Palo Alto Networks Inc (NYSE:PANW) Zero Trust Architectures Virtual Thematic Conference June 25, 2020 12:30 PM ET

Company Participants

Nikesh Arora - CEO

Nir Zuk - CTO

Conference Call Participants

Keith Weiss - Morgan Stanley

Keith Weiss

Welcome, and thank you for joining us this afternoon to everyone on the line. We're very pleased to have with us on our next presentation on our Zero Trust Architectures Virtual Conference from Palo Alto Networks both Chairman and CEO, Nikesh Arora, as well as Founder and CTO, Nir Zuk had some technical difficulties on the back end. So Nir, maybe a question to start out with for you. The theme of the virtual conference today is Zero Trust Architectures and it's a buzzword that we've heard a lot and a lot more over the last year or so. But I still get a sense that it means different things to different people. Could you talk to us a little bit, what's the Palo Alto Networks perspective on it? What does Zero Trust Architectures mean and where does your portfolio fit into that?

Nir Zuk

Sure. So we believe Zero Trust is a concept in cybersecurity where every entity, whatever that is an endpoint the workflow, the server cannot trust anything that happened before that and anything that happens after that and it's responsible for its own security. So let's take an example.

Let's say that a private banker, Morgan Stanley gets a call from the customer, they need to go into the customer account through an application. It starts with, you need to trust the machine they’re running, we need to trust the operating system, you can trust it, maybe it was tampered with, need to trust the application that we use, it might be web browser with plug-ins, you need to trust all of those, then the user access their private banker in this case accesses the front end server, there need to be trust established there, the server cannot trust the user, cannot trust the input so on and then after that, there are probably several micro-services behind it in the form of hosts and VMs and containers and serverless functions, the public cloud all the way to where the data is, which can be as application like a database or like a database in a Cloud, private or public cloud application, sorry environment that again Zero Trust is at every stage of these stages, you can trust what happened before.

You need to re-verify everything. So in micro-service in the form of your container needs to be able to verify that another micro-service in the form of VM. So before they talk to each other, we need to verify each other's identity, we need to look at the content and so on. So it starts with endpoint security. Let's make sure that the endpoint is secure. Then you have what's called Zero Trust Network Access, ZTNA which is really most of the vendors that you will talk to when they say Zero Trust, they really mean that little portion between the user and the first server that it is, Zero Trust Network access, verified the user, verified the content of that that there is no malware and you’re exploited, no command and control and so on. And then from that server, you go to the first micro-service that needs to verify again, everything that's happened before and so on.

All the way to PaaS security at the end. So it's to us Zero Trust is really end-to-end, each component as little as possible is responsible for its own security. And now if you and maybe before I talk about products, then there's another layer to Zero Trust, the way most security organizations are set up, they have the security operation center or SOC which essentially is there to verify again, all the trust decisions that have been made.

So yes, I allowed you to log into a system. But I want to verify that it was okay because if you look into a system from one place and then three minutes later, you logged in from another part of the planet, then something is fishy. So you have to re-verify everything. And that's what this SOC does, so the SOC looks at all the trust decisions, I mean it's not the way the SOC positions. But in essence, what they do is they look at all the trust decisions and they have to go and re-verify them, right. So and again when you talk to other vendors, they will have components of that being presented with Zero Trust, right. So some of the network security vendors and the proxy in the cloud vendors would say that ZTNA is Zero Trust, no it's part of that, it starts with the endpoint, then comes ZTNA, then commodity says, if you talk to identity access management vendors, they will say authenticating the user with Zero Trust.

No, it's not, it’s part of Zero Trust, you have to take that identity and run it all the way through, they only authenticate the user at that point. But who's going to make sure that at the end, the access to the database is a result of what the user did in some malware or something like that. So different vendors of course, I mean it's all self-serving. I mean, we're also self-serving right, when we say that it's end-to-end, I talk about the portfolio in a second, but different vendors would look at different components of Zero Trust and say this is Zero Trust for us. We believe that it's an end-to-end. If you look at our product strategy, right it starts with input security, which is more Cortex feeds. And then you have Zero Trust Network Access which is where the physical firewalls as well as Prisma Access fit.

