 Welcome to theCUBE Conversation here in Palo Alto, theCUBE Studios, I'm John Furrier. We're here with a special conversation with Fortinet's John Maddison, Senior Vice President of Products and Solutions with Fortinet, welcome to theCUBE Conversation. Good to be here again. So you guys have some hard news today hitting, it's called FortiNAC, Network Access Control. Significant announcement for you guys. Take a minute to explain the announcement. Yeah, so about two months ago, we acquired a company called Bradford Networks. They compete, provide products in the network access control arena. Other companies in that space are things, people like ForeScout, or Cisco, or HP. We think it's a very important space because it's going to be the foundations for IoT security. You probably heard a lot of buzz around IoT security. And there's different levels of IoT security. There's that for the enterprise, there's that for the cloud, et cetera. And so for us, this is an important announcement because it gives us that added visibility now to IoT devices via the fabric. And the product is an appliance. Is it software? What's the product? It's both, so you can do a virtual machine version. It's also an appliance. It comes in different levels. The key for it, though, is scalability because with IoT devices, we're not talking 100 devices anymore. We're talking millions of devices. And so what it's able to do is look across many different protocols and devices and provide that visibility of just about any device attaching to your network. Who's the target audience for FortiNAC? Is it the data center? Is it the cloud? Is it the remote? Where does, where's the product actually sit? Well, it's more by industry. So certain industries will have lots more of these types of devices attaching. So I think in manufacturing, for example, those sort of, those, the medical industry as well. And so those are the real educations in the one. 
So it's more by vertical and it's really focused on campuses, large campuses or remote offices or even manufacturing plants where, again, these devices are attaching to your network. And they'll sit at the edge monitoring what's coming in and out. Is that the purpose? Well, that's the neat thing about it. It doesn't have to sit at the edge and see all the traffic. What it does is interrogate existing devices at the edge. It could be a switch. It could be a router. It could be an access point. And from that information, it can make an assessment of what the device is attaching and then apply a policy. So this is part of a bigger holistic picture. We've had conversations with Fortinet in the past. A few conversations certainly around security. With cloud, it's the top conversation. On-premises, it's the top conversation. You guys also have some complementary products involved like the security fabric and the connectors. Does this fit into that? Take a minute to explain the relevance of how FortiNAC works with the security fabric and the connectors. Yeah, last time I was here, I explained our fabric. And so the fabric is basically something as a set of Fortinet product solutions in a way that are very tightly integrated into the network or into the customer's ecosystem. And then once you've built that, you then provide automation systems across for protection, detection and response. And the whole idea is to make sure you're covering that what we call the digital attack surface. The digital attack surface now includes obviously IoT devices. So gaining this visibility from FortiNAC, making sure the information that's available to our fabric is crucial for us to make sure we can protect the digital attack surface. And for customers that the fabric is a holistic view, the NAC has a product that sits in the campuses or within the network that kind of communicates into the fabric. Is that right? Right. 
And so the NAC can see all the IoT devices attaching and then it integrates back into the fabric. The fabric can then apply a policy. So the fabric can see everything now from IoT to the campus, to the WAN, to the data center, to the cloud. And if for example, those IoT devices are communicating with something in the cloud, the fabric can see end to end and apply for example, a segmentation policy end to end all the way through the infrastructure. You know what I love about having conversations with Fortinet is that you guys spark two types of conversations, use cases and then product technology conversations. So this obviously is an IoT kind of product that makes a lot of sense. Got a little SD-WAN in there. This is the top conversation around enterprises and people looking at cloud and or looking at replatforming around cloud operations is the cloud architect, it's the network architect. These guys are really being asked to redo things. So how does the IoT fit into this? What is the product? What does the FortiNAC do for IoT from a use case standpoint and then product and technology? That's a good conversation because recently, maybe the last 18 months, instead of talking about a point solution, instead of talking about a specific use case, customers want to put all these use cases together and then produce a longer term or holistic architecture. So now they have cybersecurity architects, security architects, as well as networking architects. And they want to look at their infrastructure because that's the thing that's changing the most right now. Sure, the threat landscape's out there and the cyber criminals are changing stuff, et cetera, but it's really that infrastructure that's changing the most because they're moving to flexible WAN systems or cloud. And so they want to integrate it end-to-end over a long time period. So what they want to be able to do is to automate. 
