as
a Service (XaaS), SREs own out-of-the-
box services that are customer visible
and consumable. These services are
the basis of the foundational IaaS
layer; and examples include Vir-
tual Machine as a Service (VMaaS),
Container as a Service (CaaS), and the
foundation services (e.g., file, block,
object, LB, DNS, Auth, register, etc.).
The SREs partner with the core
engineering teams to develop these
services that are optimized for at-
scale clusters. There is significant
overlap and movement between the
core engineering team and the SREs.
But SREs has one responsibility—
which is to work closely with the VRE
teams and make VREs successful in
consuming these foundation services
for the target customers. A typical
10 | INNOVATE | JUNE 2021
service would require 8-16 engineers,
who would be responsible for "cradle-
to-grave" support—24/7/365 for the
said service.
SRE Role and Responsibility
• Creating Services (foundation
and platform services).
• Collaborating with engineering—
cross-functional and cross -BU.
• They are ephemeral teams that
are formed to address VRE needs.
• They are an extension of platform
teams.
• They are a part of the incident
flow, working with VREs and
product teams, or resolving is-
sues with the services that they
own.
• They act as a backstop for the
VREs. Most field issues that are
escalated are handled by SREs
before its sent over to the dev
teams.
• 24/7/365 role.
• They generally possess unique
expertise in one of the founda-
tion or platform services.
VMWARE CONFIDENTIAL
 In Summary
We have defined a new proposed
structural model that sits between
engineering and sales/customer-
facing organizations. This model
streamlines the operational needs of
our large customers while lowering
the overall cost and creating stron-
ger alignment of accountability and
responsibility. We have seen that the
model has the potential for up to a
73% reduction in headcount between
VMware and the customer. We have
also observed a reduction in overall
cost even with the addition of the
VRE teams. Furthermore, we expect
an MTTR gain by updating monitor-
ing tooling, and reducing the incident
time (i.e., recovery automation and
many more areas). In addition to
the TCO and MTTR gains, an overall
corresponding Customer Satisfaction
(CSAT) is also anticipated. We expect
gains in Infrastructure Readiness (IR),
with improved automation goals.

NEXT STEPS
We will work closely with 1-2 customers to pilot this new model. We hope to be able to give an update once we have demonstrable
results from this new model. If you would like additional information, please reach out to any of the authors of this paper.

Renu Raman is a Senior Cloud Platform Architect working in the Office of the CTO. You can reach him at renur@vmware.com.

Chirag Patel is a Principal Consulting Architect working in Americas Professional Services. You can reach him at cpatel@vmware.com.

Michael Hein is a Sr. Staff Engineer working in the Office of the CTO. You can reach him at heinm@vmware.com.

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 11

Environmental, Social & Governance
Author: Natasha Tuck | Editor: Dexter Arver
 VMware has a legacy of positive impact on the environment, as well as responsible cor-
porate citizenship. We have enabled carbon emissions avoidance of over 1.2B metric tons
through the use of our products—that’s equivalent to a 2019 Tesla Model S Long Range
electric car driving back and forth to Mars more than 28,000 times!!1 We have a strong 1 IDC White Paper, sponsored by
culture of people who live our EPIC2 values and care deeply about giving back as citizen VMware. “Enabling More Agile
& Sustainable Business through
philanthropists. Carbon-Efficient Digital Trans-
formations” August 2020. http://
At VMware, we have always viewed sustainability with a holistic lens—we acknowledge www.vmware.com/go/VMware-
the interconnectedness of our environmental efforts, social initiatives, and strategic busi- IDCWhitePaper2020
ness priorities. This is why, over the past 5 years, we have talked about sustainability in
terms of our People, our Planet, and our Products. By the way, this “3P” or “Triple P” fram-
ing is commonplace in the sustainability field and is intended to emphasize that sustain-
ability does not standalone. Recently, we have evolved our strategy further and developed
an innovative approach to our next set of goals—our 10-year commitment to driving
positive business outcomes by 2030. In this article, I will cover how we arrived at our 2030
Agenda and the shift toward Environmental, Social & Governance (ESG) through the lens
of innovation.

Our Innovative Approach to Getting to 2030

At VMware, we love to innovate in everything that we do. And so, when we went to devel-
op the 2030 Agenda, we innovated on how to develop an ESG strategy. As we got started,
we asked ourselves what are we really trying to achieve by 2030? And what does the world
need in order to be better? This is how we arrived at our outcome-driven approach, which
keeps Trust, Equity, and Sustainability front and center.

Additionally, we had a unique opportunity at VMware to build our strategy from the
inside-out—we started with our people, we reviewed our products and technology vision,
and only then we aligned the ESG goals (according to impact). Unlike many companies,
VMware’s core business strategy (e.g., intrinsic security, distributed workforce technology,
radical efficiency of digital infrastructure, etc.) is uniquely aligned to ESG and can there-
fore contribute in powerful ways—amplifying the impact that we can have as a company
on material environmental and social issues.

What do we mean by Trust, Equity, and Sustainability and how are they aligned to our
business? Here are some examples:
• Intrinsic security to drive trust in the IT sector.
• Digital workspace technology to drive equity by enabling people to work from any-
where and however they want to work.
• Radically efficient workloads to drive sustainability and support our customers in
decarbonizing their IT infrastructure.

14 | INNOVATE | JUNE 2021 VMWARE CONFIDENTIAL

 “Our 2030 Agenda is transformative because our 30x30 goals are owned by our
business leaders and built into everything we do—from the way we develop
software and bring our solutions to market, to the way we build a culture
of inclusion—and in this way we are aligning our core purpose with doing our
part to create a more sustainable, equitable, and resilient world.”
Nicola Acutt, Vice President, Environmental, Social and Governance

Additional examples of ESG goals within the VMware 2030 Agenda include:
• Collaborating with our public cloud partners to achieve zero carbon operations by
2030.
• Investing in transformative research that inspires the next generation of sustainable
digital infrastructure.
• Closing the digital skills gap and making digital transformation more accessible for
all.
• Hiring one woman for every one man and ensuring 50 percent of our managers are
women or from an underrepresented community.
• Achieving net-zero carbon emissions for our operations and supply chain and reduce
our emissions 50 percent by 2030 from our 2018 baseline.
• Engaging 75 percent of suppliers (by spend) to reduce their emissions by setting
science-based targets by 2024.
• Procuring 100 percent of our power from renewable energy sources.

After aligning our core products and business strategy with the material topics that we
identified after a formal materiality assessment process (you can read more about this 2 https://www.vmware.com/
process in our 2020 Global Impact Report2), we began to work with key stakeholders—de- content/dam/digitalmarketing/
vmware/en/pdf/sustainability/vm-
veloping goals across these topic areas and aligning them to our outcomes. We have built
ware-global-impact-report-2020.
in accountability by integrating these ESG goals into our business functions. These goals pdf
are owned by our business leaders.

The most far reaching impact (the ‘outest’ of our inside-out) is represented by the United 3 https://sdgs.un.org/goals
Nations’ (UN) Sustainable Development Goals (SDGs)3. These were created in 2015 by the
UN to address the world’s most pressing issues—with the hope that by achieving these 17
goals, the world could be a prosperous planet for all by 2030. VMware is a member of the 4 https://www.unglobalcompact.
UN Global Compact and we are aligned4 to several of the UN SDGs, as well as their time org/what-is-gc/participants/137744
horizon. As a result of the work, we arrived at 30 goals to achieve by 2030, also known as
“30x30”, and these elements make up our integrated ESG strategy—our 2030 Agenda.

Innovation is a Mindset
As I reflected on our team’s development of the 2030 Agenda, I had an epiphany about
innovation. I believe that the way we can be more innovative is viewing our work through
the lens of our work’s greatest purpose. When we hold the belief that we are building
something larger than ourselves, we think differently—with more vigor, enthusiasm, and
urgency—and with this renewed sense of purpose, we see the possibility of what could be.

Another unique quality of our 2030 agenda is that it was developed from the ground up.
These goals were not prescribed by our executives, rather, they were developed by our
BUs and functional teams across the company. This was a collaborative process which
assessed the alignment of existing work and any moonshot goals. When I worked with
these teams, I saw first-hand that teams were energized by this alignment and the oppor-
tunity to embed environmental and social outcomes into business goals. I also saw that

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 15

 VMware ESG Strategy = 2030 Agenda = 30x30 Goals
A CCO U N T A B L E
FRAM E W ORK TH EM ES G O A LS O U T CO M E S F U N C T I O N (S )

1. Workload Carbon Efficiency Accelerate productivity and carbon efficiency of customers’ digital operations OCTO/PCS
ENVIRONMENTAL

2. Zero-Carbon Clouds Catalyze the transition to zero-carbon clouds PCS/CSBU

SUSTAINABILITY
3. Carbon Transparency Enable transparency to the carbon reduction impact of VMware solutions WWCO/Mktg.

4. Net-Zero Emissions Achieve net-zero carbon emissions for our operations and supply chain REW/Sourcing

5. E-Waste Responsibility Drive e-waste responsibility throughout operations REW/IT

6. Business Resilience Ensure business resilience from our physical infrastructure to our distributed workforce IT/InfoS/REW

7. Distributed Energy Support the transition to distributed energy REW/Sustain.

8. Water Resilience Enable water resilience amongst our global communities REW

9. Impact Investments Invest in innovations at the intersection of social, environmental & financial impact Finance

10. Sustainable IT Infrastructure Advocacy Advocate for public policy that drives secure, resilient and sustainable IT infrastructure Legal/GA

11. Anywhere Workforce Enable our customers’ distributed workforces to be productive and engaged wherever they are working. IT/EUC

12. Nonprofit Digital Transformation Accelerate nonprofits' digital journeys OCTO/SI

13. Dynamic Workforce Build a diverse, innovative workforce by meeting talent where they are and how they want to work HR

14. Technology Accessibility Ensure the technology we develop is accessible for all PCS
SOCIAL

EQUITY
15. Equitable Pay Drive equity through equitable pay HR

16. Diversity & Inclusion Drive equity through doubling down on diverse hiring and inclusive leadership DEI

17. Engagement & Wellbeing Empower our employees through accessible, inclusive and innovative engagement and wellbeing programs HR

18. Culture of Service Foster a culture of service among our global communities Foundation

19. Supplier Diversity Support diversity in our supply chain by increasing spend with diverse-owned and underrepresented suppliers Sourcing

20. Digital Skills Advance technical and digital skills acquisition around the world OCTO/SI

21. Intrinsic Security Enable a safer cyber world through Intrinsic Security PCS/SBU

22. VMware on VMware VMware’s internal infrastructure will leverage its own software and services with a focus on trust, security, experience and sustainability IT
GOVERNANCE

23. Privacy by Design Inspire customer and employee trust by embedding Privacy by Design across our products, services and operations Legal/IT/PCS

24. Digital Ethics Advance our approach to digital ethics & stewardship OCTO/PCS

TRUST
25. Workforce Development Enable our people to advance from every chair HR

26. Fair & Ethical Advance fair and ethical business practices Legal

27. Integrated Reporting Transition to integrated reporting, meeting or exceeding the environmental & social disclosure standards Finance

28. Transparency for All Stakeholders Accelerate accountability and transparency for the benefit of all stakeholders Legal/Fin/ESG

29. Sustainable Finance Integrate sustainable metrics into our financial decision-making process. Finance

30. Social Impact Advocacy Support relevant public policy that drives social and environmental impact through IT Legal/GA
1
Confidential – Internal only │ ©2020 VMware, Inc.

each team is striving for innovation in its own way—whether

through implementing a new tool to do predictive analytics,
thinking differently about employee wellness, or re-imagining
responsible sourcing. This is a 10-year journey that we are just
getting started on and we will continue to work to bring along
each team with their part in driving the 2030 Agenda. Our
plan is to continue to embed our ESG strategy into business-
decision-making across the company (e.g., Which companies
should we invest in?, Are we building the latest feature with
‘green’ code?).

In some ways, it’s simple—as humans, we are raised to make

choices in life that are kind, considerate, and compassionate.
In business, we have steered away from the human aspect and
the understanding that our businesses should support society
in developing thriving communities. It’s not too late to priori-
tize people and the environment as we make business deci-
sions—we call it integrated decision-making .

One of my favorite sayings at VMware is “individual actions

matter” (this caught my attention when I joined six years ago as
an ongoing call to action). I too believe that small things add up
to big and even bigger things. I especially believe that if we are Natasha and her son, Nicco at the Duomo in Milan. "We’re
aligned, we can amplify our impact. not laying bricks, we’re building a cathedral!"

16 | INNOVATE | JUNE 2021 VMWARE CONFIDENTIAL

 Making sense of ESG
People are still trying to get theirs heads around ESG and I think that’s because the ESG
space is changing so rapidly. Investors owned the term ESG until recently and now compa-
nies are adopting this framework as a way to embed social and environmental, risks and
opportunities into their business. This new evolution of ESG is about fully integrating the
risks and opportunities to drive business resilience and to future-proof our business.

You can think of it this way…traditionally, in-house Sustainability or Corporate Social

Responsibility teams have been somewhat siloed and for the most part, a nice-to-have,
but ESG is a more strategic approach that considers the perspectives of a wider group of 5 “The Rise of ESG Reporting”
https://blog.nacdonline.org/posts/
stakeholders. As one example, ESG is assessing the impact that climate change could have rise-of-esg-reporting
on VMware’s business and putting good governance in place to address social and envi-
ronmental risks. Imagine a climate change event that impacts our largest customers, or a 6 https://www.vmware.com/con-
city where we have a concentrated number of employees—our preparedness for this is a tent/dam/digitalmarketing/vm-
ware/en/pdf/microsites/vmware-
reflection of our strategy. Investors want to know that companies are considering envi- global-impact-report.pdf
ronmental and social issues that could negatively or positively impact their business. It’s a
holistic view on these global risks that companies now need to consider.

2020 was marked by social unrest, the COVID pandemic, and environmental disasters
across the world—all which inadvertently raised public awareness around the burgeoning
field of ESG practices. Today, the notion of wiping out poverty, protecting human rights,
ensuring clean water, and mitigating climate change are no longer seen as feel-good
fantasies that are out of scope for businesses. They are viewed as moral and economic
imperatives for living gracefully on a planet inching its way toward 10 billion human in-
habitants. In fact, Julie Bell Lindsay, executive director of the Center for Audit Quality, said
that we are now experiencing a “watershed moment”5 with the increased investment in
public companies with strong ESG practices. I especially loved reading this after publish-
ing our 2020 Global Impact Report last August, which named this watershed moment on
our front cover6.

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 17

 “ESG is no longer a nice-to-have, but it has become a business imperative. With
the changing political tide, increased consumer pressure and focus around
employee wellness, we see each environmental, social and governance issue
be top of mind of our CEOs, CFOs and audit committee chairs. With growing
internal and external momentum, the focus on ESG in North America has never
been more promising.”
Angela Jhanji, ESG Leader7

Does ESG matters to our stakeholders? 7 Grant Thornton (2021). ESG is a business
imperative. https://www.grantthornton.
The proof is in, companies that care about ESG outperform their peers. As Jon
com/-/media/content-page-files/realestate-
Hale reports in Morningstar, “after holding their own in the fourth quarter, sus- construction/pdfs/2021/ESG-business-
tainable equity funds finished 2020 with a clear performance advantage relative imperative-real-estate.ashx
to traditional equity funds.”8 For this reason, investors are continuing to sharpen
8 Hale, Jon (2021). Sustainable Equity Funds
their focus on ESG. It is the differentiator that is driving value. Blackrock9, the
Outperform Traditional Peers in 2020. https://
world’s largest asset manager, has doubled-down on the importance of ESG and www.morningstar.com/articles/1017056/
is leading the charge. Larry Fink (their CEO) has changed the landscape with his sustainable-equity-funds-outperform-tradi-
annual letter10, which is written with more conviction each year in its request, and tional-peers-in-2020
now mandate, for companies to get on board and accurately disclose their risks
9 https://www.blackrock.com/us/individual
and opportunities related to climate change. BlackRock will dispose of companies
that aren’t keeping up. As I read recently, the conversation has moved from “Why” 10 https://www.blackrock.com/corporate/
to “How.” investor-relations/larry-fink-ceo-letter

ESG is no longer a nice-to-have. Rather our focus on ESG will help VMware's business flourish.

18 | INNOVATE | JUNE 2021 VMWARE CONFIDENTIAL

 Here is another proof point on how investors view ESG; these are the latest stats from
Edelman’s Trust Barometer. The 2020 Edelman Trust Barometer Special Report: Institu-
tional Investors11 identifies pivotal issues shaping investment criteria and how companies 11 https://www.edelman.
com/sites/g/files/aatuss191/
can build trust with the investment community.
files/2020-11/Edelman%20
2020%20Institutional%20Inves-
The proprietary research surveys 600 institutional investors in six countries represent- tor%20Trust_FINAL.pdf
ing firms that collectively manage over $20 trillion in assets. The survey was fielded from
September 3 through October 9, 2020. Some of the findings are below-left.

Those statitics are no longer esoteric, as VMware’s top shareholders have high expecta-
tions. Here’s what they’re saying (below-right).

Edelman's trust barometer VMware shareholders & ESG

• 92% believe companies that perform well on ESG
deserve a premium.
• 99% expect the Board of Directors to oversee at
least one ESG topic.
• 88% believe companies are not prepared for regu-
lation of ESG reporting.
• 93% believe that ESG activism by traditional finan-
cial activists will increase.
Dodge & Cox: "As value-oriented investors, we weigh valu-
ation against risks and opportunities for each company and
issuer, and we believe material ESG factors can have a mean-
ingful impact on current and future valuations."12
Blackrock: "We know that climate risk is investment risk.
But we also believe the climate transition presents a historic
investment opportunity...we are asking companies to disclose
a plan for how their business model will be compatible with
a net zero economy...[and] how this plan is incorporated into
your long-term strategy and reviewed by your board of direc-
tors."10

• Investors want to hear more from: CFO (41%), Vanguard: "Climate change presents a profound risk to
Head of ESG (35%), and CEO (33%). companies and their long-term investors...we expect company
boards to be aware of their role in the changing climate." 13

Closing 12 https://www.dodgeandcox.com/
pdf/ESG_Policy_Statement_US.pdf
When we envision the future, we imagine a sustainable world that is secure, equitable,
and resilient. As breakthrough innovators, it is our responsibility to build dynamic and ef- 13 https://about.vanguard.com/
ficient digital infrastructures for our customers. As global citizens, it is our responsibility investment-stewardship/perspec-
to be better stewards of our global resources. As a responsible company, it is our business tives-and-commentary/2020_in-
vestment_stewardship_annual_re-
to build a secure, resilient, and sustainable digital foundation for a future in which our
port.pdf
technology will make a positive impact on all our stakeholders: employees, customers,
shareholders, citizens, communities, and our planet.

With each innovation our business has brought to market, we have seen how even a single
step forward can create a ripple effect that transforms an entire industry. We can and
should apply this thinking to the challenges that our world faces today: a global pandemic,
social injustice, financial instability, and climate change. As Greg likes to say, “innovation
happens everywhere” and this moment is an opportunity to create systemic and scalable “We cannot
change by applying the lens of innovation to everything we do. solve our
problems
In order to continue our legacy of positive impact, we need to continue to lead on issues
that are most material to the world and to our business. The world is constantly chang- with the same
ing and in order to stay focused on the most pressing matters, we have to set a vision for thinking we used
where we want to go. Our 2030 Agenda is that vision.
when we created
Natasha Tuck is the Director of Sustainability and ESG working in the Office of the CTO. You them.”
can reach her at ntuck@vmware.com. Albert Einstein

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 19


A BRIEF HISTORY OF
DIFFERENTIAL DATALOG
Mihai Budiu
Senior Staff Researcher
VMware Research Group
mbudiu@vmware.com
Research on programmable networks
In 2017 Leonid Ryzhyk, a Senior Researcher from
VMware Research Group (VRG), initiated a project
called NERPA: NEtwork programming with Relational
and Procedural Abstractions. The goal of NERPA was
to make software-defined networks easier to create
and manage.
Leonid’s background is in formal verification.
Formal verification deals with the creation of artifacts
that can be proved automatically correct. Leonid’s
prior project, called Cocoon [1] (Cocoon is another
acronym, which stands for Correct by Construction
Networks) showed how formal methods can be suc-
cessfully applied in the context of network design
and management. In the same way type-systems and
garbage-collection led to the creation of safe languages
such as Java, where certain classes of bugs are impos-
sible, precise specification languages can be used in
the network realm to simplify and improve network
construction.
By analyzing the code of VMware’s network man-
agement platform, NSX-T, Leonid became convinced
that relying on general-purpose languages (such as
Java) for network construction and management was
not the best approach—rather, designing domain-spe-
cific languages for the context of networks could lead
to significant improvements in programmer produc-
tivity.
The NERPA project started with the goal of defin-
ing a unified programming language for implement-
ing both network data-planes and the network control-
planes. Leonid convinced several other employees to
join this effort—Mihai Budiu, from VRG, as wells as
Ben Pfaff and Justin Pettit from NSX. To prove NERPA’s
viability, the team sought to rewrite a significant net-
work management software using the proposed pro-
gramming language. The NERPA project proposed two
languages joined at the hip—an imperative language
for writing packet processing pipelines and a declara-
tive language for writing network control planes.
20 | INNOVATE | JUNE 2021
Editors: Leonid Ryzhyk, Ben Pfaff, Mohsin Beg, Lori Blonn, Dexter Arver
RADIO 2018
The team, together with a few other collaborators,
wrote a paper about the NERPA design for RADIO 2018
[2]. The paper was accepted as a long presentation at
RADIO, and the presentation was delivered by Leonid.
Following RADIO, the team was contacted by several
engineers from the NSX team who were intrigued by
the idea and wanted to give it a try. Wei Guo and Niko-
lay Semenov thought that the proposal could benefit
some tricky parts of the NSX controller. As a result of
this collaboration, the team focused all its efforts on
the development of one of the two NERPA languages,
the one used for writing control-planes. Thus, DDlog,
or Differential Datalog, was born.
Differential Datalog
The team realized that one of the constant things
in computer networks (especially in virtualized
networks, like NSX) is… change. Networks change
continuously and frequently, due to the various states
of virtual infrastructures: VM start/stop, VM migra-
tion, network maintenance, network faults, change
in administrative policies, or just changes in traffic. If
one could automate the handling of changes, it could
simplify the management of networks significantly.
The team realized that by combining some existing
technologies, they could build the right tool—an incre-
mental programming language. By using an incremen-
tal programming language, programmers only have to
express what they want to achieve, and the language
automatically computes how to get there when exter-
nal conditions change. This is DDlog in a nutshell.
The team obtained approval from the Open Source
Program Office to start and evolve the DDlog project as
an open-source project with an MIT permissive license.
The project is hosted on github1.
NSX-T Distributed Firewall
Together with the NSX engineers, the team
rewrote several algorithms from the NSX centralized
1 https://github.com/vmware/differential-datalog
VMWARE CONFIDENTIAL

