Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

Good afternoon to everyone on the line. We're very pleased to have with us on our next presentation on our Zero Trust Architectures Virtual Conference from Palo Alto Networks, both Chairman and CEO, Nikesh Arora; as well as Founder and CTO, Nir Zuk. Gentlemen, thank you for joining us. And to everyone on the line, sorry for the delay. I had some technical difficulties on the back end.

So Nir, maybe a question to start out with for you. The theme of the virtual conference today is Zero Trust architectures, and it's a buzzword that we've heard a lot and a lot more over the last year or so. But I still get a sense that it means different things to different people. Can you talk to us a little bit what's the Palo Alto Networks' perspective on it? What does Zero Trust architectures mean? And where does your portfolio fit into that?

Sure. So we believe Zero Trust is a concept in cybersecurity, where every entity, whatever that is, an endpoint, a workload, a server, cannot trust anything that happened before and anything that happens after that. And it's responsible for its own security. So let's take an example. Let's say that the private banker Morgan Stanley gets a call from the customer. They need to go into the customer accounts through an application. It starts with, you need to trust the machine they're running, you need to trust the operating system. You cannot trust it, maybe it was tampered with. You need to trust the application that they use. It might be a web browser, a plug-in, you need to trust all of those. Then the user accesses -- the private banker, in this case, accesses a front-end server. There need to be trust established there. You need to -- the server cannot trust the user, cannot trust the endpoint and so on. And then after that, there are probably a set of microservices behind it in the form of hosts and VMs and containers and serverless functions in the public cloud, all the way to where the data is, which can be a PaaS application like a database or -- like a database in the cloud -- private or public cloud application -- sorry, environment. Then Zero Trust is at every stage of these stages. You can't trust what happened before. You need to reverify everything. So a microservice in the form of a container needs to be able to verify that another microservice in the form of a VM. So before they talk to each other, they need to verify each other's identity. You need to look at the content and so on. So it starts with endpoint security. Let's make sure that the endpoint is secure. Then you have what's called Zero Trust Network Access, ZTNA, which is really most of the vendors that you will talk to, when they say Zero Trust, they really mean that little portion between the user and the first server that they keep, Zero Trust Network Access. So verify the user, verify the content of the trust, if there's no malware and no exploiter, no command and control and so on. And then from that server, you go to the first microservice, at least to verify, again, everything that happened before and so on, all the way to pass security at the end. So it's -- to us, Zero Trust is really end-to-end. Each component, as little as possible, is responsible for its own security. And now if you -- and maybe before I talk about the Zero products, then there's another layer of the Zero Trust. The way most security organizations are set up, they have the security operations center, so -- which essentially is there to verify again all the trust decisions that have been made. So yes, I allowed you to look into a system. But I want to verify that it was okay, because if you look into a system from one place and then 3 minutes later, you logged in from another -- in other part of the planet, then something is fishy. So you have to reverify everything. And that's what the SOC does. So the SOC looks at all the trust decisions. I mean it's not the way the SOC positions, but in essence what they do is they look at all the trust decisions and they have to go and reverify them. So -- and again, when you talk to other vendors, they will have components of that being presented as Zero Trust, right? So some of the network security vendors and the proxy and the cloud vendors would say that ZTNA is Zero Trust. No, it's part of that. It starts with the endpoint then comes ZTNA, then come other pieces. If you talk to identity asset management vendors, they will say, authenticating the user is Zero Trust. No, it's not. It's part of Zero Trust. You have to take that identity and run it all the way through. They only authenticate the user at that point, but who's going to make sure that, at the end, the asset to the database is a result of what the user did and not some malware or something like that. So different vendors -- of course, I mean it's all self-serving. I mean we are also self-serving, right? And this -- when we say that is end-to-end, I'll talk about the portfolio in a second, but different vendors would look at different components of Zero Trust and say, this is Zero Trust for us. We believe that it's an end-to-end. If you look at our product strategy, it isn't, right? It starts with endpoint security, which is where Cortex fits. And then you have Zero Trust Network Access, which is where the physical firewalls as well as Prisma Access fit. And we're seeing more and more shift towards Prisma Access for Zero Trust applications. Then you have Prisma Cloud, which runs inside all these different microservices and establishes all the Zero Trust, right, in containers, and in VMs and so on. And we made a bunch of acquisitions. And so at the end, you have PaaS security, which is, again, Prisma Cloud, right? So the RedLock and Evident acquisitions that do that. And on top of all of that sits Cortex, which collects data from the entire infrastructure, reevaluates all the decisions that have been made for the SOC and automates the processes of responding back or changing things if a trust decision was an incorrect one.

