Well, hello and welcome to another webinar by KuppingerCole. Our topic for today is "The evolution of encryption: getting ready for the quantum watershed". My name is Alexei Balaganski, Lead Analyst at KuppingerCole. And today I'm joined by Chris Harris, who is director of presales at Thales. And I really have to excuse myself for not probably looking into the camera all the time.
It's, it's a new experience for me just as well. And before we actually start with the webinar, let me spend a minute explaining some of the short housekeeping rules. First of all, you're on mute centrally. So you don't have to worry about these features. We are recording the webinar, of course, and it will be published on our website tomorrow. And every registered attendee will receive an email with all the necessary links to the video recording and the slides. We will have a Q&A session at the end of the webinar, but you're of course invited to submit your questions at any time.
You can submit the questions through the GoToWebinar control panel, which you probably see on the right side of your screen. The agenda for today is typical for KuppingerCole webinars. We will have three parts. First, I will spend 15 to 20 minutes talking about the past, present and future of cryptography, and dive a little bit into some mysterious things about encryption, such as quantum computing and so on.
Then I will hand over to Chris, who will talk in more technical detail about best practices, about adopting modern encryption solutions in the most appropriate way for modern, complicated and hybrid IT environments. And as I mentioned earlier, in the end, we will have a Q&A, questions and answers, session. And without further ado, let's dive into the topic. As promised, let's start with a brief history of encryption. Obviously encryption, cryptography, the need to hide your communication from anybody else, is just as old as writing and communication itself.
That's as old as humankind, but perhaps the earliest recorded use of a cipher, a method to encrypt your correspondence from prying eyes, is from the year 60 before Christ by a pretty famous guy called Julius Caesar. He used the so-called substitution cipher to encrypt his private communications. And because he was pretty important, this is perhaps the first recorded use of encryption.
Further along in history, in the 16th century or something, an Italian scientist, Giovanni Bellaso, came up with an idea to use a key for encryption. So it was no longer just a simple substitution cipher, but you would actually have to have a secret key to decrypt the message. Fast forward to the 19th century. And in 1843 Edgar Allan Poe, the famous American writer, published a short story, The Gold-Bug, which really sparked public interest in cryptography.
It was immensely popular.
It was his most famous and highest-paid short story. Until now it kind of inspires lots of people to learn more about encryption and cryptography and to study in that field. In 1918, during the First World War, German scientists invented the first hardware encryption device, the Enigma machine, which was in use until the end of World War Two. So it was a primary encryption system for Nazi Germany, and unbeknownst to the Nazis, in 1939
a team of Polish and British researchers actually managed to crack this encryption, and for years the British were able to snoop on, intercept and decrypt the German military correspondence, which of course made a huge contribution to actually winning the Second World War. After the war, in 1945, an American scientist called Shannon published a book, A Mathematical Theory of Cryptography, which basically starts the history of modern cryptography as a scientific, mathematical discipline.
And from that book, from that publication, the whole theory of encryption, as we know it and as we use it today, stems. In 1975, the first national standard for symmetric encryption, DES, was adopted by the NIST, the National Institute for Standards in the USA.
And of course it was also widely adopted worldwide. The next year, Diffie-Hellman, okay, sorry, an American scientist proposed a method of secure key exchange between communicating parties, and it is named Diffie-Hellman after two scientists. And the next year again, the RSA public-key-based cryptosystem was published, and it's actually still in use nowadays.
So everyone is using the RSA cryptosystem for asymmetric encryption. In the year 2000, the DES standard was deemed no longer capable of addressing the modern rise of computing power and the demands of intelligence and other applications. So it was superseded by a new standard, the Rijndael cipher, which has been adopted by the US as the AES standard, which is still in use today.
And in 2007, arguably the first practical quantum computer was introduced.
And of course we will address the whole topic of quantum computers and post-quantum cryptography later in this webinar. And last but not least, earlier this year, in 2020, an investigation finally confirmed what scientists and experts had suspected for decades: that the famous Swiss company Crypto AG, which was the largest provider of cryptography hardware for the Western countries for decades, since probably the early seventies, was actually a secret project operated by the CIA, and those machines all had embedded backdoors.
And the CIA actually was able to read the communications of many Western countries for decades, which I guess gives you a nice lesson about crypto agility, another topic which we'll be addressing later in this webinar.
So why, why is encryption so important? Obviously because nowadays the world is hyper-connected. You have so much data everywhere, digital data, and digital data is no longer stored in a safe. It's no longer hidden in a castle with a wall and a moat. It's basically everywhere. Okay. Let me click once again. Yeah.
The data can be found anywhere: on prem, in the cloud, on the move in between, in your manufacturing plant, or anywhere. And of course, anywhere it can be attacked. It can be snooped on, or it can be intercepted and manipulated. And the primary goal is to protect the sensitive information. And this is where encryption plays a huge role. Okay, what this digital transformation has brought us is the overwhelming complexity of this digital data. We have so many different databases: relational, NoSQL, data lakes and warehouses. We have data in the cloud.
