Microsoft Corporation (MSFT) Earnings Call Transcript & Summary

Good afternoon. My name is Diana, and I will be your conference operator today. At this time, I would like to welcome everyone to discussion with Microsoft Security conference call. [Operator Instructions] I would now like to turn the conference over to Mr. Keith Weiss, Head of U.S. Software Research, Morgan Stanley. You may begin.

Excellent. Thank you, and thank you to everyone joining us this afternoon for this conference call. We're very pleased to have with us today the opportunity to dive deep into the Microsoft Security business, a business that we think is bigger than a lot of investors appreciate, making Microsoft a more important leader in the security space than I think a lot of investors have really wrapped their head around. We wrote a report on this that we published late last week that gave our view into sort of where we see Microsoft playing, what they are leveraging within the installed base and their technology stack within that marketplace and our view on sort of how big Microsoft is in this marketplace. Today, we're going to be able to jump in with some people who actually really know what they're talking about, Ann Johnson, Corporate Vice President of Cybersecurity for Microsoft; and Andrew Conway, General Manager of Security Marketing. There will be a answer -- an opportunity for the clients on the line to ask their questions at the end, but I'm going to start off with some of kind of my high-level questions and dig a little bit deeper from there into Microsoft before we open it up for questions. So Ann and Andrew, thank you very much for joining us this afternoon. I hope this -- I hope we find you well during these pretty crazy times that we're finding ourselves in.

Yes. Thank you so much, Keith. Hope you and everyone on the phone and your families are also staying safe.

Yes. Thank you. Thank you, Keith. Same.

Excellent. So where I wanted to start off the conversation was just kind of a look back on Microsoft almost like how did we get to where we are today because it's a pretty remarkable transformation that we've seen in the security story at Microsoft. We went back 10 years ago, Microsoft was part of the bear -- security was part of the bear case on Microsoft is that this was an area that people are worried about, the security of the underlying operating system, the security of Windows systems overall. A lot of the initial efforts and the initial investment was in shoring up that image as to become a more secure underlying operating system, but it's gone so much beyond that over the past 10 years. Now you guys are leaders in -- I think it's about 5 Gartner's Magic Quadrants. You have leading market share positions in a couple of these spaces as well. And the security solutions are standing on their own as real, stand-alone leading security solutions in some of the forward-looking elements of the security landscape, stuff like the Sentinel business and security analytics. Can you talk to us a little bit about sort of, over that 10 years, what was the driving force? What was the impetus that drove Microsoft to get so much better at security so quickly?

Keith, I think it's a lot of things, and I'll hit on a few, and then I'll turn it over to Andrew. But I think that there are several things that were driving us from a market standpoint, from a customer and partner standpoint globally. First, I would say this huge proliferation of data, right? Customers are continuing to just amass large petabytes of data for storage. And that data, it needs to be secured. You couple that with the increase in cyberattacks and cyber criminals going well beyond nation-state to cyber criminal groups that are monetizing attacks for financial gain. You add to that, then, the move to the cloud, right, a lot of assets in the cloud very quickly for our customers. But that also becomes a place where customers are realizing that there's a potential in the cloud to actually improve their security posture because the ability to see events globally and react to them and respond to them in milliseconds, right, not now with a very decentralized system. And then the final thing I'll add is Microsoft as the platform vendor, right? A lot -- we have a very significant installed base of folks that are using our productivity tools, folks that are using our cloud tools, and of course, the Windows platform. So there is this inherent need and really an imperative for Microsoft to take seriously our role as part of the security ecosystem and make the investments to support that.

Got it. Were you going to add to that, Andrew?

Yes. I mean I would -- building on that, I would say was really this growth and sophistication in the number of attacks, which really spoke to the need for cloud-based technologies to solve them across things like artificial intelligence and automation. And so I think it was that recognition that -- it needed that new approach to really help customers here.

Got it. And you mentioned the increased level of investment. Do you guys give any detail in terms of the level of investment Microsoft is making behind the security portfolio today?

We do. We -- go ahead, Andrew.