Okay. That's super helpful. And Nikesh, from your perspective, is Zero Trust the concept that you're hearing from customers? Is that something that they're asking you about? Is this actually driving purchase decisions for Palo Alto Networks yet? Or is this more of a sort of a marketing and a buzzword we're using on the AR side of the fence?

Well, I mean, what I understand is that the gentleman who coined the phrase Zero Trust -- Nir could tell me. He came to Palo Alto Networks. How many years was that, Nir?

5, 6?

Yes. Six years ago, John Kindervag wrote the first piece -- a seminal piece of work on Zero Trust in Palo Alto Networks. So we have been presenting Zero Trust since he came to Palo Alto Networks, and he's been the champion both externally and internally. So we have been presenting our solutions as enabling Zero Trust across the board for as much time. We do hear customers, and as they're going through their security architectures, wanting to make sure that there is Zero Trust capability across every piece of the security chain. So that drives the conversation. I think there's a fallacy that any one vendor out there has a solution for Zero Trust because, great, it has Zero Trust for IoT management, what happens after your credentials allow you to get into the rest of the network? Who's making sure there's Zero Trust as zero traffic traverses through firewalls or traverses into the cloud? Or if you're an access provider, great, you secure from the point I enter to the point I exit, but what happens after you exit my infrastructure? And what happened before the point, I think, that's going to be left off or from your endpoint? So I think there's a fallacy that there is one solution, one silver bullet in the Zero Trust world and that 1 or 2 vendors are going to win the race because they installed Zero Trust. We actually need every element of your security architecture to slow Zero Trust. And it's more an architectural approach from our customer that allows them to do that as opposed to any one particular solution. And as Nir articulated, we'll try to make sure that every one of our products fills that gap, at least from the point we see a user come in, whether it is a cloud network with the branches or the infrastructure all the way through and back.

Got it. Can you talk to us on how companies actually deploy this? When is this shift toward more of a Zero Trust architecture come into the environment? Is it layering on additional sort of aspects of security? Is it -- are they taking out any elements of the security? Like, how does this come about? And does it matter the company size? And is an SMB going to go about this differently than a large enterprise?

Well, I don't think they need to go out differently, just mainly less security solutions. And if you don't have a cloud instance, you don't need it. If you don't have a data center, just go to the cloud. You don't need anything in the data center. You may find a reduction in scope of what they need to do because of the size of the business, but the more complex the business, take Morgan Stanley, you guys have a reasonably robust and complex IT architecture, you probably have a multitude of vendors providing all of this stuff and then become -- if you don't -- if you're not careful, and you have too many people solving the same problem, then the cost of stitching all that together, they're going to sit on your CIO or your CISO. And the less you have complexity, the less number of vendors you have, the possibility of using solutions that work together allows you to reduce that footprint. But Nir, do you have additional?

Yes. One thing I would add is that, especially the ZTNA, the Zero Trust Network Access, vendors are trying to present this as something new and well and something that's never been done before. Look, I'm sure you have the VPN client from your network 20 years ago, and I don't know if you ever used those secure ID cards, right, from RSA. That was Zero Trust, right? You have a VPN client on a laptop trying to access your organization, you verified who the user is, okay, so back then, it was not as sexy as Okta, but it was a secure ID card, and it was all encrypted, and you didn't let anything in that didn't authenticate. That's Zero Trust, okay? I built those systems 25 years ago for another company. So it's not something that's new. I think the concept that's new is to do it end-to-end. And the pieces that are being talked about the most are the ones that have been done for 20 years. The pieces that customers are looking for but haven't been talking about publicly are really the new ones, the part where you do it inside the organization, between workloads and between the endpoint of -- all the way to the PaaS application where the data is. That's the new part.

