Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary
October 13, 2020
Earnings Call Speaker Segments
Fernando Montenegro
Good morning, good afternoon, good evening, everyone. Fernando Montenegro here. Let's continue with our security session. This is a panel on the evolution of cloud security, and we're going to talk about where have we been as an industry, where -- what kind of pressures are we seeing now and where we might be going next. So I'm your moderator, Fernando Montenegro. I'm joined on this session by Garrett Bekker, Knox and Varun Badhwar. Guys, do you want to say a few words? Garrett?
Garrett Bekker
Sure. Yes, I'll jump in. Hi, everyone. Thanks for joining us. I'm Garrett Bekker. And for those of you who may have joined our last session, I cover identity and access management, data security. And I co-cover cloud security with Fernando, particularly focused on security for SaaS applications.
Fernando Montenegro
Perfect. Varun or Knox?
Knox Anderson
Hi, I'm Knox Anderson. I'm the VP of Product at Sysdig. We're a secure DevOps company that provides visibility and security. We were originally born as an open-source company, and now we focus on applying deep visibility to enterprise container and Kubernetes environments.
Fernando Montenegro
Perfect. Thank you. Varun?
Varun Badhwar
Yes. Hi, everyone. My name is Varun Badhwar. I head up products for Prisma Cloud, which is our suite of cloud security solutions here at Palo Alto Networks. A lot of them born through a number of key acquisitions of companies like Evident, RedLock, Twistlock, Aporeto and PureSec. Looking forward to the discussion.
Fernando Montenegro
Perfect. Thank you, everybody. So we just want to go -- so I just want to go through an agenda. So the way we'll do this, we'll -- similar to the other presentations that you may have seen here, we're going to do a quick positioning of where we are, and then we'll go into panel discussions where we can talk a little bit on the questions. Without further ado, the first thing we want to talk about is let's define cloud security. I mean Garrett and I are on the call here. And one of the things that happened is that whenever we get on conversations around cloud security, the topic becomes, okay, which one of -- which one should we be interacting with? Who are we talking to? So one of the ways that we like to position it is we have 2 different -- we have a different view of cloud security, the way we split it up here at 451, now part of S&P. First of all is that we break it apart into 2 major areas. On one hand, you have the SaaS security angle that you see there. And then we have the other side, which I kind of made the bigger -- this is the session I'm leading so I took the liberty of making it a little bit bigger. Sorry, guys. But where we -- the slide -- this -- where we divide coverage between platform security, so in other words, security for the cloud environment themselves; and then workload security running on top of that. Now one of the things that's most notable about cloud security is that there is lots of different adjacencies, and immediate adjacencies that we have are the areas of application security, data security and identity and access security. And Garrett and I share our cloud security, but he's our lead on identity and access and data security, while then Kennedy leads the application security practice. Then surrounding those areas, we have -- there are several other areas that security fits in. We have networking, we have cloud management platforms that have been kind of jumping into security.
So it's an interesting area to grow into in the context of figuring out adjacencies to security. Now I didn't make a proper introduction. Part of my coverage is the end point space as well, and I see similarities between a lot of the cloud security coverage and, in some cases, the end point coverage in that it becomes a use case for different market adjacencies. The other way to look at this is when you compare the more common industry terminology about what things fit where, here's how we see them aligning, right? So CWPP and CSPM kind of align with the workload and platform. The notion of CASB or more recently, SaaS security posture management, aligns to SaaS, identity as a service does apply in there, and then cloud identity and entitlements is the linkage between identity straight up to the platform. So the heart of the matter is that between Garrett and I, we look at the core cloud security areas. So what have we seen happen? And I'd like to position it in the context of digital transformation. Why is that? Because we are seeing that enterprises are basically -- we've moved past the point where cloud is "new." We're now adapting it as one more environment where we're doing things. And one of the concerns we always hear is, "Oh, no. No one cares about security." Kind of like Dan Kennedy said on his session that I liked. Allow me to dispel that myth here, right? When we ask IT practitioners -- not security. When we ask IT practitioners what is their top-level business concern, invariably, security is either #1 or #2, depending on how we're looking at this. So this is a scenario where there is profound interest in applying security controls the right way to how we're going to do cloud. The other thing that I think is very interesting in the context of digital transformation is that we have -- organizations have developed a more nuanced view of what that transformation looks like.
