(bright upbeat music) >> Welcome back, everybody, to the Supercloud 2. My name is Dave Vellante. And I'm pleased to welcome Nir Zuk. He's the founder and CTO of Palo Alto Networks. Nir, good to see you again. Welcome. >> Same here. Good to see you. >> So let's start with the right security architecture in the context of today's fragmented market. You've got a lot of different tools, you've got different locations, on-prem, you've got hardware and software. Tell us about the right security architecture from your standpoint. What's that look like? >> You know, the funny thing is using the word security in architecture rarely works together. (Dave chuckles) If you ask a typical information security person to step up to a whiteboard and draw their security architecture, they will look at you as if you fell from the moon. I mean, haven't you been here in the last 25 years? There's no security architecture. The architecture today is just buying a bunch of products and dropping them into the infrastructure at some relatively random way without really any guiding architecture. And that's a huge challenge in cybersecurity. It's always been, we've always tried to find ways to put an architecture into writing blueprints, whatever you want to call it, and it's always been difficult. Luckily, two things. First, there's something called zero trust, which we can talk a little bit about more, if you want, and zero trust among other things is really a way to create a security architecture, and second, because in the cloud, in the supercloud, we're starting from scratch, we can do things differently. We don't have to follow the way we've always done cybersecurity, again, buying random products, okay, maybe not random, maybe there is some thinking going into it by buying products, one of the other, dropping them in, and doing it over 20 years and ending up with a mess in the cloud, we have an opportunity to do it differently and really have an architecture. >> You know, I love talking to founders and particularly technical founders from StartupNation. I think I saw an article, I think it was Erie Levine, one of the founders or co-founders of Waze, and he had a t-shirt on, it said, "Fall in love with the problem, not the solution." Is that how you approached architecture? You talk about zero trust, it's a relatively new term, but was that in your head when you thought about forming the company? >> Yeah, so when I started Palo Alto Networks, exactly, by the way, 17 years ago, we got funded January, 2006, January 18th, 2006. The idea behind Palo Alto Networks was to create a security platform and over time take more and more cybersecurity functions and deliver them on top of that platform, by the way, as a service, SaaS. Everybody thought we were crazy trying to combine many functions into one platform, best of breed and defense in death and putting all your eggs in the same basket and a bunch of other slogans were flying around, and also everybody thought we were crazy asking customers to send information to the cloud in order to secure themselves. Of course, step forward 17 years, everything is now different. We changed the market. Almost all of cybersecurity today is delivered as SaaS and platforms are ruling more and more the world. And so again, the idea behind the platform was to over time take more and more cybersecurity functions and deliver them together, one brain, one decision being made for each and every packet or system call or file or whatever it is that you're making the decision about and it works really, really well. As a side effect, when you combine that with zero trust and you end up with, let's not call it an architecture yet. You end up with with something where any user, any location, both geographically as well as any location in terms of branch office, headquarters, home, coffee shop, hotel, whatever, so any user, any geographical location, any location, any connectivity method, whether it is SD1 or IPsec or Client VPN or Client SVPN or proxy or browser isolation or whatever and any application deployed anywhere, public cloud, private cloud, traditional data center, SaaS, you secure the same way. That's really zero trust, right? You secure everything, no matter who the user is, no matter where they are, no matter where they go, you secure them exactly the same way. You don't make any assumptions about the user or the application or the location or whatever, just because you trust nothing. And as a side effect, when you do that, you end up with a security architecture, the security architecture I just described. The same thing is true for securing applications. If you try to really think and not just act instinctively the way we usually do in cybersecurity and you say, I'm going to secure my traditional data center applications or private cloud applications and public cloud applications and my SaaS applications the same way, I'm not going to trust something just because it's deployed in the private data center. I'm not going to trust two components of an application or two applications talking to each other just because they're deployed in the same place versus if one component is deployed in one public cloud and the other component is deployed in another public cloud or private cloud or whatever. I'm going to secure all of them the same way without making any trust assumptions. You end up with an architecture for securing your applications, which is applicable for the supercloud. >> It was very interesting. There's a debate I want to pick up on what you said because you said don't call it an architecture yet. So Bob Muglia, I dunno if you know Bob, but he sort of started the debate, said, "Supercloud, think of it as a platform, not an architecture." And there are others that are saying, "No, no, if we do that, then we're going to have a bunch of more stove pipes. So there needs to be standard, almost a purist view. There needs to be a supercloud architecture." So how do you think about it? And it's a bit academic, I know, but do you think of this idea of a supercloud, this layer of value on top of the hyperscalers, do you think of that as a platform approach that each of the individual vendors are responsible for the architecture? Or is there some kind of overriding architecture of standards that needs to emerge to enable the supercloud? >> So we can