Good afternoon, everyone. And welcome to this KuppingerCole webinar sponsored by Thales on information protection in cloud services. My name is Mike Small, and I'm a senior analyst with KuppingerCole. And my co-presenter of this webinar is Gary Marsden, who is senior director of data protection services of Thales.
So, first of all, we will do some housekeeping. KuppingerCole is an analyst that focuses on the security area, and we have some very interesting live content coming up, and you can see some of the events that we're expecting to run in the next few weeks in this slide.
And in terms of the housekeeping, the audio is controlled centrally. And so all the participants at the moment are muted. And so there's no need for you to try and mute or unmute yourself. The slides will be recorded and you should be able to get a podcast or a copy of a replay of this within the next 24 hours.
You'll find that there is a Q&A screen or a Q&A option in your little control panel. And if you have any questions that you'd like to ask, please put them in there to start with. So the agenda that we're going to follow today is that I will start off with an outline of why you need information protection for cloud services and how the information protection lifecycle helps with this. Following that, Gary will explain the importance of access control and encryption and show which forms of encryption are or are not right for which risks. Then we will have a Q&A session.
So to start off, what I'd like to do is to say that it's interesting to me that the cloud has been around for some years and, in the beginning, everyone was told that everything was going to move to the cloud and that the cloud was going to take away all of the challenges and the problems that people had of running their IT systems.
Now, certainly it's true that many organizations have moved some of the IT to the cloud. One of the particular areas has been in that of software as a service, and that is sort of office productivity and CRM type tools, both of which were very painful to manage and didn't count a great deal in terms of intellectual property.
However, if you look at the take-up of moving your applications to the cloud, your business critical applications for your business, correct.
That's another story entirely the, to it said something like 80% of the workloads still have yet to move. So what I'm going to do is to examine what is driving cloud adoption now, and what are the tensions and problems around it and how we consulted.
So, whereas in the early days, the cloud, or at least infrastructure as a service, was taken up by the development people, because they could get hold of that, the service system, they required in very short order and with a credit card, that was not necessarily a business imperative. However, the competitive nature and the ubiquitous availability of data that's come from the cloud means that organizations are now having to respond to the digital interlopers who have come in and are stealing that customers product, using new products and so forth.
And organizations are trying to replicate this, creating more attractive apps, new products, things to optimize their operations.
And when you look at what you need to do that, you actually find that these services are based on the use of enormous amounts of data, new computing paradigms like machine intelligence, and an agile development approach, which is quite different to the traditional write a specification and build to that. And things depend upon cloud services.
Machine intelligence is such that requires such computing that you couldn't contemplate it without large capital outlays. The same is true of big data.
However, if you exploit a cloud service, you can try these things out and you can get them at a very reasonable price. And so that's what led to this business driven use of cloud.
Now, a third thing that has happened is COVID, and the impact of COVID has been to force organizations to try and work remotely where they can, since human person to person contact has become dangerous.
The use of working from home has become much more ubiquitous, and that has introduced its own challenges. And those challenges are really all around the data.
Now it's bad enough when you think of your office productivity tools and the data that flows through those, but you've now got people that are doing development, people that are doing other kinds of business critical activities, using their own devices at home. That has introduced another dimension of risk. So if we look at what has happened, we can see that the business has decided that it was going to go for a digital transformation.
And so there will be a leader of that program, whose job is to get it done, but that will almost inevitably involve the use of the cloud and outsourced development. However, this starts to cause internal tensions because the CISO previously understood the security posture, because he knew the processes, the technology and the tools that were being used internally.
And he or she is now using and responsible for services which are delivered by third parties over whom he has no direct control. And equally the risk and compliance people are also, shall we say, concerned about this, because they used to understand how the controls in the organization mapped to the contractual and compliance obligations that they have. They're suddenly confronted with a third party being involved in this mix, and they no longer understand exactly what controls and how they all map. So this is not a reason to avoid the cloud, but it is creating tensions. And it makes it all the more important for whoever is using cloud services to understand the answers to these questions.
What is my security posture in the world of hybrid cloud? And how do my controls map onto this cloud?
So if we then see what is in the market, there are a lot of vendors and service providers who are using this as an opportunity to sell their services by convincing people of the enormous technological risks. Yeah. It's very involved. And so you see all of these kinds of statistics about the different ways in which the malicious outsiders and malicious insiders and so forth will attack your systems.