We have data anywhere else.
We have unstructured file stores, like S3 buckets and other object-level storage. We have data manipulated in applications. So it's extremely complex. It's extremely complicated. There are multiple stacks of infrastructure which are supposed to protect the data in different environments, but there are so many of them. So the industry has been looking for an alternative approach to fight this complexity, because if you are targeting infrastructure, if you're targeting every data silo separately, you are quickly overwhelmed.
You cannot keep up with this huge exponential growth of data, the quote unquote data's problem. And of course this data is not just stored somewhere. It's actually constantly on the move. It's being processed. It's being analyzed. It's being streamed in real time from smart devices around the world. And on this slide, I've just listed a few technologies which are intended to protect that data, not just at rest, but also in transit and in use.
It's mind-bogglingly complicated. You have to not just think about data protection itself.
You have to think about identity and access management, user behavior monitoring, data virtualization, leak prevention, and so on. It is crazily complicated. That's why a few years ago, maybe a decade ago, this alternative approach was introduced, the so-called data-centric security. This is a major paradigm shift in data protection. On its surface, it sounds really easy: instead of protecting your infrastructure, let's protect the data itself. So your data must not just be digital. It has to be quote unquote smart. It has to be self-describing and self-defending.
It has to be compatible somehow, in a theoretical way, with your security and compliance policies introduced across your enterprise. It has to be able to account for business context. It has to be constantly protected at rest, in transit, and in use, along its whole data life cycle, consistently.
The only problem is that it basically just doesn't work. It's a nice theoretical concept. But how do you even begin implementing it?
You've heard about so many different projects, Information Rights Management from Microsoft, a good idea of course, but on the large scale, on a heterogeneous scale, if you will, what are your options, which technology can support you in doing this? You have to start with data discovery and classification, obviously, because you cannot protect what you just don't know even exists. You have to know where your data is all the time, and then you have to encrypt your data. You have to make the sensitive data inaccessible by any illegal, unauthorized party. Encryption is the answer.
Before we fall into the technical detail, let me just quickly mention one concept that KuppingerCole has been pushing recently. It's the so-called information protection lifecycle.
It's a comprehensive approach to securing, managing, monitoring, containing and protecting your data through the whole life cycle, from the acquisition, that is, creation or discovery, all the way to archival or deletion when the data is no longer needed. We have quite a lot of research published on the website on this concept.
And I really urge you to visit KuppingerCole dot com and read a little bit of theory on this topic. But again, encryption is perhaps the most ubiquitous, the most widespread, the most popular method to ensure your data confidentiality, integrity, and availability, the triad of data protection. The problem is, even encryption alone is pretty complicated. As I mentioned, it has to be applied at rest, in transit and in use. And each of those three pillars actually incorporates multiple levels of encryption.
Your data has to be encrypted on the full disk level, the lowest level, or maybe you need to encrypt individual files and folders, or maybe you want to desensitize or anonymize some sort of data fields in your database, or you want to ensure that messages and objects in your applications are encrypted. The same applies to in transit.
You don't just need TLS, HTTPS and the lock icon in your browser. You actually have to look higher and deeper. You have to encrypt your messages. You have to encrypt your API payload. You have to apply application-level encryption and encrypted emails.
The S/MIME protocol is just one of thousands of different protocols available for that. And of course you have to protect your data, you have to encrypt it in use, if it's being processed. There are many solutions, ranging from full memory encryption to secure enclaves in your computing systems to the still largely academic but really interesting homomorphic encryption developments, where you can operate directly on encrypted data and receive encrypted results.
And of course, secure multi-party computation is something which arises as soon as your applications become modern and distributed and loosely coupled, like those microservices. Key management is another thing which nobody should forget, because your data is only as safe as the encryption key. There are multiple approaches towards managing your encryption keys.
And I hope Chris will provide you a slightly deeper insight into that, but basically it all ranges from letting your cloud service provider, for example, a third party, manage your keys for you,
either in software or in a hardware-based security module, to managing your own keys, again probably in a hardware security module which you are controlling yourselves. Hold your own key is another, even more secure approach, when you're not just managing the keys in a device operated by someone else, but you actually operate the device yourself. For example, you keep your encryption keys on prem while your data resides in the cloud.
And every time your cloud application has to decrypt the data, it actually has to go back all the way to your on-prem device which holds the key store, and fetch that key. And of course, leaving a full audit trail of all those cryptographic operations.
Because if you are not able to have this tamper-proof and complete audit log of all the operations, you basically can never guarantee that your data is actually securely encrypted. Last but not least, bring your own encryption.
That's an approach where you, as a client of a cloud provider, for example, are completely responsible for not just managing the keys, but actually encrypting your data. This can be implemented in multiple ways, with cloud encryption gateways, or, again, I'm looking for Chris's input on that topic as well. But basically you really have to assess your own risks, compliance requirements and so on, and choose the most appropriate level of key management. And probably in a real-world scenario, you will have to combine multiple options for multiple projects.
