Well, hello and welcome to another KuppingerCole webinar. My name is Alexei Balaganski. I'm the Lead Analyst here at KuppingerCole. Our topic for today is Achieving Security and Compliance Across Hybrid Multi-Cloud Environments. And our guest speaker today is Dr. Nataraj Nagaratnam, who is the CTO for Cloud Security at IBM Corporation. Before we begin, just a couple of words about our housekeeping rules. You do not have to worry about the audio. Everyone is muted centrally, so you don't have to think about that. Before we begin, we will run, well, actually just one poll.
And of course, every time you can use the Q&A tool in the webinar application to submit your questions, we will discuss them in the end of the webinar during the Q&A session. We are recording this and the video will be shared with all registered attendees, probably tomorrow, along with all the slides and other downloads. So our agenda is traditionally split into three parts. I will start with a general, kind of high-level analyst overview on the challenges and problems and potential solutions.
And then I will hand over to Nataraj for his more practical, hands-on review on cloud security and compliance challenges. And he will actually talk about a specific product to solve it. But before that, we will actually run a really quick poll. I just have one question for you. As you know, KuppingerCole does some market research and we use this opportunity to reach out to our attendees and customers. Just to ask you one question about some aspect of cloud security, you will have a minute or two to think about your question, about your answers to this question. Can we have the poll shown, please?
And in the meantime, let's just muse a little bit on the very subject of hybrid multi-cloud. Yes, everyone knows cloud is the future. There is no going back to the pre-cloud times, simply because cloud is to digital transformation what banking perhaps was to the industrial revolution hundreds of years ago. But we have quickly found out that one cloud just isn't enough. There is always something new, something fancy available at somewhere else. And most companies now have this quote-unquote multi-cloud strategy, thinking about combining services from different sources.
You have to think, however, that multi-cloud normally just means two plus cloud providers. You have to include inter-cloud partnerships, sovereign clouds, edge solutions, 5G networks, and other technologies. All of those technologies, techs, and capabilities actually fall under the same multi-cloud strategy. And even the word hybrid no longer means just leaving some of your infrastructure on-prem because now you have edge computing, you have private clouds, you have like cloud islands, which could be deployed on an occasionally connected remote location and so on.
So hybrid multi-cloud is actually somewhat of a misnomer and it doesn't actually represent an exception. It's basically our norm for today and absolutely for our future.
All right, how did it go with the poll? Can we see the answers?
Well, I believe that, well, first of all, thank you very much for your submissions. We will use these results in our future research publications covering the cloud security market. And in the meantime, we'll just move on to the topic.
So yes, we are living in an ultimately insecure world. There are so many challenges and issues. We have no perimeters anymore. We have constant bombardment of our infrastructure by malware, ransomware, and other threats. We have industry espionage. We have political turmoil.
We have, well, real wars happening around the world. And all of those real-life issues actually bring very specific and tangible technology-related risks as well. As I just mentioned, multi-cloud is the new norm. We have to live with that. We also have to live with a mobile workforce, with people working from home most of the time, increasingly mobile, increasingly exposed to all those threats and no longer hiding under your corporate central protection.
We have increasing adoption of software as a service and online collaboration services where you have even less visibility and control of what's going on behind the curtain. We have the growing, increasingly harsh privacy and compliance regulations. Sooner or later, you realize that 100% cloud is simply impossible because, well, there are all the things you have to protect, especially strongly, if you will. And finally, last but not least, you have another era coming, the era of generative AI.
Yeah, you probably would not think about it as a part of your multi-cloud strategy, but remember, all those AIs like ChatGPT, they are running in the cloud, and that is someone else's cloud, not yours. So you have to think about all those risks of your sensitive data being pushed into a quote-unquote, someone else's artificial intelligence. So these are actually, I would say, the three biggest business risks, the things that really keep every business's management awake at night.
They aren't necessarily technology-centric, but they are very, very important because each of those can have absolutely catastrophic consequences on your business. It's obviously the business continuity risk. Remember the recent outage at MGM Resorts in Las Vegas, where entire blocks of buildings and casinos and hotels were completely inoperable for almost two days. Think about data breaches. It's not just sensitive data lost at massive scale, it's also huge reputational risk.
Think of the companies which lose billions of sensitive data records, and they are obviously hit by massive fines for that because compliance violation is also a growing concern in the era of GDPR and other similar regulations. But how do those risks actually translate into cloud-related issues?
