Welcome back, everybody, to SuperCloud 2. My name is Dave Vellante and I'm pleased to welcome Nir Zuk. He's the founder and CTO of Palo Alto Networks. Nir, good to see you again, welcome.

Same here, good to see you.

So let's start with the right security architecture in the context of today's fragmented market. You've got a lot of different tools. You've got different locations, on-prem. You've got hardware and software. Tell us about the right security architecture from your standpoint. What does that look like?

You know, the funny thing is, using the words security and architecture rarely works together. If you ask a typical information security person to step up to a whiteboard and draw their security architecture, they will look at you as if you fell from the moon. I mean, haven't you been here in the last 25 years? There's no security architecture. The architecture today is just buying a bunch of products and dropping them into the infrastructure in some relatively random way, without really any guiding architecture. And that's a huge challenge in cybersecurity. It always has been. We've always tried to find ways to put an architecture into writing, blueprints, whatever you want to call it. And it's always been difficult. Luckily, two things. First, there's something called zero trust, which we can talk a little bit more about if you want. And zero trust, among other things, is really a way to create a security architecture. And second, because in the cloud, in the super cloud, we're starting from scratch, we can do things differently. We don't have to follow the way we've always done cybersecurity. Again, buying random products. Okay, maybe not random, maybe there is some thinking going into it, buying products one after the other, dropping them in and doing it over 20 years and ending up with a mess. In the cloud, you have an opportunity to do it differently and really have an architecture.
You know, I love talking to founders and particularly technical founders from startup nation. I saw an article about, I think it was Uri Levine, one of the founders or co-founders of Waze. And he had a t-shirt on that said, fall in love with the problem, not the solution. Is that how you approached architecture? You talk about zero trust; it's a relatively new term. But was that in your head when you thought about forming the company?

Yeah, so when I started Palo Alto Networks, exactly, by the way, 17 years ago, we got founded in January 2006, January 18, 2006. The idea behind Palo Alto Networks was to create a security platform and over time take more and more cybersecurity functions and deliver them on top of that platform, by the way, as a service, SaaS. Everybody thought we were crazy, trying to combine many functions into one platform. Best of breed and defense in depth and putting all your eggs in the same basket and a bunch of other slogans were flying around. And also everybody thought we were crazy, asking customers to send information to the cloud in order to secure themselves. Of course, step forward 17 years, everything is now different. We changed the market. Almost all of cybersecurity today is delivered as SaaS, and platforms are ruling more and more of the world. And so again, the idea behind the platform was to over time take more and more cybersecurity functions and deliver them together. One brain, one decision being made for each and every packet or system call or file or whatever it is that you're making a decision about. And it works really, really well. As a side effect, when you combine that with zero trust, you end up with, let's not call it an architecture yet, you end up with something where any user, any location, both geographically as well as any location in terms of branch office, headquarters, home, coffee shop, hotel, whatever.
So any user, any geographical location, any location, any connectivity method, whether it's SD-WAN or IPsec or client VPN or proxy or browser isolation or whatever, and any application deployed anywhere, public cloud, private cloud, traditional data centers, SaaS, you secure the same way. That's really zero trust, right? You secure everything no matter who the user is, no matter where they are, no matter where they go, you secure them exactly the same way. You don't make any assumptions about the user or the application or the location or whatever, just because you trust nothing. And as a side effect, when you do that, you end up with a security architecture, the security architecture I just described. The same thing is true for securing applications. If you try to really think, and not just act instinctively the way we usually do in cybersecurity, and you say, I'm going to secure my traditional data center applications and private cloud applications and public cloud applications and my SaaS applications the same way. I'm not going to trust something just because it's deployed in the private data center. I'm not going to trust two components of an application or two applications talking to each other just because they're deployed in the same place, versus if one component is deployed in one public cloud and the other component is deployed in another public cloud or private cloud or whatever. I'm going to secure all of them the same way without making any trust assumptions. You end up with an architecture for securing your applications which is applicable for the super cloud.

It was very interesting, there's a debate I want to pick up on, what you said, because you said don't call it an architecture yet. So Bob Muglia, I don't know if you know Bob, but he sort of started the debate, said, you know, super cloud, think of it as a platform, not an architecture. And there are others saying, no, no, if we do that then we're going to have a bunch more stovepipes.
So there needs to be a standard, almost a purist view, and there needs to be a super cloud architecture. So how do you think about it? I mean, it's a bit academic, I know, but do you think of this idea of a super cloud, this layer of value on top of the hyperscalers, do you think of that as a platform approach, where each of the individual vendors is responsible for the architecture, or is there some kind of overriding architecture of standards that needs to emerge to enable the super cloud?