Going back to this crypto agility topic: crypto agility is a relatively new term, but of course the idea is really old. You have to be able to modify your encryption technology without major changes in your infrastructure, because those cryptographic standards, even those which are not yet broken, like, for example, the DES, will become obsolete eventually.
And you have to prepare in advance, because your cryptography hardware or software isn't actually updated that often, especially if it's somewhere in the manufacturing plant or radiant system where the upgrade cycles are so long that you have to think about challenges that will probably arise in 10 years, and you have to think about them now. So pay attention here: your crypto infrastructure, your cryptographic software, not just your own, but that of all the third parties involved in your business processes, has to be placed under centralized crypto lifecycle governance.
So you have to know what's going on, what every piece of your cryptographic infrastructure is capable of, how flexible it is. How quickly, for example, can you increase the length of your encryption keys? Will it require weeks of re-encrypting your data in place, or is your solution, is your cryptographic platform, capable of doing it on the fly without any major performance impact or not? So many questions here, but the goal is obvious. You have to be agile with regards to cryptography,
just as you have to be agile with regards to your core business goals, because without agility, you cannot survive. And here, of course, we come finally to the topic of quantum computing. It is a really complicated topic and a very controversial topic. And many people are still not entirely sure how far we are from actually having a real-life working quantum computer. Managers don't know at all what it is all about. To really kind of put it into layman's terms, to try to simplify it as much as possible:
Quantum computers are based on fundamentally different principles than a classical computer. So it's not just a matter of creating a computer which is like a million times faster than your current laptop or server. It's a totally different approach to computing. And it's based on quantum mechanics, quantum theory. Maybe our listeners can still vaguely remember all of those things studied during the physics classes in high school, about quantum mechanics as the inherent properties of our universe. This is how the subatomic particle level physics work.
Basically those particles, they're no longer governed by the same physical laws as the microscopic level universe, if you will. And they, for example, can be in a superposition of states, meaning that a quantum, this tiny bit or a particle, can be both in the one and zero state at the same time. And you will never really know the actual state that it's currently in until you try to observe it and try to measure its state.
And as soon as you measure the particle, you basically let it crash into one of those states.
And the final result will be random. And the theoretical idea of utilizing quantum bits, if you will, the qubits, to implement a computer isn't that new. It was suggested in the 1980s, and the mathematical operators, the rules and algorithms, have been designed for decades already. The only problem is how to implement those methods in hardware, in actual working devices. And the idea is that since every qubit can be in more than one state at the same time,
and by adding another qubit to a system you can actually represent two to the nth degree states simultaneously, the theoretical computing power of such a computer would increase exponentially, not linearly. So in theory, if you design a working quantum computer, and if you design a quantum algorithm specifically for this quantum computer, you could probably solve a problem which is infeasible for traditional algorithms.
So for example, a popular mathematical problem of factorizing a large prime number might require millions of years on a traditional computer, even really much, much faster ones than we have currently, but it will only need maybe minutes on a proper working quantum computer. And of course the RSA cryptosystem heavily relies on the fact that factoring a large prime number is extremely computationally difficult. And the question is obviously, do we already actually have those quantum computers that can do this? And the question is yes and no. Okay.
The current state of quantum computing is described as noisy intermediate-scale quantum, meaning that there are already existing devices. And I've put a few photos of the real computers on the slide. And for example, I've actually seen the IBM one with my own eyes, a pretty impressive sight. And they actually kind of work already, but they are extremely small in their scale.
So they probably have like 50 to 100 qubits, quantum elements.
We'll probably have like a thousand or a few thousand in the foreseeable future, but they do not possess any technology to compensate for, well, that quantum decoherence, so there is an extremely high probability of error, because those hardware qubits are usually implemented with really complicated and expensive technologies like superconducting materials or lasers. And they require extremely low temperatures and extremely careful manufacturing, with crazily low tolerances. So basically current quantum computers break a lot.
In the end, they are still useful enough if you design algorithms specifically for this class of computers. And those definitely are enough to demonstrate the so-called quantum supremacy, meaning that you can actually today run a problem on the quantum computer which will be solved faster than the same problem on a classical computer. And apparently, yeah, in 2019, Google was the first company to demonstrate quantum supremacy for the first time.
So is this the end of cryptography? Does it mean that you can already today crack your existing RSA-based encryption system?
And so the short answer is nobody knows for sure. The evidence is kind of conflicting, and the expert predictions are conflicting as well. What we know now for sure is that quantum computers actually already exist. They are being worked upon as we speak. And that's a challenge. Another challenge is also the long upgrade cycles I mentioned earlier, and of course the general complexity of modern IT and cloud and hybrid environments, which makes it hard to implement crypto agility. And of course, the quantum computer is actually not the only problem you have to deal with for crypto agility.
On the other hand, it will probably take another decade to develop a properly error-corrected quantum computer. And some experts say that those computers will have to have millions of qubits, not even thousands, but millions.
