Palo Alto Networks (TICKER: PANW) Palo Alto Networks Inc Panw Ceo Nikesh Arora Presents Jpmorgan 49th Annual Global Technology
Palo Alto Networks, Inc. (NASDAQ:PANW) JPMorgan 49th Annual Global
Technology, Media and Communications Conference May 24, 2021 11:00 AM
ET
Company Participants
Nikesh Arora - Chairman and Chief Executive Officer
Conference Call Participants
Sterling Auty - JPMorgan
Sterling Auty
Thanks everyone for joining us for our next session here at the 48th
[ph] Annual Technology and Media and Communications Conference here
virtually and hopefully next year back in Boston. Fortunate to have
with us Nikesh Arora who is CEO Palo Alto Networks joining us for the
next session. Nikesh, thanks for joining me. I appreciate it.
Nikesh Arora
Thank you for having me, Sterling.
Sterling Auty
Alright, let's just get kicked off at a high level. Can you give us a
sense? How did the pandemic actually impact your business both
positively and negatively?
Nikesh Arora
Well Sterling, as you are aware, we had this conversation about a year
ago, where we talked about how every company had to figure out how to
get this remote work thing going. And many of us not just as others in
the industry offered a series of free trials, expansion of capacity, or
capability for our customers. And now we saw the early adoption, in the
first three to six months, we saw a lot of customers expand capacity,
try and sort of Band Aid a bunch of existing remote security solutions
for their employees. And as you know, depending on how you've
architected it, some things are available at home, some things are not
available at home depending on whether you are using a proxy based
architecture, you're allowing access to all of your proprietary apps or
not. And what's happened is post those first six months, what you're
seeing is you're beginning to see a ramp in adoption of people actually
taking this remote work, hybrid scenario as sort of your state. So you
have to make sure that everything is accessible from everywhere. I
think we're about to get into a more interesting challenge where in the
past - everybody had worked or everybody at home. Now, you've got to
make sure how do you create that first class citizen behavior for
everyone, wherever they work from, and that really requires one to dig
deep and re architect their network stack to make sure that that
battery is achieved.
And, it's a long way of saying is impacting a remote secure home
business sort of, very positively, obviously, what we've also seen as a
consequence of the pandemic is the technology adoption curve has sort
of accelerated because a lot of our colleagues, a lot of our companies
out there relied on technology to make it work. Your physical revenues
vanished in the first three, four months. And the only way you
supplemented anything was through the technology, sort of the online
mechanism, and that's required people to increase capacity there, too.
So I think all those things have been net positive for the security
industry, not to mention the recent cyber-attacks that we've been
witnessing.
On the flip side, I'd say that, because people are not physically in
the office, anything that requires a complicated deployment, and
complicated testing associated with large scales that are going to rip
and replace, is impacted, because people don't want to go take that
risk. On the other side, there are some companies who are saying, let's
use this as an opportunity. So there's ins and outs across the board,
but I'd say net positive for the industry.
Sterling Auty
Do you think that it created any tough compares on that kind of initial
capacity spend that you worry about in the coming quarters?
Nikesh Arora
Well, there's only one way to find out, I think, like it is puts in
there, there is a secular trend. And there's a cyclical trend. I think
a cyclical trend, obviously will create a on the margin, a bump, but I
think the secular trend to overweight, the cyclical trend.
Sterling Auty
Makes sense. Alright, I want to dive both into the cloud business and
the traditional on premise business. Let's start with the cloud
business. And I think investors sometimes get a little bit confused yet
next generation security. And you have clay sack. Can you describe the
difference between the two? And, is this something that you'll
normalize the description, maybe as you get into the next fiscal year?
Nikesh Arora
Ah, but a lot of us -- have a bunch of stuff in there. So let me go
back to first principles. As companies move to the cloud, you're moving
your applications to the cloud, either on your own stack, or you're
moving, some of them do SaaS applications, right. So what used to be in
the data center as a proprietary app or on-prem is now either in the
public cloud, or in the SaaS applications. How you get there, how you
get your applications is network security. And that, to me is next
generation security is how do I make sure that I can get to my cloud
through a firewall stack would the Prisma Access in our case, or I can
put a VM against a public cloud to make sure my traffic is protected?