And we're seeing more and more shift towards Prisma Access for Zero Trust Applications. Then you have Prisma Cloud which runs inside all these different micro-services and establishes all the Zero Trust right in containers and in VMs, and so on. And we made a bunch of acquisitions there. And at the end, we have PaaS security, which is again Prisma Cloud right tool to evident acquisitions that do that. And on top of all of that sits Cortex which collects data from the entire infrastructure, reevaluates all the decisions that we made for the SOC and automates these the processes of responding back or changing things if Trust decision was, it wasn’t incorrect.

Keith Weiss

Got it, that's super helpful. And Nikesh, from your perspective is Zero Trust the concept that you're hearing from customers. Is that something that they're asking you about? Is this actually driving purchase decisions for Palo Alto Networks yet? Or is this more of a sort of a marketing and a buzzword we're using on our side of the fence?

Nikesh Arora

Well, I mean what I understand is that the gentleman who coined the phrase Zero Trust, (inaudible) came to Palo Alto Networks how many years ago here, Nir? Five, six yes six years ago, John Kindervag wrote the first piece of seminal piece of work on Zero Trust in Palo Alto Networks, so we have been presenting Zero Trust since he came to Palo Alto Networks and he's been champion both externally and internally. So we've been presenting our solutions as enabling Zero Trust across the board for as much time, we do hear customers and as they're going through their security architectures wanting to make sure that there is Zero Trust capability across every piece of the security chain.

Just that that drives the conversation. I think there's a fallacy that any one vendor out there has a solution for Zero Trust because great, it has Zero Trust for identity management. What happens after your credentials allow you to get into the rest of the network, who's making sure that Zero Trust as your traffic traverses through bylaws or traverses the cloud or if your access provider great, you secure from the point I enter till the point I exit, but what happens after you exit in my infrastructure and what happened before the point I inverted the laptop or from an endpoint? So I think there's a fallacy that there is one solution, one silver bullet in the Zero Trust world and that one or two vendors are going to win the race because they solve Zero Trust.

We actually need every element of your security architecture to solve Zero Trust and it's more an architectural approach from our customer that allows them to do that as opposed to any one particular solution. As they articulated, we've tried to make sure that every one of our products fills that gap, at least from the point we see a user come in further into the Cloud network with that the infrastructure all the way through that.

Keith Weiss

Got it. Can you talk to us on how companies actually deployed it, when does this shift toward more of a Zero Trust Architecture come into the environment? Is it layering on additional sort of aspects of security? Is it are they taking out any elements of the security like, how does this come about and does it matter the company size, is an SMB going to go about this differently than a large enterprise?

Nikesh Arora

Well, I don't think they need to go a different way. Just you may need less security solutions that if you don't have a Cloud instance, you don't need or if you don't have a data center, you just go to the Cloud, you don't need anything in the datacenter. So you may find a reduction in scope of what they need to do because the size of the business, but the more complex the business you can take Morgan Stanley, you guys have a reasonably robust and complex IT architecture and you probably have a multitude of vendors providing all this stuff then becomes if you don't, if you're not careful, and you have too many people solving the same problem, then the cost of stitching all that together. The owner sits on (inaudible) diversity so and the less we have complexity, the less number of vendors we have, the possibility of using solutions that work together allows you to reduce that footprint, but Nir do you have anything?

Nir Zuk

One thing I would add is that especially the ZTNA is a Zero Trust Network Access, vendors are trying to present this as something new and thorough and something that's never been done before. Okay, I'm sure you have the VPN client on your laptop 20 years ago. And I don't know if you've ever used those SecurID cards, right, from RSA, that was Zero Trust, right. You have a VPN client on the laptop trying to access your organization, you verify who the user is. Okay, so back then it was not as sexy as Okta, but it was a SecurID card. And it was all encrypted, and you didn't let anything in, that authenticate. That's Zero Trust. Okay, I built those systems 25 years ago for another company. So it's not something that's new.