Got it. Got it. So you guys have been investing a lot in the new part. And we can talk about that sort of the -- a lot of the acquisitions have been sort of building out the Prisma Cloud, that's enabling you guys to secure the assets in a PaaS-type environment, Twistlock, that's enabling to secure these new microservices as well as building out a Prisma Access over time. I think the question I get most from investors is about the other side of the equation, the stuff that's persisting in the data center. What does this mean for traditional firewalls? Are traditional firewalls still an important component of the security architecture? Do they rise or fall in their sort of importance or sort of where they position as the central part of the security architecture?

I'm going to give you the commercial context and then Nir can give you the technical context. But look, I think if I read your software for the view of your colleagues, they're telling me that they expect 30% to 50% of the IT infrastructure customers out there moves to the public cloud in the next 5 to 10 years, right, in such and such context. If you believe that is true, it's somewhat of an issue where we shut down most of our data centers in the last 2 years, and we moved a lot of it to Google and Amazon on the back end as a public cloud. We don't buy -- we don't have that big data centers, so we would not be buying many firewalls if we were or we will not be deploying many firewalls if we were 2 years ago because we're sending less traffic to the data center. We're sending it to AWS and GCP. And what we've done is we've put a virtual firewall in front of our GCP and AWS instance to allow us the same capability to monitor the traffic now going towards public cloud. We replaced the blocks with the software instance. The firewall feature is still there. We still would have somebody pay for the loss, that they paid for that. And we -- all of our employees use Prisma Access to get access to those applications there in the public cloud. So we don't have a physical firewall sitting in many of our offices. We can use Prisma Access to do that. So I think the form factor change will continue to happen in the next 5 to 10 years as we go from hardware to virtual firewalls or firewalls delivered into the cloud to Prisma Access or virtual machines. I think the need for firewall capacity in the industry will continue to grow at 6% to 8%, as I said. If you look at what's happening in the COVID world, the thing that's working is technology-based capabilities, whether it's -- you're selling something, whether it's Nike or whether it's Walmart, everybody is doubling down on their technology infrastructure and the need for your customers to log in or faster services in the online world, which means you need more capacity. Capacity keeps going up for IT, technically, and you start deploying and using the cloud for more data centers, you'll need more capacity to do firewalling. How do you do it with this hardware and software becomes the second question. As long as that entire category is growing, we believe we need -- we continue to need to take share of that. But Nir, do you have more technical...

I think you got all of it. I think the one important thing is that we think it's going to remain a hybrid world for quite a while. It's important to have physical firewalls, virtual firewalls as well as cloud-delivered firewalls for access that are completely compatible with each other. So you can make a decision, what's good for you at every location. In some locations, you want physical. In some location, you want virtual. Some -- in most locations for access, you want remote accessing. In most cloud locations, you want virtual. In most physical data centers, you want physical. In large headquarters' campus, you want physical if there's still campuses. And we believe that one of our advantages is that we have all of them and are the same team, managed the same way and you can interchange them technically from one to another in a matter of seconds.

Got it. So the advantage that you would hold, having sort of multiple form factors for the same kind of underlying firewalls means a common rule set across all of them, common administration, you get visibility, a common data set coming from all the different firewalls, whether they're virtual, whether it's Prisma Access, whether it's a physical firewall, and that gives you a more holistic view on what's going on, on that network?

And it simplifies the customer environment. You don't need many vendors. And we have the subscription services that run on top of all of it. So if you want to do threat -- IDS, it's what we called IDS, right? If you are filtering across all of them, it's the same. And we recently launched our IoT security service. If you want to do IoT security, it's the same across all of it. It doesn't matter which form factor you use. So that's another advantage we have, is that our architecture is that it's really subscription services, security services running on top of physical, virtual and cloud-delivered, and it doesn't matter which one you use. It's the same function to everyone. So also migrating from one form factor to another is technically very simple.