That to me is next-generation; including hardware business that to me
is next generation security.
And when I look as a cloud business, there is one time on the public
cloud, how do I protect all the applications that are on the public
cloud? So that was this Prisma Cloud. And, AI application is, to me is
transformational songs. So in our business world, there's the network
security stack is getting replaced, the clouds needs to be secured. And
you need to make sure that you may that as the security evolves, we get
more and more images in our ability to remediate and detect what's
going on in your infrastructure.
So those are the three parts. We take the secondary parts the cloud and
AI business and collectively call it ClaiSec because that's kind of
falling in that new pattern, net new rhythm something new for us. The
existing business of network security is going through its own
transformation. As we highlighted, we have managed to in the last three
years convert 40% of our network security business software which
continues to grow over 20%
Sterling Auty
That's great. And then maybe before we go deeper into ClaiSec, you have
the target of the $1.15 billion in ARR, from next generation security
for the fiscal year, what are the things that give you the confidence?
And yeah, I know, you're smiling, because I think there was there was
that concern coming into this quarter right back end loaded the whole
nine yards, you reiterated the targets, you've got confidence that
you're going to hit it, you know, what are the elements that are
driving that confidence?
Nikesh Arora
Well, Sterling, we did 977 plus 973, plus seven, which we announced a
video on the first day of this quarter. So at 980, $170 million away.
Collectively, last quarter, we did about 140. So if you look that we
expect our Q4 billings to grow by 20% or 30%, from Q3, that 170 to 140
doesn't seem infeasible in the context of that compare. Having said
that, there are more importantly, what's driving that ARR business,
obviously, is our Prisma Access business, which is doing gangbusters
from our perspective, the business we were not in three years ago. And
we, partly luck, partly preparation has allowed our teams to be able to
really build that business, relative to all that growing out in the
market.
Our virtual firewalls are the best in the industry; they continue drive
growth, both in the cloud side and the data center use case side. We
can receive traction, the XDR space with; we made it to the Forrester
wave fastest any products ever gone from a standing start to making
this drop, right. On the first sort of wave report, we see continuous
traction with all the cyber activity going on at our expense business
we acquired. We're seeing a lot of interest in our Crypsis business,
although not all that falls into ARR.
So there have been cloud, if you add it all up, that is the next
generation of cyber security. And so far, so good. And again, there's
only one way to find out, but our teams are confident they see the
pipeline, they see the business upcoming, and we think we should, we
should be able to get as a target.
Sterling Auty
Alright, great. Just as a reminder for investors that are watching, if
you want to ask a question, there is a ask a question button on your
screen, you can click type in your question there; it will come through
to me. So diving into ClaiSec, can you give us a sense, what are the
biggest contributors to that ClaiSec revenue?
Nikesh Arora
Well, it's pretty simple. I know, ClaiSec is driven by Prisma, Cloud
and Cortex. So as Prisma Cloud, Cloud Security, it's kind of
fascinating. Two and a half years ago, we acquired RedLock, the
industry is like what is follow just networks doing cloud security.
What are we doing in RedLock purely on evidence and I can't tell you I,
every day I wake up, there's another company that's getting funded an
absurd valuation. We crossed $250 million in ARR this past quarter in
our cloud security business. I think that's about on a conservative
basis, 15 times to 20 times, anybody, our nearest competitor was a pure
play cloud security player, not counting obviously, whatever, AWS Azure
or GCP. Starting with the security business, but people have funded,
phenomenal, phenomenal valuations. So we feel vindicated in our last
strategy have Prisma Cloud. We are in our second or third version,
entire platform, we have an integrated strategy to container security,
workload security, the fragmentation that existed in enterprise
security, is what we're trying to stop from happening in the cloud.