Sorry. Go ahead, Ann.

We invest $1 billion annually, and we have 3,500 dedicated engineers working on the security portfolio.

Okay. Got it. Is there any way of assessing like how much of that is focused on making sort of like existing solutions more secure versus how much of that is focused on sort of the actual security SKUs that are monetized in the marketplace directly?

We don't break it out that way.

No. We don't...

Sorry, Andrew. We don't tend to break it out that way. It's a combination of a few things. One, the platform -- the inherent platform security that you need to run this platform securely; the solutions that we're monetizing and adding value to our customers in the marketplace to make their overall productivity or cloud experience as more secure; and also in the activity we do to fill in the white space, whether that's strategic partnerships or M&A-type activity. Andrew, I think you had a couple of things you want to expand there.

No. That's fine.

Got it. And then, Ann, on that topic, M&A has been a part the portfolio expansion historically. How should investors think about kind of the balance between organic and inorganic investments on a going-forward basis? Will M&A be a likely continued avenue of expansion for you guys?

We are continually looking at the portfolio and identifying where we think there is customer demand, market demand driven by attacks or driven by just new technologies that come to market. IoT would be something to think about or even artificial intelligence. And as we look at the market, we think about it. Is there a partnership we can strike there? Is there something organically we should build or something we have we can enhance? Or is there something we need to acquire? But there's no plan that says we're going to spend X by Y companies over years. It's all a very detailed analysis about where we are and what the market needs.

Got it. Got it. And then maybe a question for Andrew because this is kind of on positioning. The security market has, at least in the past 10 years that I've been focusing a lot on it, maybe even 15, just date myself, has been -- a marketplace has been very dominated by best-of-breed buying. And if you survey chief information and security officers or the like, the number of vendors in place in any particular enterprise, 60, 70, 80 is not uncommon whatsoever. Because of that, that's a breed buying. You've always wanted to get the best solution to control a certain vector or a certain threat vector in your environment. By its nature, Microsoft is going to be more of a suite solution that's going to be more of a platform for added security. Do you think Microsoft could change that bias towards best-of-breed buying and move more towards more of a consolidated spend with Microsoft?

Yes. I mean what we're hearing from customers, Keith, is that the bias is already shifting. So to your point, CSOs have many, many different solutions, and they're spending significant time and resources on vendor management and operational costs and even contract management around all of these different solutions. Also from a security point of view, there's a growing realization that the gaps between the security solutions and the cost of integrating the security solutions together is harming security and security posture and is also -- it's just not the place where our CSO wants to have that time -- their team spend time and money. And so I think there's already a move. There's already this move towards consolidation and more integration. The thing that I would push on there, though, as well is that we don't view this as a compromise. And so as you noted earlier on the call, we're working hard to have best-of-breed solutions in all of these categories, which are then, in turn, integrated together. And so Microsoft can offer customers solutions at that same best-of-breed quality, but then they have the benefits of best of integration.

Got it. Got it. That's a new -- that's a good segue into sort of the next area that I want to dig into is kind of let's drill down into some of the areas that you guys have shown leadership. I think Microsoft is now a leader, and correct me if I'm wrong, like 5 Gartner Magic Quadrants: CASB, endpoint protection platform, enterprise information archiving, unified endpoint management and access management. As I'm looking across kind of where you guys have seen success, it seems to me that the common theme is it's an area that you guys have had infrastructure success and that you have an installed base. And then because you have an installed base, like the -- obviously like in the operating system and the number of endpoints that are out there, it gives you a data advantage, that you just have so much data that's coming from all of those endpoints that you could utilize in the security fashion, that you guys are able to get a really differentiated security positioning for those areas. Is that a fair way to characterize where Microsoft has seen the most success in security thus far?

I would say that -- go ahead, Ann. Sorry.

No. Go ahead, Andrew. Please.