Now, these are important, but in order to understand what you need to do about that, you need to take not a technological viewpoint, but to understand what it is that this means in business terms. These are all about technology and about attack vectors and so forth. But what does it mean to the business? So my position on this and my thesis is that nearly all of the business risks that matter are those that involve some form of compromise to data: either you lose your data or your data is misused or stolen, or you can't access your data.
And the position that is being taken by organizations is that they believe that in their organization, they understand what data they have. They own it, the threats to which they stationary subject. Then they have these controls and everything is really fine.
Now, my view is that that isn't in fact a correct picture. First of all, without moving any further, you find that in nearly every organization there is an awful lot of unclassified data. The days when data was created by data entry clerks are gone. You have vast numbers of employees creating their own data, containing all kinds of different things. Not only that, there is data that you didn't know or didn't know it was being used in particular ways. And in particular, yeah.
You know, what we see in organizations is that a lot of the digital transformation is outsourced to announce development organization who asks for test data.
And so somebody gives them a copy of some kind of internal data for them to use. And once you've done that, you've totally lost control of that data. And you may not know where it is and may not even realize it's going like that. And the other thing is working from home has made that worse.
And this is leading to vulnerabilities that you weren't aware of, which are uncontrolled, and vulnerabilities for which your existing controls are not particularly effective. And the result of that is that you may lose compliance, may suffer fraud or intellectual property loss, or you may not be able to continue to run your business because your data is not accessible, or your systems are not accessible, for example, through ransomware or through other forms of loss.
And in terms of the business perspective, those are the consequences which actually matter, not the details underneath it. But what do I have to do to avoid those things? What controls do I really need in order to mitigate and prevent?
Now, this is made worse by this shared responsibility model. Lots of cloud sales in the early days were, shall we say, done in the airplane, at the golf course by the cloud salesman, who basically said, look, I can take care of all of your problems. Your IT group are not giving you what you want. Just give it, we look after everything.
Well, in fact, that isn't actually true. What you have is you have multiple service providers with multiple control sets and you have a complicated delivery stack. And when you look into that delivery stack, you see that depending on exactly the kind of service you have, the service provider is responsible for more or less. So for example, an infrastructure as a service provider will say, well, we deliver basically up to the hypervisor level and from the OS upwards it's your problem.
And even a software as a service provider, whilst they're responsible for the infrastructure, will say, well, if you delete your data by mistake, that's kind of your problem. And so the key thing to remember from this is that however the service is delivered, you are responsible and liable for what happens to that data.
And that is what you need to focus on to control the data because that data is what or the misuse or the loss of, or the own permission to you solve will be what leads you to those business consequences. Now, when you drill down into the risks, in some more detail, you can find from a fan perspective, there's a lot of things you can write out, but ultimately they come down to controlling access or controlling the data.
So for example, insider abuse of privilege is either the service provider or your administrators could misuse their access to the systems and compromised things in not going to the way that if you look at malware, well, malware can prevent you from being able to use your services. So you need to protect your data against that. If you don't properly control your identity and access management, then that convened that people can use the atrial or misused HR access data incorrectly.
If you don't take proper backups, even though they're in the cloud, you may find that you can't deal with the situation where you have mistakenly deleted data. So if you look at the research that we provide, we can show you how, what you need to do about all of those things, but they all lead to business consequences.
So in order to manage this, we believe that what you need to do is to take an information protection lifecycle approach to protecting your data in the cloud, on premises or wherever it is.
And the first step of that is knowing what you have when it was created, acquired, and knowing how sensitive it is, which in turn determines what you need to do about it. When you are using that data, there are then a series of mitigations that you can take, which are listed here. You can control access, you could take steps to secure it. A lot of people forget that you need to be monitoring and detecting what is happening as well as dealing with the need to contain any issues and to recover from them.
Increasingly there are now tools which will help you easily to deceive attackers, to lead them away.
And finally, when you have finished with your data, you need to be able to dispose of it. So I'm going to look at some of these things in a little bit more detail. So now most of your data is either from the cloud or in the cloud. And so a lot of the data that people are relying on is acquired from internet of things, from other sources of data. Many organizations don't know where it's coming from. Do you have clear understanding of the source of that data?