If you see most of the attacks, I think the attacks will get faster,
they'll get harder to remediate if you're not on top of it. And you've
got to make sure this stuff works together. Now, in a way, the Cloud is
a lot easier to secure than the enterprise. The enterprise has 60 or 70
vendors that you have to deploy for the largest customer Matt [ph] had
110 vendors deployed the smallest at 25. Now they're sort of
downsizing, consolidating, and down to 10 to 15 vendors, there's still
a lot. So how do you make sure you don't make that same mistake in the
public cloud? Because you're relying on one AWS, or maybe two AWS and
Azure or AWS and GCP. You're relying on one or two public cloud
providers? Can you put a security construct that sits on top doesn't
require to have 40 different security vendors trying to secure the
cloud because that's the kiss of death, it's not going to work
together. So what we've tried to do for the last two and a half years
is built a platform that actually allows you to see what's happening in
your workload. What's happening, to your containers, are you doing
micro segmentation across the entire public cloud, do you have a way of
rasp against it? You know, are you managing identity access across that
stuff? So some of the some of the public cloud mistakes today are still
rudimentary, people are still making fundamental mistakes as they
deploy the cloud. And they don't realize they're leaving the crown
jewels exposed on the internet.
Sterling Auty
So you, but I was going to say you touched upon it, because I
fundamentally feel that investors are still lacking a good
understanding of the key components that really make up a cloud
security platform and you touched on a couple of them there in terms of
Identity, web etcetera. How would you kind of complete that stack and
within that stack, what do you want to hold?
Nikesh Arora
Well, I think the way it works is the best way to think about is when
you go from your on-premise, where you're using your own trading
application, you're using your own HR application, you're using any
proprietary application, you want to lift and shift to the cloud. You
don't look and shift to do re-architecture obviously. Now, when you
design that new application, you have to make sure any call you make to
the internet is restricted, it's protected. So it's not, it's only
available to sanction applications or sanction functions. So when you
do that lift and shift process, you have hundreds of developers working
in your company who are trying to build this application.
First and foremost, you got to make sure that as the developers are
developing, they are constantly doing security checks. This is the
acquisition made recently called Bridgecrew. As you move that stuff
into production, as you move that stuff into AWS, or into GCP, or
Azure, you want to make sure that that transition that you allow you
allows you to scan everything you're doing, make sure there are no
security vulnerabilities, as you put that in production. Once in
production to make sure that nobody's left the door open to S3 buckets,
nobody's not used encryption; people are making sure that there's not
over provisioning of IDs. So you literally have to look at the entire
workflow from the left to the right, all the way from development to
production, and make sure you're consistently securing all aspects of
it. If you don't, then you're in trouble. And once you're there, you
got to make sure that whatever is out there, databases, applications,
they're all sort of secured in a way that you know, you don't leave any
vulnerabilities. Because today, I can easily rent public cloud and come
looking for your vulnerabilities. That's how easy we made it.
So you're going to wait in a sock and try and take all that data. And
just to figure out where the mistakes are, it's too late. So all those
aspects go into go into making sure that you're secure going to the
public cloud. So that's got nothing to do with how you get there.
That's kind of you know, zero trust access or Prisma, access, all that
stuff. Just getting there. The question once you are there, how are you
being productive?
Sterling Auty
So again, we within that, could you see Palo Alto playing in the
identity portion, the web application firewall portion?
Nikesh Arora
We do. We're very new Sterling. There's a module we've launched last
quarter go laughs fast. And Prisma Cloud, we have IAM with AWS and
Azure going to GCP soon. So we already have them, we have seven modules
in Cloud. Worker protection, container security, IAM, WFAS, DLP, Shift
Left we have we have all of that already. That's why we get to
[Indiscernible].
Sterling Auty
But in terms, I want to make sure because that may cause some confusion
that wait a minute. IAM are you going to go compete with Okta? So maybe
that line?
Nikesh Arora
Yes. So what happens is I am in the organization is how you and I
access 100 applications? I am the context of cloud is what access? What
control rights do I have my AWS ID. Is it all provision as it have
access to too many things? That's a security risk. So it's actually
post entering into the cloud. Okta is kind of getting you to the cloud
or taking it from there and saying, what rights do you have inside? And
we're only doing that for the public cloud, because that's where it
makes sense for us from a cloud security perspective.