Here, we ask people how they are going to achieve modernizing their environment and we asked them in 2019 and 2020. And again, general IT practitioners, and I call your attention to 2 things. First of all, the number of people who said that they were going to primarily lift and shift workloads to cloud dropped significantly. But there was no one clear winner between modernizing on-premises and modernizing refactoring and shifting to cloud. So this already starts to point to an interesting scenario where the challenge for cloud professional -- for cloud security now becomes not only security in the cloud environment itself, fine, but also, to some extent, tying that to the on-premises environment where we can. So with that in mind, so those 2 things, let's just take a look at what we're seeing in terms of adoption trends. It's interesting that in many of our presentations, we've all chosen to use this chart independently, right? And you may have seen it on our keynote, you may have seen it during Garrett's session, here the point is similar, right? What we are seeing is that there is a majority -- or I should say, there is a clear indication that people are responding to how they are deploying their workloads in the future differently. So we have a large proportion adopting SaaS. We have a large proportion adopting IaaS and so on. So going back to that point, the idea that the work is going to be more distributed across environments. The thing I want to call out, though, and it's one chart that fascinated me when I first came across it on our research, it's this one. This one comes from our DevOps practitioner studies, right? And you may have caught Jay Lyman's session last week at the HCTS. But this here, we ask practitioners, how are they managing their DevOps processes within organizations. And when I first saw this, I was -- it was really striking because as you can see here, 49% of respondents -- and these were DevOps practitioners. 
These were not security practitioners only. These were not general IT. These were DevOps practitioners. They responded that we are -- that -- half of them responded that the processes are managed within the different business units and the central organization is aware of them, whereas in -- 47 indicated that it's all done centrally. This, to me, speaks to a major challenge for security professionals, which is coordination across such a large number of disparate stakeholders all over the organization. With that in mind, let's move on then to just positioning the cloud security concerns, and then we can get into our panel in a couple of minutes. So switching to how we ask security practitioners why it is that they are concerned about cloud. And this comes from the study that Dan Kennedy does with budget and outlook, surveyed late last year. The new survey is on the field now. We ask them, what are they concerned with about cloud? Think about all those work that's being distributed. Well, the question -- the top 3 areas that they respond with is that they are concerned about loss of control of sensitive data and this applies to -- and this can apply just as easily to SaaS as it can to IaaS and PaaS, right? They are concerned with lack of all visibility, in other words, validating that whatever infrastructure is out there, we don't know. They are validating that the controls are in place for that. And then the top -- and the third option is compliance related, which -- we look at compliance as how do we -- as a cloud security team, whatever, how do we then turn the information we have around and give it to a third party that wants to validate our compliance. In other words, how do we prove compliance for our own environment? And here's the question where sometimes people will say, "No, hold on a second. This is where I expect my cloud provider to come in. Isn't that the shared responsibility model?" And yes, it is. 
But I like to call out that there is a more nuanced shared responsibility model discussion to be had. And this is very similar to what you see across all cloud providers who present a shared responsibility model message, but the difference here is that we are highlighting that there are things that are always customer responsibility. Usually some of the shared responsibility models, they are a little more tactical about, okay, what kind of controls are the customer responsibilities? What kind of controls are ours? We wanted to call out that there is a much bigger piece that is -- strategically belongs to the customer, right? So with that in mind, thank you for the -- for sitting through the explanation. Now I want to bring in our panelists. So Garrett, Knox and Varun, let's see if the video thing is going to work. The video thing is working perfectly. Thank you. So I see Varun on the line. Knox, Garrett?
Fernando Montenegro
Hello, everybody. So in our sessions, we were -- sorry, just a second. Let's switch over to questions. And the first question I want to throw out -- and Garrett, I'll -- if you have something with a SaaS perspective. What -- we've been covering this space for a while. What key lessons do you think we have all learned from the beginning in terms of the evolution of cloud security? I'll go to -- Garrett, I'll let you go first, and then Varun and Knox, if that's okay. So we have about 5 minutes. I budgeted about 5 -- I'm going to try to do this as a moderator. I'm not cutting anyone's mic, right? But I'll gently prod people along if we start running long. I know we'll have a good conversation. Sorry, guys. Go ahead.