I would say the thing that I would add to that, Keith, is, first of all, I mean, it has to be a customer-led opportunity. So I guess the makings of any good strategy is identifying that customer opportunity and then bringing it together with strengths that Microsoft has. I mean if you think back to the very beginning of, say, EMS. If you think back to 2014, EMS was based around this secular trend of cloud apps and mobility. I think if you remember at the time, the world view was really around cloud first and mobile first. And so what was unique about our approach there was this ability to bring together identity and access management, which has been a long-time strength for Microsoft with device management and with MDM. And at the time, I think there were some pure-play identity providers and some pure-play MDM providers. But what was unique about our approach there was bringing the 2 of them together in EMS and landing this unique capability called conditional access, which has really spoken to this move to cloud apps, this move to mobility and now what's known broadly as a Zero Trust world here.

Got it.

I think on top of that, Keith, the ability that we have to see that global signal, it's multitrillions of signals on a daily basis, and to make our solutions better, to put those into all of the Microsoft threat protection suite so that we can both detect, block and respond and allow investigation. But also, it's that -- and Andrew talked about it, it's having both that best-of-breed plus best-of-suite approach. So the ability for Microsoft Defender Advanced Threat Protection at the endpoint to detect something based on all of that intelligence it's receiving, block it and then it notifies Office, and it notifies the Azure capability. So customers are truly taking advantage of having best of breed at their endpoints, but they're also taking advantage of the suite architecture that doesn't allow them to wire as they would or connect those if they had multiple third-party solutions at all of those places. And it's informed by all of the same intelligence, and it works together and communicates in near real time with each other.

Got it. Got it. So if we're going to take that framework of having that kind of unified view of the information, leveraging both kind of where you guys have existing installed base and where you have architectural and data advantage but also where the customers are trying to lead you guys in terms of what they're asking for in security, how does that framework inform what areas of security Microsoft's going to be focusing on, on a going-forward basis?

I think we always have to make certain that the first thing we're doing is securing our own platform and doing it exceptionally well. We need to then focus, and we do focus on being incredibly heterogeneous so that as we secure the Microsoft Defender ATP endpoint solution isn't just a solution that runs on Microsoft because as much as we would like every customer to be completely on Microsoft, they're not. They're heterogeneous. So we need to make equal quality and capability of solutions for heterogeneous environments. And then we need to think about what the future holds. We've seen -- Satya said recently that we've seen more digital transformation in 2 months than we saw in 2 years. With that comes the need for a really significant Zero Trust environment. In this unique world we're working in where people are remote and working from home, you actually have to have Zero Trust. It becomes necessary for companies. So the expression I usually use, Keith, is skating to where the puck is going, an old hockey reference. But that's what we're always thinking about is where are the threats, where are the bad actors coming into environments. We do a regulatory and a -- so an industry and a geographic cut of that and make certain our solutions are both really exceptional on Microsoft and really exceptional in a hetero and can hold up in that heterogeneous environment.

Got it. I mean can you give us any specific examples of some of those sort of emerging security marketplaces that Microsoft sees as very interesting today that you've been doing significant work around?

I'll talk about a couple, and I'll talk about one that's pretty disruptive. So Sentinel, which is our cloud-native SIEM solution, we saw definitely a market opportunity to be a bit disruptive there because the on-premise SIEMs were not scaling to keep up. Legacy SIEMs were not scaling to keep up with the cloud environments of customers. They were great logging engines, but they weren't necessarily like analytics engines. They weren't necessarily scalable, and they certainly weren't elastic. So we made an investment and brought to market our cloud-native SIEM, Sentinel, which is fully heterogeneous. The other thing is -- I'm just thinking to the future, right, and I'll just talk a little bit about the future, and maybe Andrew can bring it back to where we are presently. We've done some work that we've presented at the RSA Conference this year around the security of artificial intelligence, so not just using artificial intelligence to enhance our security products, but actually how do we secure our artificial intelligence, things about how do we make sure that data, by the time it goes into that artificial intelligence engine, is not compromised, right, deliberate, malicious attack on the data. So we presented some papers around -- at RSA around that, some work we're doing. We're doing some work on not just quantum-resistant encryption, but also on quantum encryption. And then more in the near term, you'll see us -- we have our Azure IoT security on fabric, but you'll see us do some meaningful work around IoT and the OT environment, as well as ICS. So those are some of the things we're thinking about, in addition to this -- the strong capability that we've already built around threat management and modernizing the SOC and Zero Trust that Andrew can talk a little more about.