Well, as they say, or they could have said, with new capabilities comes new responsibility. Now that you are increasingly living in a cloud world, you have to deal with dynamic workloads. You have to deal with completely different and proprietary identity and access management frameworks. There's provisioning and access regulations. You have to maintain visibility across ephemeral short-lived infrastructure like containers and even serverless workloads. And those are operating at massive scale.
You're no longer dealing with thousands of servers, but with thousands or even hundreds of thousands in extreme cases. So you have to somehow deal with all those new or modern approaches like provisioning at scale with infrastructure as code, for example. So then you have a massive explosion in complexity and growing loss of visibility and governance across your hybrid multi-cloud environments. Why? And what are the things which we want to highlight today? First of all, we just have too many silos.
And it's not just about data silos, but applications, services, identities, infrastructure, specific API stacks, for example. They are increasingly numerous. They are increasingly heterogeneous and they are increasingly out of your control. You have this continuous pressure of privacy regulations that directly affect data security.
Yes, you have to encrypt your data. You have to tokenize your data. You have to ensure that nothing is leaked or accessed in transit and ideally in use as well. And you have just too many security tools to juggle to ensure all those regulations. And as we know, complexity is the enemy of security. So reducing that complexity is probably your primary, well, your top priority if you want to address this whole issue. But there is one other thing which people tend to talk about much less, and this is extremely important in my opinion: lack of cross-team collaboration.
You simply have this fact that you no longer just have security people responsible for this. You have developers, you have data scientists, you have dedicated compliance and risk management teams, perhaps. You have business line workers directly operating with cloud services. And some call this shadow IT, some call this no-code development, but you still have to deal with those issues as well. And all those teams, they talk different languages, basically, and they have different goals, problems, and processes. And even if they want to collaborate, they just do not have enough tools for that.
And of course, when you are thinking about security and compliance, you have to forget the language of technology. You have to learn to speak the language of business. You have to operate not with the notion of how many security incidents we had this week or how many of those were successfully defeated. You have to think about risks and financial impacts and legislation and, well, for all those things, you do not have to reinvent the wheel. You have to be aware of frameworks and best practices existing in your industry and across other industries.
And all of this should be an enabler for your risk management and compliance, not a chore, if you will. And all of these capabilities have to be somehow integrated into those tools we are discussing today.
Now, I don't know if you have ever heard this story about the swan, the pike, and the crayfish, but at least I hope you get the metaphor. Basically, if you have different teams pulling the cart in different directions, even with their best intentions and their best efforts, the cart just never moves. You have to ensure that they are all pulling in the same direction, that they all understand the strategic effort and that they synchronize the activities across different teams and organizational units. Just a nice picture for you to consider. So how do we do that?
How do we achieve those goals? Well, the market has so many different answers.
We just, we are facing a completely crazy alphabet soup of all those technology acronyms. We have CSPM, the Cloud Security Posture Management solutions. We have Cloud Workload Protection Platforms. We have Cloud Infrastructure Entitlement Management. We have finally the Cloud Native Application Protection Platform, so whatever. What do those even mean? How do we explain to our non-technical colleagues and management why we need all those tools? Do those tools even work? This is exactly what we want to focus on today.
Instead of being able to tell your boss, yeah, we had so many successfully defended cyber attacks last week, you should be able to answer more business-relevant questions. For example, what is actually the risk of a successful attack next week? How consistent is our security coverage across all of our multi-cloud inventory and systems? How strongly are we performing compared to industry peers? Who is responsible for all this decision making? How do we know that those decisions align with industry best practices? Those are the real questions. Can a CNAPP solution answer those?
I guess it depends a lot on details. I can tell you that KuppingerCole does a lot of research on various cloud security aspects, and we are currently working on a Leadership Compass, a multi-vendor comparison report on Cloud Native Application Protection Platforms. And we have identified these specific key capabilities we believe every CNAPP platform has to implement. I will not read all of them aloud, but you have to understand that basically such a platform has to know a lot, has to integrate with a lot of third-party technology, stacks, APIs, accounts, services, you name them.
It has to be able to somehow normalize all those different findings across different platforms and environments, and make sense across all of those in a form that different stakeholders can understand and read easily. So it's not just about technical issues. It's not just about compliance or risk. It has to do all of this, and somehow being able to integrate all those capabilities and make them speak the same language for all involved stakeholders. Do we have those capabilities now?