I think the concept that's new is to do it end-to-end. And the pieces that are being talked about the most are the ones that have been done for 20 years. The pieces that customers are looking for, but I would be talking about publicly are really the new ones that the part where you do inside organization between workloads and between the endpoint or all the way to the PaaS application, where the data is that that's the new part.

Keith Weiss

Got it, got it. So you guys have been investing a lot in a new part and we could talk about that sort of the, a lot of the acquisitions have been sort of building out the Prisma Cloud as you guys to secure the assets in the PaaS type environment Twistlock they are enabling to secure these new micro-services as well as building out Prisma Access. Over time, I think the question I get most from investors is about the other side of the equation, the stuff that's persisting in the data center. What does this mean for traditional firewalls, are traditional firewalls still an important component of the security architecture? Do they rise or fall in their sort of importance or sort of where they position as a central part of the security architecture?

Nikesh Arora

I’m going to give you the commercial context. And then Nir can give you the technical context. But I think if I read your software or your colleagues, they're telling me that they expect 30% to 50% of the IT infrastructure customers out there move to the public cloud in the next five to 10 years right in some context. If you believe that is true, it's somewhat of an issue where we shut down most of our data center in the last few years, and we moved a lot of it to Google and Amazon on the back-end as a public cloud. We don't mind, we don't have that big data center. So we will not be buying as many firewalls as we were, we’ll not be deploying any firewalls as we were two years ago, because we're sending less traffic in the data center, we're sending it to AWS and GCP. But what we've done is, we've put a virtual firewall in front of our GCP and AWS instance, to allow the same capability to monitor the traffic now going towards public cloud.

We replaced the blocks in the software, the firewall feature is still there, we still would have somebody paid for the loss that they pay for that. And all of our employees use Prisma Access to get access to Google application in terms of public cloud, so we don't have a physical firewall sitting in many of our offices, we can use Prisma Access to do that. I think the form factor change will continue to happen in the next five or 10 years as we go from hardware to virtual firewalls, or firewalls deliver the Cloud to Prisma Access or virtual machines, I think the need for firewall capacity in the industry will continue to grow at 6% to 8%.

As I said because look at what's happening in the Google world, the thing that's working is your technology based capabilities, whether it's selling something whether it’s Nike or whether it's Walmart, everybody is doubling down on a technology infrastructure and the need for your customers to log in, or ask for services and the online work, which gives you more capacity, capacity keeps going up for IT technically and you start deploying using the cloud more data centers, you'll need more capacity to do firewalling. How are you doing whether it's hardware or software becomes a second question.

As long as our entire categories are going, we believe we need to continue to need to take share, but Nir do you have more technical?

Nir Zuk

I think you got all of it. I think the one important thing is that we think it's going to remain a hybrid world for quite a while. It's important to have physical firewalls, virtual firewalls, as well as cloud delivered firewalls for Access that are completely compatible with each other. So you can make a decision what's good for you at every location, in some locations you want physical, some location you want virtual, in most locations for Access you want remote access in most locations, you will virtual, in most physical data centers you need physical, in large headquarters campus, physical refers to campuses and we believe that one of our advantages is that we have all of them are the same thing. And it's the same way and you can either change them technically from one to another in a matter of seconds.

Keith Weiss

Got it, so the advantage that you would hold, having sort of multiple form factors for the same kind of underlying firewalls means a common rule set across all of them, common administration, you get visibility, common data set, coming from all the different firewalls whether they're virtual, whether it's Prisma Access, whether it's a physical firewall, and that gives you a more holistic view on what's going on, on that network?

Nir Zuk

And it simplifies the customer environment, you don't need many vendors and you know we have the subscription services that run on top of all of them. So if you want to do threat prevent ITS, ITS right, if you're filtering across all of them, it's the same. And we recently launched our IoT Security Service. If you want to do IoT security, it's the same across all of it, doesn't matter which form factor you use. So that's another advantage we have is that our architecture is that, it's really subscription services, security services running on top of physical, virtual and cloud delivered and it doesn't matter which one you use. It's the same function everywhere. So migrating from one form factor to another is technically very simple.