Yes. Thanks, Ann. I think maybe nearer-term time horizon, Keith, we've certainly seen that COVID has driven even more demand for engagements around Zero Trust. We've seen that customers moving to Zero Trust have actually been in better shape as they've had to deal with the majority of their workforce working remotely. Zero Trust, of course, is not a product. It's an architecture, but we've seen it drive demand for our identity and access management solutions and also for our endpoint protection, in particular. On the identity and access management side, we've seen more and more customers now actually want to start to proxy their on-premises applications up through the cloud and use Azure AD for authentication. So I think Zero Trust is a big one that just sort of keeps going. The other one that I would flag is that a newer category for us around cloud security. As you know, we acquired a CASB back in 2015. We now have a leading and the most broadly deployed CASB, Microsoft Cloud app security. But we're seeing a lot of interest in cloud security as people move more and more of their assets to the cloud, driving demand not just for CASB, but also for a lot of the protections that we have built into Azure with things like Azure Security Center.

Got it. One of the -- a lot of the areas that you talked about, CASB is one of them, but particularly in Sentinel, like a SIEM solution. The -- one of the central premises of SIEM solution is the ability to pull data from multiple environments, to be kind of the center of gravity for all the security data coming from multiple different types of security solutions as well as different vendors. One of the common pushbacks we hear from competitors about Microsoft Security solutions via that like Microsoft only works to secure their own solutions. How do you work to combat that perspective or sort of that competitive flood, if you will, out in the marketplace and ensure to your customers that when you're doing security with Microsoft, you're securing the entire environment, not just the Microsoft environment?

Yes. That's a great question. Look, it's a matter of education for our customers. If you think about our CASB solution and the fact that they have 16,000 applications in their data store, and you think about Azure Active Directory, and you think about what we've done with Microsoft Defender ATP and announcing it for Mac and Linux and extending it out to Android and iOS, and then Sentinel, right? Sentinel was actually built -- born in the cloud, built in the cloud to be a fully heterogeneous SIEM solution. So a lot of that is just purely customer education, that we need to show up and show them that we are a heterogeneous platform and can secure the parts of their estate that they're most concerned about being secured, and that is our intent. And Sentinel, on top of things like CASB and AAD and even our Defender solutions, are the platforms to do that. And if you think about Sentinel purely, it is built to be that full SIEM analytics, bring your own AI, use our AI machine learning platform to interrogate all of the signal in the environment, whether it's coming from Microsoft or not. If you want to do something that's really purely a Microsoft threat investigation, the best tools to do that is Microsoft Threat Protection. And then you can bring those signals into signal -- into Sentinel and you can interrogate them with anything heterogeneous you get across platforms. So, Keith, we're educating our customers regularly and our partners regularly on that part of the story because that certainly is the common feedback from the competitors out there.

Got it. And Andrew, just from like a marketing perspective, what are some of the types of programs or gauges that you use to sort of kind of assess that market perception and how to sort of push that forward?

Yes. I mean we're driving above-the-line advertising for Microsoft Security now to explain that Microsoft is really in the business of protecting the entire estate or treating the whole patient. To Ann's point, a lot of this is a lagging perception in customers, and frankly, some thud thrown in there as well. And so the best way for us to address it is with facts about what the solution is actually protecting. On the identity side, we've been doing an increasing amount of work with other SaaS ISVs, and so you'll see more and more of our integration with third-party SaaS. And to Ann's point, there are thousands and thousands of apps in our gallery today in Azure AD. So I think anyone who's actually using the solutions and has evaluated them recently will see that we're doing a good job now of covering the broader set of assets that customers need to secure.