So we can talk academically or we can talk practically.

Yeah, let's talk practically. That's who you are.

Practically, this world is ruled by financial interests, and none of the public cloud providers, especially the bigger they are, has any interest in making it easy for anyone to go multi-cloud. Okay, also on top of that, if we want to be even more practical, each of those large cloud providers, cloud-scale providers, has engineers, and all these engineers think they're the best in the world, which they are, and they all like to do things differently. So you can't expect things in AWS and in Azure and GCP and in the other clouds like Oracle and Ali and so on to be the same. They're not going to be the same. And some things can be abstracted, maybe cloud storage or bucket storage can be abstracted, with a layer that makes them look the same no matter where you're running, and some things cannot be abstracted and unfortunately will not be abstracted, because the economic interests and the way engineers work won't let it happen. We as a third-party provider, a cybersecurity provider, and I'm sure other providers in other areas as well, are trying to, or we're doing our best, we're not trying, we are doing our best, and it's pretty close to being the way you describe the topical super cloud. We're building something that abstracts the underlying cloud such that securing each of these clouds, and by the way I would add private cloud to it as well, looks exactly the same.
So we use, almost always, whenever possible, the same terminology no matter which cloud we're securing, and the same policy and the same alerts and the same information and so on. And that's also very important, because when you look at the people that actually end up using the product, security engineers and, more importantly, SOC, security operations center, analysts, they're not going to study the details of each and every cloud. It's just going to be too much, so we need to abstract it for them.

Yeah, we agree, by the way, that the super cloud definition is inclusive of on-prem, what you call private cloud. And I want to pick up on something else you said. I think you're right that abstracting and making consistent across clouds something like object storage, get, put, whether it's an S3 bucket or an Azure blob, is, relatively speaking, trivial. When you now bring that super cloud concept to something more complex like security, first of all, is it technically feasible? I've been inferring the answer there is yes. And if so, what do you see as the main technical challenges of doing so?

So it is feasible to the extent that the different clouds provide the same functionality. Then you step into a territory where different cloud providers have different PaaS services, and different cloud providers do things differently, and they have different sets of permissions and different logging that sometimes provides all the information and sometimes it doesn't. So you end up with some differences, and then the question is, do you abstract the lowest common denominator and that's all you support, or do you find a way to be smarter than that? And yeah, whatever can be abstracted is abstracted, and whatever cannot be abstracted, you find an easy way to represent that to your users, security engineers, security analysts and so on, which is what I believe we do.
And you do that by what, inventing or developing technology that presents that experience to users? Can you be more specific there?

Yeah, so different cloud providers call their storage by different names, and you use different ways to configure them, and the logs come out the same, so we normalize it. And the keyword is probably normalization. We normalize it, and we try to, you have to pick a winner here and use someone's terminology, or you need to invent new terminology. So we try to use the terminology of the largest cloud provider so that we have a better chance of doing that, but we can't always do that, because they don't support everything that other cloud providers provide. But the important thing is, with, or thanks to, that normalization, our customers, both on the engineering side and on the user side, operation side, end up having to learn one terminology in order to set policies and understand attacks and investigate incidents.

I wonder if I could pick your brain on what you see as the ideal deployment model to achieve this super cloud experience. For example, do you think instantiating your stack in multiple regions and multiple clouds is the right way to do it, or is building a single global instance on top of the clouds a more preferable way, or maybe other models we should consider? What do you see as the trade-off of these different deployment models, and which one is ideal in your view?
So first, when you deploy cloud security, you have to decide whether you're going to use agents or not. By agents I mean something running inside the workload, inside the virtual machine, on the container host, attached to a serverless function and so on. And I, of course, recommend using agents, because that enables prevention. It enables functionality you cannot get without agents. But you have to choose that. Now, of course, if you choose agents, you need to deploy AWS agents in AWS and GCP agents in GCP and Azure agents in Azure and so on. Of course, you don't do it manually, you do it through the CI/CD pipeline. And then the second thing that you need to do is you need to connect to the consoles. Of course, that can be done over the internet no matter where your security instance is running. You can run it on premise, you can run it in one of the other different clouds. Of course, we don't run it on premise, we prefer not to run it on premise, because if you're securing cloud you might as well run in the cloud. And then the question is, for example, do you run a separate instance for AWS, for GCP or for Azure, or do you run one instance for all of them in one of these clouds? And there are advantages and disadvantages. I think that from a security perspective it's always better to run in one place, because then when you collect the information you get information from all the clouds and you can start looking for cross-cloud issues, incidents, attacks and so on. The downside of that is that you need to send all the information to one of the clouds, and you probably know that sending data out of a cloud costs a lot of money versus keeping it in the cloud. So theoretically you can build an architecture where you keep the data for AWS in AWS, Azure in Azure, GCP in GCP, and then you try to run distributed queries. When you do that, you find out you end up paying more for the compute to do that than you would have paid for sending all the data to a central location. So we prefer the approach of
running in one place, bringing all the data there and running all the security, the machine learning or whatever, the rules or whatever it is that you're running, in one place, versus trying to create a distributed deployment in order to try to save some money on the data, the network data transfers.