How can you be sure of the accuracy of the data? Are you sure you have permission to use it? GDPR really brought this out with people getting terribly worried because they knew they had all of these marketing email lists that they had bought and acquired, which were, they didn't know whether they had permission to, and they were floating around in terms of spreadsheets. That then leads you on to being able to discover the data that you have.
What are you actually holding? And this is particularly a problem in the area of the unstructured data.
Like I say, the spreadsheets somebody acquired once, which contain a list of personally identifiable information or details of some acquisition or merger that might be going on. You do need to know how it was acquired, how it was created, what permissions you have or where it's being held, and whether that is appropriate. And having got that, you need to then classify it in terms of its sensitivity, because the only reasonable approach is to understand what your risks are, which come from sensitivity, what your obligations are around that data, and then take the appropriate steps.
And the first of the steps is to control access. Now, once again, inherently, the whole nature of the cloud is that it means that since it's remotely accessible, potentially anybody can access it. And so access controls are really your perimeter today. They are essential, but they're only as effective as your governance. And so if you don't have proper control over things like separations of duties and so forth, then you don't have control over identity and access.
And there are particular areas like privilege separation of duty that matter. They protect the data that you know you have, but they don't necessarily protect the data that is being created that you didn't know you have, or isn't classified. And they certainly don't help if somebody manages to get hold of your data. If you can get hold of a database or the original file, unless there are additional controls, access controls aren't really going to help.
Now, one area that's particularly interesting in this is data leak prevention tools. Now these are not new, but they're actually very useful for the cloud. And indeed they're becoming almost a something that you really need, certainly for unstructured data, which helps you to discover and classify. You have under control over the movement and use of data, and they are increasingly integrated with encryption.
So for example, typically now you will find that these tools will say, well, if you want to move this data with this classification to a cloud service, it is going to be encrypted, whether you like it or not.
And finally, there are cloud access security brokers, which again are seven or eight years old. They were originally focused on discovering cloud use, but they have multiple find themselves because of the difficulties of controlling access by employees to unsanctioned cloud.
So an employee moving that data out to their own personal cloud services is something that can help you with. Also start to solve the problem of the multiple hybrid cloud, where they provide a single point of control for multiple control over multiple cloud services.
However, there is still no overarching single access governance approach which covers both cloud and non-cloud. Zero trust: a lot of talk about zero trust now. It's an old idea. And in terms of what I'm talking about today, I believe this comes from zero trust means that you have to identify what it is that you are talking to or connecting to.
And that has moved from what you had in your data center to now include what you have in cloud services and, just to make it even worse, containers and the internet of things as well as the individuals.
Now, how do you verify the identities of these things? Well, the best game in town seems to be certificates. The problem is that whereas people were using certificates on premises, many of them were making a complete mess of it, because I've seen organizations with thousands, if not hundreds of thousands, of self-signed certificates used for internal records, and nobody knew who signed them. There was no proper control mechanism.
You now, and the cloud service providers are all providing you with their own cloud certificate management systems. And you then have the third issue of what are you going to do about the millions of internet of things things.
So managing those certificates is a serious, serious issue. And encryption is, can you trust the CSP's assertions? They often say we encrypted data, but do you believe them? And could you be sure that they will not be subject to some local subpoena, which would allow them, or force them, to give your data away?
You need to encrypt data in transit, but make sure that you use the right level of transport layer security if you're doing it, or IPsec. And the best thing really is to use some kind of application level encryption such as S/MIME, which can verify the identity of the person accessing the data. In terms of data at rest, you put a lot of data in the cloud. Do you believe the cloud service providers, certainly that they will encrypt that properly? If you don't, then you have to encrypt it. Every cloud service provider provides something different.
So having a tool that works across many is good, but the issue is managing the keys, which takes you back to key management protocols and places where you store the keys securely, like hardware security modules. So make sure that you're using those. Encryption of data at rest does not protect against attacks whilst it's in use. And unfortunately, people are still writing applications which do not verify data as it passes from input, which makes it subject to things like SQL injection attacks.
And as well as cross-site scripting and there's various other approaches, which can be used, but which are not practically being used. If you are going to process data, which is subject to privacy legislation, you are much better to anonymize it. If you are going to share it, there's a quote from the information commissioner on this. And there are different ways of doing that depending on whether or not you need to be able to recover the data in one way or another.
So if you have to use data for tests and, and development, it's much better to have anonymized data than to use real data.