talk academically or we can talk practically. >> Yeah, let's talk practically. That's who you are. (Dave laughs) >> Practically, this world is ruled by financial interests and none of the public cloud providers, especially the bigger they are has any interest of making it easy for anyone to go multi-cloud, okay? Also, on top of that, if we want to be even more practical, each of those large cloud providers, cloud scale providers have engineers and all these engineers think they're the best in the world, which they are and they all like to do things differently. So you can't expect things in AWS and in Azure and GCP and in the other clouds like Oracle and Ali and so on to be the same. They're not going to be the same. And some things can be abstracted. Maybe cloud storage or bucket storage can be abstracted with the layer that makes them look the same no matter where you're running. And some things cannot be abstracted and unfortunately will not be abstracted because the economical interest and the way engineers work won't let it happen. We as a third party provider, cybersecurity provider, and I'm sure other providers in other areas as well are trying or we're doing our best. We're not trying, we are doing our best, and it's pretty close to being the way you describe the top of your supercloud. We're building something that abstracts the underlying cloud such that securing each of these clouds, and by the way, I would add private cloud to it as well, looks exactly the same. So we use, almost always, whenever possible, the same terminology, no matter which cloud we're securing and the same policy and the same alerts and the same information and so on. And that's also very important because when you look at the people that actually end up using the product, security engineers and more importantly, SOC, security operations center analysts, they're not going to study the details of each and every cloud. It's just going to be too much. So we need to abstract it for them. >> Yeah, we agree by the way that the supercloud definition is inclusive of on-prem, you know, what you call private cloud. And I want to pick up on something else you said. I think you're right that abstracting and making consistent across clouds something like object storage, get put, you know, whether it's an S3 bucket or an Azure Blob, relatively speaking trivial. When you now bring that supercloud concept to something more complex like security, first of all, as a technically feasible and inferring the answer there is yes, and if so, what do you see as the main technical challenges of doing so? >> So it is feasible to the extent that the different cloud provide the same functionality. Then you step into a territory where different cloud providers have different paths services and different cloud providers do things a little bit differently and they have different sets of permissions and different logging that sometimes provides all the information and sometimes it doesn't. So you end up with some differences. And then the question is, do you abstract the lowest common dominator and that's all you support? Or do you find a way to be smarter than that? And yeah, whatever can be abstracted is abstracted and whatever cannot be abstracted, you find an easy way to represent that to your users, security engineers, security analysts, and so on, which is what I believe we do. >> And you do that by what? Inventing or developing technology that presents that experience to users? Could you be more specific there? >> Yeah, so different cloud providers call their storage in different names and you use different ways to configure them and the logs come out the same. So we normalize it. I mean, the keyword is probably normalization. Normalize it. And we try to, you know, then you have to pick a winner here and to use someone's terminology or you need to invent new terminology. So we try to use the terminology of the largest cloud provider so that we have a better chance of doing that but we can't always do that because they don't support everything that other cloud providers provide, but the important thing is, with or thanks to that normalization, our customers both on the engineering side and on the user side, operations side end up having to learn one terminology in order to set policies and understand attacks and investigate incidents. >> I wonder if I could pick your brain on what you see as the ideal deployment model to achieve this supercloud experience. For example, do you think instantiating your stack in multiple regions and multiple clouds is the right way to do it? Or is building a single global instance on top of the clouds a more preferable way? Are maybe other models we should consider? What do you see as the trade off of these different deployment models and which one is ideal in your view? >> Yeah, so first, when you deploy cloud security, you have to decide whether you're going to use agents or not. By agents, I mean something working, something running inside the workload. Inside a virtual machine on the container host attached to function, serverless function and so on and I, of course, recommend using agents because that enables prevention, it enables functionality you cannot get without agents but you have to choose that. Now, of course, if you choose agent, you need to deploy AWS agents in AWS and GCP agents in GCP and Azure agents in Azure and so on. Of course, you don't do it manually. You do it through the CICD pipeline. And then the second thing that you need to do is you need to connect with the consoles. Of course, that can be done over the internet no matter where your security instances is running. You can run it on premise, you can run it in one of the other different clouds. Of course, we don't run it on premise. We prefer not to run it on premise because if you're secured in cloud, you might as well run in the cloud. And then the question is, for example, do you run a separate instance for AWS for GCP or for Azure, or you want to run one instance for all of them in one of these clouds? And there are advantages and disadvantages. I think that from a security perspective, it's always better to run in one place because then when you collect the information, you get information from all the clouds and you can start looking for cross-cloud issues, incidents, attacks, and so