Sterling Auty
So if I put it simplistic Okta proves that you're in the cache Palo
Alto controls, once you know, it's in the cache what you can do.
Nikesh Arora
That's right.
Sterling Auty
Okay.
Nikesh Arora
There are API's available AWS, GCP. I just want to make sure that the
developer has similar rights across the board, and he or she doesn't
have access rights compared to others in their same role.
Sterling Auty
Who do you see as your primary competition and in the cloud space as
you move forward?
Nikesh Arora
Honestly, I think approximately a third or so maybe even half that
market over the long term is going to be occupied by the cloud service
provider i.e. Amazon, Google, GCP, etcetera. Because if you're going to
be a single cloud company, which I think is going to be hard anyway,
because people eventually end up in multiple clouds. But if you start
with a single cloud, you don't need the tools of anybody else. It's
just make it work with your, with your own toolkit. And that I think
that applies to the midmarket and the lower end of the market as you
get up to a stack of over 2000. I don't think you can avoid it on-prem
plus public cloud scenario. And the moment we get there, you need
something that spans across both. I think it's really one of this gets
underappreciated like to say that because I run the company, but the
one thing that does get under appreciate is every one of those 20, 250
plus Cloud customers you sold to, we had a natural competitor in the
CSV in their infrastructure, right? They bought AWS GCP, Azure, they've
got to go prove our capabilities to sit on top of that security stack.
So something was working.
Sterling Auty
But listen, I, I really appreciate all the companies that compete in
some form or fashion in the cloud, we always ask them about competition
with the underlying service providers. And usually they're all saying
why they're not. I really appreciate that you kind of quantify where
you think they fit. So I think that....
Nikesh Arora
It's truly; it's a highly fragmented industry. If I can get close to
40%, 50% of any vector. I'm very happy.
Sterling Auty
Yes. How does the pricing work in this versus kind of the legacy parts
of the business. I'm sorry, like the net...
Nikesh Arora
Enterprise Security business, they'll be calling you and me legacy
Sterling, Watch out.
Sterling Auty
That's a whole different discussion.
Nikesh Arora
That's right. So in terms of how the pricing works, obviously, you buy
hardware, like you always have, and you add subscriptions to it, which
is how the traditional Enterprise Security business works. In our
Prisma Access business, it's partially consumption based and partially
based on number of seats, and number of branches. In the cloud
business, we have tokenized, the business. Either you buy tokens, it's
not a Bitcoin, it's just tokens. It's Prisma, cloud tokens, and it's
not going public. So you tokenize our cloud security consumption, and
once you bought the tokens, then you can keep using as many modules
from Palo Alto Networks as you need. Our intent is to create more
consumption. Because once customers are consuming, we know that they're
seeing value from our product. And as consumption rises, which I think
it will, and think about it, this 200 plus billion of public cloud
being sold almost every quarter, all that needs to get deployed, I
think we're 18 to 24 months on a lag cycle of sale to deployment in the
public cloud.
That lifecycle as it covers the gap in a store to start recording 2% to
5% that spend in public cloud security. So we see as we build the
consumption model, our job is to get into as many customers out there
to make sure they understand the value of our products. Once they do,
as their public cloud deployment, deployment increases, our consumption
should go up. That's how you tokenize it and as we create more modules,
consumption should go up. So we've got two vectors and consumption. One
is more and more workloads deployed as a cloud. Second, more and more
modules comes to you.
Sterling Auty
Got it? Got it. You touched upon this really quickly in your comment
there. You mentioned in the quarter that you've decided not to create,
an equity around the ClaiSec part of the business, what kind of drove
that decision?