Well, that's another reassuring thing, if you will. On the other hand, the quantum-resistant algorithms are already being developed now, which ensure that even with a properly working quantum computer, they will be strong enough, resistant enough, for you not to be able to crack them in a foreseeable time. And of course, vendors are already working on interim solutions. You don't have to wait till 2022, when NIST is to publish the final standard. You can start today.
And vendors like Thales are already working on solutions to help you increase your crypto agility starting today. And this is exactly why I will hand over the stage to Chris Harris. Chris, you're welcome.
So thanks for that background. It was really useful actually to what I'm going to be speaking about. I'm going to be taking an alternative look, if you like, at the history of encryption, but one that's really focused on businesses and how the attitudes and use of the technology have changed.
And so I've worked in the encryption and data protection business for quite some time. I started out with some of the earliest PKI and identity smart card products, and then moved into, moved into smart cards, moved into HSMs kind of, as I made that interesting transition from directly connected to network appliances. From there, I got involved in encryption solutions and then really the wider data protection and cybersecurity landscape.
Now over that time, I've seen some real fundamental changes, really not just in how companies transact, but in also what they expect from the solutions that they use. And I thought it might be interesting in this presentation to kind of chart some of those changes so that you can perhaps map that onto your business evolution. And then as we get closer to the present day and then kind of go beyond, we'll talk about a glimpse into what's coming next and things that we can do today to ensure that we are planning for that future.
So if you think back then, the perception is very much that things used to be simpler, and perhaps it was the case. You know, organizations used to secure themselves with the tried and tested approach of building a big wall around their data. Companies generally had their own data centers and they surrounded that perimeter with defenses, first kind of network firewalls, but then content scanning, application firewalls, gateways, and more.
And if you wanted to get inside, you came in through the VPN or you came in through an application server, you know, both of which were locked down and hopefully had logs which were very carefully monitored. And it was very much the idea that you kept the bad guys out and all would be good. And with that mindset, you know, relatively few organizations chose to implement additional defenses.
And so once you were past these walls, or if you were already inside them, then you had a pretty free rein of the network and the data through fairly straightforward, you know, physical or logical attacks against those internal servers.
Now for organizations that were looking to sell security, you know, if you weren't speaking about that perimeter, then you really had to begin from the very basics.
You had to explain what an encryption solution did, you know, why a company might want to consider it, and then make them aware of the risks that were out there, which would perhaps drive them towards it. And, you know, some took the initiative and others chose to fortify that big external wall, because they felt that that was where the money was best spent. And now the catalyst that really started to change the way that companies thought about encryption was regulation.
You know, if organizations weren't going to do something for themselves, then they needed some encouragement, and for encryption, it came along in a nice document from the Payment Card Industry Standards Council, PCI. And so their standard, PCI DSS, the PCI Data Security Standard, dictated to organizations of a certain size what protection they should be applying to sensitive data.
And this was particularly about credit card information. Now we know how many organizations will kind of voluntarily comply with standards and I'll give you a clue. It's not many.
And so the carrot kind of came with a stick. If the organizations chose not to protect their information and they got breached, then the liability shifted from the payment provider to the company itself and alongside a deadline that was issued for, you know, you can imagine that that started to catch people's attention. So now we saw encryption starting to become mainstream.
You know, organizations were still mostly the same, big walls and lots of focus on the perimeter, but now they started to implement encryption solutions inside their network so that they could be awarded their get-out-of-jail-free card in the event that they had a breach.
Now, if you thought about it, encryption solutions of the day, you know, they weren't, they were often pretty complicated, particularly if a company started to build something themselves. Encryption uses keys, as Alexei was talking about.
And the management and security of those keys is really the cornerstone to the security of the overall solution. If you do the key management wrong, you may as well not have bothered with the encryption at all. It's a little bit like leaving the front door key to your house underneath your front door mat. A few companies tried to make this easier. And certainly, you know, we started to see appliance-based encryption solutions springing up that were designed to help organizations implement this complicated solution in an easier manner, but everything's relative, right?
It was definitely easier, but it wasn't necessarily easy. Alongside this new regulatory landscape, the threat landscape started to change as well.
We started to see a big increase in attacks and breaches, and these old perimeter defenses just weren't enough any longer. And so we encourage companies to secure the breach, and that's really a message which still resonates today. It's the idea that it isn't if you'll be breached, but it's when, and it's all about the protections you have in place to protect your data.
And of course the simplest way of ensuring that an attacker doesn't get away with your sensitive information is really to encrypt it. Now, for many years, Thales has commissioned an annual report called the Data Threat Report, and I'm going to be pulling some figures from it throughout the presentation. This is one of the longest-standing annual security reports in the industry and contains some real insights into what companies are thinking and doing about data security within their companies.
And so the report's compiled after speaking to over 1700 IT executives from across the world in a really wide range of roles: C-level execs, CEOs, CFOs, chief data officers, data scientists, security architects, systems administrators, you name it, they were included.