Got it. It's hard to have a discussion nowadays and not bring COVID-19 into the equation and sort of the -- because these huge disruptions and huge changes in the way that people are working, at least from a user population in the near term. And we think it's going to -- we're not going to all revert back working in the office anytime soon. There's probably going to be a more permanent change. And it does seem like digital transformation is taking place faster, like you were talking to, Nikesh. What's the security implication? Does this accelerate sort of shifts away from physical towards virtual? Like what's the implications for security broadly, or more specifically, for Palo Alto of where you're seeing demand for your portfolio?

Look, what's happening, I think, out there is, as I said earlier, people are getting: one, everybody realized their employees need to work from both the office and their home in an effective manner. So in the past, if you would have provisioned 8%, 10%, 15% of your employees to be able to work from home, now there is serious need to make sure that 100% of employees can work remotely, and you can guarantee them the response times from your corporate data center or your cloud instances back to them in a way that makes it seamless and secure. So you are going to see this continued trend. I think we have not seen that trend so far aggressively in the numbers because a lot of us, including us and many of our peers in the industry, offer free service capacity for all customers to make sure that the customers could make this happen without having to go run through a purchasing process or a contracting process. And those trials, those search capacity offers are about to terminate roughly in the next 2, 3 weeks. So people have to go back and think about, do I need this extra capacity on an ongoing basis? Or am I done? And most likely, most people are not done because I don't see any people going back to the office yet. So they are going to have to rethink of how do they want to think about remote secure access for their employees. Some of them will just increase capacity for their existing solutions. Some of them will step back and look at the architecture and say, maybe it's for me to upgrade that solution to a different vendor or not. So we think that trend is going to continue. I think the -- it's becoming visible that more and more customers are contemplating moving a lot of their back-end infrastructure to the cloud as evident in the success of the cloud service providers. And I think that trend continues and that the margins will probably accelerate that, which for us is good because it creates the need for a comprehensive cloud security platform, which Prisma Cloud is. So that's kind of helpful on the cloud front. But there's a lag because as people go, get on the cloud, then they realize they're putting stuff in production that can go and make this happen. And once they actually move their stuff to the cloud, they just go back and say, wait a minute, why am I bringing all my traffic back to my data center because my -- all my data centers now are in AWS, GCP or Azure or Alibaba. That's when you start seeing the MPLS replacement with SD-WAN start to happen. So I think all these 3 trends are going to get accelerated with what's happening out in the world right now. I think it's good for security. I think you have to couple that with the fact that there is still 20 million people filing for unemployment benefits on a weekly basis and there's still a lot of people who are not going back to work. So there's going to be some companies who will have to downscale or rightsize their businesses and don't have the visibility or have the balance to do, but I think the long-term trend is accelerating. And in the short term, we're going to get muddy data.

Got it.

So we have maybe one more trend that we're seeing is around automation. So I think that the move of the security operation center from being 10, 20, 50 people sitting in a room or in multiple rooms and running the infrastructure to all of them sitting in different homes in different places and trying to run the infrastructure is leading to a lot of need for automation. So we're seeing certainly a lot of deals around automating security operations centers.

Got it. This is actually a question that we've got off the webcast that's pretty interesting. But as your business is shifting more towards the cloud, I think the -- if we think about the newer businesses, $800 million run rate business now with your cloud businesses, how does that shift the competitive environment for you guys? Are you still running up against your traditional kind of firewall peers of a Check Point or a Fortinet or is it a new competitive environment out there where you're competing with Prisma Access or Prisma Cloud and the like?

So it's both. We have customers out there who are still upgrading their firewalls or refreshing their firewalls, and we will run into the traditional firewall vendors over there. There are customers who are reevaluating their endpoint strategy with the coming of EDR and XDR and looking at, say, how do I get to the next generation, which is where we see a lot of our business with Cortex XDR. We see a lot of automation with Cortex XSOAR. And in the cloud security space, we don't see many people. We see a lot of customers. There's more of, honestly, some evangelical job right now because there is this illusion that I've just got my cloud service provider, give me cloud capacity. I'm sure they'll take you to security. And all of them make the point saying, look, we're guaranteeing the security infrastructure, but it's the application on top that you build. And when you put them in production, the firewalling you need, that's still your responsibility as a customer because we don't have visibility into how porous or how robust you're making an application. That's where Prisma Cloud comes in. It's not protecting Amazon servers, it's protecting the applications that you as a customer are putting into public cloud.