Figure 1: Leonid Ryzhyk presents on the mainstage at RADIO 2019.
controller, which dealt with the distributed firewall—
with the hand-written, incremental version of these
algorithms being quite involved. The resulting paper
was presented at RADIO 2019 (Figure 1). It showed how
a 1,800-line Java program could be replaced with a 30
line DDlog program (see Figure 2) that is faster, uses
less memory, and has fewer bugs.
This was just an initial prototype. Several other en-
gineers from the NSX team joined the effort to produc-
tize the code, including Eric Kao and Harold Lim. The
road to a product was a long and winding one. DDlog
had to be included in the build system, certified via
security reviews, tested, and hardened. The team also
developed several other NSX controller applications.
NSX-T finally shipped in the fall of 2020 with several
components written in DDlog.
Figure 2: This is the complete implementation of the NSX-T Distributed
Firewall span (the final program used is somewhat more involved due to
some manual optimizations.)!
VMWARE CONFIDENTIAL
Skyline
A serendipitous encounter with Mohsin Beg, a Se-
nior Staff engineer from CMBU, brought the incremen-
tal computation capabilities of DDlog to the attention
of CMBU. Coincidentally, this encounter occurred at
about the same time Mohsin transitioned from a previ-
ous project (where he led the Log Intelligence service)
to managing the Skyline project.
Skyline is a managed service, offering proactive
and preventative health analysis to VMware custom-
ers. Customers can opt into reporting their SDDC con-
figuration and topology data as part of their support
license. These configurations are then uploaded into
VMware’s cloud and analyzed (based on knowledge
base articles) using a custom rule engine that detects
misconfigurations, known problems, etc. Lastly, the
health results are then reported to customers in SaaS
service, who have remediated more than 65% of their
problems without engaging VMware Global Support.
While Skyline has been successful, the continuous
increase in breadth, depth, and frequency of health
findings was linearly consuming cloud resources.
Mohsin realized that an incremental engine that would
only analyze changed data, and not whole configura-
tion, would offer the non-linear resource consumption
scalability that was needed.
Mohsin made the risky bet of choosing the rela-
tively new technology of DDlog to rewrite the rule
engine and rule base. Moreover, since DDlog was not
designed as a cloud service, a whole new set of internal
services for a clustered data-plane (with load-balanc-
ing, fault-tolerance, multi-tenant support, etc.) had
to be developed to run DDlog as an analytics engine
service. The new Skyline Insights Platform, which
powers Skyline, went live in June 2021. As proof of
DDLog’s capabilities, the old and new health analysis
services are being run in parallel and customers will be
migrated periodically without any loss of accuracy. The
new Insights Platform has tremendously improved the
system scalability, bringing down cumulative compute
and memory required to produce the same analysis,
while decreasing the latency of health processing to
report health findings from a few hours to a few seconds.
OVN2
In the meantime, Ben Pfaff, Leonid Ryzhyk, and
Justin Pettit continued with their effort to show that
DDlog is not just a research prototype, but that it
could be used to write very complex applications. The
three ported an existing open-source virtual network
management system, OVN, from the C programming
2 https://github.com/openvswitch/ovs/tree/master/ovn
INNOVATE | JUNE 2021 | 21
 language to DDlog. The effort was substantial, and
it produced a 16,000-line DDlog program that has
most of the features of an industrial-strength network
control systems. This DDlog program is roughly the
same size as the original C code, but it is also fully in-
cremental. This means that it will react very efficiently
to any change in configuration. This is very important
when managing large scale networks (hundreds of
thousands of virtual machines). This DDlog implemen-
tation has been certified by tests to be fully equivalent
with the C implementation and has been merged into
the main branch of OVN in January 2021.
xLabs funding
In the meantime, emboldened by the new use
cases and demand, the DDlog VRG team applied for
funding from the xLabs program—an Office of the CTO
program which funds the development of promising
new technologies. The xLabs team approved funding
for three workstreams related to DDlog, and the team
started looking for qualified engineers. The team cur-
rently has 3 xLabs employees, the first having started
in January 2021. They are accelerating the develop-
ment of the language, runtime, and associated tools.
Several of the xLabs proposals were also converted
into proposals for RADIO 2020. Two of these were pre-
sented as a part of RADIO 2020: the development of a
distributed DDlog implementation [4], and the imple-
mentation of a compiler that converts SQL to DDlog
[5]. The development of the distributed version of
DDlog was significantly bolstered by another VMware
Engineer, Daniel Müller, who chose to work on DDlog
by utilizing the Take3 program.
Mimar, D3Log, and NERPA again
The Skyline team realized that there was high
value in exposing the capabilities of DDlog, as a hosted
service, that many teams within VMware could poten-
tially take advantage of. So, a new project was born,
called Mimar, which is attempting to provide a data
transformation as a managed pipeline. By the way,
Mimar is also being funded by xLabs. The Mimar team,
together with several engineers from the Workspace
ONE Intelligence team, built a new prototype show-
ing how a Mimar pipeline could replace a complex,
big-data processing pipeline based on Apache Spark,
Flink, and Redis. This paper was published in RADIO
2021 [6].
In the meantime, the xLabs team is forging for-
ward with developing a distributed runtime for DDlog
called D3Log (from Distributed DDlog). The hope is
that this runtime can be leveraged by projects such as
Mimar, Skyline, and NSX for running more scalable
versions of DDlog3. Another interesting innovation
22 | INNOVATE | JUNE 2021
in D3Log is that is uses the DDlog language both as a
data-plane language (for performing data transfor-
mations), but also as the control-plane language, to
manage the DDlog distributed system itself, as it was
originally envisioned and used in NSX.
Finally, the team has again revived the NERPA
project, dormant since 2018, attempting to build a new
prototype that marries DDlog with industry-standard
programming languages, such as P4.
Conclusions
The DDlog story has only begun. The open-source
project has high visibility and significant updates.
Several VMware products have shipped with DDlog
components. But perhaps the most interesting les-
son of this story is about the successful technology
transfer—an idea born in research, its adoption by
engineers who are looking for the best tools for solving
hard problems, and the persistence and continuous
effort required to convert a great idea into a useful tool
that can be used on an industrial scale.
Bibliography
[1] Leonid Ryzhyk, Nikolaj Bjørner, Marco Canini, Jean-
Baptiste Jeannin, Cole Schlesinger, Douglas B. Terry,
and George Varghese, Correct by Construction Net-
works using Stepwise Refinement, NSDI 2017.
[2] Leonid Ryzhyk, Mihai Budiu, Nina Narodytska,
Mooly Sagiv, Frank McSherry, George Varghese, Justin
Pettit, Ben Pfaff, NERPA: Concise, Modular Program-
ming of Industrial SDNs, RADIO 2018.
[3] Mihai Budiu, Wei Guo, Deepika Kalani, Yanjun Lin,
Leonid Ryzhyk, Nikolay Semenov, Accelerating Dis-
tributed Firewall Span Computation Using Differential
Datalog, RADIO 2019
[4] Daniel Müller, Mihai Budiu, Wei Guo, Eric Kao, Har-
old Lim, Leonid Ryzhyk, Building Distributed Network
Control Planes with D3log, RADIO 2020
[5] Mihai Budiu, Lalith Suresh, Leonid Ryzhyk, Incre-
mental computation in SQL by compilation to
Differential Datalog, RADIO 2020
[6] Mohsin Beg, Pooja Khandelwal, Manish Roy, Leonid
Ryzhyk, Yao Zhang, Luke Yue, Mihai Budiu, Mimar: A
Programmable Stream Processing Service, RADIO 2021
Mihai Budiu is a Senior Staff Researcher working in the
Office of the CTO. You can reach him at
mbudiu@vmware.com.
3 https://via.vmw.com/ETYy
VMWARE CONFIDENTIAL
 Extensible
Token-Based
Authorization

The figure above shows a high level block system for authenticating access to resources in accordance with the present disclosure.

Patent Details Dexter Arver caught up with Dale Olds

Patent number: US10452328B2 (olds@vmware.com) and John DiRico
TITLE: Extensible Token-Based Authorization (jdirico@vmware.com) on April 26,
Inventors: Dale Olds, Fanny Strudel, Brad Neighbors 2021. Dale Olds is a Principal Engineer
Application filed: 2016-08-31 working in End-User Computing. John
Application Granted: 2019-10-22 DiRico is a Intellectual Property Coun-
sel II working in our legal department.

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 23

 Dexter: Hi Dale! Could you explain
this patent to me?
Dale: This patent was about com-
bining multiple areas together. It
was building on the OAuth2 stan-
dard protocol which has to do with
delegating authorization to appli-
cations, but it doesn't specify how
that's done. All it specifies is how the
tokens are transferred and protects
them. This patent was about how
could we do that in a way that used
OAuth2, JSON Web tokens, and vari-
ous other standards; but combine
them in a different way than I had
ever seen done.
A lot of these protocols, such as
OpenID Connect and OAuth2 were
designed for consumer use cases.
For example, on your phone, you
will get an alert to consent to an app
getting your data (e.g. Facebook
wants to know this much informa-
tion about you). All these protocols
were about delegated authorization
based on users’ consent. But in the
enterprise that's not really our use
case. We install applications and
our IT department configures what
information that VMware owns
about us can be delivered to ADP, for
example.
So, what we saw here in this patent
was a way that we could combine
these protocols in a way that made
sense for enterprise use cases, and
even provided some security aspects
that I had never seen before.
For example, we can now have a cus-
tomer’s application that can be in-
stalled into VMware services, but an
administrator can say, I don't want
that application to get authoriza-
tion information for anything more
than read-only access. And that can
be configured in the authorization
server. No matter what that applica-
tion does, it cannot get authoriza-
tion information that is beyond
read-only capabilities. So it's a way
24 | INNOVATE | JUNE 2021
of compartmentalizing the security
characteristics.
Dexter: And how did you come to
work on this?
Dale: I actually joined VMware to
work on Cloud Foundry and worked
on an authorization server on Cloud
Foundry called the UAA. And then,
when Cloud Foundry was spun out,
I switched to work in EUC on what
was then called Horizon Application
Manager (it is now called Workspace
ONE Identity Services). I've been in
this space for a long time—on exten-
sible applications, service-to-service
communications—and trying to
make this stuff as secure as possible.
This particular patent is interesting
because we thought this was a good
idea from inception. We were inter-
ested in solving for questions like,
"How do you add applications and
constrain what they can do?", "How
do you provide for service-to-service
authorization?". You know, these are
issues that came up a lot.
We came up with this patent ap-
plication that my co-inventor Fanny
Strudel codenamed Hecuba. Brad
contributed some really good ideas.
Most of it was me and Fanny talk-
ing about how we could solve these
things on a whiteboard. And that
was...July 2016.
We thought this was novel, so we
submitted the IDF. We were also
trying to figure out how to get this
into Workspace ONE. Then about
six months later, January 2017,
we had a hiccup in a project and it
needed identity services, like the IDF
described.
We had a design that we were work-
ing on for CSP (Cloud Services Plat-
form) and it didn't work out. We had
to scramble as we were way behind
on our commitments. And when we
looked back over this idea we had in
July, we thought, oh this… this fits
really well. The end result is that the
vast majority of the contents of this
patent are now the IAM (Identity
and Access Management) system for
CSP, used by VMC (VMware Cloud),
and all VMware CSP-based services.
The patent, as it was written, didn't
totally fit, and there were some
significant changes when we imple-
mented it. For instance, the patent
doesn't specify a tenant model and
a lot of what we had to do was deal
with tenancy issues for CSP.
Dexter: Did you have to file like
another thing after to add the tenant
model part or was that not a part of
the patent.
Dale: That wasn't part of the patent.
Dexter: How did you know that this
idea was novel? Is it because this was
something you hadn't seen and you
are very familiar with this space?
Dale: Yes. I’ve dealt a lot with Ope-
nID Connect and Oauth2 protocols;
that's what I did at Cloud Foundry.
That’s what Workspace ONE oper-
ates on—these various identity
federation protocols.
You know, I’ve tried to escape iden-
tity management two or three times
in my career, but I can't ever do it—I
always have to come back to work-
ing on identity stuff. So it's the area
that I have the most experience in.
Dexter: You want to do other stuff
besides identity stuff but you keep
getting pulled in? The gravitational
pull of identity management is too
strong for you?
Dale: For instance, I did a start up
for a while—this was decades ago,
doing large file delivery over the
internet based on internet cost.
That didn’t work out. When I joined
Cloud Foundry, I thought, "oh cool
VMWARE CONFIDENTIAL
 I'm going to work on platform as a
service." And then I ended up do-
ing the identity system. And then I
didn't want to get spun out. I wanted
to stay with VMware and the logical
place to go was EUC. At that time,
it was called Horizon Application
Manager and I thought "Good at
least it's not an identity system."
And then shortly after I started they
changed the name to VMware Iden-
tity Manager.
Dexter: (laughing) Nice. This is
your destiny.
Dale: (smiling) Yeah, I gave up try-
ing to escape it.
Dexter: Are you known as the iden-
tity guy then? Like in your circles?
Dale: Well, there are various circles.
There is a group of identity people
in the industry that tend to all know
each other because it's a very small
group. We go through various
companies, but we all know each
other. There's an internet identity
workshop I just attended last week
that has been going on twice a year
since 2006, and pretty much every-
thing that happens in this space is
discussed in those workshops. We
all we all know each other pretty
well. A lot of my best friends outside
of work are people that I met in the
identity space. Inside VMware...
pretty much what I do is work on
identity across VMware across busi-
ness units.
We've also had something similar
to what happens in the industry
within VMware in that some of the
the senior technologists like Fanny,
who was one of the primary authors
of this invention, moved on to work
in CPBU where she's working on
the workload control plane, Project
Bedazzle, and those things. And
so I have an identity contact that I
can deal with in that area. Emily Xu
moved from Workspace ONE Access
VMWARE CONFIDENTIAL
into the Dimension project, and now
I have a contact that I can talk to
there. There are many identity peo-
ple in the company that I can turn to
when identity issues come up.
Dexter: (joking) Okay, I didn't know
there was such a title for various
people inside the company...that
there are a group of people just
called the identity people. That's
pretty cool.
Dale: They probably would not self-
identify that way.
Dexter: (laughing) Probably not.
Dale: Just to add on about what
we’re doing, a lot of what we're
doing right now is Project Eiffel—a
part of the cloud architecture forum,
by the way—which is really a lot
of the same things as this patent
application. It is figuring out how
we get consistent authorization and
identity services across VMware
products.
Dexter: So at first it was develop-
ing identity services for CSP, and
now you're working on how to bring
this identity management towards
all the other VMware products that
need it?
Dale: Yes, and another thing to con-
sider is that VMware is transitioning
to services. Which means that every
service needs to be able to handle
federated identity and common
authorization—which is precisely
what this this patent is about.
Dexter: What was your title and po-
sition when you first came up with
the idea for this patent in July 2016?
Dale: Yeah, so I had to look up all
this stuff because it's a long time
ago. I looked it up and I had just
been promoted to Principal Engi-
neer earlier that spring. And then,
we worked on this in July or so.
I remember very well, that I was
getting ready to leave for Burning
Man, which means that this was
around late August, and I got some
urgent calls because some part of
the paperwork for the patent ap-
plication hadn't been done right or
something. Fanny scrambled and
got that done for me—so that I could
continue packing.
Dexter: And so you mentioned
Fanny already, who are some of the
other co-inventors and how did they
help you.
Dale: The other co-inventor was
Brad Neighbors. Brad was working
out of the Cambridge office at the
time. I believe he was working on
what is now called UAG. And I had
gone out there to visit that office
and run over some of these ideas
with them. And I remember Brad
had a particular interest in it. And
one of the things I was struggling
with was how to identify resourc-
es—the issue is that if you want to
attach an authorization policy to
something you need to specify what
that something is.
I was struggling with various ways
of doing that, and Brad's idea was
just have it be a bunch of name value
pairs, almost like an LDAP search
filter. And so that really helped. That
was Brad's contribution to the patent
and it was very useful.
Dexter: How did you know to reach
out to Brad? I'm sure he was a con-
tact you knew before, but why did
you bring that up to him and why
did you seek advice?
Dale: Well because I knew him
through the UAG team. The UAG
team worked within the same orga-
nization (EUC and Workspace ONE)
organization and I was visiting their
office.
INNOVATE | JUNE 2021 | 25
 John DiRico
Dexter: And then with Fanny, I'm
going to guess that she's somebody
that you work with all the time or
somebody you like to work with and
so it just naturally came up.
Dale: She was the dev-ops manager
in the Workspace ONE Access team
at the time. Actually, when this
project started up as a part of CSP,
because she had been working with
me on these concepts, she transi-
tioned to become the tech lead for
the GAZ implementation team, the
team that actually implemented
this stuff for CSP. She led that effort
for a few years, then got promoted
to senior staff. And then took off to
CPBU. I work with Fanny a lot and I
would say the vast majority of this
was whiteboard discussions. I don't
even remember who thought of
what.
Dexter: And so that's why she was
the second name listed.
Dale: Yup.
Dexter: Did you come up with a
proof of concept in July or just the
idea?
26 | INNOVATE | JUNE 2021
Dale: It was just the idea and filed it.
Dexter: I'm going to guess that
you're very familiar with the patent
process when you reach out to the
legal team for this patent?
Dale: Yeah.
Dexter: And did you work with John
before July or was this first time?
Dale: An interesting part of this
conversation is that I work with
John a lot, just not on this patent.
Dexter: Oh, okay. So you guys have
like a long history.
John: Several years. Yes. This one
was actually more broadly ap-
plicable, so it was handled by Jim
Kiryakoza, who's on my team. But
like Dale was saying, most of the
rest of Dale's filings have been under
me and I've also worked extensively
with Dale reviewing invention dis-
closures. Dale is part of our patent
committee that helps us evaluate
whether to patent an idea or not
when it's a close call for us.
Dale Olds
Dexter: So when did y'all start
working together?
John: Probably 2017.
Dale: It's been years.
Dexter: Dale, is John your favorite
legal person to work?
Dale: (smiling) Absolutely.
Dexter: Why do you like working
with John so much?
Dale: He’s practical. In reviewing
the invention disclosures, there can
be all kinds of issues. I always found
John to be very practical—he'll say
"Okay, we don't really have anything
here let's move on quickly," or "Okay,
we'll follow up this way" or "There's
no reason to have a meeting if we
don't have enough material." I ap-
preciate that.
Dexter: Dale, do you find that work-
ing with the legal team on a patent
filing is like a partnership, in that
both parties have to put in a lot to
like get it through the process? How
does this process feel like for you?
VMWARE CONFIDENTIAL
 Dale: One of the reasons I brought
up this particular patent is because I
just remember being shocked. I had
been listed on some patents before
but hadn't really participated in the
filing process much. This one was
one that I pretty much drove.
At my previous employer, I had filed
15 or so patents and was on their
patent review program. Compared
to my previous experience, I was
shocked how easy and well things
were done at VMware.
On this particular patent (I had
never seen anything like this be-
fore), our Patent Team brought in an
outside patent attorney to interview
Fanny and me—we spent one ses-
sion, lasting a couple hours, on a
whiteboard with him. The outside
patent attorney then went off and
wrote up the entire patent applica-
tion! We, of course, reviewed and
Patents At Vmware
VMWARE CONFIDENTIAL
iterated to make a couple of adjust-
ments. But that was it. Up to that
point, I had never experienced such
ease when filing for a patent. It was
phenomenal.
Dexter: I didn't even know that
was an option! Of having somebody
interview the inventors and have
the interviewer write up the patent.
I would have imagined the writing
and filing portion to be the most
time consuming part.
Dale: It was great.
John: Actually, that's our standard
practice here at VMware.
At VMware, we use outside patent
attorneys (who have a long relation-
ship with VMware and are familiar
with VMware technologies) who
conduct what's called disclosure
meetings with inventors after we've
4 in 25
Current R&D employees
have filed or have been
granted a US patent
decided internally that we're go-
ing to file a patent application for
an idea. There is usually just one
session, and these patent attorneys
get all the information necessary to
draft the patent application without
significant further involvement
from the inventors.
Whereas, as I understand it, at other
companies, it can require a lot more
hands-on involvement from the
inventors. Some of the trouble that
others run into is that there can be
attorneys who don't necessarily un-
derstand the technology or that the
attorneys didn't sufficiently describe
the invention in the patent applica-
tion. We try to take the burden of
drafting the patent application off
of the inventor's plate as much as
possible.
Dale: Yeah, that's definitely been my
experience at VMware and I would
INNOVATE | JUNE 2021 | 27
 encourage anyone that wants to file
a patent application to do so, be-
cause the patent process at VMware
is so well done.
I had a very painful experience at a
previous employer with an idea that
I thought was the most novel and
patentable thing I have ever come
up with. For three years, I went in
circles between the patent attorneys
who didn't understand the idea and
the patent examiners who didn't
understand the idea. I kept having to
update the patent application over
and over and at a certain point, I
eventually gave up.
But all of the patent filing experi-
ences I've had at VMware have been
amazing. The patent attorneys take
the time to understand it. They de-
cide how best to support you and it's
been very positive.
Dexter: So VMware has patent
review board meetings. Do we
need them because we file a certain
amount of patents per year and we
just want to make sure that each
patent we file is worthy of the invest-
ment required to file a patent?
John: Yes, we review more poten-
tially patentable ideas, per year, than
we have budget for filing them. The
majority of the ideas that we pat-
ent are ideas that are going into our
products. That said, people still do
submit ideas that could possibly go
into our products in the future or
have nothing to do with our current
product portfolio, but are good ideas
and meet the technical require-
ments for patenting (being that the
idea is novel and non-obvious).
The process for our Patent Team
goes something like this. When we
receive an invention disclosure, the
VMware (internal) patent attorney
takes a first pass reviewing them.
We then narrow it down based on
whether we think there is a chance
28 | INNOVATE | JUNE 2021
that it would pass muster under the
novel and non-obvious requirement.
Then if the idea is clearly something
important, we'll approve it and
we'll file a patent application with
the Patent Office. If we're unsure
whether an idea is clearly impor-
tant, then we bring it to the Patent
Committee. The ideas that the Pat-
ent Committee goes over are ideas
that could go either way. We look
for the committee's feedback as they
may have better perspective into our
product roadmap or technologies in
the invention disclosure.
Dexter: John, what is the patent
process like at VMware from your
point of view?
John: So, there are VMware (in-
ternal) patent attorneys, like me,
assigned to various technical cat-
egories (TCs). So, if the IDF is being
submitted from an inventor from
the TCs I am assigned to, then I am
responsible for reviewing it. In the
review, if we decide that the inven-
tion's scope is broader or different
than the TC under which the IDF
was submitted, then we recategorize
the IDF under the more appropriate
TC and the IDF is reviewed by the
appropriate patent attorney for such
TC. For the patent we've been talking
about with Dale, this exact thing
may have happened where the EUC
patent attorney reviewed it, found
the idea to be more broadly applica-
ble (to Security), and transferred the
file to the Security patent attorney.
Dexter: Dale, do you feel pressure
to come up with patents? Is there a
quota for PEs?
Dale: I would say, I do feel pressure
to come up with patents. I don't feel
like I come up with enough. I have
been asked by various people to
encourage people to file patents or
file my own, but I don't think that's
where the pressure comes from. I
think the pressure comes from my-
The figure above is a high level block diagram of
a computer system configured in accordance with
some embodiments of the present diclosure.
self. I believe there's business value
to VMware in patents. And while I'm
not fond of using software patents
as weapons, one of the reasons why
I wanted to file this particular patent
was that I believed VMware would
use it defensively. And if someone
else had patented this idea, then we
would have to figure out how to deal
with that. So, I do feel pressure and I
wish I could file more patents.
Dexter: How many patents do you
have now?
Dale: The last time I counted I had
something like 15.
Dexter: Is there a number of patent
filings that you could do for this year
where you wouldn't feel pressure to
file more patents?
Dale: I think that's why I don't keep
track of the filing count—there isn't
really a number I'm trying to reach.
I'm just trying to protect the terri-
tory of our business.
Dexter: John, do we use our patents
defensively or offensively?
John: The primary reason that we
have a patent program is for defen-
sive purposes. To date, we have not
used them as an offensive weapon
VMWARE CONFIDENTIAL
 except as counter measures in litiga-
tion brought against VMware. And
we have used them outside of litiga-
tion as counter value for licensing
deals. So, in a minor way we have
used them offensively, but for the
most part, our trove of patents dis-
suades companies from bringing a
patent suit against us.
Dexter: Have we had to deploy
those tactics against patent trolls?
John: The trouble is that you can't.
We can't use them defensively
against patent trolls because they're
non-practicing. In these situations,
we attack the patents that they claim
we are infringing.
Dexter: Dale, besides, the patent
cubes, do you have any other forms
of recognition for the patents that
you have filed?
Dale: We get a little bonus at some
point along the way.
Dexter: For every patent, do the
business leaders give you a hug or
something when they see you?
Dale: (laughing) Not that I know of,
but you know, as soon as I get back
to the office, I'll bring it up to Kyle.
Dexter: Once the patent is granted,
do you have a little party with the
co-inventors of the patent?
Dale: I have not. I know some
people do. I know some people
display all their patent plaques in
their office. I have mine in a box in
the attic.
Dexter: You don't have a tattoo of
the number of patents?
Dale: No. But going back to the
party idea, I'm quite confident Fanny
would use any possible excuse for
celebration, so maybe we should, at
long last, do that.
VMWARE CONFIDENTIAL
Dexter: How much work do the co-
inventors have to do to be listed on
the patent? Does that determine the
order of the co-inventors?
Dale: My understanding is that
anybody who was there when the
discussion of the idea occurred, or
contributed in any way at all, should
be included in the patent applica-
tion.
John: Yes, so inventorship is actual-
ly a legal definition. And so we have
an obligation to the patent office to
submit the appropriate names as in-
ventors. The legal definition for in-
ventorship is that it is an individual
who contributed to the conception
of the claimed idea. It's generally the
people who were white boarding the
solution or design together. Some-
one who was merely involved with
the idea in having helped imple-
ment the idea in software, without
having contributed to the idea’s
conception, is not an inventor under
the law.
Another common misunderstand-
ing is the relative importance or
weight of each inventor listed on the
patent. In every patent, every inven-
tor has equal weight, and the listed
order has no bearing on the weight
they are given under the law. This
means there is no concept of “pri-
mary” inventors under the law.
Dale: And it has no weight on the
bonus, as it is split equally.
John: Right. Yeah, the bonus we
give is $1,000 per person at filing
and $2,000 at issuance. There is a
cap of five for both of those bonuses,
which means filing is capped at
$5,000 and at issuance is capped at
$10,000. The cap means that if there
were more than five inventors, then
all inventors must split the bonus
equally.
Dale: You know, the lure of being
listed first can be used for good.
Generally, the person listed first
is the one who has spent the most
time writing up the IDF and work-
ing through the patent process. I've
been involved in situations where
we've had a junior developer in-
volved with the idea write up the IDF
and work with the patent process, as
it's good for career development.
Dexter: John, why do you think Dale
has such a positive experience work-
ing with you?
John: Well, we really try to take
everything off of the inventor's plate
as much as we can. I think we are
just respectful of people's time and
we get good results. Because we're
selective with the patents we file, we
have a pretty good success rate our
filed patents being issued. Another
reason that engineers like work-
ing with us is that we're engineers.
Patent attorneys need to have a hard
science or engineering background
in order to take the patent bar, so
we're a little different than your
standard attorneys.
Dexter: What do you find most
rewarding about your work?
John: It's rewarding to recognize
people's ingenuity. It's nice telling
people that they have really good
ideas, which is what our process is
effectively doing. It's also rewarding
to continue to work with inventors,
because it keeps us engaged with
state-of-the-art technologies.
Dexter: How did you come to spe-
cialize in the EUC space?
John: I was at AirWatch for two and
a half years before it was acquired by
VMware, and I’ve mostly focused on
EUC since!
Dexter: Thank you Dale and John
for your time!
INNOVATE | JUNE 2021 | 29
Remote
FIELD
WORK:
Part 2
This image is another dramatization of what the author, Bob Motanagh, looks like while working
in his home office. He's aged a bit since the last issue, probably due to the Buffalo Bills.
Oh no, it's 2AM again and I'm working on yet another project.
Not only that, but I'm writing about working at 2AM again.
Talk about Deja Vu.
Except this time, the reason I'm up so late isn't by choice. I just
got my first COVID-19 vaccine shot (Pfizer) and I can't sleep,
which also makes it the perfect time to write! My left arm (where
I got the shot) is very sore, and I get a reoccurring sensation that
there's this itch under the skin that I can't scratch, no matter
what I do.
It's more of an annoyance, but also just enough of one that it
makes it nearly impossible to sleep. I should have taken my
friend's advice about having some melatonin before bed the
night after I receive my first shot.
On the bright side, parts of the world are finally getting vaccina-
tion shots, it's 2021, and things might finally (hopefully) be on
the up and up. I'm back to share two new interviews I've had
with former colleagues of mine who also happen to work in The
Field. I kind of feel like the Cryptkeeper (from Tales of the Crypt-
keeper) in setting the stage for these interviews...
Not that they're particularly horrifying interviews, I'm just mak-
ing the comparison due to how I have Tales from the Cryptkeep-
er on in the background, like a comforting friend spinning weird
tales to make the background noise in my house more interest-
30 | INNOVATE | JUNE 2021
ing than just the general drone of the furnace (this is a run on
sentence above and really needs to be edited) [Editor's note: Nah].
First is a good friend of mine named Branden Lugabihl. He's a
Senior Consultant with VMware's Professional Services Orga-
nization (referred to as PSO from here on out) and specializes
in network/system security work. He’s really handy with NSX
(both flavors, the en vogue NSX-T and the ancient forbidden art
of NSX-V.) We had a fun chat around how things have been going
for him during 2020, what engagements are like these days in
VMware PSO, and what he's done to stay sane and improve his
workspace and general outlook on day-to-day work activities.
Second is another old friend of mine named Benoit Serratrice.
He's a Staff Multi-Cloud Solutions Architect, but also used to
work in VMware PSO with me. He's quite knowledgeable in
several different disciplines across our various products, but
I've always known him as one of the Masterminds of vRealize
Orchestration. He's good with vRO. Like really good. He's also
had quite the journey as far as where he chooses to live. Prior to
his current living situation in Singapore, he lived in the Boston,
Massachusetts area and before that in France. We had an inter-
esting chat around how things have been going for him with
working in Singapore during the pandemic, as well as what his
current office situation is like and how he's juggling working at
home with his newfound duties of being a relatively new dad.
Let us jump right into it with Branden, here we go!
VMWARE CONFIDENTIAL
 Branden Lugabihl