Yeah, thank you for that, that makes a lot of sense. And so basically, should we think about the next layer building a security data lake, if you will, and then running machine learning on top of that, if I could use that term of a data lake or a lakehouse? Is that sort of where you're headed?

Yeah, look, the world is headed in that direction, not just the cybersecurity world. The world is headed from being rule-based to being data-based, so cybersecurity is not different. And what we used to do with rules in the past we're now doing with machine learning. So in the past you would define rules saying, if you see this, this and this, it's an attack. Now you just throw the data at the machine. I mean, I'm simplifying it, but you throw data at the machine and tell the machine, find that in the data. It's not that simple, you need to build the right machine learning models. It needs to be done by people that are both cybersecurity experts and machine learning experts. We do it mostly with ex-military offensive people that take their offensive knowledge and translate it into machine learning models. But look, the world is moving in that direction and cybersecurity is moving in that direction as well. You need to collect a lot of data. Like I said, I prefer to see all the data in one place so that the machine learning can be much more efficient. Pay for transferring the data, save money on the compute.

I think the drop-the-mic quote at Ignite that you had was, within five years your security operation is going to be AI-powered. And so you could probably apply that to virtually any job over the next five years. I don't know if any job, certainly writing essays for school is automated already, and
potentially other things.

By the way, we need to talk at some point about ChatGPT security. I don't want to think what happens when someone creates, spends a lot of money on creating a lot of fake content and teaches ChatGPT the wrong answer to a question. We're starting to see ChatGPT as the oracle of everything. We need to figure out what to do with the security of that. But yeah, things have to be automated in cybersecurity, they have to be automated. There's just too much data to deal with, and it's just not even close to being good enough to wait for an incident to happen and then go and investigate the incident based on the data that we have. It's better to look at all the data all the time, millions of events per second, and find those incidents before they happen. There's no way to do that without machine learning.

I'd love to have you back and talk about ChatGPT. I know they're trying to put in some guardrails, but there are a lot of unintended consequences, aren't there?

Look, if they're not going to have a person filtering the data, then with enough money you can create thousands or tens of thousands of pieces of articles or whatever that look real and teach the machine something that is totally wrong.

We were talking about the hyperscalers before, and I agree with you, it's very unlikely they're going to get together, band together and create these standards. But it's not a static market, it's a moving train, if you will. So assuming you're building this cross-cloud experience, which you are, what do you want from the hyperscalers? What do you want them to bring to the table? What does a technology supplier like Palo Alto Networks bring? In other words, where do you see, ongoing, your unique value add and that moat that you're building, and how will that evolve over time vis-a-vis the hyperscaler evolution?
Yeah, look, we need APIs. The more data we have, the more access we have to more data, the less restricted the access is and the cheaper the access is to the data, because someone has to pay today, for some reason, for accessing that data, the more secure their customers are going to be. So we need help, and they're helping, by the way, a lot, all of them, in finding easy ways for customers to deploy things in the cloud, access data, and a lot of data, very diversified data, and do it in a cost-effective way.

And when we talk about the edge, I presume you look at the edge as just another data center, or maybe it's the reverse, maybe the data center is just another edge location. But you're seeing specific edge security solutions come out. I'm guessing that you would say that's not what we want, edge should be part of that architecture that we talked about earlier. Do you agree?

Correct, it should be part of the architecture. I would also say that the edge provides an opportunity specifically for network security, whereas traditional network security would be deployed on premise. I'm talking about internet security, but the network security market, and not just network security but also the other network intelligence functions like routing and QoS, we're seeing a trend of pushing those to the edge of the cloud. So what you deploy on premise is technology for bringing packets to the edge of the cloud, and then you run your security at the edge, whatever that edge is, whether it's a private edge or public edge, you run it in the edge. It's called SASE, Secure Access Service Edge, pronounced "sassy".

Nir, I've got to thank you so much. You're such a clear thinker. I really appreciate you participating in SuperCloud 2.

Thank you.

All right, keep it right there for more content covering the future of cloud and data. This is Dave Vellante for John Furrier. We'll be right back.