And so if we look on the screen at some of the data from this latest report, you can see that even with the security of today, and this report was talking about last year, 26% of organizations admitted to having been breached within that past year. 49% of respondents said that they'd experienced a breach at some point within their history. And 47% said that they'd been breached or failed a compliance audit in the past year. And so you can see it isn't if, it is when, and it starts to become apparent, you know, just how important it is to start securing your sensitive information.
And so back to our encryption timeline, you know, back to our history, we were at the stage where organizations were still focused on protecting the perimeter, but, you know, encryption started to creep in. Now regulation didn't stop at PCI DSS, and organizations, you know, were being encouraged more and more often to take the protection of their information more seriously. And then along came the cloud. You know, businesses started to realize that they could cut costs, they could scale more easily if they didn't have to rely entirely on their own resources.
And so, you know, with baby steps at first, putting simpler or less sensitive services into the cloud, these walls of the perimeter really started to crumble. And so if we jump ahead to the current day, obviously this trend to move to the cloud has been continuing, accelerating if anything. And it's one of the things that we also ask about in our Data Threat Report.
So 97%. So virtually all of the respondents said that they were using software as a service applications.
And if we look back to past years of that report, you can see that's grown dramatically in only a really short space of time. So if you go back two years, only 65% of organizations said they use software as a service applications.
And again, last year 97% said they were. What's perhaps an even more surprising number is that this year 83% said they were using 11 or more software as a service providers, which for me, I found an extremely high number. You can also see that 81% of organizations reported using two or more platform as a service providers and 81% using two or more infrastructure as a service providers. And that two or more is an important thing as well.
An important thing as well, because what you can take from this is that organizations have transitioned from what's a fairly simple architecture where, you know, sensitive information was held in their own data center to a very complex kind of multicloud and, and often hybrid design.
So at the same time as organizations were making the move to the cloud, vendors were looking to kind of catch up with security solutions that were going to keep companies safe.
Now, all too often, this meant taking a product that they already had and sticking the word cloud in front of it and kind of hoping for the best, but that doesn't really take you very far. It doesn't give the customers really what they need, because you've got to think: the cloud isn't your data center in a different place, which is how many people view it.
You know, it brings with it a whole bunch of complexity and risk that didn't exist before. You're running on shared services. You've got a shared architecture. You're no longer the person who's responsible for the control or the management of the servers that you're running on. The responsibility for backups is taken out of your hands.
But then the location of those backups is a mystery to you.
You know, your data is geographically vague. Let's say you may think, you know, where it resides, but is that really where it is?
Has it moved? How many copies of it exist? How do you communicate with the cloud service? How does data move between your organization and the cloud? How are your services secured?
You know, and the list goes on and on and on. And alongside that as well, it's really important to be clear about the shared responsibility that organizations have when they start to use cloud services. Because when you move to the cloud, whether it's infrastructure as a service, platform as a service, software as a service, or indeed anything in between or all of the above, you never give up responsibility for your data. If the data is lost and you need to do a breach notification,
then it's only your company that's going to be footing that bill.
If there's a fine, the cloud provider is not going to pay. It's the data owner that's going to pay that fine. And the reputation that's going to be hurt is only going to be the reputation of the company experiencing the breach.
And so we find ourselves with a very different picture in front of us. You know, organizations are geographically dispersed, data's everywhere, and the perimeter is just so large that you can't protect it. So instead you need to have a focus on protecting the data. You know, solutions to help you do this have evolved. If you take a modern cloud-centric encryption offering, then you'd expect it not just to come as a physical appliance, as it used to in the old days,
but also as a virtual one that you can run within the cloud itself to help secure and control the protection of your data.
And ideally, that's going to be tied to a root of trust, which is usually a hardware security module, which perhaps is also offered as a cloud service to underpin the security of that solution. Managing multicloud environments, of course, is going to add complexity. Each cloud provider has a completely proprietary key management solution, which your administrators need to control, and this makes life much more difficult.
And in fact, in the data threat report, when we asked about barriers to implementing data security, complexity was by far the largest issue that the respondents identified, with, I think, budget and impact on business processes being the next two in that list. And that kind of makes sense.
You know, if you think about it, if you have a solution which is less complex, it's going to mean you've got more visibility, easier management. If you can make use of a centralized solution, perhaps even a single pane of glass that allows you to orchestrate your data security across multiple cloud platform vendors, then that naturally is going to lead to tighter control, better monitoring and better implementation.
We know, you know, I've said, Alexei said, it's sensible to make use of encryption, but one of the main challenges that organizations face now is you can't secure it
if you don't know where it is. And again, Alexei touched on this, you know, part of the challenge in moving to this new operational model, this world of multi-cloud and hosted solutions, is watching your data get spread everywhere.
You know, allowing parts of your organization to create services as they need, which is fantastic for the business because it allows them to stay agile and to move quickly. But it creates, you know, potentially tens of thousands of databases and data stores. And IT has no idea where they are, no idea if they're properly secured, you know, no idea if there's sensitive data all over these environments. You've got snapshots, you've got backups further spreading them out, and you need to get control.