Well, that's what we are going to find out hopefully in the second part of our presentation. But before we continue to that, I would like to give you a few takeaways, if you will. If there is only one takeaway you will leave with after this webinar, I would like it to be this one. Say no to the alphabet soup. Stop listening to marketing trying to sell you another acronym. You have to understand that you are looking for specific capabilities, and not all those capabilities are technical.
Look for an open and flexible platform, which, again, speaks all those business languages, which is somehow aligned or based on an industry standard framework. And it can evolve with your needs and your industry's needs.
And also, you should treat compliance not as a chore, but as an enabler, because compliance is a direct measure of your business resilience, security, and efficiency, but only if it's automated and orchestrated in real time. Stop doing compliance on a yearly basis. Do it on a, at the very least, hourly basis, and then it will become your best help, not just in security, but in risk management and even business efficiency. And with that, I guess we can directly proceed to the second part of our presentation.
So, Dr. Nataraj Nagaratnam, Raj, the stage is yours. Good morning, good afternoon, good evening, everyone. Thanks for joining this call with Alexei and me. I'm Nataraj Nagaratnam. I'm IBM Fellow and CTO for Cloud Security here at IBM. And day in, day out, I work with numerous clients, customers, enterprises around the world, regulated industries across financial services, healthcare, government, manufacturing, and so on, so forth.
So, to the point that Alexei was making earlier in terms of kind of the approach you need to take in terms of security and compliance in this hybrid environment, I would like to share our IBM point of view in terms of how you should approach it in terms of a solution approach, as well as back it up with a technology solution that we have that can help you achieve those imperatives. Fundamentally, to Alexei's point, we are in the hybrid world, hybrid multi-cloud.
And in that context, we think of security and compliance, achieving that in a consistent way, in a continuous way, that you can stay at it every time is an important part of the equation. When you look at the landscape across the globe, there are a few things that stand out. Ultimately, the outcomes are based on the risk that you need to mitigate, and the compliance, the regulatory requirements and others that you need to meet. And it's not simple with, Alexei talked about acronyms of technologies.
If you think about the acronym soup of all the regulations out there, be it industry-wise or geography-wise, et cetera, it looks complex, right? And it is complex to some extent. At the same time, from a risk perspective, it's ever-increasing, especially cyber risk and cybersecurity; every day we see reports about data breaches or ransomware attacks and so on and so forth. So let's step back and look at it overall, right?
From a regulatory horizon perspective, there is increasing focus on operational resiliency, data security, privacy, configuration management and such, and across, and then how do you protect yourself from the risk? One of the key points that Alexei was making there is that compliance is not a chore. It used to be, I'll admit, I've been in this industry from a security perspective over the last 45 years, it used to be a checklist, right?
Hey, it's compliance, somebody is doing a spreadsheet, let them handle it. But I would say over the last five years or so, regulatory compliance is a reflection of the risk to the industry, to the consumer, to a particular geography, and so on and so forth that got codified. So increasingly, the compliance requirements and control requirements even within an enterprise are a reflection of both risk and the compliance, right? So if we take, for example, the breaches that happen, our IBM exports report outlines that per breach, you're looking at $4.5 million US dollars.
That's the average cost of a data breach. So data security is top of mind for our enterprise customers, not only from a hybrid cloud perspective, as cloud adoption comes for not just any public internal applications, but for mission critical applications, as cloud gets adopted, cloud becomes critical infrastructure, right? So along with critical infrastructure, you need the level of safety and security that goes with that.
From that perspective, data security is top of mind, both from a hybrid cloud perspective, and no webinars or conferences or discussions with clients are complete these days without the discussion of AI. Artificial intelligence, generative AI, and how such technologies can be used to enable your business, get deeper insights, and automate your workforce, and all of those fantastic innovation opportunities laid out there, data is at the core of it. To get those insights for AI to be applied and protecting the data, ensuring user privacy, security, all of that.
So taking a data-centric approach becomes important as you look at it holistically in terms of mitigating risk from attacks or insider threats and so on and so forth. At the same time, those things get manifested in terms of regulatory requirements. For instance, if you think of even just one example of a systemically important financial institution that was fined around $400 million. Then you look into the detail, and then we talk to customers. In the regulatory landscape, these are called matters requiring attention and so on and so forth.
When they do audit, when they look at the detail, it comes down to even technical controls, be it configuration management, patch management, vulnerability management, security monitoring, do you have it? All it takes is a few seconds, a few minutes of opening an object store bucket containing sensitive data to the internet with inappropriate or lax access requirements. That's all it takes for someone to kind of come and get your data, or for your virtual machine or containers to be open for a few minutes on a public port.