Got it. And Nir, maybe for you. I'd love to get your perspective, particularly when we talk about that Zero Trust Network Access part of the equation. There's a big industry debate going on. Do you need a proxy up in the cloud? Or do you do it without a proxy? What's your take on that debate?

You want me to repeat what I said in Analyst Day a year ago? I would actually do that. I already killed 2 generations of proxies in the past, right? For Check Point, we killed the old Secure Computing, Raptor, TIS and so on. And then at Palo Alto Networks, we killed Blue Coat and their competitors. Proxy is not a good solution. Proxy is an easy solution. It's not a good solution for security. It's the easiest way to deliver security, but you can't really deliver good security with it and you cannot deliver good networking with it. And customers will look for alternatives and proxy if there is one. You cannot run a Zoom call through a proxy. If you look at our proxy competitors, they will give you -- their latency commitment is 100 millisecond average over a month. Our latency commitment is 10 millisecond over an hour. So it's just -- if you can avoid a proxy, you will avoid a proxy. That's been proven twice already in the past, right? Check Points and others got special firewalls killed the proxy, and then we killed Blue Coat. It will happen again, I'm sure. And just -- there was never really a good reason to use a proxy other than it's easy to deliver basic functionality with that.

Got it. I want to dive a little bit deeper into the PaaS solution portfolio. You guys just rolled out a new PAN-OS, I think it's 10.0. You're calling it more of a machine learning-powered next-gen firewall. Can you talk to us about sort of what are the -- what's the new, new stuff in here? What makes this a meaningful development for Palo Alto Networks?

Sure. There are a few things there. The first one is, there's always been the debate of whether signatures are good or bad. And everybody realizes that signatures are -- their ability to prevent things has diminished over time because things change very, very rapidly. And so far, the alternatives to signatures in the network has been to do things outside of the firewall because running something that's not a signature at 10-gig is very, very difficult. So the way it would work until recently, until we made the announcement last week is you run signatures inside, and then whatever you cannot stop with the signatures you send to the cloud, you process things there. And then you find something bad, you send the signature back to the firewall. That's a good process, but it's not the best process. We think that the best process is to bring machine learning into the firewall itself. So you can do a lot of the things that traditionally were running outside of the firewall in the firewall itself, in PAN-OS 10.0, through the use of the hardware that we have on the physical -- the software plus hardware that we have on Intel. In the virtual firewall, we're able to bring machine learning into the firewall itself such that we can do machine learning in real-time versus signature in real-time and machine learning off-line. And there are really 4 major things that we put into that, that we believe are disruptive, at least as disruptive as what we've done 13 years ago with the next-generation firewall introduction. The first one is machine learning internally. Inside the firewall we do machine learning. There are still things that require machine learning that there's not enough power in the firewall. So we have the capability of sending information from the firewall to the cloud while holding the data packet, and within 10 milliseconds receiving your reply and then sending it forward. And in many cases, that makes sense like DNS, for example, security, where you hold the DNS request, you send it to the cloud, you look for DNS attacks. Within 10 -- using machine learning, using the compute in the cloud, within 10 milliseconds, you have an answer where you send the packet to. The third thing that we introduced that is very important is for things that do take longer, as I said, the process is we send it to the cloud, we process, and then you send back signatures. Most of the industries are 24 hours. Every 24 hours, they'll send signatures back from the cloud. Over the last several years, we brought it down from 24 to 5 minutes -- 24 hours to 5 minutes. In PAN-OS 10.0, we're doing it in real-time. Meaning once the cloud has an answer, within a few seconds, 0-delay, the signatures are in the firewall, and the firewall is able to stop them. And the last thing that we added is collection of telemetry data from the firewall so that we can automate the configuration of the firewall and the use of the firewall through machine learning. One of the biggest complaints we hear from customers of ours, not complaints, but when you ask our top customers what keeps you up at night, the #1 thing is always configuration errors. I have the best technology in the world from Palo Alto Networks, whatever, but people still make mistake when they configure it. So what we added is the ability to collect -- we collect information that enables machine learning to go and figure out that things are configured correctly across customer base, things like that.