Got it. Got it. I want to shift gears a little bit and dive into a couple of the key solution areas for you guys, and I think Azure Active Directory is a great place to start, if nothing else, just because of the -- how resonant that secular theme of Zero Trust architectures are -- is right now and how central identity has been to that -- to Zero Trust architectures. Can you -- Ann, maybe starting with you. Could you give us a little bit of a perspective on kind of what you're hearing from your customers about kind of where they are in trying to assess Zero Trust architectures? I know Zero Trust architectures, overall, are very slow moving. And then to any extent that this COVID crisis is kind of pushing customers to move even faster towards that new architecture.

It's so funny because I did an interview last week, but it was a media organization. And I just said, "Everyone's on a Zero Trust journey, whether they know it or not." And what I mean by that is that they were forced -- folks were forced when their employees start working from home en masse. They suddenly have to think about controls that didn't involve folks being inside the corporate network or being inside the firewall. And some organizations had greater maturity on that than others, right? And I wouldn't even give that a geographic or an industry lens about who had greater maturity than others. It more had to do with just the maturity of their digital transformation, the maturity of the security program. So now we are seeing just a lot of customers really move rapidly and say, "Look, we have to actually secure folks who may -- we're segmenting our employees, and some of them may never come back to the office. Some of them may come back sooner, some later. So please help us make sure that we can have the right adaptive security controls that can provide the same level of security and trust and also potentially monitoring of our data, monitoring our customer behavior or our employee behavior, wherever they are." So they are all thinking about their Zero Trust journey right now. And the good news is we have a lot of building blocks to really help them get there because we, as a company, have been on the Zero Trust journey for a while. We were pretty early to identify password with some Zero Trust as necessary for our folks internally.

Got it. And can you talk a little bit about some of those building blocks? A lot of -- I think a lot of people look at identity as the center point but don't really have a good idea of what the building blocks around identity are that sort of make Zero Trust happen. Can you talk to like the Microsoft vision as kind of what those building blocks are?

Yes. I'll start, and then I'll turn it to Andrew a bit. So one of the first things, and I say this a lot, is you have to use multifactor authentication, right? That's actually one of the first things to doing any type of remote access-type solution, if you want to use the legacy remote access terms. But any type of solution where you're doing remote work, you need to use multifactor authentication. You also need to have the -- have a cloud-based identity store like Azure Active Directory, right, because you need to be able to be dynamic to be able to be -- when you're thinking about provisioning, deprovisioning but also conditional access. And conditional access is the thing that gives you the snapshot. If you think about -- and I'll compare it because I'm sure some of your investors are familiar with online banking fraud solutions where they're taking a snapshot of the behavior of the person, the device, the location, the data, everything and are assigning a risk score. Conditional access works in a very similar way. It's taking an analysis of the behavior -- of the human behavior of the device, the authentication method, the data you're trying to access, those type of things. So conditional access, multifactor authentication and being in a cloud-based identity store like Azure Active Directory are the 3 of the things that are really baseline for moving forward with your Zero Trust strategy. Andrew, what else did you want to add?

Yes. I would add on that we've seen increase around sort of device management as well. Like with Zero Trust, as you remove the notion of a trusted network, as the name suggests, then it comes down to a couple of things, right? It comes down, to Ann's point, to the identity of the human and making sure that you can reliably ensure that it really is the person that you think it is. But then it's also about establishing is that endpoint healthy? Or what are you doing to ensure that you're insulated from that endpoint, if not? And so, in addition to Azure AD, it drives a lot of interest around device management, things like Microsoft Intune for mobile device management and mobile application management. And then I would say, as I mentioned earlier, given the move to Zero Trust, customers are trying to move more and more of their apps to this model. Now I think if you're a new company and you've got all your apps in the cloud, that's fine. If not, and you have legacy apps on-premises or applications that use different authentication protocols, then you're really going to be looking at technologies like our app proxy to bring those on-premises apps to the cloud. And then perhaps the final thing that I would add is Zero Trust also puts a lot more pressure on having a broad and ubiquitous telemetry so that you can actually understand what's happening on those endpoints. And all of that activity gets journaled and can be processed, and you have access to all of that data. And so it really does lead to interest in more integrated threat protection solutions and then also in technologies like Sentinel, where you're able to apply cloud technology to really reason over all of that signal, all of that telemetry that you're getting from devices and from your identity system.