There you go, all that it takes for a hacker out there watching for these open ports to get there and compromise. Configuration management, if you think of those controls and protecting the vulnerabilities and vulnerability management, those could be thought of as compliant, but those are reflection of things that you need to take into account to mitigate the risk and meet those regulatory requirements.
Now, when we look at that landscape, when teams don't work together, when you don't have a consistent practices in place, or even when you do, it takes a long time to detect, respond to threats. For example, one of the large customers we have been working with, they've been innovating, it's a financial institution, they've been working with different FinTechs, like 50 FinTechs over the last five years, and they've been trying to onboard them to innovate at speed. Guess how many of them have moved to cloud or been adopted? Zero.
Because those FinTechs have not passed the muster of the requirements of the bank. What do you do? If the security teams and IT and application teams do their own things in pillars, to fix this metaphor, like pull in different directions, and now if you mix the CDOs, the data teams into the mix in the context of AI, they all need to work together.
We need a collaborative approach to security and integrated approach to security, so that as the IT and app teams look to focus on business innovation with technology and move forward, from a security perspective, CISOs and compliance officers look to focus on safety, security, and regulatory compliance and keep being able to continuously comply with their requirements, an integrated approach is required.
No longer can the CISO team, the security team, say, hey, these are my policies, protect data, and throw it over the wall for IT and application teams to say, go figure out, what do they mean? How do I implement it? Do they really mean encryption? Do they mean key management? What do we do with logging? What is my time to prioritize my vulnerabilities and react and respond? Until they become prescriptive, such that a developer, an application developer, an architect can understand, with the security skills gap out there, you cannot expect everybody to understand that level of detail.
So the more prescriptive the policies are, the more they can then be codified. So defining a prescriptive set of controls that reflect risk and compliance, that they agree on, is first and foremost. Once you define it, the ability to implement that, implement them consistently, across the control set, be it network controls, identity and access, data protection, monitoring, endpoint and application security, and so on and so forth. Implement them, and more importantly, with speed, automate them at scale.
How can you provide blueprints and deployment architectures to your development team so that they can consistently do security, right? In an easy button. Once you implement, then how do you assess that? You need to continuously assess. It's no longer, hey, after six months, I'll come and take a look at your audit posture and you're good enough.
No, not really. You need to keep at it. How are you doing every day, every week, even every minute, right? In terms of your security posture, compliance posture, how is your workload protection, methodology and approach so that you protect against the threats? How do we bring them together so that you can detect and respond and remediate to these things?
So define, implement, assess. When you look at that as a holistic approach that the teams need to work through, now it becomes even more complex, if you think of it, to consistently do that across hybrid multicloud environments. It could be on-premise. It could be running on Power Systems, x86, Z, mainframe systems, right? Or IBM Cloud, Amazon, Azure, Google. It could be on multicloud and even SaaS properties.
When you look at that holistically, approaching this and having an integrated solution that brings the team to collaborate and ability to define, implement, and assess those controls in a continuous manner is foundation to addressing the challenge and achieving this at speed. This is where, from an IBM perspective, we have introduced and we have a set of capabilities under IBM Cloud Security and Compliance Center. This is for hybrid multicloud environments. Think of it as like a SaaS, right?
As you have workloads in IBM Cloud or on-premise, or maybe just on Azure or on Amazon, and you want to manage security and compliance posture across this environment, you can have a single pane of glass where your CISOs can define their policies on an enterprise level. For example, we have one of the large customers that we work with, a large European bank. They define these policies at an enterprise level. Then their IT and application teams implement them and automate them. And their CISO and compliance team are able to continuously assess them using this platform.
I'll show the solution in action in a minute, but it comprises not only compliance posture, like not just visibility, it provides protection, but it also provides security. It enables IT teams to automate and integrate their control implementation tools so that they meet the business objectives. It can do threat protection from a cloud container perspective and more and more in that context, right? As well as data security and data protection, because everything takes a data-centric approach.
So when we look at this holistically, this is where the solution approach that you need to take and a solution like IBM Cloud Security and Compliance Center plays a key role. Let me quickly show this in action in a quick demo.