Keith Weiss

Got it. It's hard to have a discussion nowadays and not bring COVID-19 into the equation and it's sort of the -- because there's huge disruption, huge changes in the way that people are working, at least from my user population, in near-term and we think it's going to, we're not going to all revert back working in the office anytime soon, it's probably going to be more permanent change. And it does seem like digital transformation is taking place faster like you're talking to Nikesh. What's the shift away from physical towards virtual like what's the implications for security broadly or more specifically for Palo Alto, where you're seeing demand for your portfolio?

Nir Zuk

Sorry, what's happening, I think out there is as I said earlier, people are getting one, everybody's realized that employees need to work from both the office and their home in an effective manner. So in the past, if you would have provisioned 8%, 10%, 15% of your employees to be able to work from home now there is a serious need to make sure that 100% of employees can work remotely and you can guarantee them the response times from your corporate data center or your cloud instances back to them in a way that makes it seamless and secure.

So you’re going to see this continued trend. I think we have not seen that trend so far aggressively in the numbers, because a lot of us including us, and many of our peers in the industry offer free service capacity for all those customers to make sure that the customers could make this happen without having to go, run through a purchasing process or contracting process. And also trials those search capacity offers are about to terminate hopefully in the next two to three weeks. So people have to go back and think about do I need this extra capacity in an ongoing basis? Or am I done and most likely, most people have not done because I don't see many people going back to the office yet.

So they're going to have to rethink how they want to think about remote secure access with employees. Some of them will just increase capacity for their existing solutions. Some of them will step back and look at the architecture and say maybe it's time for me to upgrade that solution to a different vendor or not. So we think that trend is going to continue. I think it is becoming visible that more and more customers are contemplating, moving a lot of their back end infrastructure to the cloud as evident in the success of the cloud service providers.

And I think that trend continues and that the margins will probably accelerate that which for us is good because it creates the need for a comprehensive cloud security platform which Prisma Cloud is. So that's kind of helpful on the Cloud front. But there's a lag because as people go get on the cloud and realize that putting stuff in production, they didn't go make this happen. And once you actually move to the cloud and step back and say, wait a minute, I'm not bringing all my traffic back to my data center, because all my data centers now AWS, or GCP, or Azure or Alibaba, that's when you start seeing the MPLS replacement or SD-WAN starting to happen.

So I think all these three trends are going to get accelerated with what's happening on the world right now. It's good for security. I think you have to couple that with the fact that there is still 20 million people filing for unemployment benefits on a weekly basis. And there's still a lot of people who are not going back to work. So there's going to be some companies, you're going to have to downscale or right size their businesses, and I don't have enough as to how to balance the two. But I think the long-term trend is accelerating. And in the short-term, we're going to get muddy data.

Keith Weiss

Got it.

Nikesh Arora

So maybe one more trend that we're seeing is around automation. So I think that the move of the security operation center from being 10, 20, 50 people sitting in a room or in multiple rooms and running the infrastructure to all of them sitting in different homes in different places and trying to run the infrastructure is leading to a lot of need for automation.

Keith Weiss

Got it.

Nikesh Arora

So we're seeing certainly a lot of deals around automating security operations.

Keith Weiss

Got it. This is actually a question that we got up at the webcast. This is pretty interesting, but as your business is shifting more towards the Cloud. I think if you think about the newer businesses, $800 million run rate business now with your Cloud businesses? How does that shift the competitive environment for you guys? Are you still running up against your traditional kind of firewall peers have a Check Point, Fortinet or is a new competitive environment out there of where you're competing with Prisma Access or Prisma Cloud and the like?

Nikesh Arora

So it's both, there are customers out there who are still upgrading their firewalls or refreshing their firewalls and we will run into traditional firewall vendors over there, there are customers who’re evaluating their endpoint strategy with the coming of EDR, XDR and looking at saying, How do I get to the next generation, which is where we see a lot of our business Cortex XDR. We see a lot of automation with Cortex XSOAR and the cloud security space, we don't see many people. We see a lot of customers, there's more honestly evangelical job right now because there is just illusion that I've just got my concerts prior to give me some capacity, I'm sure that they give security. And all of them make the point saying look, we're guaranteeing the security of the infrastructure.