That's the key word is automation is to make sure all these devices attaching are part of the security automation architecture and then they apply that security policy automatically to that device. You know, one of the things that's a big trend in the industry is having network guys and people who are managing infrastructure move from a command line interface, CLI to automation, mentioned that. How does the FortiNAC extend the security fabric? Because you guys essentially have that holistic view with the fabric. So now you have this IoT capability. How is that device extending the security fabric and what's the benefits to the buyer? Yeah, and so the fabric had visibility, obviously, the next generation firewall. We also have deployments of access points and switches, but obviously there are other companies with vast deployments of switches, I can name a few and access points. So if they weren't our switches, we couldn't necessarily see those devices attaching. And so what FortiNAC does, it comes in and provides us that now complete visibility, it doesn't matter if it's our infrastructure switches and APs, it could be somebody else's, FortiNAC can interrogate and talk to those devices and not only gain that visibility, but if we decide there's a certain security posture when you apply to some IoT device, we don't know what it is, we want to segment it, restrict its access, then the fabric can then tell the FortiNAC device to provide control and segmentation back to it. So they're working together? Working together and it gives us now complete visibility of the IoT devices. Let's talk about some of the trends around segmentation. We heard certainly recently at VMworld, about micro segmentation has been one of the key things. A lot of top architects, both network and cloud and software, looking at micro segmentation or segmentation in general around the network. Why is it important and what are some of the use cases that you guys are seeing around segmentation? 
It's extremely important, but it's a very complex problem in that even though customers have bought a lot of different security products from different vendors and different infrastructure, one of the things they don't always realize is they bought a lot of different orchestration systems, a lot of command and control systems and those are key in the future because those systems determine what the infrastructure looks like. Your NAC system is kind of an orchestration system allowing different devices to come on and off the network. SD-WAN has its own orchestration system. You talked about micro segmentation, things like VMware and NSX and Cisco ACI, all the clouds have their own orchestration systems as well, AWS, Azure, and so what's interesting is none of them really talk to each other, they're more focused on looking after their part of the infrastructure. Now to do segmentation end to end, you really need to have end to end orchestration across all the systems. If I want to orchestrate, as I said, that IoT communication with a select application in the cloud, I need to orchestrate all the way through these orchestration systems. You need an orchestration for the orchestration system that you have in the cloud. Well, you need a mother of all orchestrators in some way, but I don't think that's ever going to happen. And so what's going to happen really is your security architecture and segmentation will be specific to a platform or fabric as we're building and then your fabric has to connect into the orchestration systems to tell it what's going on within that section of the orchestration. So if it's, again, if it's a NAC system, I could just explain, I know these IoT devices are attaching, let me apply a policy to those. If I know the WAN links of the certain type, then I apply that policy. And this is the benefit of a holistic fabric because that's kind of where it ties together, right? 
It is, so you build a holistic security fabric and then you let the different infrastructure orchestrators like VMware or an SD-WAN vendor or a NAC vendor do their job really focused on the infrastructure. As you guys help those guys out big time with the orchestration side of it. Well, we can connect into the orchestration systems and we just use it to make sure the security component is doing well. They're more focused on making sure the infrastructure delivers the applications to them. They do their job, you do your job. Exactly. Take a minute to explain for the folks out there. Explain segmentation and what it is and why is it important for networks? Very simple example of segmentation. A couple of years ago there was a bank that got hacked in one of the countries. I think it was the Philippines or something like that. And what they found out was that in that particular country they didn't have the same security infrastructure in place. So they got in through that particular branch and came all the way back into the core network. So a very simple segmentation policy put in place was that I'm going to segment my countries. So I'm not going to let this country's network access the core data center if I give it a certain trust level. So segmentation can mean physical countries. It can mean I'm going to segment my intellectual property off. I could be segmenting by functions. Don't let those salespeople anywhere near the intellectual property. You can also segment by identity. So segmentation means many different things. You have to apply I think different levels of segmentation depending on your applications. And this is proven too. We've heard this in many countries in theCUBE. We had one guy from the U.S. government and we have these critical infrastructure pieces in the United States. Why would anyone outside the United States access it? That's a great example. Well I mean if you go to critical infrastructure you're even more dangerous. 