So, like I said, the ability to define, implement and assess, a platform that enables the teams to work together in that context, is where IBM Security and Compliance Center can help. And this can do it from a hybrid cloud perspective; when you look at Red Hat OpenShift as an implementation across, it can also do that. Let's look at define, right? The first phase. Typically a security and compliance officer or a security team member will come and define it. So they go to the IBM Security and Compliance Center, SCC in short, console. We have a large set of profiles and policies that are baked in.
It ranges from industry standards, like NIST 800-53, that can be done across hybrid multi-cloud, or CIS Benchmarks, which are like cloud internet standards that speak to the best practices that you need to implement in the IBM Cloud, Azure, AWS, or Kubernetes environment that you may be deploying across a hybrid multi-cloud environment. You want to bring them together in a consistent way. So a predefined set of profiles across many of these is available out of the box across our SCC and workload protection product set, or industry standards like PCI DSS, and so on.
Another thing that we did is not only the standards defined at a particular level, which are good, but we have been working with a large set of customers, financial service clients, because when it comes to the financial industry, the risk appetite from their perspective is high, meaning they can, they want to mitigate risk. They want to, they are conservative from a risk perspective. They have not put all the sensitive data and the critical data into the cloud yet. So we work with a hundred plus clients who are part of our council.
We work with large banks who have adopted our cloud and this technology, like BNP Paribas, CaixaBank, and many others. Not only about, hey, protect the data, but how do you do that in a consistent way? So I'll take an example in the context of an industry cloud and an industry-defined, co-defined control set. It's called IBM Cloud Framework for Financial Services, and it's based on the NIST standard, the 800-53 standard. So if you look at one of the controls, SC-28, like secret communication, that particular control says information systems need to be protected for confidentiality and integrity.
Even the guidance it gives is good, but at high level. But the detail, imagine you have sensitive data like payroll information, your credit card information in an object store, or customer information that you put in your database systems. How do you, making sure they encrypt it, they manage the keys, that they have full control of the keys is an important part of it. So you can actually define and codify, hey, your object store need to be encrypted and managed by the, the keys managed by the customer.
Your databases need to be encrypted, your VMs and block storage need to be encrypted and so on and so forth. This is just an example, right?
Similarly, you can imagine controls like network port should not be open. It should only be on private endpoints. You should have multi-factor authentication enabled for identity and access. You should have logging enabled. So all those controls are pre-codified and defined within this set, all the way to the ability that you can actually readily take them and apply across this control set. And an example of that implementation is data security, right?
When you look at, not just bring your own key, there are customers from a financial services perspective, they want to ensure that you have complete control of the keys, like Keep Your Own Key. That's what we have, what we call, that you have a complete technical assurance from the chip, from a hardware security module to key management, et cetera, that you can prove to your regulators that you can be confident that even the cloud operator cannot access your data, right?
That level of capability, when you look at it, along with the ability to take, prioritize your vulnerability management, getting your posture across, all of that are codified. So when we say define, the enterprise team can select one of these policies and profile and tell their teams to say, for this set of workloads and data, this is what you need to do, and hand it over to the CIO team, the application team, and line of business to say, now you go implement. Then what happens?
If you're an architect on this call, a picture like this will be familiar because as an architect, I've been an architect, a developer in my career, we will do like our different architecture diagrams and look at it and say, hey, we need to put workloads. And there are requirements in regulated industries like, hey, you need to segment where you run your control plane, your management consoles and application that should be separate from your data plane or the workload that actually serve your users and customers, right?
Segmenting them, encrypting and key management, all this needs to be logged and hooked up to your central logging management system, security operation center. Then you look at various of these services that need to be used in a cloud environment and hooked up to your enterprise that you need to have a direct link and a secure connectivity. Imagine an architect taking this and then spending days and hours trying to understand the security controls and implement it. This is what happened when we worked with Fintechs.
For example, initially it took them eight weeks to understand the controls and then figure out how to go implement it in each of these. But when you look at repetitive patterns of architectures, it could be virtualized workloads, it could be containerized Kubernetes applications that could be deployed or VMware applications. Prescriptive deployable architectures with codified security is kind of a Nirvana for them, right? All you need to do is take such a reference architecture, not just an architecture that's in picture, but codified automated Terraform-based automation capability, right?
Set of Terraform providers, for example, that has security built in. That picture that you saw is now codified that you can deploy at location of choice, whether your patterns and out of the box, you can have security and compliance. So from the eight weeks I talked about, it's now done in one or two days. The clip doesn't take two days, but the point is you need to kind of customize it and understand the parameters and which location to deploy, et cetera. Once you have that policies codified as parameters, then it's automated and hooked into your DevOps and DevSecOps pipeline.