Nikesh Arora
When we, we started the conversation, we had a bit of a suspect cloud
stock envy when we did that, because we figured we would be locked out
of the market, which is still true, because lots of lots of companies
get funding, getting funded absurd valuations, you don't want to take
shareholder money at fault and our stock prices, and go and trade that
into very high valuation companies. It requires so he said, maybe
that's a reasonable thing about it, which we did. And as we went
through the preparatory work in the last few months, and years, we
showed a slide which is very telling 70% of our customers had bought
two platforms from us, between Prisma Cortex and, and Strata, 40%
bought all three. And we went through it in a deal by deal basis,
turning our accountants and legal team starters to get on every deal,
because you're going to be parking in two different public entities,
you're going to have to have a contractual discussion across every
deal, two pieces of paper execution at the sales point, web system, and
went through that, it logistical complexity of executing that, we
figured that it would create more friction and take away the agility we
have associated with being able to sell all of our platforms. And
that's why we decided to put that on the shelf until we believe this is
truly a scale business, which starts to deserve its own sort of stack,
it would be premature to go down that list.
Sterling Auty
I think the idea of the power of one goes right to that the efficiency
that you keep, by this format, I think makes makes a ton of sense.
Question for investor. And it's a good segway into talking about
NetSec, which is, how would you say that your competitive position has
changed over the over the last year versus Zscalers and the other kind
of similar cloud vendors?
Nikesh Arora
Well, three years ago, we were not in the Prisma Access business. We
had a VPN product, which worked off of our firewall stack. We have over
15,000 customers using a VPN. In the last three years, we have become a
contender in SASE, Secure Access Secure Edge where, we have, we think
we have the best SASE stack in the industry. And that's borne out by
the fact that our largest deal last quarter was north of $20 million on
SASE. We haven't done a trillion dollar firewall deal in a while. So
you can see that's where the trend is remote security and that that's
only half the deal. That's only for half the employees in the company,
once we deploy that there is possibility of the second half showing up
six to nine months later.
So I think from our perspective, we have become a player in SASE, we
think it's relevant that we've deployed as large as 650,000 employees
and a customer 3000 employees in the customer. We have a contract for a
million employees and a customer so that's that's sort of validates and
indicates that we are a big player in the SASE space. We think that
continues to grow. So we are competitive now to people who were
claiming to be SASE players in the market. We believe you have a better
stack.
On the XDR front again, we were non-existent two and a half years ago.
We launched a product, in fact we were the first company launch XDR.
Prior to that the industry was called EDR Cortex 60. It was the first
XDR prior to the launch. Now we have the privilege thanks for our
product team to be in the top right corner next year. So we know there
are players out there who are in the XDR space, but if you look at the
latest mitre results, we beat most of them hands down on the technical
capabilities, you'd have to go execute on the go-to-market capabilities
to scale that up, XSOAR, we were irrelevant. Two years ago, we acquired
Demisto. Today Demisto is the choice if you're not a Splunk. Customer,
you end up with Demisto on something else.
So across the board Prisma Cloud, we were non-existent in Prisma Cloud,
there was no there was an industry called Cloud Security. People
confuse the Cloud Security industry with the Secure Access industry.
Today, this is this soon to be a fully developed cloud security
capability industry. And we're, we think there's nobody else in the
market with the seven modules we have. So from nowhere to run into
Prisma Cloud. So I'm nervous relevance and SASE with the acquisition of
CloudGenix. And also puts us squarely with SD-WAN. And they were
already a leader there, from nowhere to Relevance and XDR, relevance
and XSOAR. And to top it all up last week, we launched our next
generation refreshable hardware and our software, we make that end to
end zero trust on our network stack. And we've put out the hardware
that is internally called Palo Alto security for net prices.
Sterling Auty
That's great. That's great. So it not to kick the hornet's nest thing
and take us too far down the tech discussion, but proxy versus
firewall? When we talk about Zscaler? Do you think that this becomes
irrelevant in terms of the discussion? What, because I think your
product has really evolved over the last 12 months in particular. But
now, how do you see the market evolving along those lines?
Nikesh Arora
Well, the good news Sterling is, you haven't paid attention. We
deployed onboarding proxies in Prisma Access, so that debate is over.
So proxies can be used for two parts; One is for on-boarding, which we
already deployed as part of as Prisma Access so Prisma access to Dotto
[ph], which is just all of our customers by this weekend. As onboarding
proxy capabilities, you don't have to worry about it. Proxy is not the
issue, go talk to your IT team, they will not apply a proxy based
architecture to your proprietary trading app. So, which means you can't
use them when you're at home because nobody wants to send a proprietary
app, it can't go through a third party IP server.