Garrett Bekker
Yes. No, I think -- it's a tough one. I think there's a couple of challenges that I've seen. One, I'm glad you pointed out. I think initially, there's confusion of what cloud security means, right? Is it for the cloud? Is it from the cloud? That's been one of the challenges. I think the other one is if you look at -- I mentioned in my session and I can elaborate on a little bit more. It's been fairly common throughout the security industry for the last few years to talk about the number of tools that the average enterprise has to use for security, right? They've got firewalls and AV and all these various things. And anecdotally, we've perhaps all heard examples of the enterprise that's got 30 different security tools or 40 different security tools. For me, I think one of the biggest challenges is that, again, despite all the wonderful benefits of the cloud, cloud security and securing clouds is an additive problem, right? It's not mutually exclusive. So if you're dealing with 30 or 40 different vendors for on-prem, we've got tons of data that shows -- and I think you mentioned earlier, most firms are hybrid. Well, that means whatever you need to do, your cloud security is just additive on top of that. And I think that's been one of the challenges historically so far. I think for me, within SaaS, it's a slightly different problem than in the public cloud world because you've arguably got 10 different -- sorry, 10,000 potential different SaaS apps out there, right? And since you can't touch that, securing them all becomes a really big problem. And I'd say it's been one of the issues that I think has plagued a lot of the SaaS security vendors so far, is how to get coverage across different vendors. So I think that's part of it. And then again, it's just how can you cover all of it, and part of it becomes a discovery issue, too, right?
I mean at least on the SaaS part of things, discovery is a big issue, just knowing how many different SaaS apps and solving that so-called shadow IT problems has been a big issue, right? Now the proverbial example is a CSO. You go into a CSO and you run a scan, and he thinks he's or she thinks is running 10 different SaaS apps and it turns out it's about 800. So don't want to go -- I'll stop there.
Fernando Montenegro
Yes. We see some of that with -- on the IaaS and PaaS side now. I think that Varun or Knox, like, to the extent that we see, container sprawl or cluster sprawl or VM sprawl. So Varun, any thoughts?
Varun Badhwar
Yes, sure. So I think the first evolution for cloud -- kind of the early cloud migraines was just understanding the notion of shared responsibility and where to draw the line, right? I think in a lot of the sales pitch from the cloud providers, they were hearing that, oh, look, the whole stack is taken care of, security is taken care of. But as we saw the inversions of a number of different cloud breaches, you realize that majority of them were based on configuration errors by customers, by users. And I think there's a misconception. I mean to your point, on the data you see, people are very nervous about cloud security, but all the data we have to show so far, the cloud providers have done a fine job of providing the capabilities for customers to consume. But unfortunately, the consumers of cloud platforms like AWS are struggling because of a few different reasons: One is lack of education. There's a lot of excitement to move into the cloud and do it very, very quickly. But you don't understand all the implications of these new cloud architectures and how security groups work compared to how your traditional firewalls work. So that's kind of one set of problems. I think the other is just speed of change. I think traditionally, a lot of customers thought security would be handled the same way as it was on-prem, there would be a SOC stock, it would receive alerts, it'd be a single same dashboard where you'd see all of it. And you quickly realize that the velocity at which you're going to receive alerts from the cloud because of the speed of change is way too high than you prepared to understand and react. And Part B of that problem is the SOC analysts aren't cloud experts. They don't have the application context. So what do you do with these alerts, right?
So I think kind of the industry has really quickly had to evolve to figure out: a, what are the things I need to care for about security; and b, actually how do I deploy capabilities for cloud security in a manner that scales with my business and my growth in the cloud.
Fernando Montenegro
Perfect. Knox, I'll go to you and then we can speed up on other questions.