Got it. And if we think about the competitive environment, maybe narrowly for Active Directory or more broadly for Zero Trust, is there anybody in the marketplace, like when you guys are presenting your vision of Zero Trust architecture, that has the -- as many of the components as you guys bring to the table that you're competing with on a like-for-like basis? Or is it kind of this Microsoft perspective versus a collection of piece parts, if you will, or collection of other best-of-breed solutions?

I think everyone, like a lot of things in security, hear a lot of marketing and messaging about how companies enable folks' Zero Trust journeys. And to a certain extent, there is a little bit of an ecosystem there, Keith. There's things like on the network layer that we partner with some companies to make sure that we have this ability, too. So I think from a completeness of solution, I'm very comfortable where Microsoft is, but I do think there's a lot of competitive solutions that do one or part of what we do and perhaps 1 or 2 that may have a fair amount of completeness around their offering also.

Got it. Shifting gears a little bit, I want to talk about Microsoft Defender ATP. It is a great example of a solution that evolved from -- if we were talking about 6, 7 years ago, you just got it for free. And sometimes, you turned it on, on your Windows laptops. But now Windows Defender is -- really compares well to the leading endpoint solutions in the marketplace. Market share has definitely picked up, if you look at like at Gartner. Can you talk about how you guys are positioning Defender ATP versus kind of other endpoint solutions in the marketplace? And maybe give us some kind of view on sort of the market penetration you've seen in the commercial environments.

I'll start, Andrew, and then I'll turn a bit of the detail over to you. So our positioning with customers is pretty straightforward, which is we're not just the -- Microsoft's vendor ATP does not just run on Windows. It runs on Windows, Mac, Linux and quickly to iOS and Android. The second thing is we've introduced the Microsoft Threat Experts as part of the solution, so -- and I'll talk about a couple of other things as far as solution, but threat expert does that managed hunting capability, which is competitive with other folks who have endpoint solutions that have a managed hunting capability. We also brought to market a threat and vulnerability management capability within the Microsoft Defender ATP. So part of what you're seeing is there's accrued value into the solution. How much value can we accrue into having a customer standardize on Microsoft Defender ATP that we can -- because when you talk to customers sometimes, Keith, and I'll give you the worst case I saw. I had a customer that had 25 agents on their endpoint. It was taking them like literally an average user 10 to 20 minutes to boot, so we're trying to accrue as much value into that endpoint solution and also make it heterogeneous, so customers can really reduce that endpoint footprint that they have and standardize more on Defender ATP. But Andrew, did you -- I'm sure you have more you want to say there.

Yes. I would add on by saying that, Keith, there hasn't really been any substitute just for the hard work that the Defender team has put in with customers to move the product along with things like test scores, and then as you've noted, the progress that we've made with analysts across Forrester and Gartner. And so it's been a very important journey for us to get to that leading spot in EDR, Endpoint Detection and Response. The thing that I would add on here is that the team is now thinking beyond that, though, and it really comes back to this notion of integration in addition to being best of breed. And so what the team is spending time today is something called Microsoft Threat Protection, which brings together not just the Defender capabilities on the endpoint, but also our e-mail security and Office 365 ATP and then our UEBA solution for detecting malicious behavior or threat behavior in your identity system with Azure ATP. And so this idea of Microsoft Threat Protection is bringing multiple threat protection technologies together in the same console experience for SecOps. And so instead of having to navigate between multiple different consoles or portals, instead of having to stitch together alerts from multiple different products, there's a way to do that now in an integrated place inside Microsoft 365 with this Microsoft Threat Protection. And that really gives SecOps people an integrated experience, an integrated time line for any particular incident and also allows them to automate the remediation of that as well. So it's not just detecting threats, it's actually remediating them across the infrastructure, and then to Ann's earlier point, doing things like threat and vulnerability management as well to improve go-forward posture. And so it's been solid progress as you've noted on Defender, but the next place we go here is to integrate across multiple different products for our customers across identity, e-mail, endpoints all in one place.