But it's the application on top that you build. And when you put them in production, the firewall you need, that's still your responsibility as a customer because we don't have visibility into how porous or how robust, you're making an application. That's where Prisma Cloud comes in, it's not protecting Amazon servers, it’s protecting the applications that you as a customer are putting into the public cloud.

Keith Weiss

Got it. And Nir, maybe for you, I'd love to get your perspective particularly when we talk about that Zero Trust Network Access part of the equation. There's a big industry debate going on, do you need a proxy up in the cloud or if you do it without a proxy? What's your take on that debate?

Nir Zuk

You want me to repeat what I said in Analyst Day a year-ago, I couldn't do that. I already killed two generations of proxies in the past, right. The checkpoint we killed the old secure computing Grapple TIS and so on. And then at Palo Alto Networks, we killed Blue Coat and their competitors. Proxy is not a good solution. Proxy is an easy solution. It's not a good solution for security. It's the easiest way to deliver security but you can't really deliver good security and you cannot deliver good networking with it. And customers will look for alternatives to proxy, if there is that you cannot run a Zoom through a proxy.

If you look at our proxy competitors, they will give you their latency commitment is 100 millisecond average over a month. Our latency commitment is 10 millisecond over an hour. So just if you can avoid a proxy, you will avoid a proxy that's been proven twice already in the past, right checkpoints and that inspection firewalls killed the proxy and then we killed Blue Coat, it will happen again. I'm sure and just there was never really a good reason to use the proxy other than it's easy to deliver basic functionality with that.

Keith Weiss

Got it. I want to dive a little bit deeper into the solution portfolio. You guys just rolled out a new PAN-OS 10.0, you’re calling it more of a machine learning powered next gen firewall. Could you talk to us about sort of (inaudible)

Nir Zuk

Things there, the first one is there's always been the debate of seeking to prevent things is has diminished over time because things change very, very rapidly. And so far now these two signatures in the network as paid to do things outside of the firewall because running something that's not a signature and spending, this is very, very difficult, right.

So the way it would work until recently, I think we made the announcement last week is you run signatures inside, and then whatever, you cannot stop with the signature because you send it to the cloud, you process things there and then when you find something bad, we go to next process, we think that the best process is to bring machine learning into the firewall itself. So you can do a lot of the things that traditionally were running outside of the firewall in the firewall itself in bandwidth, they know through the use of the hardware that we have on physical firewall and the software plus hardware that we have on Intel in the virtual firewall, we're able to bring machine learning into the firewall itself such that we can do machine learning in real time versus signature in real time and machine learning offline. And then there are really four major things that we put into the stuff we believe are disruptive at least as disruptive as what we've done 13 years ago.

Next generation firewall introduction, the first one is machine learning internally inside the firewall using machine learning, there are still things that require machine learning there's not enough power in the firewall. So we have the capability of sending information from the firewall to the cloud but holding the data packet and within 10 milliseconds receiving your client and sending it forward, and in many cases not make sense like DNS for example security, where you hold a DNS request, you send it to the cloud, we look for DNS attacks within 10 minutes, using machine learning using their computing the cloud within 10 milliseconds, you have an answer you send the packet through.

The third thing that we introduced that is very important is for things that do take longer as I said, the processes and send it to the cloud we process and then you send back signatures. Most of the industries have 24 hours, every 24 hours, they'll send signatures back from the cloud. Over the last several years, we brought it down from 24 to five minutes, 24 hours to five minutes in time we spend over doing it in real time, meaning once the cloud has an answer, within a few seconds zero delay, the signatures are in the firewall and the firewall is able to stop them.

And the last thing that we added is collection of the telemetry data from the firewall, so that we can automate the configuration of the firewall and the use of the firewall through machine learning. One of the biggest complaints we hear from customers of ours, not complaints, but when you ask our top customers, what keeps you up at night. The number one thing is always configuration errors. I have the best technology in the world from Palo Alto Networks, whatever but people still make mistake when they configure it. So what we added is the ability to collect, we collect information that enables machine learning to go and figure out that things are configured correctly with customer base, things like that.