If you are going to do analytics where you may have to be able to prove that what you did is in fact correct, for example in pharmaceuticals and so forth, you may find that you need to have a way of making that reversible, so choose your method carefully. And finally, looking at protect, detect and deceive.
Now, many people mistakenly believe that if you are using a cloud service, your data is being backed up and protected against all eventualities. Well, that's not true. If you delete an S3 bucket, it's gone. If you missed it. Yeah. It can be deleted. An Office 365 file, after 30 days, it's gone. If you care about that, you need to take some action.
Unfortunately, most organizations are told about the data breach either by their customers, through social media or through the law enforcement agencies or the national cyber security center, because they all love it, the drink, what is happening. And increasingly there are tools which are being used, which provide the equivalent to the honeypot to draw the attackers away from what really matters and make it more attractive for them to go for this fake data.
So if you look at what this means here, I've given a perspective on the importance of these controls for the different risks, and you need to take a risk-based approach, where you look at what the risks are to you, and then choose the controls that are appropriate for your particular use case. And so in summary, what my position is, is that cloud security and compliance depends upon securing your data in the cloud.
And the information protection lifecycle provides a framework within which you can judge the risks and decide upon the appropriate controls and enable you to ensure a secure and compliant use of the cloud services. Now, so at this point, I'm going to hand over to Gary, who will then tell us what Thales is doing in respect of this. So how would you
Thank you very much, Mike, and thank you for some very interesting, interesting points there.
I think the one thing that I was very interested in was the talk about, and you mentioned it a couple of times, the fact that the insider threat is just as important and as critical as the external breach threat. And a lot of us forget about that. A lot of us forget that we need to have a wide view of what is going on in our businesses, because increasingly the assets that we have in our business are digital. Those business consequences mean that we can lose our business. We can pay millions of dollars in fines as a business if we don't get this right.
So, absolutely having our eyes open and looking at that from a 360 degree perspective is going to be increasingly important for us.
And I think the use case piece is incredibly important, looking at what are the business consequences, because businesses are no longer buying technology for technology's sake.
I think that that's a big change that I've seen over the last couple of years, as CSOs look increasingly towards the cloud, they look increasingly away from technology and are looking increasingly at what are the business consequences of what might happen or what might happen to me, should I lose data? Because most organizations are still very much expecting a breach, 60 some 63% of businesses expecting to be breached within the next 12 months. And that's a scary statistic.
We've seen some of the breaches over the last few months. We've seen a number of issues related to people being breached, whether that's internal or external. And what that triggers is that desire for organizations to say, how do I reduce my risk profile?
What can I do?
And clarity is a natural way of doing that, in looking to see whether you can pass off some of that risk to a managed services provider or a cloud provider, whether that's AWS or Google or Azure, but you get to that point. And if we think about some of the practical examples that we've seen over the last 2, 3, 4 years, we see that that risk needs to be really considered for you as an organization.
And the conversations I have with many of these cloud providers is that they do operate a shared responsibility model. And that means that they will take absolute responsibility for making sure that what they provide, the infrastructure, the capabilities, are up to the task and are secure, but it's still the responsibility of the enterprise, the customer, to ensure that its data has the right policies and the right controls in place. Just as Mike was saying, you know, you cannot absolve responsibility for your data.
You have, as a CISO or as a CEO, you know, wherever the buck stops, you have a responsibility for making sure it's your data that is secured because you take that responsibility. So we see a lot of that. We see a lot of organizations still worried about what could happen, but very few organizations have done a lot about it.
And I wanted to perhaps reiterate some of the comments that Mike made in terms of some of the steps, but perhaps elaborate on some of them as well as I talk over the next few minutes, because it's really important as we look at using clouds that we don't also forget that we're not just going to be using one cloud. It all comes down to those environments where we are multi-cloud.
So every single one of those providers that are on here could well be one of the many cloud providers that organizations are using. Our recent Thales Data Threat Report shows that most organizations have at least seven, 12, 15 different cloud providers. I've worked with banks who have many hundreds, even thousands of cloud accounts that they have to look after.
And, and so making sure that you don't just put all of your eggs in one basket is really important to your organization, making sure that you are having the right level of controls and, and you're securing your data appropriately is, is incredibly important. And I, I kind of wanted to, to explain one, one area that I feel is quite important, a great example. It's quite important.