Got it. So you guys create like a common architecture and a common data model for sort of identifying and managing threats across multiple vectors, not just the endpoint, but also sort of what you see within Office and e-mail threats and sort of also on Azure, and you're able to analyze, look across and then sort of work with that data more easily? Is that the right way to think about?

Exactly. Yes. No. That's correct. That's exactly, yes.

And I think one of the concepts that investor sometimes find difficult, I'm using investors but -- as a euphemism for me, is the difference between kind of that sort of EDR model of giving the security analyst a unified view of the data that they need to be able to do detection or remediation. How does that differ from fundamentally what you're trying to do with Sentinel? Because it seems like a similar kind of value proposition that you're bringing together a bunch of data to be able to analyze and remediate across. So how do those 2 either align, overlap or complement each other?

They brilliantly complement each other because the Microsoft Threat Protection suite of solutions, which is what Andrew just talked about, is the most robust tool that you're going to want to use for doing your hunting and investigations within the Microsoft environment. When you start to want to tie in third party from maybe your third-party SaaS apps or your cloud providers, that's where your -- or even third-party network detection, that's where you're going to want to move to Sentinel because then you can take that feed from everything Microsoft Threat Protection piece, and then you can add in all of the other things you have in your environment that Microsoft Threat Protection potentially doesn't see, and you could do some really interesting work within Sentinel. So the 2 are completely complement -- were built to be completely complementary solutions. So if a customer was just concerned about something happening within the Microsoft estate or within Microsoft Threat Protection estate, they can do that work there. But if you really want a SIEM to go through everything in the environment, look at logs and look at analytics truly from across the entirety of your enterprise and then bring in that threat protection data, that's the place. You would do that in Sentinel.

Got it. Got it.

It was purpose-built for those 2 things.

Right. So Sentinel's a good example of a security technology that you guys now have been able to sort of create like a next generation of the security technology, utilizing the capabilities of your cloud, utilizing the capabilities of Azure, but it's not necessarily security of the cloud. It's not -- securing the cloud is one vector it secures, but that's just like a fundamental piece of security. If we shift gears to cloud security like the fundamental security of the cloud, you guys have been working in the space for a while. I think Adallom was the big kind of security acquisition that got you into the space. How is the security -- the cloud security portfolio evolved since then? And how do you think -- like how do customers think about buying cloud security solutions from their infrastructure vendors? Shouldn't there be some like separation of church and state of the guy who's giving you the underlying infrastructure, you usually get a third-party to ensure that the security is good?

Andrew, I'll give this to you.

This is one, Keith, where, following the Adallom acquisition and growth in CASB that you talked about, we've invested heavily in building capabilities as part of Azure Security Center. And to your point, all of that is first party, right? So if you're protecting VMs or you're protecting containers or SQL stores, et cetera, the Azure security team is going to continue to innovate first party on Azure to protect all of these new types of workloads and apps, right? And this is starting to go beyond infrastructure services into pad services on Azure. At the same time, we're doing everything we can to enable a vibrant third-party ecosystem on Azure to protect customer workloads. And so if you go into marketplace, there's a number of different security vendors there who are selling their security capabilities on Azure, again for customer workloads that are in Azure today. And so there'll always be this first party, third party on the cloud, on Azure as customers decide what they want to use to secure what they're doing in the cloud.

Got it. We're coming up on the end of the hour, but I have a lot more to go through. But -- so I'm going to focus on 2 questions, one of mine and one that we actually got on the webcast that I thought was pretty interesting. The first of mine was as an analyst and as an investor, a lot going on in security. We see a lot of it within sort of the product portfolio. Where should we be looking on the income statement for this? Like if we look at that kind of revenue segment, how much of this security innovation, security solution is actually resulting in like a stand-alone SKU? How much of it just gets sort of -- this is what's pushing other SKUs to -- people to up-level maybe from like an E3 to E5 on Office 365. How should we think about the monetization of all this security investment?