Knox Anderson
Yes. And that speed of change really goes back to the organizational shift that has to occur as much as it is a technology shift and moving to the whole way that you build and deploy apps is completely different as well. So when change management used to be one of security's best friends, that doesn't exist anymore. And so you need to do more things like make security into your pipeline, get developers involved, get operations teams involved. And it's more of a kind of organizational-wide holistic approach that you're taking versus security being in different silos. And so that's something we've -- that speed really is pushing more of a secure DevOps approach that everyone really needs to buy into.
Fernando Montenegro
Perfect. That's -- we see some data -- too bad we can't show all the data that we have, but we have some interesting data on how stakeholder -- how security is being more collaborative with others and so on. With that in mind, what have you seen in terms of more immediate pain points as customers are coming to you? I'll -- Knox, I'll ask you first and then Varun in terms of what are -- when customers are coming to you, what are -- what's common in terms of pain points for them?
Knox Anderson
It's -- on the container and cloud side, it really starts a lot with visibility. So I don't know what's running inside my containers. I used to use Odyssey and these Linux environments. How is this going to work in my container environment? And then the application level context is something that also really needs to carry through to your vulnerability management teams, like Varun mentioned, your SOC teams. So now every finding needs to be surfaced against a cluster, a namespace, the cloud region, a pod. So that whole enrichment process and how do you actually make sense of all the alerts that are coming in, tie those to the proper teams, flow that back is a huge pain that we see as this Kubernetes platform grows, where you could have hundreds of different teams on the same set of shared resources. So that's a clear pain point that's only getting worse as I've seen kind of Kubernetes platforms grow.
Fernando Montenegro
Thanks. Absolutely. We've seen it with -- we've seen lots of growth on -- sorry, Varun, go ahead.
Varun Badhwar
Yes, no, I'd like to expand on that. I mean I think we've talked on containers. But you expand the visibility problem, it occurs everywhere. I mean I've talked to hundreds and hundreds of security teams and not one has been able to confidently answer a very simple question I ask, which is do you even know what workloads and applications are running in the cloud, whether those are S3 buckets or how many databases do you have running in the cloud? How many users and access keys do you have floating around for access information to the cloud? People just don't have a system of record and fundamentally, you can't secure what you can't see. So this whole asset problem is something that is actually not very glorious. Back in the day, we used to talk about a configuration management database. Well, what's your CMDB for the cloud? Like what's your source of truth? And you know what makes it harder is a source of should -- there's no steady state. What happened this morning at 9 a.m. is very different than what's happening now at 11:30 a.m. in your environment. And so you've got to have an asset inventory system that continues to be evolving. The second piece is really auditability of these environments and compliance. Like none of the compliance standards besides CIS were ever written for the cloud world, right? GDPR, CCPA, PCI, HIPAA, like nothing was. So who's responsible for taking abstract control framework and making them specific to every cloud provider in every service. That's extremely difficult to do. It takes an army of people to do that if you try to do it yourself. And kind of extending on this problem is the auditability. When your auditors come into your environment, they're not asking you, "Show me what's happening." Now they say, "My period of performance for an audit is last 6 months. Prove to me that you had the controls in place working effectively back then." Again, I need to be able to answer those fundamental questions.
So I think going back to the basics, customers are asking for a CMDB for the cloud. Customers are asking for somebody to make it really easy, give them the easy button on compliance and auditability. And last, but not the least, they're asking for guardrails for the developers. I think they have recognized they can't stop their development team from moving fast in the cloud. So now the question is, how do I put those kind of bowling alleys and bumper lanes so you don't have a gutter ball in cloud security because if you try to make a mistake, I'll bring you right back on course.
Fernando Montenegro
Yes. I think that the gutter ball thing resonates with me. I -- we should not bowl together ever, right? Garrett, I think we've talked about this in the past as well. I think you like the topic as well, right?