So I mean most of those, most of the infrastructure has been air-gapped. It's been totally air-gapped. You can't get at it. But that's changing as more of those devices become IP and you have to let some access. And this is where IoT is a challenge that we're seeing. This is one of the problems. IoT and that category is often referred to these days as OT, operational technology. Talk about endpoints. We're hearing endpoints being discussed. Like hey, connect the endpoints here. Endpoint strategy, network strategy. Kind of elusive for some. Describe why networking the endpoints is an important feature. Or is it? I mean how should, when people think of it the endpoint of the network, what are they really talking about? Well I think it's become more important. It's interesting if you go back 10 years or so in 15 years you have a lot of endpoint vendors who are Symantecs, McAfees, Trend Micros. Even Microsoft I think is now the largest endpoint security vendor. And then you have a different set of networking vendors. You know ourselves and some other names out there I can't remember. But they're totally separated. And so to look at your network, give your visibility, topology and segment, you need to be able to see the endpoints and the network together. And so the security fabric makes sure that you can at least see the endpoint. You may not provide the full stack of security, you may leave that to your endpoint vendor still. But your network should be able to see your endpoint and vice versa. And you should be able to see what's communicating between the two. I'd like to talk about SD-WAN, but before we go there just to kind of close out IoT. Talk about Fortinet's differentiation and advantage when you talk about convergence between IoT and access technology. Well so the base technology is NAC, Network Access Control, which is in place there. But our advantage really is now scale. 
We can see huge amounts of IoT devices which are attaching and then take action not only at the access level, but all the way into the cloud. SD-WAN has become a really hot topic. It's a huge market into the billions in terms of spend. It connects, you know, devices, I mean campuses and devices. But Cloud's had a big renaissance within the SD-WAN market. Talk about what's going on with SD-WAN and how the security fabric and the Fortinet fit into that because it's not your grandfather's SD-WAN market anymore as the expression goes. Well, it's in that class of everything's being software defined, fair enough. But I think this marketplace you could go even three years ago was dominated because all the, you know, two marketplaces you've got what I call the retail which is distributed enterprise, thousands and thousands of sites which already went to a UTM infrastructure. And then you had the branch office which was more connected, the fact it just had a simple router in there. It was connected back to the data center which then go into the internet. And so what's happened is these branch offices, they need more and more access to the Cloud, the more Cloud applications are running. You need to provide QoS against those applications. And then also these large corporations have decided they don't want to pay, it's a lot of money to get certain high quality MPLS circuits when they can get faster circuits through DSL and other mechanisms. And so they wanted more flexibility around the wide area network. So commodity network access which is, you know, Cloud non and MPLS or high priced, secure. You get now more Cloud access. This is translated in more traffic or is it? Is that the driver? Well it happens and then you get more traffic going through there. It's the same with the next gen firewall right now and people are saying there's a refresh going I don't know why. 
The reason for it is when you're in your office you're more than likely to communicate with the Cloud versus your local databases. And so the same for the branch office. There's more traffic going through there. It's more encrypted. They want flexibility. They want HA modes and that goes down now. You've got a big productivity problem where the employees there. And so this whole market sprung from nowhere only three or four years ago and it's already in the billions, as you say, in the billions of dollars. There's a lot of acquisitions already happened and consolidation. In our mind it's very important but what's just as important as all those elements is security. So if I open up my branch office now to an internet connection I need best of breed security or something like that device. And so we've been building SD-WAN what I call core functionality for some time inside our fabric. It's quite a natural integration now of security into that. And in fact in some recent tests we did in NSS Labs we got highly recommended for not only the SD-WAN features but that core security. Today SD-WAN vendors will say, well I'll just go and get some security solution from somewhere and bolt it on or attach it on, provide it through the cloud. And that's fine. But long-term again, if you come back to that coordination, that orchestration across two different systems it's going to become hard. And the other complicating factor in this outside from the infrastructure component is that a lot of the SaaS applications that people are buying, whether it's shadow IT or just off the shelf whether it's Dropbox or any services that are SaaS-based, cloud-based that's creating less of a perimeter. Yeah, well it all comes back. So technology called CASB is providing that interface into that world through APIs. And it all comes back to making sure that all the mechanisms of protection, detection, control are available to all your systems. 