It's just one of many, many use cases that we come across, and over the next couple of days, Thales is running a cloud summit where we're talking about all of the different types of solutions that are available, but really focused on use cases. Because as you said, right at the beginning, it's use cases that are really driving businesses now to look at what they do. And I take this, internet of things, as an example. Mike mentioned it earlier. Internet of things means that software, devices, identities are everywhere, and that threat continues to grow.
As we have more devices with software, we have more people working remotely using devices with software.
How do you make sure as an organization that either of those don't device identities are secure, such as using PKI, making sure that the people that are getting access to your network are secure using certificates or, or PKI, but also as we increasingly rely on software and software running on devices, smartphones, remote devices, whatever they use, those may be, but particularly as our workforce gets more remote, then how do we make sure that the software that has been deployed is secure?
And it's a real issue for a lot of organizations, and I'm sure many of you on the call are in this situation where you're now using IoT or you're using remote devices, but those are then open to threat. There's a really interesting website called MITRE ATT&CK.
And that shows all of the different threats that we're facing. Code signing here is just, as I say, just one example, and there are simple responses that you can take to these.
So, for example, code signing is a big risk. You can actually provide a set of authenticity for all of the software that are on your devices by signing that with an HSM. And that verifies that the source of that software is known and valid. And it validates the integrity of the code that is being deployed. So there are some very simple things, very simple use cases. I could produce a whole list of these and quite happy to discuss them in more detail.
But this is just one example of, of how we need to think differently because our spirit has changed and we need to take that more 360 degree view of, of what is happening in our world and what do we need to do to address it.
And that's really where I'd like to spend just a few minutes, as I say, perhaps reiterating some of the things that Mike has said, but also from a practical example. In talking with CSOs and IT security directors, I hear all of the time that too many organizations have not actually done the research.
And they've not actually got to a point where they do know where their data is. There are now some very, very simple tools that could be used. Mike mentioned CASBs, but there are also some really good data discovery and data classification tools that you can get access to that will actually show you where your data is. Now a really good practical example.
I worked with a bank probably about 18 months ago, maybe two years ago, time flies when you're in a COVID time warp, but I talked to this bank and they were explaining that they had a couple of thousand cloud accounts that they just hadn't realized that they had, and they'd used a CASB to go out and find those.
I then met up with them six months later thinking, you know, well, they would have solved those issues. They would have done what they needed to. And the first question was, how did you get on with those 2000 accounts?
And it turned out that in six months, it had escalated from 2000 to 7,000 accounts. Now for me, that really shows that things are escalating a lot more.
And that was pre-COVID times, I have to say.
And I do know that many of those banks that I've spoken with over the last couple of years have deployed so many more collaboration tools and are using software as a service a lot more than they were pre-COVID. So making sure that you do take those practical steps, as Mike said, is absolutely critical because you just do not know where people are downloading software from, what they're subscribing to and how they're subscribing.
The next point is take control of that data.
Now taking control of data is one thing, but actually then putting the right security policies in place and making sure that you're using encryption and realization again, is something that a lot of organizations have not adequately done. Most people have not actually classified their data. And so a lot of the data that they've looked at has been the wrong type of data. Some 60% of data in organizations has not been encrypted.
And that leaves those organizations at risk for those threats that I showed a short while ago, maybe not the code signing threats, but some of those other threats that the MITRE ATT&CK website will show. And so a lot of the organizations that I've been speaking with are worried that now they've got multiple data silos. They're looking at trying to manage data across multiple cloud providers.
Plus they're actually having to do that with their on premise solutions, because they've not migrated everything yet, or maybe they have migrated and stuff, but they've actually repatriated some of that data. And now they find they're in a hybrid world. So using the appropriate type of encryption is incredibly important, and knowing where that data is and how to classify it.
The next step that I find organizations talking to us about here in Thales is managing access to data. Now, again, Mike talked about that level of access management, but again, what I found over the last 12 months really is that organizations have said, I'll just use the access management solution provided by my cloud provider.
And they've done that and they've implemented that, and that's great, but then they find out that they've got a few more cloud providers. As I said, it's a multicloud world that we live in these days. And so they find that that control of who, what, where, when, how is really uncontrolled. There's no single pane of glass or control over who's getting access to what and how. And so looking at some form of cloud neutral tool is where most people end up, because those cloud provider tools are great
if that's where all of your data is, but very few organizations have only one cloud provider. So the practical step there is to really look at what is it you're going to be doing, and how do you protect that information?