And so, you know, some of the latest data discovery solutions are able to, you know, not just search and locate that sensitive data within your environment, but also provide some automatic remediation to manage and then protect that found data with strong, centralized key management. An increasing trend we're seeing as well, to help retain control, is for organizations to bring or hold their own keys. And we saw that, BYOK or HYOK, or even bring your own encryption as well.
As I mentioned, each cloud provider and many of the cloud services provide proprietary key management solutions, which you need to use to generate the key material, which is going to protect access to your services. In several cases, you're able to go a little bit further as well and make use of some rudimentary encryption within those offerings. But the problem is all of this is completely under the control of the cloud.
You retain no influence and very little ownership of the key material, which, you know, if, for example, you wanted to move cloud provider, or if you had an audit or an audit requirement, you know, that could be an issue for you. Bring your own key, BYOK, allows you to generate your own master keys, which would then be done under your control. You'd know they were strong keys. You'd be happy with the key ceremony around them, the controls around that. And you'd also have your own copy within your own physical or cloud HSM.
And then you take these to the cloud providers and they use them to secure the rest of the key hierarchy. And this gives you, you know, additional control and certainly additional confidence. HYOK, and bring your own encryption as well, take it a step further
and allow you to retain control of the use of these keys. So the cloud provider or the service reaches out to hardware that you own or you control to perform operations with those keys. And this is really the highest level of control and security you can have, and provides you with some real separation between the key ownership and the usage of those keys within the infrastructure. Gotcha.
Now we've talked a lot about protecting data, and obviously that's going to be the main reason that an organization would choose to use an encryption solution, but I wanted to pull out as well a couple of examples where encryption actually provides benefits beyond just that. One of the challenges in this new cloud or hybrid way of working is it's really easy to lose control of your data.
In the event you want to remove access to a service, or if you want to delete data because you're migrating to a new cloud, then you're completely reliant on that cloud provider to do it for you. Only they know the physical location of all of the copies of your data. Only they know which backups contain the data. Only they know which machines or which storage pods contain a copy or copies of your information.
And so data shredding or data destruction is, is virtually impossible to guarantee.
You know, you can hold your hands up. You can say, look, I've done my best, but it's impossible to be completely sure that the data you were using has gone and isn't going to show up again months or even years later. One of the nice side effects of encryption is that if the data's encrypted, then all you need to do to remove access to that data forever is to destroy the key which protects it. Deleting the key is going to render the data permanently, irreversibly unreadable. You know, without the key, nobody can access the data.
So it doesn't matter if there's a copy left on a backup tape somewhere; it's just meaningless zeros and ones. Of course, it does mean that you need to have in place a strong and robust key management infrastructure, probably making use of a hardware security module, because you need to protect those keys until you delete them.
And then when you do delete them, you need to provide some audited affirmation that they're, they're really gone.
And this is another good reason as well to kind of consider bring your own key or hold your own key solutions when thinking of the cloud. Another interesting use of encryption solutions, which we're seeing growing, is to be able to help protect you against ransomware. In the past six months, we've seen a huge increase in the proliferation of malware and ransomware fueled by, you know, our global thirst for news around COVID-19. We've seen very many examples where payloads are hidden in news or applications that are trying to offer information to you.
And with, you know, our attention already overstretched by this crisis, it's led to examples where people, you know, perhaps aren't as vigilant as they would usually be. And modern encryption solutions today are more than just utilities that protect your data.
You know, with some careful application of policies, you can actually provide some defense against ransomware and the effects of ransomware. Products such as our CipherTrust Manager
allow you to implement, you know, really robust data access policies, you know, alongside the encryption, which can restrict the malware's ability to spread and access data. You've got the ability to add trusted applications to an allow list, so you can determine, you know, which binaries are approved to perform encryption or decryption. And it can also help you identify changes in those applications,
if malware attached itself, through application signatures. And then alongside this, you've got the ability to implement fine-grained access control to really precisely define which users and groups have access to which protected folders. And that can block the malware at the lowest level of the operating system, which is where these controls run. And then finally, the kind of belt and braces is making sure you've got a data-at-rest encryption policy, because a lot of these attackers choose to take data from an organization and then hold it to ransom.
Obviously, if that information's encrypted and protected and your keys are held in a, in a device like a hardware security module that the attackers can't get into, then they've got information, which it's, it's much harder to, to hold you to ransom over.
And then finally we'll move to the future. And so we see a lot in the news about the advances in quantum computing. Alexei talked about it at the beginning of this presentation.
You know, whether it's from IBM or Google or Microsoft or others, and indeed NIST has selected now finalists to move forward into the next phase in their search for post-quantum or quantum-safe algorithms. Now, the concern about quantum computing is its ability to make, you know, efficient use of certain algorithms, which leads to the possibility of, you know, the encryption that we use everywhere today being broken.