So for that, you will have to drive it through a tunnel into a firewall
stack in the on the cloud. That's why we do well in the upper end of
the enterprise stack. Or the lower end of the stack, it doesn't matter
because you're not using a lot of proprietary applications using mostly
SaaS applications and using cloud applications. So there it's easier.
But as you go up the complex stack, and you have your own SD LAN
capability, you need your own firewall stack. So that debate is moot
even though I'm sure you have nears, I'm really excited about talking
about proxies. But now...
Sterling Auty
How is your partnerships in the service providers helped in that kind
of go-to-market?
Nikesh Arora
We follow up there hasn't been strong in the service part of the
segment for a while. So it takes a while to go. I spent 13 years of my
life on that side of the world, working for service providers or being
boards and they're amazing. But the onboarding ramp to become a service
provider partner is long and fraught with lots of diligence and
perspiration. So we are going to the diligence and perspiration phase.
But there is no panacea. It's going to take us a while we have had some
success in partnership with AT&T, Verizon, Comcast dishes you saw
recently. So we are working at it. But it's a long game.
Sterling Auty
You talked about -- you alluded to in one of your earlier questions,
firewalls or platform. So basically, cloud delivered or subscription
delivered firewall, where are we in that transition? How much of your
install base do you think ends up on that type of opportunity?
Nikesh Arora
Look, I think if you play the five to 10 year view, I think most large
companies, barring what I would say, high throughput applications if
you're running transactions for financial services company as your
heavy data center, you'd run in tons of transactions. If you're an
e-commerce company, you may have a data center may not may stay in the
public cloud. Those applications lend themselves to having data centers
and require you have your own hardware stack. A lot of the born in the
cloud companies are being born in the cloud. They're born in the public
cloud. They don't put data centers together. All this 10s of billions
of dollars are spent is in the public cloud must come from somewhere in
the long term. Right? So, my personal view is you end up in a 50:50
60:40 scenario or 60:40 is 60 software, 40 is hardware, or 70:30, as
time evolves, because I think, once you're in the public cloud, you're
going to need software based stacks to protect you. Once you move your,
your computer to the public cloud, you're going to start to re
architect your network architecture. So if you do that, you're going to
end up with a 60% 70% form factor, which is cloud based. Over time,
you'll still have, a reasonable number of companies data centers,
either for legacy reasons, because they were there, and that's where
they're going to stay, or for the fact that they have better throughput
and better price performance in high throughput applications, which
require hardware because hardware is cheaper on throughput basis,
versus software, software has own benefits from a TCR perspective, and
in a security perspective, but hardware from throughput perspective is
cheaper.
So I think I end up in that scenario, I think 40% in three years, is a
gigantic move, for any company to be able to execute. And hopefully we
can keep down going down that path, over the next few years and get to
that 60% 70% number, which to be honest, is phenomenal from a
resilience of our business perspective, because software is more
predictable, it's more radical, obviously. And it's actually a lower
the TCO and leaves a customer more secure.
Sterling Auty
So when you look at that combination of the rapid growth of the
software and the subscription component, and then, the impact that you
have from the appliance side, when you roll it all together, what does
that mean for that kind of NetSec business as a growth profile as you
move into the future?
Nikesh Arora
Well, I think if you look, the disclosure we did this quarter was it
showed you that over the last two years, we have been able to transform
from zero to 40, pretty much or than 40. And we've done that by
sustaining operating margins over 25% 28%, our free cash flow margin is
42%, that business we're growing at 20 plus percent. That's it in my
mind, it's a dream financial profile. If you can conduct an industry
transition without burning that profitability, you are at scale.
Sterling Auty
So you but I think the component that myself and investors have both
not focused on is that growth that 20% growth, you think that 20%
growth in that segment is sustainable.
Nikesh Arora
We've shown you that we have been able to generate between 13% to 20%
growth in that space, we always got it to 16% to 19% in the past. And