The next step that we go through is how do I secure my data?
Now, Mike might mention that, and I'll talk about this again in a few minutes, but adequately securing your data, again, comes down to what it is your cloud provider can give you. They do actually encrypt data. And we've seen a lot over the last couple of years of organizations, big cloud providers and collecting data, and then providing key management and then providing HSMs.
But again, if you're repatriating data, or you're in a hybrid model, then you become unstuck. And so finding some way of using the native encryption that's provided by those cloud providers and using something like bring your own key capabilities is quite important for many organizations.
In fact, we see bring your own key and hold your own key really rising up as clouds get deployed more and more.
And the final point here, I think Mike may have mentioned confidentiality, integrity or availability, but also auditability is a critical point for compliance.
And we've seen a massive increase over the last few months of organizations realizing that as they start to use these keys from providers, they actually need to start locking away those keys in HSMs, or, as I said in the practical guidance earlier, using HSMs to do code signing, using HSMs, for example, to help manage keys in a PKI environment. Very few organizations have done that so far because the complexities of implementing HSMs may have been too much. So maybe cloud HSMs are the right way to go, but how do you find the right type of HSM, the right type of cloud HSM?
There are simple ways of doing that. And we'll take a look at that in a couple of moments and think ahead to the future.
Because as I say, some 64% of organizations that put stuff in the cloud actually repatriated; they actually bring it back to on-premise solutions.
Now, whether that's for compliance or security reasons or performance reasons, I wouldn't like to say, but we are seeing a massive trend in people putting stuff into the cloud and then bringing certain types of data back. So think about future needs, think about what you need to do to protect that information and that data as we go forward. So our cloud landscape has changed. Our cloud landscape has moved away from the typical IT stack, from the network to the applications layer, and it's moved across and we started to put that into the cloud.
It means that we're moving away from the highly customized environments that we've been familiar with across to more repeatable environments. And that repeatability needs to consider what happens when you build those hybrid environments, because it's not easy.
You need to find vendors that can support those hybrid environments. So you've got practical capabilities to back up everything that you're going to do.
And to allow you to leverage some of those things that Mike talked about earlier.
And the journey that we've been on for the last couple of years is to actually take that view that the world is not going to be 100% cloud. It's going to be very, very hybrid. So looking at the roots of trust, where does that fit? I mentioned cloud providers providing roots of trust, providing HSMs and key management solutions, but they are really specifically focused on securing their environment. I talked about the shared responsibility model; in that shared responsibility model, they are going to provide the tools that mitigate the risks from their side. That's fine. But if you find yourself with three or four or 12 different cloud providers, does that mean you're then managing 12 different types of HSM, managing 12 different types of key management, setting up policies and different policies across all of those? The whole idea of cloud was to get rid of all of those overheads.
And if we're not careful, we proliferate those challenges. We proliferate the total cost of ownership.
So finding ways of doing that in a hybrid way, maybe looking for a cloud neutral way of providing HSMs and key management, is going to be important. Finding ways of delivering encryption, not only for a specific cloud provider (we mentioned cloud native encryption a couple of times over the last few minutes), but finding ways of bringing your own encryption, if you think you're going to need to move your data around, is going to be really important for you as an organization.
So it's getting that right mix and finding those right solutions that actually provide you with those capabilities, either from the cloud or for the cloud in a hybrid world. And that's something that we've spent a lot of time doing at Thales, working to those steps that I've just mentioned.
I think Mike mentioned many of them earlier, but pulling together some practical ways of taking each one of those steps, making sure that every single one of those steps is matched with a location-independent solution.
So having solutions that can either be run in the cloud, in Google or in Azure or AWS, that can be run on premises, or that can be run from a trusted cloud provided by Thales, for example, so that you can then take those different solutions and build something around the responses to all of those suggestions that Mike said earlier. And to answer some of those practical examples that I've talked about over the last few minutes.
So some very simple ways of doing those things, from bring your own key and hold your own key capabilities, whether that's cloud hosted or on-prem, through to taking HSMs that can be launched and run on your own premises if you need to wrap your hands around them for compliance reasons or for security reasons, or just running those from a cloud agnostic position to ensure that you can reduce your total cost of ownership.
So taking a final look, there are kind of three steps that I see that organizations are taking.