So if I need to, if I've got some SD-WAN device somewhere and I need to check where this is going I can use my application database or if I need to check if I'm going to this cloud is that I use my CASB API. And so it comes back to a platform approach, a fabric approach. John, what's the SD-WAN approach for Fortinet? How do you guys do it? Why should people care? What's the differentiation? Why Fortinet for SD-WAN? What's the approach? Integrated in one word. And that is you don't need two boxes. You don't need two VMs. You don't need a box plus a cloud. It's all integrated on the system. Best of breed, SD-WAN functionality. Best of breed tested by third party security which allows you then to have a much more cost-effective solution. I think our TCO in the test was a tenth, a hundredth of some leading vendors outside there because you bring in two vendors together and it gets very costly. All right, I'm going to put you on the spot. I'm going to put my cynical hat on. So you're saying integrate security with SD-WAN. I'm going to say, hey, why not just keep it separate? Why integrate? Because the two functions need to work together. So where's the firewall going to go? Is it going to go in the cloud? Or is it going to go here? Who decides on the policy? If something happened, segmentation, who's deciding on segmentation policy? These usually are two different companies that don't really talk apart from maybe as an API linking the security capabilities. But to our mind, again, it comes back to that end-to-end segmentation. And that's what a lot of the, I would say the larger infrastructure vendors are trying to do. I want infrastructure all the way to devices being added through my campus, through my SD-WAN, data center and cloud. And if you've got multiple vendors again all over the place, there's no way you're going to be able to coordinate that. All right, so I'll put my IT practitioner hat on. Okay, so I get that. 
So probably less security manual risks for human error. But I really want to automate. My goal is to automate some of these IT functions, get better security end-to-end, does this fit that requirement? Yeah, and so from an automation perspective, we're building in some tools of our own, but what we're finding more and more is that from an IT, as you said, they've gone out and built some DevOps capability, Ansible's a good example there. And so what we're doing is making sure that, in fact, a lot of our partners and our SCs have already built these scripts and put them on GitHub. Well, now Microsoft Hub or whatever you want to call it. And so we're taking those in and we're QAing them, making sure they're a high quality and then making them available to our customers and our partners through there. So that just DevOps world, especially with cloud moving so fast has become very important. And to us, it's a very important area we're going to make available to our partners and customers. One of the things that's talked about a lot is SSL inspection. Is that important? What do you guys do there? I think it's extremely important in that a lot of enterprises have switched it off. And the reason they switched it off is because when you switch it on, it almost kills your performance. There was a recent, again, NSS Labs test that was doing machine firewall testing for SSL. And some vendors' performance decreased by 90%. And basically it was useless. You just turned it off. And so a lot of enterprises want to switch it on. To switch it on, you need a system that has the performance capabilities. Well, I think we decreased around 15%, which is, I mean, the laws of physics say you've got to decrease in some way, but 15% is a lot better than 90%. And you've got to switch that on because otherwise it's just a giant hole in your firewall. John, how about the cloud? This cloud now has multiple tracks to it. It used to be straight, public cloud. 
Obviously on-premises is hard hybrid cloud. Multi-cloud is the center of the countries that's been validated. We see Amazon Web Services announcing something with VMware validation that you're going to start to see an on-premises and cloud. And some cloud native born in the cloud companies will be out there. How do you guys extend the security fabric for those two cloud use cases? How do the Fortinet products scale to the cloud? Yeah, two good points. So again, a few years ago, that's customers about cloud and say, yeah, we're going to take some steps into AWS. Now it's, I've got four clouds. What's the next cloud I'm going to put inside there? I've got global clouds around the world. It's kind of interesting that there's this mad rush and it's still going on into public cloud. But then I still see some people trying to do a hybrid cloud and put some stuff inside their data centers. Some customers don't want that data leaving regardless. Some people can't move mainframe applications out there. So there's always going to be a hybrid world for some time. But the key is multi-cloud security in that more than likely your AWS security systems are not going to work inside your Google cloud and not going to work inside your Azure cloud, not going to work inside some of the data center pieces. And so hybrid cloud and multi-cloud security are really important. And so for us, the ability to support all those clouds and it's not just saying, well, I can put my VM inside, my firewall VM inside AWS. There's a whole set of deep integrations you need to do to make sure you're inside their automation systems. You can see visibility. There's a lot of practices around compliance, et cetera. So it's actually a big task for each of us to make sure that we're compliant across the set of functions for each of those clouds. My final question is going to be around customer impact. 