And this is encryption that we depend on, you know, to establish trust between our machines and our users, to protect transactions and to protect data. And what's worse is that in some cases, there's the possibility that a bad actor could be capturing information today, which they can't decrypt, but which in the fullness of time, they hope to be able to break with these advances in technology.
And this is obviously concerning, as there's a lot of valuable information out there, which is protected for very good reason and has a long, useful life span. You know, data isn't only useful for the next month, year or even 10 years. It can be useful beyond that.
And so, you know, we know that advances in quantum computing have to drive changes in how we're going to implement data security. And although, you know, I agree, we don't know the exact timescales when we're going to reach a point of specific risk, the view of the organizations in our data threat report, so these 1700 organizations we surveyed, was that 69% saw it affecting their cryptographic operations in the next five years, with 93% expressing concern and 30% being either very or extremely concerned about that risk. Now you might see it as a future risk.
You know, 2025 seems a long way away given the year we've had, but we need to remember that in many cases, perhaps in most cases, we're going to be putting in place infrastructure today that's still going to be in use in five years' time. And so what people often don't realize is that you can already make use of some of this technology today. We have quantum random number generators, which work with our products to help generate truly random key material.
We use quantum key distribution to distribute keys within our high-speed networking encryptors, giving you absolute certainty that the key exchange has happened without any third party observing it. And for the encryption and the PKI products, it's about that crypto agility that Alexei mentioned. It's about you choosing solutions today which already have support for some of these NIST candidate algorithms
and have got the flexibility to be updated in the future during the lifetime of the product as things develop or as these algorithms get finalized or come along. It's all about planning for the future today. And that's absolutely something you can do even with the technology of today.
And so to wrap up, you need to think about how you operate in a zero trust world.
You know, it's not just about not trusting the users, it's about not trusting anything. And that kind of has to be your starting position. You have to know where your sensitive data is located. It needs to be classified so that, you know, it's adequately protected. You have to secure the data once you find it. And you need to make sure that the encryption keys that do that are properly protected and ideally very, very separate from the data they're protecting. Otherwise the strategy can just fall apart. And of course you have to control user access.
So only allowing users to access what they need to access and no more, then understanding where they're accessing from, how they're accessing it, and assuring that what they're doing constitutes normal behavior.
Because if not, you very quickly need to react to protect your business.
You know, organizations need to look at how the world and their business is evolving, especially now, and make sure that they're keeping up, you know, ideally that they're one step ahead, so that another company is always the easiest target, not yours. At Thales, we help with data security. It's what we do.
In fact, we're one of the largest data security companies in the world. We offer all the data security capabilities a business might need, whether it's a platform to encrypt, tokenize or implement privileged user access control of your data, or deliver strong and proper FIPS-compliant key management using our enterprise key management solutions together with our hardware security modules. With these technologies, you've got the ability not just to build a foundation of trust for your PKI environment, but to deliver it in a crypto-agile way today, so that you can already start to bake in some quantum threat resistance into your infrastructure.
And as things change and evolve, as they will, you can adapt and update the solutions to keep ahead of the curve. Thales is as well the number one supplier of general purpose HSMs, and by far the number one provider of payment HSMs used for both kind of traditional and emerging payment use cases. We've got a cloud HSM offering, Data Protection on Demand, which is perfect for underpinning this multi-cloud security that I've been talking about and ensuring that segregation from the cloud of the most critical keys. For wireless encryption, it's the same.
If you've got multiple sites, including, you know, virtual sites or cloud environments, and you want to ensure that the communication's high-performance and secure and even quantum resistant, then we're the number one provider of tools to help you to do that with our range of high-speed networking encryptors. And finally, we're a leader in the access management solutions as well, both for the cloud, as well as traditional solutions.
And that's just a short list, you know, whatever use case you've got around data security and, you know, a lot of the stuff that I've been talking about today, it's likely that Thales is there and able to have a conversation about it. And with that, I'll hand the presentation back to you, Alexei.
Thank you very much, Chris. It's really great to see and hear that
not only we agree on a conceptual level sort of thing, but that actually vendors like Thales are actually already ready to assist the end users, serving their customers with practical solutions, which absolutely follow all those conceptual guidelines and best practices. And let me remind you that we now have some time left for questions and answers. And before we actually go to the first real question, let me just quickly address one very rightful comment from our listeners.
I had to explain the acronyms, which you'll see on the screen now. So just quickly: DES, data encryption system; the obvious RSA, Rivest, Shamir, Adleman, the three inventors, the authors of the asymmetric encryption system, which you have to use now; and obviously AES, advanced encryption standard. So I'm leaving that behind. Let's go up to the first real question if I may. Okay. What do you see as the most important security issues faced by businesses and individuals today? Would you take your choice?
Yeah, it's
I think it's a very pertinent question, to be honest. You know, I think that the change in behavior for employees that we've seen in this past kind of six or eight months is certainly a focus for companies. You know, at the start of the pandemic, everything happened, you know, very quickly. And I think that organizations were very much focused on putting solutions in place to help their users to work remotely.