Got it. Got it. I want to touch on CloudGenix, the most recent acquisition that you guys have made, getting further into the SD-WAN space. SD-WAN for me has been a confusing market. There's people coming at it from sort of the pure networking side of the equation. VMware is in this marketplace. Fortinet is in this marketplace. And now you guys have doubled down with CloudGenix. Why does Palo Alto Networks need to be in the SD-WAN space, number one? And number two, what's the customer reaction been thus far to that acquisition?

Sure. So what is SD-WAN? SD-WAN is just the more efficient way of running things on top of the Internet versus just selling traffic to the Internet. So if you want to move away from private networks, like MPLS, either because of cost reason, more importantly, because your applications are now in the cloud and you don't want to use MPLS to send your application traffic to the cloud. You want to move to the Internet. The Internet is not that great. You probably are seeing when you use the Internet, every now and then it gets stuck or it gets slow or latency is very high, right? You type something and then you get an answer in 2 seconds. That doesn't work for enterprise applications. So SD-WAN is a technology, in general, to make that better. How? You -- first, you can connect to the Internet with multiple Internet connections, one from one service provider, one from another. And then SD-WAN is making decisions as where to put the packet. Is it better to send the packet from here or it's better to send the packet from here, and sometimes, which path should I take and so on. Now that sounds great in theory. In practice, even if you put the packet on the right lead, a few hubs down the road, a few routers down the road, decision doesn't matter. You end up in the same router and then you have congestions and things like that. So we're seeing more and more SD-WAN architectures move from we'll send the traffic from this point to this point using SD-WAN to we're going to create hubs. We're going to create hubs of SD-WAN, connect them with probably private links and then use SD-WAN just to get to the hub. So I'm going to use the Internet for the first month, and then the actual network is either private or semi-private and has guarantees around that. And that's what we're seeing customers are doing with SD-WAN equipment in general. Some vendors don't have the capabilities of doing it. Some vendors provide the capability to doing it. And what we said is, yes, that's okay, but then you have to manage those hubs and you have to buy private links and pay for private links, and there's -- it's very difficult to get private links that will cover the entire planet between all the hubs that we need across all continents and all countries. Let's provide it as a service. That's called Prisma Access. So Prisma Access to us is for the case -- use case of SD-WAN are really the hubs and all the connectivity between them. And now the question is, okay, how do you connect from the branch office to Prisma Access to the house? And there are 2 ways to do it. One way is with the physical firewall in the branch that has SD-WAN embedded in it, and that's what we've done first. And the second way is you forget about the firewall, you just put a simple SD-WAN device in the branch, bring the traffic to the cloud and do the firewalling in the cloud, which is what CloudGenix was doing for us. And by the way, we support other SD-WANs as well. You can use VMware's SD-WAN, you can use Cisco's SD-WAN to get into Prisma Access. But from us, you have the full firewall and you have the stand-alone SD-WAN, and both are valued use cases. We also have customers that still say, you know what, Prisma Access is nice. I want to build it myself. So they buy either the firewall or CloudGenix for the branch office, and then they buy our high-end 7000 Series Firewalls. They put them in data centers. They buy private links. They build their hubs. Basically, they build Prisma Access themselves using our physical firewalls or virtual firewalls in something like Equinix data centers around the world.

Got it. Excellent. I had to tell more questions, but unfortunately, this is -- that takes us to the end of our 30-minute time slot. I want to be respectful of your time. Fascinating conversation. Thank you very much both for joining us. And thank you to all the clients on the line. Please stay tuned for the rest of the programming this afternoon. We have a couple more companies to talk to. If you have any questions about this presentation or anything that we're talking about today, please feel free to reach out to myself or anyone else on our team. Thank you very much for everyone for joining us.

Thank you, Keith.

Thank you.

Thank you, Nikesh. Thank you, Nir.