Yes. It's in 2 spots, to your point. I mean we have primarily per user-based capabilities in Microsoft 365, and those start with EMS. EMS and even the EMS E3 offer today delivers conditional access, so it delivers identity and access management. It delivers MDM. And so it starts people on that Zero Trust journey, and that's E3. As you bump up to E5, we are using security to drive that premium E5 value, so a number of our threat protection capabilities. For instance, to fully realize Microsoft Threat Protection and the included products, we have customers who will be purchasing E5 to do that, either the full Microsoft 365 E5 or one of our E5 security SKUs. And then, of course, the individual products are available separately, too. And so that's how we're doing it on the M365 side of the house. As you look at new capabilities in cloud securities, you look at things like Azure Security Center or as you look at the SIEM solution that we've talked about today with Ann on Sentinel, those are driven on a consumption basis. And so those products then are driving Azure-consumed revenue.

Got it. Got it. That makes sense. So -- and then the question from the webcast I thought that was pretty interesting is given sort of the moves that we're seeing towards Zero Trust architectures, what segments of the security market do you think strongly will not need to exist anymore or will be deemphasized because of where we're heading and where security architectures are heading?

I never procrastinate about security because what you find is customers have -- an enterprise customers have north of 50, 75 security solutions. They also have decades' worth of technical debt that will take them years to clear, so it accretes. It's a great question, but it's going to be a long time before a certain segment of the security market goes away because of Zero Trust. Maybe some of the legacy controls get less important. But until customers actually modernize the entirety of their infrastructure, and a lot of those folks are in 100-year-old companies, as I mentioned, with decades of legacy infrastructure, that isn't going away anytime soon, and it has to still be secured.

Got it. Got it. I think we have time. I'm going to sneak in one last question of my own, and this is kind of on future technologies. You talked about AI earlier and how not -- Microsoft is not just using AI to sort of make your security better but also to -- you're going to secure the AI itself. But I wanted to talk about kind of the first part. Microsoft talks a lot about AI. It talks a lot about automation of business processes broadly. And obviously, you guys are pointing that towards the problems of security to automate the security business processes. There's been some pushback from security practitioners that basically handing over the keys to a black box, handing over the keys to automation and AI, and they want to keep the human element within there. To what extent are CIOs willing to push more and more of that control from their security analysts to the machines, if you will, to identify and respond to threats?

Yes. That's a great question, Keith, because it's such a psychological concern for them, right? So we are investing as much as we can in automation at the endpoint, when we talked about like Microsoft Defender ATP using AI to actually detect previously unknown version of malware and then do as much automated remediation as possible. What we encourage the CSOs and we feel fairly aligned with them in that we want to make sure that those really expensive security professionals that are hard to hire are working on your highest-value tasks. You're still going to need them, but you don't want them doing remediation on really low-level things. Those things should be automated, the very repeatable things. And that's what we're focusing our investment. And as we work with the CSOs we talked to and security admins and SOC admins we talked to, we're really focusing on figuring out, making sure that they are equipped to handle those high-value tasks because we're removing all of those mundane tasks and automating them.

Got it. Excellent. Unfortunately, that takes us to the top of the hour. But Ann and Andrew, thank you very much for joining us this afternoon, definitely a very interesting topic, very topical part of the business to be delving into right now. So we very much appreciate you spending your time with us to learn a little bit more about what Microsoft's doing in the security markets.

Thank you so much, Keith.

Thank you, Keith.

Excellent. And thank you to all our clients taking the time to join us this afternoon. If you have any other questions about Microsoft Security business, how we're looking at that security business, feel free to give myself or my team members a call to talk about it further, or if you want to talk about anything else more broadly around Microsoft, you can reach out to us as well. Everybody, stay safe out there, and we'll be talking to you soon. Take care.

Thank you for participating in today's conference. This concludes today's call. You may disconnect at this time.