Garrett Bekker
Yes. Yes. So just on the SaaS side of things, I think, initially, the big pain point, I think it still is, to a large degree, is data, right, because it's a different model, shared responsibility. One of your biggest concerns on the SaaS side is your data, right? And I think initially, it sort of shifted over time. Initially, the problem was, hey, let's throw encryption into the SaaS app, right? And I think there were 2 problems there. One is, it didn't work very well, right. It tended to break app functionality and so everyone hated it. And for two, nobody really wanted to pay for it because I think what they realized there wasn't as much of an appetite for encryption of data and SaaS apps as we initially thought. But I think over time, it shifted a little bit. Your data point showed, right, loss of sensitive data, still one of the biggest issues. And if we look at CASB, which is one of the biggest security controls for SaaS apps, our survey data shows, you may recall, pretty consistently that DLP is one of the top ways to deal with that. And I think it's partly, it goes a little bit to Varun's point, is people are concerned, first and foremost, about where my data is, right?
Varun Badhwar
And what they have.
Garrett Bekker
Exactly. And a lot of people just don't have a handle on that. So I think that's a necessary first step. I think it also -- same with apps, right, again, talking earlier about the shadow IT problem. A lot of firms also don't know what sort of apps are out there. But I think, yes, getting control over that sensitive data in the SaaS world, I think, is one of the biggest pain points. And to some extent, it's also shifting a little bit too to permissions, right, and access is becoming a bigger issue as well. What have I done to potentially accidentally expose data in Salesforce or something like that. So that's basically my thoughts on that.
Fernando Montenegro
No, that's perfect. And then we'll get into the -- where things are going towards the end here. Now as -- and as both of you have indicated, all of you have indicated, really, the interaction between different stakeholders within a particular organization, right? How are you seeing this effect? How customers are procuring? And how customers are purchasing technology for doing that? What kind of changes are you seeing on the stakeholders in terms of security for cloud environments? Varun, I'll just...
Varun Badhwar
Yes, yes, yes. Happy to kick things off. So there's a few things happening, right? Again, kind of what I call the cloud security 1.0 buyers that started maybe 3, 4 years ago, they were still very verticalized, meaning you had somebody just looking at compliance, you had somebody looking at network security for the cloud, somebody looking for vulnerability scanning for the cloud. And the cloud security 2.0 buyers are integrated into what commonly is being called Cloud COE, Cloud Center of Excellence or cloud engineering teams or cloud operations team, where what organizations have quickly discovered is a siloed approach to making decisions, implementing tools doesn't work. You don't have the time to do it. The level of automation you're going to need to support and deploy these tools is just -- the requirements are way different today. And so I'm really happy to see this advent of the cloud engineering and Cloud COE teams. I think what we're seeing is there are representatives from security, there are representatives from operations, DevOps, all of them. And I think this is kind of leading to what commonly is used and sometimes abused as the term DevSecOps. Is it a title? Is it people? Is it a graduate degree? I mean I think it's a combination of things that is bringing responsibilities for development, operations and security into a common organizational framework to do it. So that's kind of what we see. I think interestingly, in cloud security, the purchasing decisions we see are really -- primarily 1 of 2 starting points anyway. It's either cloud security posture management, which is that visibility, guardrails, governance, at least get me started with cloud fundamentals. Those decisions typically still be part of the security architecture within the CSO org. And then we're seeing, obviously, more container and application security-centric conversations, which are very heavily kind of DevOps-centered. And I won't steal Knox's thunder.
Maybe, Knox, I'll pass it over to you.
Knox Anderson
Yes. So Sysdig, because we kind of come in a unique place where we handle both monitoring and security use cases, we're interacting with those DevOps buyers a lot. And I totally agree with Varun, where you're now seeing this cloud org or this cloud team. And specifically within Kubernetes, you're starting to see this new persona called the cluster operator, who's in charge of the health, the compliance, the security and the reliability of these Kubernetes clusters. And so they really need to go in and get a tool that says, all right, if a cluster role with write privileges is created that maps to PCI 10.2, mentioning a lot of the easy guardrails around compliance. So it's the same types of problems, but you need to solve it really in a more holistic fashion because one of the things that we're seeing a lot of within Kubernetes is many, many different sidecars being deployed. And so if you're going to get visibility, why not use that visibility for both security instrumentation, monitoring instrumentation and kind of solve that cluster visibility problem on the DevOps and the security side.