There are those organizations that are quite happy to work with their cloud providers and use those cloud native encryption key management services. And that's great. It's kind of horses for courses. It works. You don't have the personalization, the customization, and all of the controls that you may want, but for smaller organizations maybe, or those organizations that are just going to use the one cloud provider, it works fine.
There are those organizations that work with solutions that provide them with those absolute controls, but they use bring your own key to blend with native encryption services.
So they've still got the customer supplied encryption key, or bring your own key or whatever you want to call it. So they're using their customer specific controls over and above those cloud and cloud agnostic views, but using stuff from their cloud providers in terms of cloud native encryption and getting the benefits from ease of access and ease of integration.
And then we find organizations that really do decide that they need that cloud neutral approach. And I see this happening more and more, and I think this is a really important change that we've seen in the marketplace, that more organizations are moving for those cloud neutral approaches for all of those reasons that Mike and I have talked about over the last few minutes and making those decisions to remain neutral.
So that was really where I kind of wanted to leave what I've just been talking through. And we, I think, move on now to answering some questions from the audience. I think Mike and the KuppingerCole team have been monitoring those questions.
So Mike, are you still there?
Okay. Thank you very much, Gary. That was very interesting. And so we're now back with my screen. So now we have a chance to have some questions, and if the audience want to ask any questions, then they can do that through the question. So here is a question, Gary: is what you just described predominantly a European situation? And there's a lot of talk about bring your own key or BYOK. What is this and who would use it? So is this just a European view of things? And what about bring your own key?
Okay. Interesting, interesting questions. Let me kind of jump in with the bring your own key question first.
Bring your own key is quite interesting. There's a lot of changes happening to that.
I remember talking about three years ago with Salesforce, and Salesforce had a capability that would allow you to bring your own key, and it works with their encryption capabilities and allows you to manage the keys and the key rotation and the policies so that you're in control of your data within Salesforce. I've recently seen some moves by Google.
They've introduced an initiative, and we've been working with them very, very closely, for an external key manager, which does things in a slightly different way, and is perhaps a little bit more secure and a little bit more control than what was being done three years ago by many of those cloud providers.
So a lot of organizations are using it because it allows them to define their policies, define their rotation policies, move keys, delete keys when they need to, audit their keys, but make sure that nobody has got access to those keys other than their organization.
And I think we'll see further advancements over the next month, just to ensure that as we look at organizations today having to have policies, for example, to rotate keys, just to make sure that they can remain in control of things like legal subpoena and those kinds of things. I think we'll see more and more proactive ways of managing bring your own key capability. It's estimated some 20% of organizations at the moment, in 2020, supposedly will be using some form of bring your own key, hold your own key or customer-supplied encryption keys.
But the interesting point is that it's been quite complex. And I mentioned this a short while ago, that some of these technologies have been quite complex to manage and set up and configure. So organizations are looking for easier ways of delivering that bring your own key capability.
And that's something that we've been very focused on for the last few months. And you'll see some of those initiatives coming out to help the 60% of organizations that think bring your own key is complicated.
You'll see some exciting things happening over the next few weeks. The first part of the question though, Mike, was also very interesting.
I, I, B bit pre COVID. I was lucky enough to be able to travel the world, whether it's Australia or Japan or Singapore, or the us or Canada or wherever. And so a lot of what I've talked about and, and a lot of what I've seen and a lot of the steps being taken, which are some of the things you mentioned, Mike, a lot of those are global, very, very much a global risk protection view. Definitely not European, just cause I've got a British accent.
I mean, here in Europe doesn't mean I'm European, but they, they are very much being used around the world, particularly in, in, in large financial services organizations.
Okay. Okay.
Well, I think we're nearly at the end, but perhaps I could just ask, Gary: if you had one simple piece of advice that you could give to organizations around this subject, what would it be?
I would absolutely say one thing is take control. However you read taking control, whether it's taking control of knowing where your data is, taking control of employing encryption, or managing your keys or securing your keys, for me it is do something about it. Too many organizations are getting caught short because they've not actually taken those practical steps that you and I have talked about, Mike.
And I think the sooner people do that, then the less risk we'll have in our world, and the fewer breach reports that'll come out, and the fewer fines that will be there for people who have been breached.
Brilliant. Thank you very much, indeed. So Gary's advice is take control. Thank you very much to our audience for joining today. And thank you very much to Gary for giving us a very interesting presentation on what Thales is doing around this area. So with that, I'll say thank you very much to everyone. And we'll now close the webinar.