on. The downside of that is that you need to send all the information to one of the clouds and you probably know that sending data out of the cloud costs a lot of money versus keeping it in the cloud. So theoretically, you can build an architecture where you keep the data for AWS in AWS, Azure in Azure, GCP in GCP, and then you try to run distributed queries. When you do that, you find out you'd end up paying more for the compute to do that than you would've paid for sending all the data to a central location. So we prefer the approach of running in one place, bringing all the data there, and running all the security, the machine learning or whatever, the rules or whatever it is that you're running in one place versus trying to create a distributed deployment in order to try to save some money on the data, the network data transfers. >> Yeah, thank you for that. That makes a lot of sense. And so basically, should we think about the next layer building security data lake, if you will, and then running machine learning on top of that if I can use that term of a data lake or a lake house? Is that sort of where you're headed? >> Yeah, look, the world is headed in that direction, not just the cybersecurity world. The world is headed from being rule-based to being data-based. So cybersecurity is not different and what we used to do with rules in the past, we're now doing with machine learning. So in the past, you would define rules saying, if you see this, this, and this, it's an attack. Now you just throw the data at the machine, I mean, I'm simplifying it, but you throw data at a machine. You'll tell the machine, find the attack in the data. It's not that simple. You need to build the right machine learning models. It needs to be done by people that are both cybersecurity experts and machine learning experts. We do it mostly with ex-military offensive people that take their offensive knowledge and translate it into machine learning models. But look, the world is moving in that direction and cybersecurity is moving in that direction as well. You need to collect a lot of data. Like I said, I prefer to see all the data in one place so that the machine learning can be much more efficient, pay for transferring the data, save money on the compute. >> I think the drop the mic quote it ignite that you had was within five years, your security operation is going to be AI-powered. And so you could probably apply that to virtually any job over the next five years. >> I don't know if any job. Certainly writing essays for school is automated already as we've seen with ChatGPT and potentially other things. By the way, we need to talk at some point about ChatGPT security. I don't want to think what happens when someone spends a lot of money on creating a lot of fake content and teaches ChatGPT the wrong answer to a question. We start seeing ChatGPT as the oracle of everything. We need to figure out what to do with the security of that. But yeah, things have to be automated in cybersecurity. They have to be automated. They're just too much data to deal with and it's just not even close to being good enough to wait for an incident to happen and then going investigate the incident based on the data that we have. It's better to look at all the data all the time, millions of events per second, and find those incidents before they happen. There's no way to do that without machine learning. >> I'd love to have you back and talk about ChatGPT. I know they're trying to put in some guardrails but there are a lot of unintended consequences, aren't there? >> Look, if they're not going to have a person filtering the data, then with enough money, you can create thousands or tens of thousands of pieces of articles or whatever that look real and teach the machine something that is totally wrong. >> We were talking about the hyper skills before and I agree with you. It's very unlikely they're going to get together, band together, and create these standards. But it's not a static market. It's a moving train, if you will. So assuming you're building this cross cloud experience which you are, what do you want from the hyperscalers? What do you want them to bring to the table? What is a technology supplier like Palo Alto Networks bring? In other words, where do you see ongoing as your unique value add and that moat that you're building and how will that evolve over time vis-a-vis the hyperscaler evolution? >> Yeah, look, we need APIs. The more data we have, the more access we have to more data, the less restricted the access is and the cheaper the access is to the data because someone has to pay today for some reason for accessing that data, the more secure their customers are going to be. So we need help and are helping by the way a lot, all of them in finding easy ways for customers to deploy things in the cloud, access data, and again, a lot of data, very diversified data and do it in a cost-effective way. >> And when we talk about the edge, I presume you look at the edge as just another data center or maybe it's the reverse. Maybe the data center is just another edge location, but you're seeing specific edge security solutions come out. I'm guessing that you would say, that's not what we want. Edge should be part of that architecture that we talked about earlier. Do you agree? >> Correct, it should be part of the architecture. I would also say that the edge provides an opportunity specifically for network security, whereas traditional network security would be deployed on premise. I'm talking about internet security but half network security market, and not just network security but also the other network intelligent functions like routing and QS. We're seeing a trend of pushing those to the edge of the cloud. So what you deploy on premise is technology for bringing packets to the edge of the cloud and then you run your security at the edge, whatever that edge is, whether it's a private edge or public edge, you run it in the edge. It's called SASE, Secure Access Services Edge, pronounced SASE. >> Nir, I got to thank you so much. You're such a clear thinker. I really appreciate you participating in Supercloud 2. >> Thank you. >> All right, keep it right there for more content covering the future of cloud and data. This is Dave Vellante for John Furrier. I'll be right back. (bright upbeat music)