Fernando Montenegro
Sure. So looking at data in a more -- looking at telemetry in a more holistic way kind of thing, right? Okay. Moving on, now one of the things that always happens with providers is that we see the cloud providers themselves, right? They are very vocal about adding the capability that they feel they need. And they do partner with organizations such as yours, and there's certainly a role for multiple stakeholders in this ecosystem. How have you seen the -- where do you see the providers providing a capability and you adding on top or you adding differently? How do you work alongside the providers as they move along on this? And Knox, I'll start with you if that's okay.
Knox Anderson
Yes. So there's some interesting things that providers have been doing. So if you look at each provider, like they basically are all trying to build their own SIEM now. The security hub. They've moved cloud security [ infrastructure ] and that's a place where kind of it's just an additional place where you can send findings, similar to what you have done with Splunk or QRadar in the past. So one of the nice things is there's a lot of good remediation workflows that then you can build on top of the data that you're sharing with those cloud providers. So that's where it's kind of been augmenting and extending what the cloud providers could provide. One of the other interesting things that you've seen a lot in the past couple of years is just cloud providers taking open-source tools, repackaging them. So if you look at like Amazon and what they're doing for container scanning, it's running Clair under the hood, but they have similar coverage for non-OS packaged vulnerabilities. And so that's where both Sysdig and Prisma will come in and kind of give you those additional workflows and capabilities on top of kind of -- some of the bare minimum coverage that the cloud provider gives you.
Fernando Montenegro
Okay. No, that's -- Varun?
Varun Badhwar
Yes, sorry. I was just going to pick up from there. The way I like to describe it is we pick up from where the cloud providers leave off. And what I really mean is cloud providers are really good at providing a lot of raw feeds and feeds of data, telemetry, analytics and other things. But it's really left up to the customer to convert those to enterprise solutions that solve different use cases, right? Take AWS. You have VPC flow logs. Flow logs, if anybody's looked at it and appreciate it, are painful to understand. So when correlated correctly with a lot of other types of information, it provides a lot of meaningful information. So that's kind of one area, which is cloud providers are good at providing data, but not enterprise-class security solutions. The other part is multi-cloud, right? Frankly, I think we've seen the data. 8 out of 10 enterprises are 2 or more -- in 2 or more clouds. So nobody wants to go develop a stack for one cloud. And we talk to a lot of customers. They will spend like 2 years, 3 years developing on 1 stack. And then over time, realizing, "Oh, shoot, my -- we just acquired a company that's now in GCP or Azure and my tools don't work there. What do I do? Do I spend another 2 years kind of porting over?" So I think it's a problem that most enterprises are recognizing. And we love to partner with the cloud providers and take what they give us and build from there.
Fernando Montenegro
Yes. No, I understand it. It's too bad that we don't have more time. We have more data on how that usage is distributed. Garrett, you had a comment as well on this? We talked about this before.
Garrett Bekker
Yes. Just a quick one, too. I was going to mention, too. And I agree, the multi-cloud one is a big one for me, right, as that's the biggest challenge, I think, and the biggest need for the separate, independent, neutral third-party cloud security vendor. Just a minor point, too. I think to some extent, we tend to be fairly North American-centric when we look at this, right? It's -- we only talk about GCP and AWS and Azure, right? I get how big they are, but don't forget also we got Tencent, we got Ali Cloud and other stuff out there as well. And I think that just magnifies the problem a little bit.
Fernando Montenegro
Yes. No, I think that, yes, the global nature of providers shifts a bit and that forces us to make choices. I'll just move quickly. Knox, you brought up open source as a capability. One of the things that we feel a lot of is interest in open-source technology. I think that we've had pickups recently on OPA and others and BPF. And I know that, for example, in the case of Sysdig, you have Falco as well. So how are you seeing this transition between an open-source interest into the broader -- into the supported commercial type of offerings? How are you seeing customers make that transition?