And, you know, the thing at the top of their list, the concern at the top of their list, was speed of delivery rather than security of delivery. I imagine, I know in some cases, that a lot of organizations are now looking over their shoulders, you know, wondering what additional exposure these solutions have brought, you know, with bring your own devices and, you know, remote access and remote working solutions.
And so, you know, organizations need to catch up. You know, they need to take a look back, they need to go through the due diligence that ordinarily they would have done before they put these solutions in place, that they didn't have time to do given the situation we found ourselves in. You know, an organization, I think, needs to today adapt to what is the new normal. You need to be able to offer flexible solutions, but solutions that maintain their security posture. You know, they should be questioning who's connecting,
where are they connecting from, and is the behavior usual. I think that beyond that, probably multi-cloud also poses a challenge.
You know, I, I think you saw from the statistics I gave in the presentation, you know, it's not, it's not me imagining that companies are using multiple clouds. It's, it's happening.
You know, organizations are telling us that they're using these solutions, and keeping control of data, you know, across these multiple proprietary cloud environments is a huge task. And, you know, companies should be making sure that they're applying consistent policies and protection, logging and inspection across all their data, you know, no matter where it resides.
Okay, great. If I may just add a few words, so this is basically this whole multi-cloud and hybrid environment challenge. Not just in security or data protection, that's probably the single biggest challenge for any field directly or indirectly related to the cloud. Right. And we see that actually the industry has struggled for years, for example, to find the convenient and uniform solution for cloud computing. And now we have containers and Kubernetes, which basically is almost the ultimate solution to the problem.
I really hope that the industry will also come up with a similar ultimate solution to the encryption problem. And I believe that Thales is probably one of the leading vendors to look for. And I expect, I believe, that you have not just the technology, but also the market penetration, and probably the power to persuade the customers to adopt some kind of a thin yet convenient abstraction layer, which could make all your visibility and management operations on the encryption level uniform across any cloud or on-prem environment, right?
Like this is the ultimate challenge probably now the toll, but it will be addressed sooner than later, or hopefully before the quantum or the chair. Right. Next question. Okay. Let me just quickly read it. Well, taking into account this whole complexity and ideal environment, so how realistic is a single pane of glass for multi-cloud solutions?
I think the realism and the need for it are two different things. I think the need for it definitely exists.
You know, I think that the simplification that would bring is obvious. You know, there's a lot of sense in organizations using multiple clouds, you know, they do it for good reasons. Maybe one provides something the other one doesn't, or they're providing redundancy or fail-over capacity in the event of, you know, an issue with one CSP. And the problem is, you know, you're naturally going to end up with a collection of, you know, very disparate and proprietary administration tools and interfaces, which means your administrators and your operators,
You know, they really need to become experts in, in what are very complicated systems. You know, they need to have scripts for automation, they need to script the deployment. And there's a real risk of things getting overlooked, just because of the complexity of both of these things, you know, maybe a policy set on one cloud isn't set on the other, and that that's, you know, it could have a range of effects from, you know, annoying to dramatic depending on what it is and what you've missed.
And there's a lot of different levels, you know, but looking at the perspective from key management and control, which is, you know, really what underpins the whole security of the infrastructure: if you're doing your key management properly, you know, you can make other mistakes without costing your business. But if you do your key management wrong, you're exposing yourself as an organization.
We, you know, as you said, you know, we are at the forefront of many of this. We've got a new product to market, the CipherTrust Cloud Key Manager, which allows an organization to have strong control over encryption keys and policies, even across multiple cloud platforms, from a single interface. So, you know, Office 365, Salesforce, Azure, or AWS, or, you know, so on, all kind of consolidated into a single tab where you can make sure that your policies are being applied in a uniform fashion.
I think it's harder for other elements, but, you know, companies can and should, and probably are, looking at, you know, abstracting some of the common activities to a higher level. So, you know, you run a deploy script to deploy your instances to infrastructure.
And then, you know, something underneath manages whether that's Azure or whether it's AWS or whether it's Google Cloud. You know, but yeah, I think, as I said, I think it's realistic. You know, I think there are products out there today which can really help organizations, but you know, whether it's sensible, whether it's needed, I think there's no question. You know, I just don't think people can keep control of these complex environments without some form of consolidation and centralization.
All right. So we'll just start at the top. In a few words, it definitely is possible.
And to a large extent, it's already possible today. Nobody besides you.
I mean, you are the extract, a company or a potential customer or potential KuppingerCole customer, nobody besides you is able to properly assess your current risks today and future tomorrow, and actually make the decision to go as a project. And the earlier you make those decisions, the easier your life for the next 10 years or longer will be. So crypto agility: if not yesterday, today is your last chance to start properly. Don't wait for tomorrow. Start today. That will be my last takeaway, if you will, from this webinar.
And I think we have already reached the top of the hour and we don't have any further questions. So thank you very much, Chris, for being with us today. Thank you very much to all the attendees and to people who will be watching this as a recording. Stay safe, stay healthy, and hope to see you in one of our future webinars. Thank you very much.