Branden Lugabihl

blugabihl

Sr. Consultant - Networking and Security

This is the very beginning of your direct message history with @blugabihl

Bob Motanagh Branden Lugabihl

HI BRANDEN! I would say I completely redid my office. This used to be
my bedroom, which is now a dedicated office, and my
Branden Lugabihl new bedroom is a room with no TVs, no distractions,
HI BOB! or anything—just a bed. I’ve completely segregated the
functions of those two rooms, which has been a big help.
Bob Motanagh I’ve got a couch in my office to keep it somewhat relaxed,
RANDALL1! MY DUDE! as I’ve got to have some warmth in my office; I can have
12–16 hour days at times depending on the customer or
Branden Lugabihl situation.
Yup there he is, haha.
Bob Motanagh
Randy.jpg
I know how that is with PSO work, good sir. There’s
a lot of hard work that gets done by your and your
colleagues. I also noticed a nice-looking cat tree in the
background there, is that new?
Branden Lugabihl
Yeah! I wanted Randy to be able to hang out with me
while I’m working so I got a nice cat tree so he can sit
down and rest during the day.
Bob Motanagh
Any new physical equipment on your end?

Bob Motanagh
Anyways, I did this with Mr. Meulemans a couple of
months ago, so now it’s your turn. I know you’re in PSO
(Professional Services Organization), and I’m still of the
belief that a great resource to ask about the subject of
our interview (working from home/remotely) are the folks
who have been doing it for years now—the PSO consul-
tants and architects. You’re a Senior Consultant with PSO,
correct Mr. Lugabihl?
Branden Lugabihl
That is correct!
Bob Motanagh
Let me ask you this first. Have you done anything new/dif-
ferent with your office space since things got bad with the
pandemic? Anything that you're proud of?
Branden Lugabihl
Yeah, I moved to a wireless mouse, and I got a really nice
Drop ALT keyboard. I also changed up my desk setup
to something nicer with more space. I went through
two EVO desks due to issues with the desktop itself.
This one I’ve got here is just two inches of straight birch
wood, purchased from Home Depot at a cheap price.
It’s a much nicer surface than what I had originally, and I
saved a ton of money doing it myself.
Bob Motanagh
NICE. That’s the good stuff right there. Next up, have
you adopted any new applications or methods for task
tracking or time tracking since things got bad with the
pandemic?
Branden Lugabihl
I’ve been doing a lot of the bullet journal stuff. I’m not
following the exact methodology for doing bullets per
task tracking, but I’ve got a bunch of notebooks/journals
for keeping track of tasks I want to accomplish. I draw
everyday too, which is something I’m pretty proud of.

1 Randy is Branden's cat

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 31

 Branden Lugabihl
Branden Lugabihl
In the pandemic it’s easy to put stuff off but it helps a ton
to keep track of things in my journals. And the drawings
help a ton as it helps me stay on task— it keeps my mind
busy so that I don’t just get stuck in this anxiety loop of not
getting things done.
drawings.jpg
Bob Motanagh
Oh yeah, I’m right there with you on the anxiety part.
Branden Lugabihl
Yeah, the journaling helps a lot as I get a list of accomplish-
ments of things that I got done that day. And it’s been help-
ing across several different aspects, from both physical
and mental-health to time tracking the stuff I do for work.
Bob Motanagh
It helps so much. I’ve been using Things for iOS/Mac
myself to do some of the same tracking, and on those days
where it feels like you’ve been busy without getting any-
thing done, seeing that list of things you have gotten done
fights back against those feelings. Plus, time in general in
situations like this pandemic just flies by. Days go by, and
before you know it something that you thought happened
a day ago was 2 weeks ago. During my time in PSO all
travel made time just collapse into this weird state where I
would see old friends and what felt to me as if it’s been just
a few months was something like 2-3 years. I think a lot of
folks are going to be experiencing that now as the social
restrictions around the pandemic ease up.
So, anything else you’ve found that helps things at all?
Branden Lugabihl
I miss our Jackbox Games sessions.
Bob Motanagh
Me too!
Branden Lugabihl
Even if it’s one Friday a month, it really helped.
32 | INNOVATE | JUNE 2021
Bob Motanagh
Even though we talked about silly stuff, it was super nice
to see and talk to folks again. I think it fell apart because
folks had busy Fridays.
Branden Lugabihl
I’ve gotten into some small vegetable farming too, that’s
helped me get up in the morning. I got a lemon tree, and
I’m growing some spices. It’s a nice hobby that I’ve got-
ten into.
Bob Motanagh
That’s such a good idea, plus it gets you out of the house
which is super nice. OK! Something new I’m trying here.
I’ve noticed over the pandemic that I’ve gotten into a
horrible habit of leaving browser windows open with a
gratuitous number of tabs. On average, how many tabs
do you think you leave open yourself?
Branden Lugabihl
Average browser window? Probably 10 tabs per win-
dow, but I’ll have 5-6 windows open at a time.
Bob Motanagh
I’m not looking to tab-shame here, as currently have
a window with… [counts] 32 tabs open currently. You
know what’s bad for me? When I think that “Hey, I can
still see text in the tab” is still a small number of tabs. I
only identify it as being a bad situation when I can only
see the site favicon in the tab. Anything else you want to
share before we go?
Branden Lugabihl
Yeah dude, this pandemic stuff is lonely. I got Randy
here, but gosh I can’t wait till this is over.
Randy.jpg
Bob Motanagh
Well thanks Branden and thank you Randy! Hopefully
we see the both of you in the #cats channel soon.
VMWARE CONFIDENTIAL
 Benoit Serratrice

Benoit Serratrice

benoit

Staff Cloud Solutions Architect

This is the very beginning of your direct message history with @benoit

Bob Motanagh Benoit Serratrice

Alright bud, here we go! Oh no, my wife works in the same room I do…

Benoit Serratrice Bob Motanagh

Ok so I’ll be answering in French so you can practice your Hello!
French?
Benoit Serratrice
Bob Motanagh
Yeah, she’s working while doing the treadmill. It’s a
Eh… I’m not all that great with French. Care to share
standing desk with a treadmill.
with me your official title, preferably in English?
Bob Motanagh
Benoit Serratrice
Oh, super cool. That is awesome.
Sure, yes, let’s get serious first. So, I think my official title
is Staff Cloud Solution… wait… no… not that… it changed… Benoit Serratrice
hold on I need to check out Workday . Staff Multi-
Yeah, she’ll log something like thirty thousand steps a
Cloud Solution...I mean Solutions—plural!—Architect. Staff
day on that.
Multi-Cloud Solutions Architect. It’s a global team and
we’re spread across the world, supporting customers and Bob Motanagh
partners with their journey into multi-cloud. Last year, I Oh wow! That’s impressive. So, what about you? Are you
was primarily helping our VCPP (VMware Cloud Provider also using a standing desk?
Program) customers but this year, it’s those same partners
Benoit Serratrice
adapting to this new multi-cloud world.
I am!
glasses.jpg
Bob Motanagh
Fantastic, so do I. Speaking of, according to my Apple
Watch it’s time to stand, so let’s switch to standing mode
here. Do you have a treadmill as well?
Benoit Serratrice
Oh no, I’ve got a bike trainer here I’ve been using. So, I’ll
go from sitting down working, to standing up working,
to going on the bike whenever I have to watch videos for
recorded meetings or training or the like. Because I’m
in Singapore, I must often watch recorded meetings, so
I figure I might as well take that time and get something
like a workout going on!
bike_trainer.jpg

Bob Motanagh
Hey, look at us, former PSO folks working in the Cloud
field! We’re pretty much aligned in the same vertical. What
a coincidence. Hey, are you working alone in your room?

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 33

 Benoit Serratrice

Bob Motanagh Bob Motanagh

Besides getting some good exercise time, I see you’ve
got your standing desk… mind if I ask if you ended up
using your Wellness Benefit for either of those?
Benoit Serratrice
Actually, I ended up using that to get a (non-trainer) bike!
Bob Motanagh
Me too! I finally get to ride on the trails around South Den-
ver! It’s been fantastic for my physical and mental health.
So, I don’t know if you’re still doing vRealize Orchestrator-
related work or not, but are you involved with anything
else?
…Of course you would be doing that. Again, you’re a
wizard, Benoit. Ok, I lied, I’ve got two more questions for
you, but they’re easy. What’s your favorite Slack chan-
nels, and on average, how many tabs do you tend to have
open in each browser window?
Benoit Serratrice
My two favorite ones are the #weekendarchitects and
the #cloud-gardening channels. The second one is a
bunch of folks talking about gardening.
Bob Motanagh
I’ve never even heard of those, that’s cool.

Benoit Serratrice Benoit Serratrice

Yeah, I do still work with vRO! I work a lot with Field En-
ablement; getting labs together for SEs around the world
so they can demo apps/environments in OneCloud. It’s not
a lot of fun for SEs to spend their valuable time building
these environments from scratch, so I’ve been writing a lot
of code to spin up OneCloud labs from scratch. In addition
to that, I’ve also been automating some other things in my
life, like watching the availability of certain restaurants
here in Singapore to see if there’s openings for reserva-
tions.
Bob Motanagh
Wait… you’ve automated the task of watching for open
reservation spots in restaurants?
Benoit Serratrice
Yeah, haha.
Bob Motanagh
That’s incredible. You’re a wizard, Benoit.
As for tabs, on average, I probably have something like
20-30 at a time.
Bob Motanagh
My man! I think my record is something like 65. I’m really
bad at cleaning up after myself when it comes to open
tabs. Anything else you’d like to add about working dur-
ing the pandemic?
Benoit Serratrice
I’ve been able to connect with people across the world a
bit more easily due to how everyone is home, and no one
is travelling. Besides that, I hope things get better soon,
as I just find myself feeling more exhausted more often
lately. I can’t explain why, but it’s something my wife and
I both experience.
Bob Motanagh
Well, I hope you get some sleep, Mr. Serratrice, and
thank you so much for your time!

Benoit Serratrice
Story continued on next page ->
I’ve also been doing a lot of code for some of my photo
management here as well, with some of my free time.
Bob Motanagh
Ok, I’ve got two other major questions here, I know you
code a lot of your own tools, but are there any apps in
specific that you don’t write yourself that you find yourself
using?
Benoit Serratrice
Slack and email, really, those are my two biggest com-
munication tools. For family, WhatsApp is a popular
chat messaging app that’s used here in Singapore and
elsewhere in Asia. I know you asked about other apps
that others develop, and… I’ve also been working on
something of a personal app that will allow me to enter
my tasks completed for work so that they’re automati-
cally posted in the various places that I must report my
work.

34 | INNOVATE | JUNE 2021 VMWARE CONFIDENTIAL

 Mark Meulemans speaks at the Mental Wellness at VMware Tech Talk (https://tech-talks.eng.vmware.com/talks/mental-wellness-at-vmware).

Talk about iterating and improving on the previous version of Lastly, I wanted to thank my boss and colleagues from Sofia—
this article. There are two interviewees this time! Before I let you Vlad, Georgi, Atanas, Borisov, and Ivo. They’ve been a very sup-
fine folks go, however, I'd like to share some more observations I porting team to me during these weird times, and I’m apprecia-
have had since I've written the last article. tive of it. Oh and… go Bills, they were so close this year.

I mentioned the Wellness Benefit in my interview with Benoit,

and I just want to emphasize how amazing that benefit is. I used
mine to get a nice hybrid road/trail bicycle that’s helped me get
out of the house and see the great outdoors here in Colorado.
That’s something that’s been great for my health, but I’ve seen
colleagues use their benefits for everything from home-labs
to gaming consoles. If it helps you, it’s something you should
investigate.

In my last article I mentioned my reMarkable 2 tablet. I’m

still using that, and it helped me plan this very article! I’ve got
another tool I’ve been using what I used my Wellness Benefit on
from 2020: the Freewrite Traveler. It’s a portable typewriter with
an ePaper screen. It has insanely long battery life and its very
portable. I bring it with me on bike rides when I find somewhere
comfortable and secluded to get some good writing done. It
can sync over wifi and doesn’t have a web browser or any other
functionality. For someone with ADHD (such as myself), the
intentionally limited functionality of devices like the Freewrite
Traveler and the reMarkable tablet are things that have been a
big help.

I also wanted to give a quick shout out to my colleague (and

former interview subject) Mark Meulemans for his participation
in the Mental Health Tech Talk that occurred earlier in the year.
He did a fantastic job with that. Mental health is something that
everyone should pay attention to, especially given the condi-
tions of the pandemic. I know it’s mentioned quite often, but Bob Motanagh is a Senior Solutions Architect in the Cloud Services
the symptoms of mental health issues can really sneak up on a Business Unit working on Cloud Director Availability. He’s a die
person, and they’re not exactly a lot of fun to deal with. hard Buffalo Bills fan and is (still) secretly wishing that this is the
year they win it all. You can reach him at bmotanagh@vmware.com.