Knox Anderson
Yes. One of the things that we see from a lot of DevOps teams is, "Hey, try something open source first. And if that doesn't work for you, then look at a paid solution." So that's one where really kind of -- the future is open source. There's a lot of people building workflows around either -- whether it's Prometheus on the monitoring side, Falco, OPA, Anchore for image scanning. So many different open-source building blocks. And then kind of when you get to the enterprise level, just doing something simple, like, okay, I need to have [ RBAC ] enrolled across who can set up a Falco policy or how do we want to have single sign-on to the dashboards? And things like that, where building that in-house, someone like Uber might do it, your traditional enterprise mall. And open source really kind of gets you going and is a good way to kind of share and augment those communities. So Falco, for example -- AWS has seen a lot of interest from end customers to run Falco and party. And then -- so they'll do work to make sure that Falco can work in those environments. So it also provides kind of a good way to get instrumentation anywhere that anyone can use and kind of have a single engine that works across clouds or in different environments.
Fernando Montenegro
attendeeBringing back to multi-cloud use case, for sure. Yes. Varun?
Varun Badhwar
attendeeYes. There's no good healthy panel without some level of disagreement. I'd say that...
Fernando Montenegro
attendeeIt's perfect.
Varun Badhwar
attendeeThe part of that is, I would say, yes, I agree, right? I think a lot of open source is experimental in nature. And I'll take an example, Netflix. Security Monkey was a very, very popular open-source project way back when before people started thinking about cloud security. And when multi-cloud came in and scale challenges came in, it kind of -- it was sunset. And so I think open source was a great thing to get started. I agree with Knox on that. But I think very quickly, when you're looking for enterprise-class solutions, enterprise-grade solutions, there's just a lot of work that needs to get done, whether it's around compliance, whether it's around tracing, policy, automation, remediation that then customers need to go find commercial equivalents for.
Fernando Montenegro
attendeeFair point. Yes, there's -- you don't -- customers don't know what they don't know early on, right, kind of thing. So they did progressively. So making sure we are okay on time. I'll hit you with -- each one of you specifically for -- okay. 2020, I'm not going to -- the fact that you didn't mention COVID, I think it's relevant in the context of cloud security. We see some effect, but it's more of a smaller bump. Projects are still going on. My question to you is, what's next? What do the next -- what does the next little while look like in terms of evolution of cloud security in your environment, Varun?
Varun Badhwar
attendeeYes. I think a couple of things. One is most organizations are embracing multi-cloud and avoiding vendor lock-in, right? So Kubernetes is very popular because it avoids vendor lock-in. And so I think just like people are avoiding vendor lock-in, they're also avoiding kind of security tooling lock-in. So I think most are embracing organically or through M&A to have multi-cloud environment. So that's one part of that. I think the other's really the full life cycle part of security. For the last many years, people were pushing to go through console to the cloud provider and then pushing kind of infrastructure that way. Now everything is getting codified with Terraform, with CloudFormation. And so traditionally, when we talk about shift left, we think about application security. I think today's shift left needs to be application plus infrastructure security. And just like you want to bring code scanning and image scanning and everything left, you need to put in infrastructure-as-code scanning left and have visibility engaged across the entire life cycle from a developer's laptop to the CI/CD tools all the way into run time.
Fernando Montenegro
attendeeOkay. So a more comprehensive life cycle thing. Knox?
Knox Anderson
attendeeYes. So as much as people focus on shift left, I think a lot of people have forgotten about the right side of the equation. So when -- one of the questions we always ask customers, and similar to what Varun has said earlier, you never get an answer to it, what's your incident response strategy for containers and cloud environments? That no one really has a good handle on. If, okay, there's an incident in my container environment, what do I do in terms of collecting data, performing forensics? So definitely seeing an increased focus on that. And as these environments get to a larger scale, that's going to be something that you really need to have as part of your strategy. And then the second thing that COVID has definitely pushed is deploying on-prem software is something that no one's going to want to do as far as consuming security solutions. So what you're looking for on the customer side is, "I need SaaS for security. I don't want to have to deploy anything to use your product," and that's something where SaaS will win 10 times out of 10 going forward.
Fernando Montenegro
attendeeOkay. Garrett, a couple of thoughts?