Keith Weiss

Got it. I want to touch on CloudGenix, the most recent acquisition that you guys have made getting further into the SD-WAN space. SD-WAN for me has been in a confusing market, there's people coming at it from sort of pure networking side of the equation. VMware is in this marketplace, Fortinet is in this marketplace. And now you guys have doubled down with Genix. Why does Palo Alto Networks need to be in the SD-WAN space number one and number two, what’s the customer reaction then thus far to that acquisition?

Nir Zuk

Sure. So what is SD-WAN, SD-WAN is just the more efficient way of running things on top of the Internet versus just sending traffic to the Internet. So if you want to move away from private networks like MPLS either because of cost reason more importantly, because your applications are now in the cloud. And you're going to use MPLS to send your application traffic to the cloud.

You want to move to the Internet. The Internet is not that great. You probably are seeing when you use the Internet every now and then it gets stuck or it gets slow or latency is very hard, right, if you type something in then you get an answer in two seconds. That doesn't work for enterprise applications. So SD-WAN is a technology in general to make that better, how you first can connect with the Internet with multiple Internet connections, one from one service provider, one from another.

And then SD-WAN is making decisions as to where to put the packet, is it better to send a packet from here, is it better to send a packet from here and sometimes which path should I take, and so on. Now that sounds great in theory. In practice, even if you put the packet on the right lead, a few hops down the road, a few routers down the road, your decision doesn't matter, you end up in the same router, and then you have conditions and things like that.

So we're seeing more and more SD-WAN architectures move from we'll send the traffic from this point to this point using SD-WAN to we're going to create hubs. We're going to create hubs of SD-WAN and connect them with public private links and then use SD-WAN just to get to that hub. So I'm going to use the Internet for the first month and then the actual network is either private or semi-private and piece around that.

And that's what we're seeing customers are doing with SD-WAN equipments in general. Some vendors don't have the capabilities of doing it, some vendors provide a typical doing it. And what we said is, yes, that's okay. But then you have to manage those apps, and you have to buy private links and pay for private links. And there's very -- it's very difficult to get private links that will cover the entire planet in all the apps that you need across all continents, most countries, let's provide it as a service. That's called Prisma Access. So Prisma Access to us is for the case use case of SD-WAN are really that have hubs and all the connectivity between them.

And now the question is, okay, how do you connect from the branch office to the Prisma Access to the hubs. And there are two ways to do it. One way is with a physical firewall in the branch that has SD-WAN embedded in it, and that's what we've done first. And the second way is you forget about the firewall we just put a simple SD-WAN device in the branch, bringing the traffic to the cloud into the firewall into the cloud which is what CloudGenix was doing for us.

And by the way, we support other SD-WANs as well. You can use VMware SD-WAN, you can use Cisco’s SD-WAN to get into Prisma Access. From us, you have the full firewall and you have the standalone SD-WAN and both are valid use cases. We also have customers that still say what Prisma Access is nice. I want to build it myself. So they buy either the firewall or CloudGenix with the branch office, and then they buy our high-end 7000 series firewalls, they put them in data centers, they buy private links, they build their hubs. Basically, they build Prisma Access themselves, using our physical firewalls or virtual firewalls in something like Equinix data centers around the world.

Keith Weiss

Got it, excellent. I got a ton more questions. But unfortunately, this takes us to the end of our 30 minute time slot. I want to be respectful of your time. Fascinating conversation, thank you very much both for joining us and thank you to all the clients on the line. Please stay tuned for the rest of the programming this afternoon. We have a couple more companies to talk to. If you have any questions about this presentation or anything that we're talking about today, please feel free to reach out to myself or anyone else on my team. Thank you very much for everyone for joining us.

Nir Zuk

Thank you, Keith.

Nikesh Arora

Thank you.

Keith Weiss

Thank you, Nikesh. Thank you, Nir.

Question-and-Answer Session