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 35

 A Data Analytics
Platform on
VMware private
cloud

Author: Rumen Barov | Editor: Ben Duong, Dexter Arver Photo by panumas nikhomkhai from Pexels.com
 INtroduction
Digital innovation goes hand in hand with data1.The
chart below2 shows the ubiquitous data growth over
the last decade and projections for the next few years.
The numbers are mind boggling.
Take the example of Super Collider, VMware’s internal
analytics service. The system has had a steady 3x an-
nual data volume growth for the last 7-8 years.
The more data you have, the more you can automate
business value, however, more data means more cost.
To achieve a positive return of investment on data
you need a data system whose value grows faster than
its cost. Extracting value from data is possible when
organizations have a data system that would allow for
efficient services built on top of it.
What is Super Collider?
Super Collider is an elastic, opinionated, self-service
analytics platform with data lake and data warehous-
ing capabilities. The platform is built and operated
within VMware and is intended for internal use—ev-
ery VMware employee has access. To really understand
what Super Collider is, let’s go through its history,
architecture, and we’ll then drill down into implemen-
tation details, past and present challenges and some
use cases.
Super collider History
It was clear from the beginning that VMware Cloud
(VMC) would be unlike on-premises software, as the
SaaS world is extremely dynamic, and navigating
through it requires frequent and swift data-driven
decisions. Back then, inside VMware, there were a
few sufficiently mature data systems. One was a data
warehouse built in-house containing back office, sales,
1 https://www.gartner.com/smarterwithgartner/cio-agenda-2021-
prepare-for-increased-digital-innovation/
2 From https://www.youtube.com/watch?v=eHTCR1BDhhA
VMWARE CONFIDENTIAL
customer, and support info. The other system was
an in-house data lake containing primarily product
telemetry from all VMware products, with a bi-di-
rectional data pipe used by on-premises products for
cloud-assisted features.
For VMC to start working with the two systems would
have required adapting multiple processes and dif-
ferent toolsets. Moreover, they needed data driven
decisions ASAP, so they decided to quickly setup a new
Amazon Redshift-based system to work with the new
SaaS data. This approach initially worked well. Howev-
er, when data shows its value, the hunger for more data
grows, and very soon the VMC team found themselves
in a position where instead of 2 systems, they needed
to work with 3, delaying the time-to-market of their
analytics and worsening the company data segrega-
tion problem. At the same time, VMC’s need for a fresh
and clear customer view was pressing. The needs for
unified access to customer, product, and SaaS (and all
other kinds of data) collided, hence the name Super
Collider. Super Collider inherited the Amazon-based
system with SaaS data, and the in-house system with
product data. The increased adoption of Super Collider
increased data variety and volume, and also increased
the need for real-time analytics and AI. And with thou-
sands of active users from all VMware departments
(full-time data engineers, data scientists, software
developers, managers, sales, executives, etc.) grew the
need for collaboration capabilities, data management,
governance, and self-service capabilities. In Super
Collider, we combined the data and capabilities of the
Redshift-based system into the in-house lake-based
system and added more self-service tooling.
So, we’ve built Super Collider to serve as a platform
that enables every team at VMware to innovate and
build data features. A few examples of features built on
top of the Super Collider platform are the following:
• VMware Cloud team relies on machine-learned
algorithms to predict hardware capacity needed by
VMware Cloud on Amazon, which allows VMware
to purchase hardware capacity early, at a better
price.
• Another example is vSphere Health—a power-
ful feature of vSphere 6.7 that works to identify
and resolve potential issues before they have an
impact on a customer’s environment. Resolutions
INNOVATE | JUNE 2021 | 37
 and recommendations are provided to guide the
customer through remediation.
What is unique about Super Collider
In Buddhism, nirvana is the ultimate goal—it marks
the end of the vicious cycle of doing things the wrong
way over and over again. In Super Collider we define
the nirvana of the data world to be data democratiza-
tion. The goal of data democratization is to have any-
body use data at any time to make decisions with no
barriers to access or understanding; it is an easy way
for people to understand the data so that they can use
it to expedite decision-making and uncover opportuni-
ties for an organization; it is an enabler for x-analytics
and decision intelligence.2 In short, Super Collider is an
opinionated, multi-tenant, self-service data platform
that promotes data mesh principles. Multi-tenancy
encourages decentralized data ownership by domains.
Data domains promote data quality and treating data
as a product; when data is a product, owners do their
best to make their customers (data users) happy. And
being self-service allows for unobstructed interactions
between users and owners. Last but not least, the plat-
form facilitates (makes it easy for users but does not
enforce) processes and tools aligned with our opinion
on how to manage data efficiently, including all aspects
of data management and policy compliance.
When the data platform is self-service, it is up to the
business to decide how many resources to invest in
implementing a given data feature. The platform gives
more options for securing the needed data person-
nel—you can either wait for centralized VMware
2 https://www.gartner.com/smarterwithgartner/gartner-top-10-
trends-in-data-and-analytics-for-2020/
38 | INNOVATE | JUNE 2021
resources from the IT, data science, and data engineer-
ing teams or leverage team members with data science
skills for a faster approach using the self-service
platform to quickly meet your business need. The
above operating model affects product, technical, and
process decisions we take in Super Collider. Providing
such flexibility of self-service was a challenging but a
mandatory step.
Data flow
Let's look at the history of data solutions. First was the
data warehouse, a centrally managed monolithic store
for structured data, where data is first cleaned and
then organized into marts. Then, Massively Parallel
Processing (MPP) architectures allowed for cost effi-
cient systems that were able to handle larger data sizes
and organizations started building data lakes contain-
ing all the raw data. And in recent years the data mesh
shifted the focus towards unlocking value out of data
by organizing data and processes into bounded data
domains.
From an architectural perspective, Super Collider is a
structured data lake, but it offers warehousing capa-
bilities too, and the tooling and recommendations we
provide facilitate data mesh-like practices—domain-
driven pipelines, and cross-team collaboration. A typi-
cal data flow with Super Collider is shown on the top of
this page.
Super Collider users are organized into self-organized
teams (so far we have 100+ teams onboarded with the
platform). Teams ingest and process data with the
end goal to provide usable data and accurate busi-
ness insights. For regular ingestion and data process-
VMWARE CONFIDENTIAL
 ing, teams use an in-house built feature called Data
Pipelines. Data Pipelines provide an abstraction layer
over Super Collider APIs called by the workflow engine
with the goal to make data engineers more efficient
(e.g., instead of opening an ODBC connection to Super
Collider, dealing with credentials, retries, reconnects,
etc., Data Pipelines allows you to just invoke a method
called “execute_query”). Everything exposed by Data
Pipelines includes built-in monitoring, troubleshoot-
ing, and smart notifications capabilities. Using Data
Pipelines also allows Data Engineers to experience
higher SLAs of Super Collider compared to the SLAs
they’d get if they were directly using Super Collider. Of-
ten the gain is ½ to 1 additional “9” of availability (e.g.
from 99.9% original, users get 99.97% actual availabil-
ity, because Data Pipelines is capable of sophisticated
error detection mechanisms and can retry on-system
related failures such as network errors, for example).
Screenshot from Super Collider self-service portal at https://supercollider.vmware.com
Teams also manage data visibility; by default all data—
both the raw and the processed—is VMware confi-
dential (visible to all VMware employees). Data is only
restricted when policy compliance requires it to be.
Every piece of data and every process has exactly one
team who owns it. For higher developer productivity
and to enable iterative development, Super Collider of-
fers staging and production support where staging and
production data is logically separated.
All data—staging, production, lake, and warehouse—
can be accessed with a single SQL query, which allows
for rapid ad-hoc analysis and hypothesis validation.
VMWARE CONFIDENTIAL
Although this approach is more expensive to imple-
ment (e.g. traditionally, staging and prod are different
deployments, accessible via different URLs) it enables
extremely fast prototyping and speeds up the overall
data management process.
How Super Collider is built
Looking at the big data technology data landscape (see
image below)3, it is clear that choosing a technology
stack for data processing is far from trivial.
Few organizations have the skills and resources need-
ed to do that, as the data engineering work required
to build such applications is daunting. A recent paper
by Google highlighted the huge engineering “debt”
involved in building and maintaining the platform
behind their Machine Learning (ML) services. The vast
majority of the “debt” has nothing to do with ML and it
is the choice of technologies that determines the debt.
In Super Collider, we wanted both low cost and the
flexibility to change our technical decisions in the
future. We continuously challenge our architecture
and make changes to it. For example, we moved off
Hadoop, moved off Amazon, considered using Snow-
flake, etc.. After a few iterations of that kind, Super
Collider is built entirely on open-source and VMware
technologies and is deployed in OneCloud—VMware’s
internal IaaS Cloud built using VMware Cloud Director
and operated by the IT Organization.
Using proven and readily accessible open-source
software (OSS) technology stack gives us flexibility and
3 https://mattturck.com/data2020/
INNOVATE | JUNE 2021 | 39
 ensures the best speed of innovation; this, combined
with our expertise in operating Open Source Software
(OSS) keeps cost down. Another significant factor for
cost reduction is going to the cloud4 and using cloud-
native technologies; we’ve tried public, private, and
hybrid, and finally settled with private cloud.
Architecture
Speaking of the technology stack, we can define three
layers in the Super Collider implementation:
• IaaS stack—the layer that provides all networks, as
well as the storage and compute infrastructure.
• PaaS stack—the layer of OSS installed on the IaaS.
• SaaS stack—the layer that stitches everything
together and exposes the data capabilities to users
(and reduces complexity by hiding implementa-
tion details from them). The SaaS layer exposes
functionalities like SQL interface to all data, data
pipelines, data lake, data warehousing capabilities,
multitenancy, data discovery, governance, etc. For
Super Collider users, this layer is the data platform
that allows them to do all sorts of analytics.
Before going into details about each of the three layers,
let’s highlight some architectural requirements.
A key requirement to the architecture was for the
system to be able to handle large amounts of data at a
low cost. This requires storage and compute to scale
independently. Relational database management sys-
tems (RDBMS) at scale are expensive, so we focus on a
combination of a scalable storage and a query engine.
Another key requirement is for the architecture to be
open for extensions. Technologies in the data domain
change very rapidly and the migration of petabytes of
data is costly, so we need a way to maintain the con-
tracts with our users without moving the data. Also,
acquisitions and system mergers are not uncommon.
Throughout the history of the system that is now
known as Super Collider, we have already merged with
a few other systems, including the aforementioned
Amazon system with SaaS data. To open Super Collider
for other processing engines, the data format needed
to be widely supported, so we choose Apache Parquet.
Similarly, the interface through which data is exposed
4 https://www.gartner.com/smarterwithgartner/4-trends-
impacting-cloud-adoption-in-2020/
40 | INNOVATE | JUNE 2021
needed to be standardized, so we chose HDFS.
OK, let’s get technical. First, we’ll take a look at the
high-level architecture of Super Collider and then we’ll
get into next level of details.
Super Collider high level architecture
The data pipe is Kafka. Kafka consumers are
Kubernetes(K8S)-based jobs, primarily Spark jobs. Us-
ers can plug whatever jobs they implement, and those
jobs get packaged into containers which Super Collider
can run and operate. The results of these jobs can go
to both the data lake (for batch analytics) and back to
the sender (real-time analytics); data destinations are a
matter of user-provided deployment configuration.
The access to the data lake is through Apache Impa-
la—an MPP SQL query engine. The lake provides virtu-
al data warehouse capabilities where users can create
data pipelines, usually used for batch processing and
ML data preparation, or to maintain high-quality data
marts that feed downstream reporting and analytics.
Data Lake and Analytics Stack
For the query engine, we choose Apache Impala.
Permission management is solved with Apache
Sentry, where group membership (authZ) is provided
by FreeIPA. This setup allows us to integrate a Super
Collider-internal Kerberos instance (for Super Collider
service users) and VMware Corporate LDAP. Another
potential option was Apache Ranger; however, we dis-
carded it in favor of simplicity and flexibility. We could
have chosen a simpler architecture if our company's
organization was different (e.g., without FreeIPA, or
without Kerberos, or without both).
Workflows are deployed to in-house K8S clusters and
the technology of choice for workflow management is
VMWARE CONFIDENTIAL
 Apache Airflow, which is exposed to users. Metadata Infrastructure: IaaS
management is delegated to Apache Atlas. A few words about OneCloud, the private VMware
Speaking about technologies—a noteworthy recent cloud that Super Collider relies on. If you have heard of
optimization is the migration from Hadoop YARN. Cloud Director, then you already know what OneCloud
Because we had lots of very simple data pipelines, is. VMware provides datacenter design recommenda-
where each pipeline needs a fraction of the resources tions to help its partners to build and operate their
that YARN needs to run the job, migrating our data own VMware-powered cloud. To validate and test these
pipelines from YARN to K8S saved ~90% of the used designs, VMware actually operates large private clouds
CPU cores, and ~80% of the used memory. For exam- to run production workloads within the company. In
ple, here’s the memory and CPU consumption of the other words, OneCloud is not something proprietary, it
vSphere Health data jobs before and after the migra- is just an IaaS technology stack built and operated by
tion: VMware for VMware. VMware customers can spawn
their own OneCloud-like systems.
Streaming Streaming
Super Collider benefited from the latest vSphere
workflows workflows reduction reduction %
ecosystem version. For example, the optimizations in
v1 (YARN) v2 (K8S)
vSAN and NSX helped squeeze the best performance
# of CPU out of Impala, while vSphere offered native container
538 40 498 92%
COres support for the K8S workloads.

RAM (GB) 187 30 157 84% Now, lets drill down into compute, storage, and net-
work.
Infrastructure: Administration model
Infrastructure: compute
For IaaS, we use OneCloud. The OneCloud team is
The Super Collider team optimized VM CPU utilization
responsible for provisioning hardware and for (opera-
by running several less-CPU-intensive OSS services
tions of) running the IaaS Cloud.
in a single VM (e.g., Hue and Zookeeper). The team
The Super Collider team is responsible for deploying
also combine CPU-intensive and non-CPU-intensive
the Super Collider analytics stack in VMs and to con-
machines on the same physical host using VM affinity
tainers on the IaaS Cloud. Terraform is used to manage
rules. To increase performance of the memory-hungry
VM lifecycle, and Ansible for in-VM configurations.
Impala, we disabled memory ballooning and memory
overcommitment on the VMs that host Impala.

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 41

 These kinds of configurations allowed us to achieve
the desired balance between performance, stability,
and cost.
As expected, Impala with its metadata cache was the
heaviest memory consumer, followed by Kafka—the
backbone of the data pipe. Real-time data processing
workflows are #3 in the list, and this was expected, as
they work with data that is not yet on HDFS.
Infrastructure: Storage
The data lake storage file system is HDFS powered by
Dell EMC Isilon (provided by OneCloud). The main
reason for this choice is lower cost without sacrificing
scalability. For example, Amazon S3's (widely used for
data lakes) TCO is a sum of 5 separate components, one
of them being storage per GB. This single cost compo-
nent (leaving the other 4 aside) is comparable to One-
Cloud’s TCO per GB. And unlike Amazon, OneCloud
does not charge us for #requests & data retrievals, for
management and analytics features, and/or for data
transfer (except for the overall network cost).
The above-right donut graph is how Super Collider
services use block storage. The largest consumer of
block storage is the data pipe. Since we do not want to
lose data in the pipe (Kafka), we rely on Kafka to handle
redundancy, and we provide Kafka with a storage
configured by OneCloud for low latency. The second
largest consumer is Impala, which does aggressive
caching (ephemeral writes). To eliminate the replica-
tion load on the vSAN from those ephemeral writes, we
use vSAN Direct Configuration™.
42 | INNOVATE | JUNE 2021
Infrastructure: Network
For inbound Internet traffic (e.g., VMware SaaS and
products deployed at customer premises pushing
telemetry data to Super Collider), we tried a few CDN
providers and also experimented going without a CDN.
Finally, we chose Akamai services—mainly for DDoS
protection, invalid request filtering, and rate control.
Every big data platform is extremely I/O and network-
intensive. The generic environments offered by cloud
vendors are not optimized for such scenarios. Group-
ing of workloads for network proximity both on virtual
and physical level is critical for performance and cost
optimization.
Using the latest version NSX-T Data Center allows the
segmentation to be configured across SDDCs, which
allows the network to scale beyond the limits of a
single SDDC. This option to span across SDDCs also al-
lows for network maintenance without downtime.
Requesting dedicated physical environment and hosts
that are physically close to each other may be possible
with some cloud vendors, and it comes at a higher
cost. Here again we benefit from using a private cloud.
With OneCloud, we got this feature almost for free—
we only had to explain our needs early enough to allow
the OneCloud team to plan accordingly.
Infrastructure: Operations
Super Collider offers decentralization of data manage-
ment, which creates challenges in resource planning
and capacity utilization. At the same time, Super
Collider is a centrally funded system, and the efficient
VMWARE CONFIDENTIAL
 resource and capacity management is a requirement.
On an aggregate level, however, the growth curve looks
smooth, and we have been able to predicte its growth
accurately enough to be able to manage our budget.
With more than a hundred teams using the platform,
it is not uncommon for a team to double their load on
the system within a few days. And especially during
development, it is not uncommon for a query or a
data pipeline to be implemented in a way that is very
resource-intensive. To help users utilize the resources
efficiently, Super Collider offers show back capabilities
that enable data engineers to optimize their workloads
for capacity, thus lowering the overall operational cost.
Still, Super Collider is a self-service platform that al-
lows any VMware employee to implement any kind
of data application. This might lead to and opens the
door to congestion points and resource starvation. To
solve the noisy neighborhood problem, we are heavily
relying on Kubernetes namespaces. For example, the
data pipelines of one team can be physically separated
from the data pipelines of another team. On the SQL
side, we rely on Impala resource pools, and for the
network we use VMware NSX network segmentation
when needed.
Infrastructure: Support and availability
Since Super Collider is used as a platform for in-prod-
uct and business-critical features, high availability
of the system and 24x7 support are a must. Level1
support is provided by a central incident management
team and Super Collider software and infrastructure
engineers across the globe take shifts to provide 24x7
Level2 support.
In Super Collider, a “data loss” incident is considered to
be P0, and we have designed our system architecture
and backup/restore strategy in a way that prevents
data loss even when there is a failure in a given part
of the system. For example, Kafka topics are persisted
on SSD, so that if a given broker fails, data is not lost.
In addition, a backup of Kafka is kept for a week. This
allows us to restore and replay data in case of a failure
in downstream data processor, even when the prob-
lem was found hours or days later. With regards to
monitoring, we initially we started with Grafana and
InfluxDB, but recently we find ourselves using the Pro-
metheus stack more, mostly because of its K8S integra-
tion. Every component is being monitored in isolation
and via end-to-end monitoring. A main single-page
Grafana dashboard shows the overall system stability
by user-facing components (e.g., SQL endpoint, Data
Pipelines, ingestion endpoint, control plane, etc.), and
VMWARE CONFIDENTIAL
each panel is clickable and allows drill-down to ease
troubleshooting. That main Grafana dashboard is pro-
jected on a large central display in the office.
Past and future considerations
In the above sections we explained how our system
is built. In this section we want to shed some light on
the reasoning behind some of our architectural deci-
sions. Each decision below is a candidate for a separate
article itself, as the number of variables evaluated in
order to get to the final decision was significant. To
mitigate that complexity, for every significant decision
we try to do our best to convert everything to a dollar
cost in 1, 2, and 5 year segments. For simplicity we’ll
only outline key facts that steered our decision in one
direction or another.
Past: Cloud-native vs hybrid vs private cloud
In 2017 it was time to decide the Super Collider deploy-
ment model for the next 5 years. With that we also had
to choose a vendor for lake and warehousing capa-
bilities. The three options for vendors were Amazon,
Snowflake, and an in-house built system based on
open-sourced software.
Amazon vs. Snowflake: From a product perspective,
Snowflake is an integrated solution with streamlined
usage practices. Their vision is aligned with our needs
for integrated and democratized lake and warehouse
capabilities. On the other hand, Amazon, with its
multiple data services, is like LEGO®—the way you as-
semble blocks determines your solution and cost.
Let’s start with Snowflake—the cost of Snowflake, at
the scale we were in 2017, was actually a bit lower than
the on-prem variant. However, Snowflake did not offer
an on-prem deployment, so we had to add the cost of
migrating existing workloads (both VMware-internal
and workloads we had on Amazon) to the total cost.
Also, given that Snowflake data format is proprietary,
we had to calculate the cost of migrating off Snowflake.
This made the total cost of Snowflake higher than the
cost of the on-prem deployment of an OSS stack.
With Amazon, the calculation was not that simple
because we had to validate and estimate several com-
binations of technologies including Presto, Athena,
Kinesis, etc. For our use-cases, Redshift Spectrum +
Glue was the winning combination, and still, TCO of
Amazon-based stack was significantly higher than
running OSS-based stack deployed and operated at
VMware.
INNOVATE | JUNE 2021 | 43
Top-left: Rumen Past: Hadoop
Barov, the author
We had 2 main challenges with Hadoop-based compo-
of this article.
nents: HDFS and YARN
Top-right: The
Super Collider With HDFS, we used to run a version that was inef-
Team.
ficient above a few million files. This challenge was
addressed in newer HDFS versions, so we upgraded to
it (back then it was Hadoop 2.6). The other challenge
with HDFS was its cost. HDFS is cheap, but modern
technologies can be even cheaper. For example, HDFS
was originally designed to run on local drives, but run-
ning local drives in the cloud is expensive—so, we ini-
tially started with EMC VNX (shared iSCSI). Later, with
the release of Dell EMC Isilon, we got the same SLAs
at 4.5x lower cost, because A) Isilon does not need 3x
replication factor, and B) Isilon is a more cost-effective
per gigabyte.
We had a challenge with the utilization of memory and
CPU resources by YARN-managed workloads. Migrat-
ing to K8S resulted in savings of up to 90%, depending
on the service being migrated, with an average of 50%
overall, thus halving our IaaS resource utilization.
Present: Read uncommitted = no isolation
As mentioned above we picked query engine instead
of RDBMS. The problem is that this setup offers no
transaction isolation capabilities (transaction isolation
level “read uncommitted” as defined by the SQL-92
standard).
In Super Collider we have implemented multiple work-
arounds to this problem, however with time and scale
those workarounds become costly and less efficient.
We are still looking to fill in the gap between what the
market offers—file storage, and what we actually need,
a table storage. And there are solutions out there, usu-
ally contributing with innovations in the contact area
between SQL engine, metadata, and storage. Take a
look at Apache Iceberg or Delta Lake, for example.
44 | INNOVATE | JUNE 2021
Present: Data Federation
Data attracts data, hence the term “data gravity.” With
current data growth trends—data landscape changes
and data sources proliferation—it is impossible for all
the data to reside in a single data lake backed by a sin-
gle file system. Trying to keep Super Collider as a single
filesystem-backed data lake is a doomed mission.
There are attempts in different directions that are
aimed at providing a federated view over datasets.
While distributed query engines like Presto, solve the
“data read” problem quite well, the challenge with
writes and transactions is still a work in progress.
Another approach is data orchestration (e.g., Alluxio).
Cloudera has invested in a toolset that makes it easy to
copy data with its metadata and permissions, etc.This
trivializes use-cases that require subset of all the data
in the lake. Although data copying is a workaround,
and not a solution—this workaround is good enough
when data volume is in the GB ranges.
What’s next
Bridging the gap between object storage and table stor-
age is a problem that the data world has yet to solve.
Solutions like Delta Lake work in particular setups,
however, there is no available open data platform yet.
Ensuring data and metadata consistency between file
system, query engine, and metadata store—without
a vendor lock-in—is a billion-dollar challenge and
VMware is betting on Project Taurus to solve it. Super
Collider and Project Taurus are now “one team, two
projects” and we cannot be more excited about the
future. Stay tuned!
Rumen Barov is a Staff II engineer in the Cloud Services
Business Unit. You can reach him at rburov@vmware.
com.
VMWARE CONFIDENTIAL
 Project Kepler:
The Origins of
the Anywhere
Workspace
VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 45