Garrett Bekker
attendeeYes. Real quick on the SaaS side of things. I think the main thing, the biggest initiative in the past few years has been CASB, the cloud access security broker. And I think arguably -- maybe it's not controversial at this point. But arguably, CASB is going away as a stand-alone category. And I think a lot of the CASB vendors have already been acquired by bigger security players. But I think the CASB category is slowly getting the Zero Trust thing or, dare I say, the new buzzword that's been popular this year, SASE. I'm blanking here. I mean what's -- SASE means Secure Access Service Edge. There we go. And I think the essential idea there is that in this highly distributed world, right, where apps are highly distributed, users are highly distributed, et cetera, how do we somehow think about enforcing policy? And do we push that out to the edge along with access and what have you? But I think the other big one is one that you and I have talked about beyond CASB is this idea of managing all the permissions that you can have in a SaaS app, right? There can potentially be hundreds of thousands of permissions and it's very easy to miss a setting or a config that can lead to some exposed data. So I think that's an emerging area. And I think that's going to be one of the next battlegrounds sort of akin to we had CSPM for public cloud, IaaS and PaaS, and I think we're seeing the same thing on the SaaS side as well.
Fernando Montenegro
attendeeYes. No, I think that it points to that chart we showed earlier with different areas popping up in terms of how we're doing entitlements, how we're managing permissions in a more complex environment. We had a couple of questions coming in the queue, but I noticed that Varun was -- kind of preempted the questions he's answering. I think we got to the -- so the people are -- seem to focus -- thank you for commenting on Varun's response. Gentlemen, we're just at the end of time. I want to thank you all. Thank you both for the collaboration. I want to thank you both for the conversation. I think that we did -- the fact that we covered different elements of both SaaS and IaaS and PaaS, and we touched on a number of different technologies, it speaks to the complexity that customers are dealing with and the kind of effort that they have to put. Before I wrap up, again, I want to thank everyone for attending. I will now pass it on to Eric Hanselman, who is going to bring the closing remarks for the day. Eric, all yours.
Eric Hanselman
attendeeThanks, Fernando, and thank you to you and your panelists for a great closing session. This has been quite a day, and it does close out our third day of the 451 Research hosting Cloud Transformation Summit. We covered a lot of ground today. And I hope that you had a chance to catch all the sessions. To recap, Scott Crawford and Dan Kennedy looked at how security is becoming less of an inhibitor to cloud adoption. One of it's actually heard in the panel just now as there's a better understanding of the realities of shared security models. They also looked at the complexities of VPN use. 77% of Voice of the Enterprise respondents were indicating that at least some security controls aren't in place when users are actually outside of a VPN connection. Interesting perspectives in some of the balance between VPN capacity. Aaron Sherrill's panel explored some interesting points around the infinite game that is security. That included the idea that security technology is advancing so rapidly that service providers as well as managed security providers need to expect that they'll have to partner for at least some of their offerings in order to be competitive. There are a whole set of other things they dug into in that panel as well. Some really interesting ideas got kicked back and forth. Actually, in Garrett's panel, just prior to this, the fog around the definition of Zero Trust was cleared at least a little bit and especially talking around work-from-home access requirements. It's not cut and dried, but there is a transition towards Zero Trust from traditional VPN that's well underway and various aspects about how long that's going to take and what that transition is actually going to be composed of. And of course, you just heard, cloud security approaches are evolving and the debate is whether or not they're evolving as rapidly, as necessarily as they need to, or at the level at which enterprises need to deploy them in order to keep themselves secure. 
If you missed any of this, they are all available on replay in the auditorium. We have 3 more days of insightful presentations, enlightening panel discussions and opportunities to connect with your peers. Join us the day after tomorrow, Thursday, 15th of October, where I'll pass the hosting baton to my colleague, Csilla Zsigri, who'll lead you through a day focusing on data analytics. The 2 final sessions are Tuesday and Thursday of next week, covering edge computing, customer experience and digital transformation. Be sure to mark your calendars. Also, please complete the feedback surveys for today for each of the sessions you've attended. This is our first year going virtual, and we want to get your feedback to ensure that we're getting all the information that you need. We'd also like to thank all of our sponsors who have made all of this possible. I hope that you have a great rest of your day, and look forward to seeing you on Thursday.