If we zoom out, look at the marketplace and I'm a CIO or CXO, I'm a big time, busy enterprise architect or CIO. I'm so busy. I've got all the stuff going on. Why Fortinet? Explain to me, why are you important in my world? What should I be thinking about? What are some of the opportunities and challenges that I might face? What should I look at? I want to go to the cloud as much as possible because it's some benefits there. I want on-premises to be as seamless as possible to the public cloud. I want rock solid security. I want to have the ability to use SaaS apps, have programmable networks and have a great development team building top line revenue for my business. How can you help me? Is that all? I think CIOs and CISOs are happier dealing with fewer vendors. The trouble is with some very large vendors, they just slow down the development side. So I think what we bring to the table, and by the way, we're now the third largest cybersecurity company out there. What we try and bring is a broad approach, a broad product set so you can have different things from us as well as integrate into your current set. But we try to keep very agile and fast with our developments because otherwise you'll fall behind the infrastructure, you'll fall behind the cyber threats. You know, GDPR, for example, when the last year you got to be keep up with that. And so what we bring to the table is now a reasonably large company with five and a half thousand employees, a very large R&D budget. We try and move very fast, a large product set, all integrated through our fabric. But again, we try and stay as agile and as fast moving as possible. Well, we can't do it organically. We try and do it organically so our systems integrate very well. Where we can't do it, then we'll go and make small acquisitions. Bradford Networks was an example of that for IoT. 
But I think we're building now a much better relationship with the CIO and CISO level and becoming one of our strategic partners going forward. Tell about the community that you guys have built. Because I've noticed that, and I've seen you guys certainly over the past couple of years at RSA, I think a year and a half, two years ago, you're working with a lot of industry partners. It's not just Fortinet's by themselves. You work within the industry itself. Yeah, because people have built their ecosystems and they've made some decisions and they want you to integrate inside there. So we have about 50 partners now where they use our API to provide integrations. They build to our API. And although we've mentioned FortiNAC today, we have APIs, for example, for ForeScout and other NAC vendors. So if they've chosen that specific vendor, then we're fine. We'll integrate that inside of Fabric. We'll have the level of integration that we have, probably not, but at least you can see, have visibility, for example. But I think the technology we've been building in the last year or so is something called Fabric Connectors, which is a much, much deeper integration into the platforms. So we have connectors for VMware NSX, for Cisco ACI, for AWS. And this provides a two-way communication. And that two-way communication is important for one word and that's automation. So once you can see things, once you can direct policy backwards, then you can start stitching together these objects and provide that end-to-end automation. Final question for you. A lot of the leading enterprises and businesses out there that are using technology to build digital business, whether it's from developers all the way down to the hood and to the network, are all betting on multi-cloud. Clearly, that's obvious to us and that's pretty much being picked up by mainstream now. So early adopters that are leading the charge are multi-cloud. If I'm betting on multi-cloud, why Fortinet? 
Why should I be working with you guys? Because we're committed to supporting all those clouds. And as I said, it's no easy task to support. Well, I think we support six clouds now to go through all the different items and integrations across that. We're committed to that. We've got probably the most extensive integration across the most security products inside the industry and we continue to do that going forward. John, thanks for spending the time. John Maddison, Senior Vice President of Products and Solutions at Fortinet here inside the special CUBE conversation with the big news today, the FortiNAC new product integrating with the security fabric, IoT, SD-WAN, cloud solutions for multi-cloud and IT. As automation comes down the road really fast, we're here in theCUBE bringing it to you. I'm John Furrier, thanks for watching.