Before its external announcement,
VMware’s Anywhere Workspace was
code named “Project Kepler.” Brianna
Blacet sat down with Project Kepler’s
leaders—Shawn Bass, VP/CTO, End
User Computing, and Craig Connors,
VP/CTO Service Provider and Edge
BU—to find out why and how this
project came into existence.
Brianna: So, Shawn, will you give
us the high-level “Project Kepler for
Dummies”? How did this project get
started?
Shawn: The pandemic was the
genesis of how this project came to
be. Pre-pandemic, most companies
had a remote workforce of roughly 15-
20%. But during the pandemic, out of
necessity, that number rose to about
90%-100%. That immediate shift
caused great disruption for a lot of
organizations. How could they make
this remote workforce as productive
as possible as quickly as possible?
Some organizations struggled with
getting devices in people’s hands.
For example, if they weren’t laptop
users, how could they quickly order
everyone laptops or help employees
repurpose their BYOD devices? How
could they give them remote access
to the corporate environment?
Separately, disconnected from the
46 | INNOVATE | JUNE 2021
tools that companies used to manage
devices, devices fell off visibility from
VPNs. Suddenly, they’d have 10,000,
20,000, or 30,000 devices that they
couldn’t patch or keep up to date.
Patching, visibility, and security
became big problems.
During that transition, most
organizations either started to
increase their VDI capabilities or
starting rapidly expanding their
VPN appliance footprints to manage
that change. For most companies,
their VPN capacity was designed
for a remote workforce of no
more than 30%. They struggled
with how to meet a 90% remote
workforce overnight. Since most
VPN technology is based on physical
hardware, they struggled to expand
capacity. They had issues sourcing
more VPN appliances. We began to
talk to customers about how to shift
to a software-defined model. As long
as they had enough compute capacity,
that would give them the ability to
scale to meet demand.
The other challenge was security—an
increase in two attack vectors. Every
major vendor of VPN appliances on
the market has had a 9.0 or above
CVSS vulnerability in their VPNs.
Over the last 13 months, they’ve seen
their VPN hardware has all been
targeted by nation-state attackers.
Also, end users were onboarding
personal devices, which usually
doesn’t have adequate security
software. So, attackers started using
those as a pivot point into the internal
network.
Brianna: So how did Project Kepler
address these issues?
Shawn: I’d like to preface this by
saying that the technologies coming
together in Project Kepler are
designed to become a future work
style for organizations going forward.
Even as the pandemic wanes, we still
expect organizations to be in a heavy
remote-work operating model with
somewhere between 40% to 60% of
the workforce being distributed at all
times. We don't think it's ever going
to go back to that 15%-20% mark.
So it's a very big market opportunity
that won’t disappear with COVID.
Our former CEO Pat Gelsinger said
that, but I’ve heard the same from
my conversations with a number
of different CIOs. We’re seeing very
similar patterns all throughout the
industry.
Project Kepler isn’t a product, per se.
It’s made up of parts—pieces coming
together from three different BUs
and integrations between them.
But it appears more seamless to the
end user. So when they purchase
the Anywhere Workspace solution,
there will be a client component on
their devices, which is the Workspace
ONE tunnel technology. That’s what
will get a device that is not already
connected to the VeloCloud fabric
onto the VeloCloud fabric.
Craig: If we think about Secure
Access Service Edge (SASE—
VMware’s software-defined, or SD
WAN technology), it's really access
technologies and then security
technologies. The existing access
technology we had for SASE was
SD-WAN. So customers had software-
defined technologies deployed in
VMWARE CONFIDENTIAL
 their corporate offices. Although
there have been some work-from-
home deployments with SD WAN,
to reach a much larger audience
of remote workers, we needed a
software-based solution for accessing
the same fabric. So, really, a lot of
different VMware technologies have
come together to help us deliver as a
cloud service a scalable way for these
remote-access clients to access that
same fabric, as Shawn said, that the
SD-WAN branch offices had accessed.
Brianna: So how is this different
from other products on the market?
Shawn: I think if you compare it
to other market competitors, there
are many elements that align to
other vendors’ technologies in bits
and pieces—if we were to compare
some of the device-management
elements or zero-trust elements that
Workspace ONE brings to the table.
There are corollary components
available from Microsoft, for example,
that are very similar in nature. But
the difference is that Microsoft
doesn't really have a solution for
SASE that brings customers to the
VMWARE CONFIDENTIAL
cloud and routes them intelligently to
the backend (where their applications
reside) or provides a way to provide
inline security as traffic goes through
the SASE PoP and out to the cloud.
So, when you look at these
technologies, a customer would
have to go and acquire a technology
from Microsoft, technology from a
cloud-security provider, an endpoint
security offering from a third vendor,
and then piece together all these
components that we're offering in the
Anywhere Workspace. We're basically
telling customers that you can
replace an endpoint-security vendor,
a Secure Web Gateway vendor, an
SD WAN vendor, and an endpoint-
management vendor with our all-in-
one solution offering.
Brianna: Is it one SKU or multiple
SKUs?
Shawn: It is offered as a single SKU.
But there are different additions
or versions of that SKU that will be
available. Customers can add more
and more functionality.
Brianna: Do we have any customers
using it now?
Shawn: There are some customers
using an early-access version
of secure access, which is just a
component that takes the Workspace
ONE tunnel piece and brings the
customer to the VeloCloud SASE
PoP. But that's not the architecture
that will be generally available (GA).
It's an early form of it that's running
the AWS cloud. It's not meant to be
scalable or production-ready.
That early access version was not a
full featured product. We didn't have
any of the cloud-security capabilities
built into the early secure-access
version. It’s just an improved
mechanism for intelligent routing,
not a set of security technologies
delivered from the cloud.
Brianna: So, can this be used easily
for BYOD?
Shawn: Yes and no. As I explained,
we have the tunnel capabilities
today. On Windows devices, there
is a capability called “registered
INNOVATE | JUNE 2021 | 47
 mode.” It doesn’t mean that it’s MDM Brianna: Do you guys want to talk ONE tunnel technology. These are
controlled, but it does mean that more about the architecture? kind of the “onramps” into the SASE
there is a device registration in our PoP.
console that we can link policy to. Shawn: The one piece we haven't
So we have that support today for talked about is how all these different Craig: Yeah. So if you think about it
Windows 10’s registered mode. We elements come together. The slide in terms of the VMware vision of “any
do not yet have it for Mac, but that below is the architecture view that app, any cloud, any device,” the slide
is something that we're working on shows the endpoints, the SASE PoP, below is our pictorial representation.
in the Q2-Q3 timeframe. We will be
and the elements it’s composed of. We have three different types of
working on it for iOS and Android in
It shows what would happen as an users now—we have the work-from-
the Q3-Q4+ timeframe. By the end of
end user goes to use different types anywhere user who's mobile and on
this year, you'll have this capability
for almost all of the major operating of websites or SaaS apps, as well as the go in Starbucks, in the airport,
systems. In the second half of the what ultimately happens, in terms of or wherever they may be. We have
year, one of the most important applying policy in the SASE PoP. the work-from-home user, which
things that we will be working on is
rehabbing the compliance engine
within Workspace ONE to be able to
focus more on the device posture of
devices. This basically refers to our
ability to assess the risk of the device
and to use that risk in decisions that
we make in real time within the
Workspace ONE tunnel and within
the cloud web-security solution.

There's some machine-learning stuff

happening on the backend as part
of the Workspace ONE risk analytics
that's part of workspace. Today, we
sample user behavior patterns, both
in terms of how they authenticate to
Workspace ONE and we also leverage
patterns, based on the device posture.
So we look at things like—what is
the behavior the user is trying to
accomplish? Are there too many
failed login attempts? We use that as
a mechanism to assess the risk.
We also look at certain things on the
device, like the pattern of behavior
of application downloads. Is this
normal behavior or is it abnormal?
We use those factors to compute a
risk factor for that user. That risk
factor can then be used when the user
goes to authenticate the next time.
We can use that as a mechanism to
determine whether we should permit
or deny it. We can also do things in
between, such as doing a multi-factor
authentication to make the user
prove they are who they say they are.
Shawn: When I talked earlier about
there being two onramps to this SASE
PoP architecture, that's represented
in the diagram above by those two
objects on the left of the SD WAN
gateway and the secure access.
So, functionally, if you've got a
branch-office user or a home-office
user that has one of the VeloCloud
appliances, they're going to get to the
SASE PoP through the existing SD
WAN fabric from the appliance. If it's
a standalone home user that doesn't
have an appliance, or if they're in a
hotel or airport or whatever, then they
would come through that secure-
access offering that Craig talked
about earlier. That’s the Workspace
is now a much more prevalent part
of the workplace, post-pandemic,
than ever before. And then we still
have work-from-office users. We will
always have work-from-office users
going forward. We want to make
sure that we have a solution for these
three different types of users that are
accessing the solution.
As Shawn said, on the left side of
the slide, we have our two different
types of access technologies coming
into the SASE PoP. We have secure
access, which is the Workspace ONE
tunnel service containerized in
Kubernetes—it's horizontally scalable
and multi-tenant, providing those
work-from-anywhere and work-from-

48 | INNOVATE | JUNE 2021 VMWARE CONFIDENTIAL

 home users that are using Workspace
ONE with access from the network
side. And then we have our SD WAN
gateways, which are bringing in the
work-from-office users and any SD
WAN user who's working from home
and has an SD WAN device in their
home, like me, for instance.
These two access technologies
give you access to the applications
on the right, either through the
technology that SD WAN already
provides, in terms of connecting you
to your enterprise datacenter, or by
routing you through the security
technologies on the right to reach
those applications. So, with the
launch of the secure access in the PoP
in June, we will have the cloud web-
security offering, as well, which is a
secure web gateway functionality for
web and SaaS applications.
So, how do I securely access Office
365? What about security techniques
provided by cloud web security, such
as URL filtering? How do I block
gambling sites or adult websites
for my work users? We use a cloud
access security broker (CASB). How
do I protect things like OneDrive
and other business applications and
provide data-loss prevention (DLP)?
How do I make sure that sensitive
information—such as social-security
numbers, credit card numbers,
and things like that—isn't being
leaked out of my enterprise. There's
also a play for securing enterprise
applications, either in the datacenter
or running in IaaS, such as AWS or
Azure.
Next year, we will also add the NSX
firewall-as-a-service, similar to what
we did for secure access, in terms
of making it a multi-tenant, cloud-
scale solution. We have to do the
same thing for the NSX firewall. We
will add that on the right side of that
architecture diagram, for securing
the applications on the bottom.
VMWARE CONFIDENTIAL
Brianna: Have hybrid and multi-
cloud added a layer of complexity?
Craig: One of the things that's kind
of important here is this single
orchestrator at the top of the diagram.
So we're bringing all of these under a
single-pane-of-glass configuration.
There will always be some things,
like mobile-device management,
where you have to go to a different
portal. But as much as possible,
bringing everything under a single
pane of glass allows us to simplify the
management of this for the users.
We already did this for the hybrid
network with SD WAN. But now,
bringing the work-from-anywhere
users, the cloud web security, and the
next-gen firewall under that same
simple single pane of glass is what
makes it easier for users to operate
their networks in a secure way.
Shawn: Historically, what
organizations would do in order to
secure these things was to route the
users’ traffic back to the datacenter
utilizing VPN and then leveraging
various capabilities—proxies and
firewalls and things of that nature—
to try to provide security. But the
problem with that is, as more and
more applications go to the cloud
and SaaS applications are routing
the users’ traffic to the datacenter
and then back out to a public-cloud
application, these additional routes
add latency, which impairs user
experience. We want to make the user
experience better. The only solution
available for most VPN technologies
is to enable split tunneling and to
take that traffic out of the VPN and
let it go directly to the cloud. But
the downside of taking that traffic
out and having it go direct to the
cloud is, you lose all the visibility and
security that you had previously in
the datacenter.
So this notion of security moving out
to the edge is that you can still apply
all those capabilities—spearfishing
prevention, malicious URLs, DLP, and
CASB. Now you're just employing
it at the SASE edge and doing it in
a way that doesn't impair the user
experience, because you're not
routing them to one central location
to apply those security benefits.
Craig: To Shawn's point, when I had
that stack of boxes in the datacenter,
if I want to move that to the cloud, it
doesn't work if they're all different
vendors, because now my traffic is
hopping cloud to cloud to cloud. That
was before. But what we've done is to
put them all in the same PoP. So, it's a
true single pass.
Brianna: So now can you tell me a
little bit about how this all evolved
within the organization and who
the players are? How did the project
start? Who initiated it and what BUs
are involved?
Craig: Great question, although
I'm not sure I have a good answer.
I mean, I was involved relatively
early in the project, but it was kind
of after the idea was already born. I
think where it really kind of came
from was Shankar Iyer, the GM of
End-User Computing Business Unit
and Sanjay Uppal, the GM of Service
Provider & Edge Business Unit. But
we're talking about the pandemic
response and what needs to change
with our technology structure within
VMware as a whole—to make our
solutions more consumable as a SaaS
platform and that type of stuff. Both
the VeloCloud business and the EUC
business are pretty well-suited to
this idea of cloud consumption and
subscription consumption. Add that
to the pandemic response of people
shifting to a distributed workforce
model and also our technologies
that can help that scenario, it kind
of made sense to bring these two
together. So, I think it just kind
of evolved out of something that
naturally made sense for both BUs.
INNOVATE | JUNE 2021 | 49
 I talked before about the challenging
security dynamics that are happening
right now. We had spoken to the
Security Business Unit and said
“Hey, we've already got existing
integrations between Workspace ONE
and Carbon Black.” Separately, the
security business unit was working
closely with NSBU on integration
between Carbon Black and NSX and
the last-line technology. And so it
kind of made sense that the security
elements became a key part of this
overall offering.
It was like August or September of
2019 when we first started talking
between VeloCloud and NSX about
how we do SASE. I remember sitting
in a meeting with Tom Gillis (the GM
for Network and Security Business
Unit or NSBU) and talking about
remote-access technologies. We were
like, “Oh, you know Workspace ONE
has tens of millions of endpoints.
We should just use Workspace
ONE.” My team’s initial focus was
on how we could bring security into
the PoP. I thought we’d get to the
Workspace ONE piece later, which
was being explored in parallel by
Pere Monclus’s team under the name
Project RAMBOS (Remote and Mobile
Branch Office Services). And then
the pandemic hit and suddenly, it
really accelerated everything we
were doing. And that's when those
conversations between Sanjay and
Shankar happened.
Shawn: That definitely accelerated
the whole joint offering. I think
there were there were elements of
engineering collaboration before
that, but I don't think we had really
formulated a solution at that time.
With the pandemic, it was like, “Okay,
now's the right time. This has got to
be produced.” I think it made a lot of
people think about their technology
offerings in a new light.
We have been extremely busy. I would
say that Craig and I each had been
50 | INNOVATE | JUNE 2021
doing a huge number of customer-
related briefings trying to articulate
the vision and strategy behind Project
Kepler. It has been one of the most
exciting things from a customer lens.
More and more and more customers
are asking us about this and it's really
coming from two different angles.
There's the business impact of
what we're trying to solve with
Kepler of making a productive
distributed workforce. But an adjunct
relationship to this project is that we
have a number of customers asking
us right now about being able to
articulate a pan-VMware zero-trust
strategy.
NSBU had been heavily engaged with
a large number of customers to be
able to articulate what the future of
networking and endpoint security
could look like, as far as security
and authentication. When you start
changing the way that you access
things from unmanaged devices and
new IoT devices—versus the prior
world, which was all driven based
on corporate-managed devices—a
number of things have to change
about how you evaluate device
posture and risk, and how you
respond to changing conditions on
an endpoint. And that’s why I would
say that the zero-trust elements that
factor into Kepler is another area of
great acceleration and what we'll do
over the next couple of years. There
are still some missing technology
elements in our stuff today that needs
further development. One of those is
around continuous authentication
and continuous device posture. That
is something that we're working on
for the second half of this year.
But I think that's another area that,
from an innovation point of view, we
have a lot more work to do between
our BUs. So that when we tell a story
about zero trust, holistically, for
VMware, we're talking about zero
trust from the point of view of all our
business units, as far as how all those
build on each other. Because right
now, there are missing pieces of that
picture.
Brianna: What are the plans for
testing and rollout?
Shawn: That's a great question.
There's a lot of work I think that has
to happen on testing. The good news
is that, at least from an EUC point of
view, all the technologies that make
up the Anywhere Workspace are
tried-and-true existing technologies
that tens of thousands of customers
are already using today. So this will be
an evolution of existing technologies
that we already have. The use cases
around Anywhere Workspace are
some net new-use cases, but it doesn't
represent a material change or how
the technologies are tested today.
Craig: Earlier, Shawn mentioned
our ability to exchange things like
posture data in real time. That
underscores one of the things we
did with our SASE architecture. We
use GENEVE tunnels as our service-
chaining mechanism between
components. One of the things that
this allowed us to do was to build
simulators for Workspace ONE as
an ingress point and Cloud Web
Security (CWS) as an egress point.
This allows us to automate all of
the SASE touchpoints, in terms of
all the different ways traffic can
come in and out and make sure that
works—independent of Workspace
ONE testing and CWS testing—to
make sure they are functioning
properly. This use of GENEVE as an
integration mechanism between
our components, as well as making
sure that we have a quality solution
for testing the different components
in isolation, reduces the amount of
integration testing and issues. Beta
goes live next week.
Brianna: How many customers will
be in that beta?
VMWARE CONFIDENTIAL
 Shawn Bass
Craig: Approximately 20.
Shawn: It's been a long time coming.
Craig, Pere Monclus, and I have
been on a large series of calls with
J.P. Morgan Chase (JPMC) about
their future of work, with regard to
next-gen SASE architectures. JPMC
represents an interesting opportunity,
because they have come to us for
a zero-trust approach, inclusive of
SASE. They may potentially see us as
a replacement for multiple vendors
and their existing stack, from the EUC
point of view.
They are a Microsoft endpoint-
managed solution today. They use
Citrix for VDI and app remoting. This
project has the capability to come
together and give us an opportunity
to displace two other competitors
in the space—a result of this effort
around SASE and zero trust. So
it's exciting to us, because it's a
customer we’ve been pursuing for
probably 10 years. The intersection
of these things is finally breaking
open the opportunity for us to go in
and potentially displace two other
competitors.
Brianna: So what else do you think
that VMware people should know
about what's happening?
Craig: This is a natural evolution of
what we're doing. I think one of the
things that's really important is that
it represents one of the first close
collaborations between different
VMWARE CONFIDENTIAL
Craig Connors
BUs, which is not something that
historically we've done a great job
of. To give an example, somebody
from my team just committed code
into the EUC repo, which seems like
a really small thing, but it's almost
unheard of.
So, this close collaboration between
BUs—this real “better together”
story of “if I add multiple VMware
products, I get a better experience”—
is something that we've been chasing
for a long time and is now, I think,
really coming to fruition.
Shawn: I think with this SASE and
zero-trust notion is starting to make
people realize that there is a market
for us to be focused on offering a set
of things to devices that are managed,
where we're simply just assessing
posture and using that to inform risk,
authentication, and access. It's giving
us a new perspective on devices
that are either BYOD or devices
that are managed by a third-party
tool. You know, one of the requests
that we have is to be able to have
a mechanism of this offering that
can be sold into customers that are
managing their devices with another
competitive technology.
Historically, that would have been
something that you would have
approached by saying, “Okay, step one
is to replace your existing incumbent
device management with Workspace
ONE. Step two, add SASE.” That is not
going to work for a customer who
Johannes Kepler
wants to get immediate time to value
by deploying the SASE technology.
So we're reworking some of the
unmanaged or third-party-managed
capabilities in Workspace ONE to be
able to say, “I want to unlock SASE
capability, even if Workspace ONE
is not the management agent.” The
long-term destination, of course, is
for us to capture that customer as a
Workspace ONE managed device, but
that can be sold at a later date—after
we've given them value immediately
through the SASE route to market.
We can then work on trying to
say, “Hey, now that you own this
component of VMware technology, let
us show you the full capability when
all these things are working together.”
It's kind of like a seed strategy of “how
do we quickly get them some value
and then use that to layer on more of
the capabilities of the full-platform
approach?” That's where Craig talked
earlier about how this integration of
our two technologies is sort of that
launching point to give customers
value. But we want to be able to build
on it with more capabilities as time
goes on.
Brianna: So, anything else about the
future of this project that we should
know?
Shawn: Yeah, I would say one
of the key things—and I kind of
already touched on this earlier
in the interview—is that this is
really changing the way we do
INNOVATE | JUNE 2021 | 51
 endpoint device posture. This
is something we're targeting to
deliver in the second half of this
year. As I mentioned, what we're
developing is the ability to do device-
posture checking on devices that
we're not managing, and, more
importantly, able to do continuous
verification of device posture and
use that continuous verification
as a checkpoint. So while the user
is connected, if some other device
deviates from what we consider
“known good” or an acceptable
posture, we then have the ability
within the tunnel used by the SASE
PoP to be able to enforce a disconnect
of that session midstream.
Craig: The slide above may be
interesting, because it shows all the
different components. All of this runs
on top of the VMware infrastructure
stack in our PoPs—ESX, NSX, and
Tanzu. Then you have SD WAN secure
access from Workspace ONE. So
almost every group within VMware
is represented here in some way—a
huge portion of the company.
In terms of the future, we don't
52 | INNOVATE | JUNE 2021
envision this just as delivering the Hungry for more information about the
four core sets of SASE features that Anywhere Workspace? Read this blog1
we showed on that other slide. We by Shawn Bass and watch the recording
envision this as delivering a lot of the online event held on May 5th and
more features in the future. So, you 6th: “Leading Change: Build Trust with
know, there are additional security the Anywhere Workspace.”2
functions that will come in SASE,
like the remote-browser isolation
that Shawn mentioned. Something
that may be more interesting is
that this same platform gives us a
way of bringing in users securely
from anywhere to a datacenter and
delivering services on top of this
framework. You can imagine that
there's an endless array of services
that we could deliver: DNS security,
IP address management (IPAM), edge
computing…lots of other things that
will deliver out of the SASE PoPs and
continue to expand the value of this This interview was conducted by
offering going forward. Brianna Blacet. She is an Innovation
Storyteller working in the Office of the
Brianna: Well, it seems like we have CTO. You can reach her on Slack or at
arrived at the end. Thank you guys so bblacet@vmware.com.
much for taking this time to explain
it all. 1 https://blogs.vmware.com/euc/2021/04/
anywhere-workspace-announcement-
overview.html
2 https://www.vmware.com/anywhere-
workspace-event.html?src=so_606248b47ee86
&cid=7012H000001l67p
VMWARE CONFIDENTIAL
 Objectives
& Key
2.8333 in
Results 3.1667 in

A Short How-to (or How I Learned to

Stop Worrying and Love OKRs)

Jen Handler

1 https://www.whatmatters.com/
articles/the-origin-story/
2 https://www.amazon.com/dp/
B078FZ9SYB/
3 https://www.amazon.com/
dp/0996006087/
4 https://www.sweetgreen.com/
54 | INNOVATE | JUNE 2021
What are OKRs?
OKR stands for Objectives and Key Results. This is a management framework developed by Andy
Grove at Intel1 in the 70s, and it’s been used by many other orgs since—like LinkedIn, Oracle,
GE, and Google—to focus teams of people on delivery of high value results. There are two other
people often associated with OKRs:
• John Doerr was one of Grove’s mentees, had a lot of success with OKRs, and wrote a book2
about them
• Christina Wodtke3 is another person who’s gotten a lot of practice with OKRs, and writes a lot
about them
Anatomy of an OKR
An Objective is 'what we want to achieve' in support of a mission, within a certain timeframe (3
months is common). Objectives are a bit vague, should be inspiring, and don’t contain numbers.
They require further definition.
A Key Result is a measurable way we’ll know that we’ve achieved our objective. It further defines
our objective, and for every objective, it is common to have 3 key results. Good key results are
leading indicators that we’ve delivered on our objective (what we can measure within the
period), versus lagging (measurements after the period).
A Mission is an important element of the OKR framework, too. Think of this as the culmination
of your OKRs. OKRs represent milestones along the way of achieving your mission.
Example
Imagine Sweetgreen4, a store that sells salads in the U.S., is launching a new service that enables
customers to buy additional produce, to use at home, from the store. This service will be called
“Farmer Direct,” and the first product sold will be lettuce. Assume Sweetgreen has validated that
customers want to buy more lettuce directly from the store in launch locations, and that they will
launch the service in the first half of this period. Here is one OKR for the quarter:
Mission: To inspire healthier communities by connecting people to real food.
• Objective: Launch an awesome “farmer direct” buying experience
• Key Result 1: Point-of-sale lettuce purchases >20% total revenue for launch stores
• Key Result 2: 75% conversion in every launch store (conversion = oz. lettuce sold/oz. lettuce
supplied)
How to get the most out of OKRs
OKRs can be incredibly focusing and motivating, but they can also be paralyzing and de-
motivating.
OKRs work best when they:
• Provide focus for a team on the results that really matter (because they are the results that
really matter)
• Drive alignment within teams
• Help other teams know what a team’s focused on, at a high level (vs the detail in a backlog)
• Inspire people on the team to reach farther than they might otherwise
• Help teams deliver some amazing results (versus a collection of outputs with unclear results)
• Are something leadership AND the team care about
• Are frequently checked in on, and new actions are generated to achieve the OKRs
VMWARE CONFIDENTIAL
 OKRs won’t work when they:
• Are totally unachievable given known constraints/conditions. Aspirational is good; totally
unachievable because of [solid reasons] is not good.
• Don’t represent the things that matter most for the team to deliver
• Aren’t focused. Too many OKRs is a bad thing. A good target is 3 OKRs.
• Aren’t measurable (the key results aren’t measurable)
• Are not something leadership AND the team care about
• Are set at the top of the quarter, and forgotten

Key roles
Shepherd: The OKR shepherd looks after the OKR process and manages the team through it. The
OKR shepherd isn’t accountable for all of the OKRs, but the OKR shepherd might be a captain of
an OKR or two.

Captains: Every OKR needs an owner: someone to look after the OKR. This means:
• Measuring KRs
• Ensuring there’s work being done to deliver the OKR
• Influencing others to participate in the work to deliver on the OKR
• Holding planning meetings for the OKR, as needed
• Participating in OKR planning meetings
• Sharing feedback (what’s working, what isn’t working) about the OKR process

Captains are not responsible for doing all the work themselves. The objective is to influence and
enlist others in the work.

The OKR cycle: Generate

Toward the end of an OKR period, we’ll consider the next period’s OKRs. Some may carry over,
others may be new. There are three ways this can work:
• Leadership puts forth suggested OKRs; the team provides feedback; OKRs are refined and set.
• Works well when the team is not very experienced with OKRs, and/or does not have the
insight to be able to generate OKRs
• Leadership puts forth suggested objectives only. Team provides feedback, then generates Key
Results collaboratively with leadership. OKRs are set.
• Works well when team is starting to become more comfortable with OKRs, and has a bit of
insight to be able to generate OKRs (but not without leadership support)
• The full team collaborates on the generation of OKRs for the period.
• Works well when the team is experienced with OKRs and has the insight needed to be able
to generate OKRs

Act The OKR cycle: Deliver

Once OKRs are generated and set, we move into the Deliver phase. Within this phase, there’s a
repeating cycle through the period that looks like this:

The OKR cycle: Deliver: Act

Delivering a key result tends to involve doing a bunch of different things. These things are todos,
aka backlog items. Some may have a more immediate impact than others, and we’d prioritize
those.

The OKR cycle: Deliver: measure & Learn

Throughout the period, we’ll measure KRs to know how well we’re doing, and to inform our
Measure & Learn confidence level in our ability to deliver these results. For quarterly OKRs, it works well to

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 55

 measure every 1-2 weeks. This is how we know whether new actions are needed. In check-ins, we
can enlist the team to help us figure out what actions to take, and which to take first.

Check-ins
Throughout the period, we need to check in on our OKRs and iterate—either on the OKRs
themselves, if priorities have changed, or on the things we’re doing to deliver OKRs.

How this has worked for us:

• Every two weeks, captains (mandatory) and anyone else interested in joining (optional) will
gather on Monday afternoon ET to talk about how it’s going with our OKRs
• The goal of this meeting is to help one another come up with ideas for how we can get some of
those low confidence scores up
• Captains should come to the meeting prepared with a “confidence score” for each of
their KRs, and be able to talk about why their confidence score (why it’s low, or why it’s high)

How to run a confidence check

Captains may want to take on confidence scoring with the people working on the OKR prior to the
check in. Here’s how to run a confidence scoring session to generate actions.

Option 1: Good for small teams who are just starting with OKRs
Time: One hour (could shrink to 45 minutes as team gets into rhythm)

1. Set the meeting up with a quick refresher on why we’re here and what we’ll do today.
2. Facilitator prompts: “Any questions/concerns before we start?” Give people a minute to do a
silent read, and offer thoughts. Assuming they’re ready to go…
3. Facilitator prompts: Take a minute to read the first objective and key result, and think about
how confident you are in our ability to deliver on it.
4. Score: When everyone appears ready to score, the facilitator counts to 3 and, on 3, each
person shows their score using their fingers. Use a scale of 1–10, with 1 being “hardly any
confidence” and 10 meaning “we’re super confident we’ll crush this.” You can also use a 1-5
scale, which may help the team avoid questions like “what is the difference between a 7 and
an 8?”
5. Discuss: Facilitator prompts: “Let’s discuss!” People take turns talking about why they gave
their scores. The facilitator takes loads of notes. Why the high score? Why the low score? And
this might blend into the next part...
6. Generate actions: At some point during discussion, the facilitator prompts: “What could we
do today to boost our confidence?” The best ideas go into the backlog.

Option 2: Good for larger teams, and teams that are used to OKRs.
Time: 30 minutes
Pre-work: Add OKRs to a shared document that you and your team can collaborate in (my team
uses a Google sheet). On day the of the confidence scoring, invite captains to add their scores in
advance to the shared document (assume this won’t happen though—take a few minutes at the
top of the session to score).

1. Set the meeting up with a quick refresher on why we’re here and what we’ll do today.
2. Score: Facilitator prompts: “Captains, please take 5 minutes and add scores.” Captain will
enter their confidence scores.
3. Discuss & generate actions: Facilitator prompts discussion on OKRs. Captains take turns
talking about the “why” behind their scores. Facilitator prompts all attendees to generate
ideas for how to increase confidence in low scores. Facilitator captures notes/actions in the
document, and captains take actions into their backlog.

56 | INNOVATE | JUNE 2021 VMWARE CONFIDENTIAL


5 https://www.whatmatters.com/
faqs/how-to-grade-okrs/
6 https://www.perdoo.com/
resources/okr-crash-course/
7 https://tanzu.vmware.com/content/
slides/the-fallacy-of-okrs-and-how-
to-find-the-right-measurements-of-
success
8 https://medium.com/@jseiden/
to-write-better-okrs-use-outcomes-
e82be6e7b460
9 https://www.amazon.com/dp/
B015VACHOK/
VMWARE CONFIDENTIAL
Score
OKR scoring is about scoring how well we did (versus confidence). Traditionally it’s done after the
period ends. I’ve found it to be more useful to do a preliminary score prior to the end of the period,
though, because it can motivate a team for a last minute burst of action, and could inform OKRs
for the next period.
OKR scoring looks a lot like confidence scoring, except now we’re scoring how well we did (or,
really, how well we are on track to deliver). Above image is John Doerr’s scale5.
Instead of discussing additional things we can do to deliver our OKRs—like we do in confidence
checks—we’ll now discuss what we might want to carry into the next quarter (and why), and what
we learned in this quarter that may have an impact on next quarter’s OKRs.
(By the time we score OKRs, we may be well into planning for the next quarter and have a draft
that can be adjusted based on discussion in our scoring session.)
Other Stuff
Here are some other suggestions/thoughts I have related to OKRs. Some of these are departures
from the advice some books would offer on OKRs. These come from my own practical experience:
• If we need to change them, let’s change them. OKRs are proven to be great tools for focus,
but let’s agree to not use them as contracts. If priorities shift dramatically and an Objective or
KR doesn’t seem relevant anymore, say something! Let’s talk about it.
• Celebrate wins along the way: Delivering a KR is a big win, but delivering an outcome along
the way of delivering an aspirational OKR is also a big win. If you have a win, radiate it to the
team so we know and can celebrate.
• Let’s figure out how to account for/support “non OKR work that’s also important.”
This could be “business as usual” work that simply needs to continue to keep our business
humming. It could be occasional customer work. We want to balance this with OKR work, and
make sure we have the bandwidth to make a strong impact on our OKRs. We may also find
that some work that seems important and doesn’t seem to map to an OKR actually is.
• Make sure leadership and the team are aligned on how aspirational / realistic the OKRs
should be: Teams will really struggle if some of the crew feel that any of the KRs are more "set
in stone" than they are intended to be.
Further reading
Quick reads: Longer reads:
Perdoo (OKR tool) crash course6 Measure What Matters2
The Fallacy of OKRs7 High Output Management9
To Write Better OKRs, Use Outcomes8 Radical Focus3
Jen Handler is a Director of Product Management of Customer Experience and Success in the Modern
Applications Platform Business Unit. You can reach her on Slack or at jhandler@vmware.com.
INNOVATE | JUNE 2021 | 57
 THE BACKLOG STANDUP
TLDR—try the Backlog Standup for a faster, more focused start to
the day.
Background
Does your standup feel slow? The Backlog Standup followed by
role-specific standups could be a solution. Different roles of the
product development team have different needs around the
daily standup meeting:
• Product managers need to know what’s going on with work-
flow items, especially if there are blockers.
• Engineers use it as a time to decide who is working on what
for the day or ask for help.
• Designers use the time to update the team on major user
learnings.
To address these various needs (and maybe somewhat by habit/
tradition), most teams use a “circle” format. Each person goes
around typically talking about what they did yesterday and
today.
58 | INNOVATE | JUNE 2021
Author: Erica Dohring
"Yesterday, I worked on [feature]. I ran into
issues with [library] so I debugged that for a
while. I also worked on [other feature] and that
was tough because the test was so finicky.
Today I'll move onto [yet another new feature]
and follow-up about that blocker.
Tomorrow, I'm going to a doctor's appointment
at noon, which means that I might be out for an
hour or so."
This format has the following issues:
• Folks tend to feel the need to talk more as a representation
of their productivity.
• The details raised are often not relevant to everyone.
VMWARE CONFIDENTIAL
 Backlog Standup
(Today)
Engineering Standup
(Planning Today)
Format
The Backlog format is more work item focused. Here is how you
run it:
• Pull up the backlog for everyone to see.
• Ask for a comment on each work item in progress. En-
gineers can report “going”, “blocked”, or “done.” Blocked
sometimes needs a discussion for a minute or two but can
be pushed to the end.
• PMs and design give any updates relevant to engineers. Key
product direction changes or user learnings for example.
• Finish asking, “does anyone have any stucks, blocks or
helps?”
• Clap it out.
• Head to product-design or engineering standup based on
your role.
This standup version feels relevant and snappy. No more ir-
relevant details. In addition, this version also has the benefit of
making sure your tracking software is up-to-date. Especially
in larger teams, an even slightly out-of-date backlog can lead to
duplicated work. Taking care of this at standup decreases that
likelihood and makes it easier for the PMs to keep a pulse on
workstreams.
But what about …
• Detailed Design <-> PM Communication—PM and design host
a “product standup” immediately after this one to discuss
those details. Engineers head to an engineering standup.
This helps keep the shared Backlog Standup free of technical
details irrelevant to product and design.
• Fun Time—we typically have a few minutes for a laugh or
“interesting” at the start while we are waiting for folks to
arrive, giving us that sense of connection. We also schedule
team bonding time at a different point during the week.
VMWARE CONFIDENTIAL
Product/Design Standup
(Planning Today and the Future)
• Vacation Announcements—we typically communicate those
during “stucks, blocks or helps” in addition to keeping a wiki
with team time off.
• Availability —we share our calendars.
• Product Roadmap Updates—we do this before our weekly
planning meeting to not make standup take too long. Plus
once weekly is generally sufficient.
• Detailed Design <-> Engineering Communication—Design
and engineering typically run on 2 different time horizons1.
Most of the time engineering is focused on the day-to-day
and design is focused on a week or more out. This Backlog
Standup hones in on the former. We encourage other tools
to keep that link strong:
• Rapport—attend and rotate hosting the Backlog Stand-
up. You’ll hear a much shorter version of what you heard
before from Engineers (no more implementation or
calendar details) and you can still see how everyone is
feeling.
• User Updates that Impact the Backlog for the Next 1–2
Days—definitely share that in Backlog Standup
• Fun, Interesting User Updates—share those in Backlog
Standup! That is a great daily nugget and keeps the
team focused on their mission to solve user problems.
Different roles have different needs. Our team has found this to
be a huge improvement in making our morning. We feel more
focused and have a clean, reliable backlog.
Erica Dohring is a Senior Developer in the Modern Applications
Platform Business Unit. You can reach her on Slack or at edohring@
vmware.com.
1 https://www.researchgate.net/publication/343280168_Dual-Track_
Development
INNOVATE | JUNE 2021 | 59
Aligning on a Shared

OKRs, OGSMs, a
 Photo by Dave Colman from Pexels.com

Future:

and North Star Metrics

Andrew Zusman

Editor: Dexter Arver


Aligning on a shared vision is critical
to success. Whether you are working
in a small team, startup, or even a
large organization, the path to suc-
cess will depend on a shared under-
standing of what the future should
look like.
Here at VMware we have heard the
term "Fast to the Future", but how
might we know we are all headed
toward the same future, together?
Using frameworks like OKRs, OGSMs,
or North Star Metrics can help us
align on a common understanding
of where we're headed. Then, we can
just focus on the hard work of getting
there!
In this article, we will discuss the
differences between outputs and
outcomes, give an overview of key
frameworks for aligning on a shared
future, and relate some of my person-
al experiences working with different
frameworks in pursuit of enterprise-
scale digital transformation for our
clients.
I think many people who would
choose to write an article on this topic
would truly love it, but the truth is
that I haven’t historically loved frame-
works.
Instead, this article is generally fo-
cused on how even someone who has
historically not loved frameworks,
and have been widely skeptical of
them, has found value in using them.
I’m not going to lie. This is a long
article. If reading is your jam, you’re
in luck. There’s a lot here to read. If
you don’t love reading, you can catch
a recording where I talk about some
of these frameworks here1. Enjoy!
1 https://tech-talks.eng.vmware.com/talks/
aligning-on-a-shared-future-outcomes-okrs-
ogsms-and-north-star-metrics
62 | INNOVATE | JUNE 2021
Mind Maps and Brain Dumps
My default way to prioritize informa-
tion has been to just brain dump. I
look at problems from a bunch of
different vectors and angles, toss
out a ton of ideas, and just see what
sticks. To put it another way, I write
lots of notes, blow up a lot of balloons,
pop them, and see what’s left. To put
it a third way, I talk things out, try to
record things as I go, kinda bounce
around, and then eventually over
time I find some clarity. Sometimes,
I’m able to clearly articulate the
outcomes I find, but it’s much more
difficult to articulate the process of
information-gathering in a represen-
tational way. In other words, the way
I think is great for me personally, but
it’s not easy to share with others.
Mind Maps are an example of what
this process might look like visually.
They are relational, have hierarchy,
connect nodes of information to
other nodes of information, allow dif-
ferent groupings of information, and
are a way to mirror my default way
of prioritizing information. It’s the
output of a brain dump.
If I’m by myself thinking through a
problem, then this is a great system.
It works for me, and that’s about all
that’s required of a personal system.
There are, however, many problems
when I start collaborating with my
teammates. Mind maps are messy.
They are not ideal for finding align-
ment with others. Brainstorming is a
very important skill. Cataloging infor-
mation is an important skill. Neither
brainstorming nor cataloging is, in
my experience, helpful for collabora-
tion. Mind mapping isn’t digestible
any more than whiteboards filled
with ideas are digestible. I have cam-
era rolls filled with whiteboard pic-
tures that lose their value because
the artifact on the whiteboard was
never as important as the process
of brainstorming and cataloging
information. And this is something
I am working on improving—shar-
ing back information to help guide
longer term product strategy.
What’s the point of great ideas if they
can’t be easily related to other teams
and teammates?
I find that the larger the scale, the
harder it is to communicate great
ideas, and the more important it is to
communicate them and align.
If you’re just working through a
brainstorm for yourself or in a small
group and you can work out the com-
munication later, then maybe a Mind
Map, whiteboard (Miro) or some kind
of personal organization could be
great, but for a team trying to scale
and communicate with other teams,
disorganized thought means lack of
alignment.
The lack of high level communica-
tion on strategy is something I have
experienced across a wide swatch of
clients I’ve worked with, and probably
something we are all familiar with.
It leads to duplicate effort, slower
scaling, misalignment, and opaque
knots that are difficult to unravel. For
my clients, who are often working
very hard to scale, inability to align
and communicate is uncomfortable
at best and a path toward failure at
worst.
In order to avoid these issues, we
must gain alignment, but what do we
mean when we say alignment? And
why does it matter so much?
Alignment
Alignment means a straight line—
everyone on a team, multiple teams,
or even an entire organization—is
headed in the same direction on the
same road with the same idea of what
they’re meant to accomplish. We can
think of it like a school of fish. They
may all swim separately but they
understand what the school needs—
protection, food—and can execute as
a group. If one fish leaves the school,
VMWARE CONFIDENTIAL
 they’re weaker, and we can think of
that as similar to the effect of being
out of alignment.
Culture plays a big role in alignment.
Culture can be defined as col-
lective instinct. The instincts of a
team, group of teams, or an organiza-
tion are formed by having the same
thoughts and desires for outcomes.
The fish have a culture that compels
them to swim in a similar way for
specific reasons.
Alignment is what we do to facilitate
having those same thoughts/desires
and ultimately the same collective
instinct. While I won’t go into too
much depth on this, something to
keep in mind as you read through the
different frameworks below is that
alignment is often a mirror of cul-
ture. Companies can align in many
different ways and don’t all need
frameworks, but misalignment and
toxic cultures are, in my experience,
correlated.
I also want to note that alignment
and purpose often overlap and, not
coincidentally, purpose overlaps with
happiness. Knowing what’s expected
of you, what you can do to contribute
to the broader good, and what your
role is in comparison to others is
often helpful for productive work. So
while I’m primarily talking about how
organizations align across multiple
teams from a top-down perspective,
I also want to call out that having
alignment and using frameworks can
contribute toward overall happiness
of employees.
When we talk about alignment, it is
important that we are aligning on
outcomes and not outputs. Outcomes
are the way something turns out and
outputs are the amount of something
produced. For example, an outcome
might be, “increase indoor air quality
in my house” while an output might
be, “spend three hours vacuuming
each week and the amount of pol-
VMWARE CONFIDENTIAL
lutants will drop by 10%.” Whatever
framework we use to push for align-
ment, pushing for outcomes is ideal
for alignment because it’s not pre-
scriptive.
We’ll see how this plays out when we
actually apply different frameworks
to the same concept of alignment,
but outputs, in my experience, are
less conducive to alignment success.
Outputs often push people to make
decisions they might not otherwise
make. Similarly, outputs often push
teams toward metrics that may not
be indicative of real success. We also
give teams autonomy to solve prob-
lems in meaningful ways.
Now let’s take a look at three popular
frameworks in enterprise software:
OKRs, OGSMs, and North Star Met-
rics. Frameworks are communication
tools that help us to align with other
teams and across an organization.
To explain these popular frame-
works and how organizations use
them to push toward outcomes and
gain alignment, let’s talk through a
scenario!
Fruit Finders
Fruit hunters are people that travel
the world sampling exotic fruits. They
spend outrageous amounts of money
every year on fruit and often order (or
even import) fruits from outside their
local area.
Fruit hunters want to eat rare or
exotic fruits, rate what they’ve eaten,
and then connect with others who are
passionate about fruit.
Fruit Finders is a company of sixty
employees aimed at building a
marketplace for the fruit hunting
community. It connects fruit vendors
with fruit lovers and it aims to build a
community for fruit hunters.
The company is split into three
teams.
The first team is the business team.
They are working to align the whole
company around objectives that will
help with a funding round and ex-
pand the team to 150 employees.
The second team is building the
company’s vendor experience—the
fruit farm or fruit vendor that wants
to sell fruit.
The third team is the fruit hunter
team that helps the fruit aficionados
rate, track, connect with others, and
most importantly to the business
team, buy more fruit from the second
team’s vendors.
So is there alignment between these
three teams? Probably? Maybe?
Here are some questions to consider
to try to figure out the answer:
• What kind of communication do
the teams have? Are they aligned
on a common vision?
• What's the connection between
making the purchasing process
easier and having a successful
funding round?
• Does upgrading features help in
attracting top talent?
• Does increasing the average pur-
chase amount per fruit hunter go
hand-in-hand with adding new
fruit hunters?
• Do we need more users or do
we need existing users to buy
more?
• If we add more users, will our
average purchase price drop?
• If our purchase price per user
drops but our overall revenue
increases, that’s good for the
first team, but will it help at-
tract new vendors?
We can keep cross-referencing the
different things the different teams
are trying to accomplish, but this is a
common struggle in many organiza-
tions.
INNOVATE | JUNE 2021 | 63

Objective
500 fruit purchases are made daily.
Crush the 95% of fruit hunters checkout with multiple items
purchasing
experience!
90% of first-time purchasers make an additional
purchase within 30 days of their first purchase.
The teams are all working together.
They are all working towards com-
pleting their goals.hey all care about
the business value and the end-user
value that they are building.But in
spite of it all, it is hard to ensure align-
ment in everything
So, let’s take a look at how Fruit Find-
ers might apply different frameworks
to gain that alignment.
OKRs
One way the teams might align is by
using the popular OKR framework.
OKR stands for “Objective and Key
Results”.
The OKR framework tasks teams with
creating a singular objective that the
whole team will push toward. The
objective is a “moonshot” that a team
is meant to be only 50/50 in terms
of their confidence in executing
on. Objectives are chosen at longer
intervals such as quarters, halves, or
even yearly.
Key Results are metrics that explain
what success would look like with
just 50% confidence that each key
result can be completed. Teams are
encouraged to pick just a few key
results and to meet weekly to chart
their confidence as they push toward
those results.
OKRs can cascade as one level in the
hierarchy may have a Key Result that
64 | INNOVATE | JUNE 2021
Key Results
(5/10 confidence)
in their cart.
will feed into the objective for a team
below it in the hierarchy.
Let’s take a look at how this might
work for Fruit Finders with the OKR
above.
No matter what team you’re on, these
are your goals. The entire business is
optimized around just one objective
and needs to be inspiring.
Everyday, employees wake up, go into
work, and think “What can I do today
to crush the purchasing experience?”
Each team can focus on one of the key
results or, maybe, all three at once.
Each week when the whole business
meets to discuss their confidence
score, they can say, “Hey, this week we
had a ton of first time purchasers so
we got to 500 fruit purchases every
day this week, but we’re not sure if
we’ll see the results next time because
we gave them a discount code, so
maybe we’re 6/10 confidence on that
one.”
10/10 confidence isn’t considered
a “good” thing in OKRs. It means
that they set their sights too low and
weren’t ambitious enough. Con-
versely 1/10 confidence isn’t consid-
ered a “good” thing in OKRs because
it means that a team set their sights
way too high and generally that’s poor
for morale.
Completing OKRs is seen as counter
productive—OKRs aren’t a task list.
They are inspirational stretch goals
that could result in better outcomes.
OGSMs
Another option for Fruit Finders is to
use a different framework—OGSMs
OGSM stands for Objectives, Goals,
Strategies, and Measures.
Unlike OKRs there are multiple
OGSMs for a company with each team
having their own. A common trait
with OGSMs is that they can cascade
to help form a chain of goals, which
helps with alignment.
Objectives have both goals (metrics
that define the success criteria of the
objectives) and strategies (pathways
to achieve the objectives). Measures
are ways to define the success criteria
of the strategy.
Contrary to OKRs, OGSMs are less in
the realm of moonshots. We still want
to push toward something ambitious,
but the point of an OGSM is not to
rally the entire business around one
moonshot idea and, if we fall short,
to feel okay having fallen short. The
point of an OGSM is to meet the goals
we set as a business, and align on a
pathway for completion.
Because OGSMs cascade through a
business, this also means that the
entire organization has transpar-
ency into how their work will directly
impact the work of those above/be-
low them in the hierarchy. Strategies
should cascade between levels and
each level should own the outcomes
and appropriately prioritize. This
means that work can be traced back
to higher level goals and hopefully
that will show employees how their
work impacts the overall business.
That transparency can be beneficial,
especially as organizations scale. It
also means that team efforts can track
metrics that will be impactful overall
and strive for them.
VMWARE CONFIDENTIAL
 Objective: Fruit finders is the most successful online marketplace for fruit buyers and sellers.

Business team Vendor partnership team fruit hunter team

Fruit buyers pay less for exotic fruits on Fruit

Become the most profitable fruit marketplace Vendors have more repeat customers online
Objective online than in their brick-and-mortar stores
Finders than they would at their local store by
signing up for a subscription

Vendors see 10% average monthly increase An average of 100 net new subscriptions are
Monthly Recurring Revenue increases each
goals month over the next 10 months by at least 5%
of returning customers over brick-and-motar signed up for each month for the next 10
sales using Fruit Finders subscription plans months (1000 new subscriptions)

Referrals to use Fruit Finders are streamlined

strategies Fruit Hunters are buying more fruit
• Fruit Hunters that make their first purchase on
Fruit Finders make a second purchase within
measures 30 days
• 20% of Fruit Hunters sign up for recurring sub-
scriptions with their favorite vendors
Returning customers get a bonus when they
sign up for a subscription
using referral links from each Fruit vendor and
Fruit Hunter account
• Each subscription customer gets a referral link
• 75% of new users join the platform using a
that can earn them a 30% discount on their next
referral code
order
• 90% of website visitors come from a specific
• Each vendor sends their referral code to five
users' referral link
prospective buyers each month

The above is a quick example of an
OGSM I drew up for Fruit Finders.
There’s an overall company objective
that filters to the Business Team. The
Business Team is defining success by
profitability To increase profitability,
they will need to increase Monthly
Recurring Revenue (MRR). If fruit
hunters are buying more fruit, then
the MRR will go up, and one way to
make that happen is for there to be an
increase in subscriptions.
The Vendor team can see the need
for more subscriptions and sets their
objective based on the metric of the
business team—20% of Fruit Hunt-
ers sign up for subscriptions. To
make that happen, the Vendor team
sets having more repeat customers
than the brick-and-mortar stores of
their vendors as their objective. To
get there, they will need to see more
repeat customers via subscriptions
and to get more subscriptions, they
try using discount codes.
The discount codes mean that the
fruit hunters will pay less compared
to buying at their local stores, so the
Fruit Hunter team focuses their atten-
tion on new subscribers for the next
10 months.
Hopefully, in the above example, you view into which metric is the most
can see the cascade effect that helps critical for the overall company and
to build alignment across the orga- how the metric they’re working on
nization and the transparency that feeds into that overall metric.
helps teams to stay on the same page.
I don’t mean to present NSMs as a
In the final Framework we’ll look combination of OKRs and OGSMs,
at today, you will also see a cascade but there is some overlap between the
effect. considerations of both in how NSMs
are generated and how they work to
North Star Metrics improve alignment.
North Star Metrics (NSMs) are a form
of a single metric that matters. Amplitude, a product intelligence
company, has championed the North
The company has a singular metric Star Metric2. Here is their checklist of
that is the most critical and then the what makes a great NSM:
metrics cascade from there. Each 1. It expresses value. We can see
team then works on what will be most why it matters to customers.
beneficial to helping to achieve that 2. It represents vision and strategy.
metric. Sometimes those are called Our company’s product and busi-
Sign Posts. ness strategy are reflected in it.
3. It’s a leading indicator of success.
One of the hardest parts about North It predicts future results, rather
Star Metrics is actually choosing the than reflecting past results. (Not
right North Star Metric for an organi- Lagging)
zation. In my experience though, the 4. It’s actionable. We can take action
hardest part of having a North Star to influence it.
Metric is actually putting in the work 5. It’s understandable. It’s framed in
once the Metric has been determined. plain language that non-techni-
cal partners can understand.
One of the key aspects of NSMs is that 6. It’s measurable. We can instru-
they galvanize support for a singular ment our products to track it.
goal, much like OKRs, without requir- 7. It’s not a vanity metric. When
ing a moonshot or confidence score.
Everyone at the organization has a 2 https://amplitude.com/north-star

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 65

 it changes we can be confident
that the change is meaningful
and valuable, rather than being
something that doesn’t actually
predict long-term success—even
if it makes the team feel good
about itself.
For example, Slack’s NSM was mes-
sages sent within an organization.
This is a solid NSM. It expresses the
value of Slack (connecting organiza-
tional communication), it expresses
the value of the product being sold,
it’s actionable and understandable
and it could be a leading indicator
as well. Overall, this is a well written
articulation of a NSM.
We can speculate about why this was
the most critical to Slack. They chose
messages sent within an organization
rather than new organizations using
Slack. It’s interesting to optimize
usage over growth, but I think the
following:
• Usage leads to loyalty, which will
lead to long term growth.
• Usage justifies the price and
potential price raises.
• Usage requires a focus around
user needs and solving user
problems.
Another example is Zoom’s North
Star Metric—Weekly hosted meet-
ings.
Pretty straight forward NSM. This is
actionable and understandable. Every
team at Zoom can rally around trying
to get more weekly hosted meetings.
It’s a call to action.
It also expresses the value proposi-
tion of the company in a succinct way
and it’s even trackable.
Zoom could have rallied around paid
subscribers, time spent in each meet-
ing, participants in a meeting, but
they chose to go with weekly hosted
meetings. Maybe with COVID this
has changed to daily hosted meetings
66 | INNOVATE | JUNE 2021
or potentially even hourly, but the
outcomes there would be the same—
clear business value, clear user value,
leading indicator, and an understand-
able metric.
So how might Fruit Finders describe
its NSM?
FRUIT FINDERS - Each order in-
cludes more than two fruit types.
Why might this be a great NSM for
Fruit Finders?
1. It expresses value. We can see
why it matters to customers.
Fruit hunters want to sample new
and exotic fruits. User motivation
and product value are demon-
strated here. Trying more types of
fruit also means more reviews so
it bolsters support overall.
2. It represents vision and strat-
egy. Our company’s product and
business strategy are reflected in
it. Fruit Finders wants to encour-
age fruit hunters to try new and
exotic fruits, so the vision is
there. This also gives us a way to
measure or consider whether a
vendor is well suited to the plat-
form or not. If they are a vendor
that just deals in one type of fruit,
then in the long term, they may
not be a good candidate for our
push toward diversity of fruit on
the platform.
3. It’s a leading indicator of success.
It predicts future results, rather
than reflecting past results. This
is aspirational in that we want
orders to have more types of fruit
sold.
4. It’s actionable. We can take action
to influence it.
5. It’s understandable. It’s framed in
plain language that non-techni-
cal partners can understand. It’s
actionable and understandable
for each team. The business can
rally around that metric as the
one that drives growth (more
things per order), the vendors can
see more diversity in what is be-
ing sold and theoretically larger
orders that make vendors happy,
and fruit hunters can sample
more types of fruit.
6. It’s measurable. We can track this
metric.
7. It’s not a vanity metric. When
it changes we can be confident
that the change is meaningful
and valuable, rather than being
something that doesn’t actually
predict long-term success—even
if it makes the team feel good
about itself. This will be a mean-
ingful representation—the more
people try different fruits, the
more likely they are to continue
to order them. Fruit hunters love
fruit, so the more fruit we put it
in their hands, the more value the
system will have.
Strictly My Opinion: OKRs
I think there is a tendency to use
OKRs incorrectly or to use what I call
“lower case” okrs rather than “capital”
OKRs. It’s rather common to see too
many OKRs, poorly written OKRs, or
things that are checklist-y in nature
rather than provocative moonshots
that help drive and motivate teams to
reach for more difficult outcomes.
We think about OKRs as being an
“easy” framework because defining
an OKR isn’t so difficult and people
can understand the basic meaning
of the words quickly. However, the
concept of a “moonshot” is relatively
foreign to major enterprise compa-
nies (especially if it is publicly traded).
The desire for consistency is often
fundamentally at odds with the low-
grade confidence scores, which is a
requirement for moonshots (and thus
OKRs). Due to this, I don’t generally
recommend OKRs for enterprise. And
I have had to push back on their use
in many instances.
I also find that instead of one great
OKR for an enterprise, there are often
half a dozen; and this, too, is not a
galvanizing, inspirational method.
VMWARE CONFIDENTIAL
 Instead it is just a collection of goals
written in an OKR format. That’s
not beneficial. Great OKRs work.
However, it is very difficult to write
great OKRs and to persevere through
(potentially) years of learning the
framework, evangelizing it, and ex-
ecuting at scale.
There has also been a lot of writ-
ing over the past few years on how
organizations have tried to tie the
success of OKRs to a bonus structure
and why that’s a recipe for disaster. I
won’t spend time in this article dis-
cussing it, but it’s worth diving into
either Christina Wodke’s book or John
Doerr’s book for more info on that
conversation.
Strictly My Opinion: OGSMS
One great thing about OGSMs is that
they cascade and they offer a degree
of transparency. I think OGSMs are
helpful in an organization as each
team has insight into how their work
slots into other work being done in an
organization. It is helpful to have a
roadmap or strategy at that level and
certainly the act of putting together
an OGSM can be helpful in gaining
VMWARE CONFIDENTIAL
intra-team alignment. My biggest is-
sue with OGSMs is that, unlike OKRs,
they’re not inspiring. No one wakes
up in the morning and tries to crush
their OGSM. It is more of a way to
write out what you’re working on and
how it fits into the larger enterprise. It
is not meant to rally a team.
Strictly My Opinion: NSMS
Finally, I really love NSMs. If I had
to pick one for VMware to try, this
is likely what I’d pick as a first ex-
periment. It would be fascinating to
think about what we might use as
that NSM. The idea of galvanizing
and inspiring teams while retaining
transparency across an organization
and cascading goals top-to-bottom
is outstanding (especially in terms of
alignment).
I think the biggest hurdle is in select-
ing a North Star Metric. This can be
excluding rather than inclusive and
aligning an entire organization be-
hind the wrong metric can be disas-
trous in a way that OGSMs or OKRs
are unlikely to be as impactful if done
poorly. Even with that risk, I’d still
love to see more organizations select
NSMs as their framework.
Strictly My Opinion: OTHER
Certainly there are other frameworks
out there and many organizations
may choose simply not to use specific
frameworks. At Pivotal, “four im-
peratives” were passed down to each
team—they were just stated goals
that each team would autonomously
work toward. I think that was one way
to consider how a framework may
not be needed while still aligning a
company. It could be that all that is
needed is a directive, but consider
that the more crisp we are at formu-
lating understandable directives,
the closer we’ll be to alignment and,
hopefully, if we do everything right, a
better, scalable culture.
ResourceS: OKRS
There are two seminal works on
OKRs. The first is Christina Wodke’s
book Radical Focus3 and the other
is John Doerr’s book Measure What
Matters4.
3 https://www.goodreads.com/book/
show/28951428-radical-focus
4 https://www.goodreads.com/book/
show/39286958-measure-what-matters
INNOVATE | JUNE 2021 | 67
 I prefer Wodke’s book, but they’re
both pretty great. Here is how Wodke
sums up OKRs:
“OKRs are about continuous improve-
ment and learning cycles. They are
not about making check marks in a
list. So you didn’t hit any of your KRs.
Ask yourself why, and fix it. So you hit
them all? Set harder goals, and move
on.” - Christina Wodke
ResourceS: OGSMS
For OGSM my recommendation is
just to Google it. There isn’t a great
repository or book that I’ve found for
OGSMs. If anyone finds one, please
let me know as I’d love to read it. It
seems like a technique that many
companies have adapted and made
their own, but not one that has a cen-
tral body of knowledge or OGSM-spe-
cific experts. In some ways that could
be considered a good thing. One of
the drawbacks of using frameworks
is that they often aren’t as malleable
as needed for different organizations
at different stages and with different
personnel. In another way it’s prob-
ably not the best thing that there isn’t
a specific body of knowledge to focus
on.
68 | INNOVATE | JUNE 2021
I don’t think OGSMs are quite as
difficult to master as OKRs, so there’s
more wiggle room. Who knows,
maybe someone here at VMware will
be inspired and decide to write a book
on OGSMs and if you do, again, I’d
love to read it.
ResourceS: NSMS
Amplitude - North Star Metrics2
Amplitude runs some specific work-
shops and webinars that are free. I’ve
attended a few of them and got a lot
of value out of them. Lots of places
out there use North Star Metrics as
their framework, but Amplitude is
the primary thought leader.
Conclusion
If you’ve read this far, you’re probably
thinking that this is a lot of writing
for someone that proclaims to not
like frameworks. You’d be right. I
don’t like frameworks. What I do like,
however, is clarity and the separation
of signal from noise. I love to be in-
spired and I love to feel like the work
I’m doing is meaningful. Frameworks
are a great way to build the kind of
culture that makes me excited to go
into work everyday. I’m not currently
using any framework for my work at
VMware, but I do feel like the work
I’m doing is contributing to the over-
all success of the organization. It’s a
thought I go back and forth on in my
head. Do I need a framework to have
the feeling I want? I’m not sure.
I’d love to hear from you. I’d love to
hear about whether you find your
work to be meaningful, how you
know it’s helping the broader organi-
zation, and what your experience has
been like with these frameworks or
others. In short, we have an oppor-
tunity to drive thought leadership
together, to align on our own shared
future, and build the culture we want
for VMware.
If you loved this article, tell your
friends. If you didn’t (or you have any
questions or compliments), tell me!
Thank you.
Andrew Zusman is a Senior Product
Designer in the Modern Applications
Platform Business Unit. You can
reach him at @andrew on Slack or
azusman@vmware.com.
VMWARE CONFIDENTIAL
 unblocking
FedEX + vra 8.3

THE

ACE Team
Authors: Tom Scanlan and Luis Valerio Castillo | Editor: Dexter Arver

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 69

A
ccelerated Co-Innovation Engineering (ACE) is a new
team in the Office of the CTO within the Advanced
Technology Group. ACE is chartered to collaborate with
customers and across VMware Business Units (BU) to infuse new
technology and enhancements into VMware products that ac-
celerate adoption.
ACE engages in strategic situations where it can make the most
impact for the success of VMware and our customers. To do so,
ACE listens to sales and other field teams, and looks into BU
issue trackers. Generally, what we find is that there are improve-
ments that can help our customers but BU prioritization results
in delaying the related benefits to our customers. Sometimes
improvements require fundamentally new technology, which
may be outside the core competency or responsibility of a single
BU.
A recent example of how ACE can help accelerate customer
outcomes involves our customer, FedEx. FedEx’s desired out-
comes required improvements in one product that had been
delayed for months and was not going to be prioritized soon.
FedEx would be stuck on an older (but working for them) version
of this product which would, in turn, prevent upgrades to several
other VMware products. Injecting expert effort into the right
place could help them adopt the latest version and unblock a
single deal worth $70 million. And the BU and FedEx were will-
ing to make that happen with the help of ACE.1
To support their future desired outcomes, FedEx wanted to move
from VMware Cloud Foundation 3.x to 4.x. As a prerequisite of
that upgrade, they needed to move from vRealize Automation
(vRA) 7.6 to vRA 8.x and NSX-V to NSX-T. Versions vRA 7.6 and
prior supported Puppet2 via a vRealize Orchestrator plug-in de-
veloped and maintained by Puppet Labs. vRA 8, was a complete
rewrite, and the puppet plug-in would not work with the change
in design. Some support for Puppet was built into vRA directly,
1 The ACE team would like to make clear that the ACE team supports outcomes,
not product release promises.
2 https://puppet.com/
70 | INNOVATE | JUNE 2021
but it was not in parity with the vRO plug-in. Because of their
extensive use of Puppet, FedEx would not update to VCF 4.x until
vRA 8.x supported feature parity with the vRA 7.6 release for a
few specific features of the Puppet plugin.
ACE is Called into Action
The upgrade issue was raised by the field in early to mid 2020.
They shared information with the Cloud Management Business
Unit (CMBU) on what specific issues needed to be overcome for
our customers. CMBU has the same problem of resource alloca-
tion as most engineering teams—there are finite resources, and
due to other priorities, some simply would not fit into the prod-
uct roadmap until mid-2021. CMBU and the field raised the issue
to ACE requesting that we take it on as an effort to accelerate the
needed capabilities in late November (as seen in our tracking
system3).
After review, ACE agreed to develop the required capabilities.
The team worked out an arrangement with CMBU to embed
ACE’s software engineers into CMBU engineering. The goal was
to get FedEx’s Puppet automation working with an early version
of vRA 8. By doing so, FedEx could immediately advance their
VCF upgrade and rollout. FedEx agreed that the outcome of over-
coming the obstacle to their upgrades was worth the time. Based
on that and the CMBU's agreement to embed our engineers, we
began in early January 2021.
Luis Valerio Castillo and Tom Scanlan were the members of ACE
embedded with members of the CMBU configuration manage-
ment provider development team, Deepak Mettem and Mrinali-
ni Anand. Initial on-boarding—coming up to speed on the code
base and team practices—took a couple of weeks. If you want
to know how providers in vRA work—and more specifically the
Puppet provider—you can head to the “On-boarding working
session recordings" Confluence page4 for all the deep diving you
might desire.
3 https://gitlab.eng.vmware.com/octo-ace/ace-submissions/-/issues/26#note_
139587d6b1f846ca477d25a9faf240d2bab87f3b
4 https://confluence.eng.vmware.com/display/VCMR/On-boarding+working
+session+recordings
VMWARE CONFIDENTIAL
Requested Outcomes
The outcomes requested by FedEx are covered by short descriptions and demos of the works as they came into being.

Requested Outcome 1:
Customer must be able to use vRA 8 blueprints to specify a Puppet primary server, and a geographically local Puppet compile server
for scaling.

FedEx has a global computing footprint, with tens of thousands

of VMs to manage. To use Puppet at that scale, FedEx is using
a Puppet primary server with many compile servers. In this
architecture, there is a top-level server in a high-availability
configuration that manages certificates and has a global per-
spective of all production VMs. At each datacenter there are one
or more Puppet compile servers that do most of the work local
to the VMs in that datacenter and synchronize with the primary
Puppet server. Compile servers max out around 2500 nodes, but
that limit can be raised by adding more compile servers and us-
ing a load balancing mechanism to spread the load across many
compile servers.

Blueprint containing "installMaster” property See https://via.vmw.com/EQEL for a demo of this outcome.

Requested Outcome 2:
Customer must be able to expect the same kinds of Puppet Facts available from vRA 8 as vRA 7.6.

Puppet Facts are attributes about VMs that can be used to affect
how the VM is configured. While some Facts are discovered from
the VM characteristics such as the size of disks, or the amount or
RAM or CPUs, others can be provided from an external system.
For example, servers with a fact named “type” and a value of”
webserver” could be configured differently than one with a
“type” fact of “database.”

To support external Facts, properties of the vRA blueprint are

Facts file as delivered in v8.1, vs 8.4 (video: https://via.vmw.com/EQEJ)
captured and sent as a file in the VM that is available for Puppet
to query at run time. That functionality existed in vRA 7 but was
lost while re-architecting vRA 8. The limitation was due to using
an “allow list” of Facts that could be passed to the VM that was
not configurable and allowed only a small set of blueprint facts.
The fix was to flip this logic around to a “disallow list” and allow
everything not on that list. Now any customer added properties
could come across by default, while some private information
could be prevented from being sent to the VM.

An interesting highlight about the ability—ACE had to be surgi-

Properties attached to blueprint (video: https://via.vmw.com/EQEI)
cally precise in that Windows and Linux shells support different
character lengths. This revealed a bug in the Windows imple-
mentation for handling large numbers of Facts—fixing Fact han-
dling for Windows would have required a larger re-design. Since
FedEx only uses Puppet with Linux VMs, this was not a problem
for them, and we pushed the Windows fix into the backlog for a
future release. We also documented the issue, added testing that
would reveal the issue and make it easier to fix for the engineer-
ing team in the future. We put in exactly what the customer
needed while advancing the engineering team.

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 71

Requested Outcome 3:
Customer must be able to purge a Puppet node, and already purged nodes should not be considered a failure.
Successful purge during forced failure
ACE's Exit
The work is complete and is now generally available as part of
the 8.4 vRA release. FedEx and other customers can now utilize
these improvements when appropriate. Specifically, FedEx had
access to test an early release of vRA 8.4. Through customer-
facing demos and discussion, we learned that FedEx had a very
positive experience with ACE. In fact, CMBU and the field also
had a very positive experience with ACE.
ACE has officially stepped away from this project, having writ-
ten the code in a BU supported fashion and leaves continued
support to GSS. However, ACE will remain close by in case as-
72 | INNOVATE | JUNE 2021
Purging a Puppet node will cause the primary server to revoke a
certificate for the node being purged. In an early vRA 8 release
FedEx had tested in their lab, there was a scenario where a VM
would failed to deploy and a purge step would be triggered to
clean things up, but this purge step would fail because the VM
did not have a certificate registered with the primary server. This
caused problems where deployments could not be cleaned up in
vRA 8. As development on vRA 8 progressed, this bug was elimi-
nated. ACE didn’t make any changes to the code, but instead
they demonstrated that the current behavior matched FedEx’s
expectations.
The ACE Team loves it when a plan comes together.
sistance is needed. ACE has already moved on to the next set of
blockers, and we look forward to sharing more, great outcome
experiences in the future.
Tom Scanlan is a Application Platforms Architect working in the
ACE team in the Office of the CTO. You can reach him at
tscanlan@vmware.com.
Luis Valerio Castillo is a Member of Technical Staff working in
the ACE team in the Office of the CTO. You can reach him at
lvaleriocasti@vmware.com.
VMWARE CONFIDENTIAL
 From poster
session to propel:

benefits, adaptability,
and innovation of
University Talent at VMware
KATE WILKINSON
 At VMware, our employees are what set us apart from the rest of the technology industry.
The innovative spirit and passion of our employees has made VMware the leading
company it is today—including placing in the top 11% on Forbes’ 2021 America’s Best
Large Employers1. 1 https://www.forbes.com/best-
large-employers/
It’s no surprise then, that recruiting, hiring, and retaining our employees is crucial in
maintaining our innovative culture across the company. A great deal of time, effort, and
resources are put into developing strategies and programs to find the best talent at all
levels and experiences. This article examines talent management for those just starting
out in their careers at the university level.

VMware is committed to finding top global talent at the university-level for both
internships and New Graduate (NG) positions. Hiring at this level poses a different
set of challenges and processes than hiring for industry positions. Let’s explore those
differences and learn how University Talent innovates while recruiting incredible interns
and NGs.

I had the opportunity to talk with three University Talent (UT) team members—Maria
Raimundo, Cherielynn Tsay, and Katherine Nguyen—about their roles, the benefits
UT can have on a team, and their perspectives on how the UT team is innovating bringing
university-level talent into the company. We also talked with some folks from the Office
of the CTO’s Research & Emerging Talent team who are also passionate about recruiting
university talent.

Before we go any further, let’s introduce the UT team members who will be featured in this
article:

Maria Raimundo is a University Talent Engagement Manager, responsible for the global
NG and Intern hiring strategy for many of VMware’s Product Teams. Maria is part of the
UT team whose focus is to recruit, hire, and provide an excellent experience to all students
who work at VMware. Maria supports her BUs by partnering closely with their Chief-of-
Staff, Finance Director, Industry Recruiter, and HR Management Partner to devise a yearly
hiring plan that will meet the BU's early-in-career talent needs.

Cherielynn Tsay is a program manager on the University Talent Experience Team,

overseeing the AMER Intern Program. Cherielynn’s scope includes curating program
events and trainings; leading onboarding; supporting interns’ managers and mentors;
partnering with global counterparts to ensure consistent intern programming across all
regions; and being a liaison with UT recruiting teams for a smooth intern experience.

Katherine Nguyen is a University Talent Program Manager overseeing a variety of

different programs that reach the R&D community. Her work focuses on employee
experience by providing new graduate hires with the tools, resources, and opportunities 2 https://blogs.vmware.com/
to become a successful contributor at VMware. Katherine also supports the Talent careers/2020/10/vmware-code-
Acquisition’s overall strategy by planning and executing events that focus on VMware’s house-2020-the-virtual-experi-
DEI goals. Some of these programs and events include: ence.html
3 https://source.vmware.com/por-
• VMware CodeHouse2, an exclusive, invite-only, 3-day coding event for women in tal/pages/HR/university-flight
technology. 4 https://source.vmware.com/por-
• University Flight Program3, VMware’s global NG resource center. tal/pages/HR/university-propel
• University Propel Program4, a U.S.-based rotation R&D program. 5 https://blogs.vmware.com/ca-
reers/2021/01/meet-the-2020-vm-
• Achieve Scholarship5, provides women a one-time award of $10,000 if they are ware-achieve-and-vmware-rise-
pursuing a Computer Science or related major. scholarship-recipients.html

74 | INNOVATE | JUNE 2021 VMWARE CONFIDENTIAL

 • High School Immersion6, a growing program that engages students at the high school 6 https://octo.vmware.com/high-
level interested in pursuing a degree in Computer Science. school-virtual-hackathon/

University Talent timelines & hiring processes

Unlike industry-level talent who can be hired anytime throughout the year, UT relies on
a seasonal cycle to recruit and hire based on academic calendars around the world. We
asked Maria for her perspective on the reasoning behind this structure, and some of the
benefits and challenges to this timeline.

As Maria explained to us, the best university plan is to interview once and hire twice,
meaning there is a great focus to hire the best interns, which allows VMware to get the
best NG full-time hires when they graduate. To get the top student talent means having an
overall hiring plan up to 1-2 years in advance, as many students find their job or internship
far ahead of graduation.

The UT hiring season follows the major global school timelines. The 2022 UT season
is from July 1, 2021—June 30, 2022. Globally, this means UT works on the overall 2022
University hiring plan from April 2021 to June 2021 and opens all planned NG and intern
requisitions by July 2021, even though the soonest VMware has student hires start is
February 2022 (the beginning of the new FY23 fiscal year).

While this timeline might seem very proactive—and a bit counterintuitive as upcoming
UT plans are made before annual budgets are set—Maria emphasized that timing is a
huge factor in capturing optimal university talent, especially from a DEI perspective
(we’ll discuss more later in the article). While hiring for industry positions happens
on a shorter cycle—usually month-to-month—university students are dependent on
when universities and/or local labor laws allow them to work outside of studying over
the course of a school year, so it’s ideal to have UT focus solely on those optimal hiring
periods. We work carefully with hiring teams to ensure they get the full benefit of having
student talent as interns and NG hires, so a lot of thought and planning is put into the
entire UT experience.

Importance of university level talent—and what they bring to VMware

When we were talking with Maria, Katherine, and Cherielynn about their roles and
experiences, their enthusiasm for UT was immediately obvious. While many teams at
VMware are familiar with hiring interns and NGs, they still wanted to emphasize the
benefit they bring to teams, as well as the general importance of university-level talent to
a company’s overall talent acquisition strategy.

As a UT Engagement Manager, Maria has a unique perspective on university-talent, as she

sees it mostly from the BU-perspective. When asked about the importance of university-
level talent, Maria believes companies should take advantage of the fact that students are
likely in tune with the newest technologies, which allows the hiring companies to stay
competitive and relevant. As Maria puts it, “students have an edge in being unvarnished
problem-solvers who are natural early adapters of the latest tech.”

Cherielynn and Katherine see the benefits of university talent through their direct work
with interns and NGs. When asked about the best part of her job, Cherielynn said:
Without a doubt, the best part of my job is getting to know the interns and listening to their
experiences. There’s never a dull moment with the interns. It’s a plus when they come back
as new grads, and I get to see them further their careers at VMware! Cherielynn Tsay

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 75

 From her work overseeing the AMER Intern Program, Cherielynn has taken note of the
innovations and new viewpoints interns can bring to the table. As Cherielynn says:
We always talk about innovation as a pillar of our growth and I believe our interns and
new grads plays a role in that. This emerging talent brings fresh perspectives to the table
and are always willing to push the envelope with a passion for technology. The pipeline we
have quite literally builds the future workforce at VMware! Cherielynn Tsay

Like Cherielynn, Katherine sees the benefit NGs have to VMware culture, technology, and
customers. According to Katherine,
New graduates bring a fresh set of ideas and energy to the company that can be quite
infectious! They’re creative, social, and willing to go above and beyond at the opportunity to
learn. For many new grads, VMware may be their first corporate job where they are working
on real-world projects, and they bring in fresh perspectives and a can-do attitude that is
beneficial to VMware’s culture and growth.

When asked about the best part of her job, Katherine answered,
The best part of my job is being able to work with students who are hungry to learn new
skills and ready to challenge themselves at VMware! I particularly enjoy working with
students because they bring a fresh mindset to VMware, and I believe we can learn from
them just as much as they learn from us. Katherine Nguyen

Like Katherine, Maria believes in NG’s high-impact energy and desire to create value for
their teams and customers. As she points out,
Teams benefit from hiring New College Grads because they are eager, bright employees who
are ready to learn the basics of the job. This also allows experienced workers the ability to
take on higher level projects—so everyone wins.

COVID-19 & University Talent

For over a year, COVID-19 has impacted every part of our lives, including the way we
recruit, hire, and build experiences for our new hires. Across the technology industry,
the COVID-19 pandemic and subsequent all-virtual environments changed the way the
internships had been run in the past, with many companies cancelling their 2020 and
2021 internship programs altogether. Despite these changes, the VMware University
Talent team was able pivot quickly while still bringing in top-tier talent. Maria Raimundo

We asked Cherielynn about how COVID-19 impacted her work and the internship
program. Overall, her team was surprised how the framework of their program was not
dramatically different when they decided late in the planning season to make the 2020
internship program completely virtual. In some ways, managing the logistics of all-virtual
internship events was actually easier than previous years’ in-person events, and costs
were cut down significantly. Also, more people were able to attend virtual events than ever
before; the annual Intern Poster Session used to be tied to office locations, but the 2020
virtual Poster Session allowed over 2,000 VMware employees from all over the world to
attend!

Understandably, the biggest difference from previous years was the lack of face-to-face
interaction the interns had with other interns, their managers, and their mentors, but,
regardless of that change, interns still had an overwhelmingly positive experience. The
VMware Global Intern Net Promoter Score for the 2020 UT Season was 86.5%—on par
with previous years.

76 | INNOVATE | JUNE 2021 VMWARE CONFIDENTIAL

 Overall, the switch to a virtual internship encouraged the team to think outside of the box
and re-evaluate their processes. For 2021, the decision to go virtual was made far earlier in
the planning season, so Cherielynn and her team has plenty of time to adjust the program
based off the feedback from last season.

From Katherine’s perspective, hiring of NGs has not been greatly impacted by COVID-19.
In the beginning of the pandemic, they had to establish some new processes, but now
they continue to see many applicants and referrals. As Katherine works on many of the
UT programs, she notes that each of VMware’s partnered universities have seamlessly
transitioned to virtual events and conferences.

Also, VMware’s flexibility to work remote has allowed Katherine’s team to have a greater
reach among the new graduate community, as it increases opportunities for new
graduates who may not have considered VMware before because of office location or
relocation limitations.

Unfortunately, COVID-19 delayed 2020 UT hiring by almost two months—a very long time
in the University Talent realm! However, in terms of global recruitment methods, Maria

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 77

 is confident that the virtual engagement with students will be the norm from now on.
Before COVID-19, UT was already transitioning away from solely in-person career fairs to
virtual formats, as some countries saw attendance skyrocket when the event moved to a
virtual platform well before the pandemic. While it’s still too early to see how lasting some
of the changes will be, Maria notes that “it’s reasonable to assume virtual event hiring and
brand engagement are worthy investments for UT moving forward.”

Beyond UT, other teams within VMware saw a shift in how they partnered with interns
in 2020 due to COVID-19. VMware’s Research & Emerging Technologies team within the
Office of the CTO is enthusiastic about hiring interns to work on their ground-breaking
research projects. Interns bring a different perspective and new technologies to the
project. Their curiosity and fresh eyes inject a new energy into the team. In addition to
having unique knowledge and skills, interns serve as a conduit to collaborating with their
respective academic research groups.

COVID-19 brought both challenges and opportunities to the research intern program.
Many interns and researchers missed the in-person aspects of working together that we
all miss—mostly lunch. In lieu of crystalizing ideas via whiteboard, teams utilized Slack
and Github. Researcher Lalith Suresh had a very productive summer with his remote
intern, as he explained, “we’ve been using Github heavily to brainstorm. He thinks of an
idea or next step, writes it down in detail in a Github issue. Then the rest of us pile on and
iterate from there.”

Researcher Radhika Niranjan Mysore found the lack of physical location as an advantage.
She said,
Being diligent about writing down ideas, thoughts and decisions made throughout the
project helps with remote collaboration, but beyond that it helps if you’re working on a
publication you move more quickly in terms of the paper content and getting it in shape
well in advance of deadlines.

The networking aspect was helped by having a summer-long game, where interns were
paired with 3 different researchers every two weeks to solve a “fun” problem. While not
quite as effective as impromptu office chats, it did provide interns a chance to work with
folks that weren’t part of their project and do some informal networking while remote.

Innovations in University Talent

Innovation can be seen across VMware, from our Product organizations building new
technologies to our Operations teams supporting our employees through forward-
thinking programs, and the UT team is no exception. We asked Maria, Cherielynn, and
Katherine how they thought VMware’s UT team was innovative, especially compared to
other companies in the industry.

Cherielynn believes UT team's innovations comes down to the overall experiences and
opportunities VMware interns get to have. As Cherielynn points out, the interns get to:
Work on cutting edge technology and projects that have a business impact but also
experience our company culture firsthand. The way our managers, mentors, and teams
model our EPIC2 values day in and out truly makes a difference in their intern’s experience.

Katherine also sees innovations through the UT experience, specifically in the UT hiring
programs offered by VMware. Programs such as Academy, Propel, Launch, and Flight
ensure every new graduate, regardless of position or team, will be well-equipped with the
tools and resources needed to excel at VMware. As Katherine also points out, unlike other Cherielynn Tsay

78 | INNOVATE | JUNE 2021 VMWARE CONFIDENTIAL

 companies, every NG is onboarded into at least one—if not two—of the programs, which
guarantees that no new graduate is left behind.

Maria also attributes the experience offered to interns and UT’s hiring programs to the
innovation of the UT team. Interns work on projects that are both meaningful and tied to
VMware’s bottom line because UT views interns as future permanent hires.

Maria also notes the innovative strategy in how UT reaches students from diverse
backgrounds. Aligning the UT annual planning with academic seasonality is a big
benefit in this area, as 70% of the overall DEI UT strategy and budget is focused on DEI
conferences and branding events, most of which happen in the September to December
timeframe. Therefore, BU’s having their intern and NG plans ready to go by the start of
the UT season on July 1 allows them to get embedded into the DEI recruiting community.
Outside of the US, VMware partners with many universities on their top-tier computer
science curriculum and they also support student populations with higher concentrations
of women and/or underrepresented minorities.

Get Involved with University Talent

Now that you’ve read all about the benefits and innovations happening within the
University Talent space—not to mention the adaptability of the UT teams when
something unprecedented like COVID-19 happens—you might be wondering how to get
involved!

One of the best ways is to check out the Get Involved with University Talent Source
Page7. From there, you can learn more about UT programs to volunteer with, and find UT 7 https://source.vmware.com/
portal/pages/HR/get-involved-
contacts to reach out for more information. You can also reach out to Walter Christmas8 with-university-talent
or Monisha Kothari9, two members of VMware’s University Talent team who can answer 8 wchristmas@vmware.com
questions and help get you involved. 9 kmonisha@vmware.com

Another way to get involved is to encourage your leadership to hire interns and NGs.
Reach out to your University Talent Engagement Manager to find out more about what
your BU can do. As we’ve learned, interns and NGs can contribute in many more ways
than helping with a project. They offer new perspectives and help in finding creative
solutions, as well as positively impact VMware’s culture and direction. And while we
might be past the planning cut-offs for UT’s 2022 season, it’s never too early to start
thinking about 2023!

Thank you to Maria Raimundo, Cherielynn Tsay, Katherine Nguyen and Lori Blonn for
their help with this article and their positive impact on VMware through their hard work.

Kate Wilkinson is a Sr. Program Manager working in the Office of the CTO. She’s an expert in
diversity matters and leads that effort in OCTO. She also happens to be an amazing human
being. You can reach her at katherinew@vmware.com.

VMWARE CONFIDENTIAL INNOVATE | JUNE 2021 | 79

STAFF
DEXTER ARVER
LORI BLONN
BEN DUONG
SLOAN GRIFFIN
BOB MOTANAGH
ZACH SHEPHERD
KATE WILKINSON
ANDREW ZUSMAN

EDITORS
DEXTER ARVER
MOHSIN BEG
LORI BLONN
BEN DUONG
AUSTIN ROTH EAGLE
BEN PFAFF
LEONID RYZHYK
JOE SAMAGOND

CONTRIBUTORS
DEXTER ARVER
RUMEN BAROV
SHAWN BASS
EMAD BENJAMIN
BRIANNA BLACET
MIHAI BUDIU
LUIS VALERIO CASTILLO
CRAIG CONNORS
JOHN DIRICO
ERICA DOHRING
JEN HANDLER
MICHAEL HEIN
GREG LAVENDER
PERE MONCLUS
BOB MOTANAGH
DALE OLDS
CHIRAG PATEL
RENU RAMAN
TOM SCANLAN
NATASHA TUCK
KATE WILKINSON
ANDREW ZUSMAN

VMWARE INNOVATE
JUNE 2021
VMWARE CONFIDENTIAL

The journal cover is a digital art piece by

Hanna Friend called “Perpetual Innovation".
She would like y'all to know that this is The
Super Duper Fun Issue.

Also, we’re always looking for interesting

stories. If you have a story to tell, reach out
to Dexter Arver on Slack.