Implementation is just not about automation. As we all know, there are controls. I talked about data security as an example. We even introduced a product recently called Data Security Broker, where sensitive data like PII, email address, credit card information, address, right? So our account, our social security numbers, our health information, if you want to encrypt those fields, instead of doing it in application level, wouldn't it be great that you can actually do with no code change? We can actually do that with Data Security Broker.
Similarly, when it comes to vulnerability management, how do you prioritize that? How do you protect workloads and containers? So these kinds of implementation or orcas are kind of pulled together in an integrated fashion. So somebody defined it, right? Security teams. Now it's implemented by the IT teams. Now you need to continuously assess. Think of it as day zero, day one, day two. Day two operations need to continuously assess your posture. The security teams need to do it. Application teams need to be in the mix to continuously have that.
So as part of our Security and Compliance Center, you have the ability to look at, hey, what's my posture? Out of all my controls that I need to manage across my workloads, how am I doing? For example, this is like the NIST 800-53 control set. It's a hybrid deployment. I can actually get a consistent view of NIST 800-53, be it on IBM Cloud, Amazon, Azure, Google, et cetera, integrated into a single pane of glass. This way you don't have specific tools for each cloud or on-prem. You actually get an integrated view from a security posture perspective. That's an example of the capability, right?
Now, in addition to that, the other part of it is when it comes to workload protection, vulnerability management, and things like that, you will need to have a unified view of your vulnerabilities. Not just, hey, there will be thousands of vulnerabilities, but what is the priority? What are the critical ones that need fixing and are a risk to the business? Because it's a vulnerability on which your critical applications are being hosted or a critical fix that has been identified in the industry.
You can actually prioritize them, get a prioritized view across this environment so that you can focus on what to fix and have remediation kick off as part of your dev and DevSecOps process that can be automated, and your development and application teams come together. And as part of the acronym soup of technologies that Alexei mentioned, instead of thinking about these as which technology and vendor to go through, you're trying to get insights about what's going on. You're trying to look at a comprehensive view of the vulnerabilities that you want to manage.
You want to know about your posture, a security and compliance posture across a hybrid multi-cloud environment, an ability to define your policies in a single consistent way so that you can have them codified. So from a business perspective, to mitigate risk and achieve continuous compliance, this is where a single integrated platform, a single pane of glass (when I say glass, it's not just a UI, it's APIs and automation built in) that brings them together is a key part of what we offer as Security and Compliance Center.
And in that context, just to quickly summarize, we will share the slides as Alexei said, but this technology platform and the solution called IBM Cloud Security and Compliance Center is able to address the ability to define industry policy frameworks.
You can implement the automation that I showed, workload protection, container workload protection, VM workload protection, the ability to do vulnerability management and scanning, data protection from an encryption, key management and field-level encryption and tokenization perspective, as well as assess your risk posture, the ability to manage your cloud entitlements and identity and access in that context, so that you don't have over-permissions given to users, because that's also a risk: if the credentials get compromised, then it may come back and bite you, right?
And detecting threats, not only posture, that may be malicious behavior happening in your container environment that you need to respond to and maybe quarantine them to take action so that you can actually remediate and respond. And doing that consistently across hybrid multi-cloud is the challenge in front of you and the solution that we are able to offer.
With that, happy for any of you to reach us as well to the IBM team to help, but we'll get back to the webinar for Alexi and I to take on your questions and share our thoughts. Thank you.
Well, thank you very much, Raj. That was really interesting and insightful.
And yes, we are definitely going to jump directly into the Q&A session. Just a quick reminder, please submit your questions through the webinar panel on the right under Q&A. You can just type in your questions and we already have the first one. And that's a really nice one because if nobody would have asked about it, I would have asked myself. As I mentioned, we are currently working on our leadership compass on cloud-native application protection platforms. So watch our website, it will be published sometime later.
So yeah, how does IBM actually position itself? How does it compete in this market? Do you consider your solution like a quote-unquote pure play CNAPP solution, or does it go into a slightly different direction?
Great question. So for enterprises who are embarking into this, consider Security and Compliance Center as a turnkey solution that you can use to get your posture, protect your workload, protect your data, so that you can bring all that together.
On the other hand, we do know large enterprises have already invested in vulnerability management tools and other tools that they may have. But still, working with them, we know they're struggling with getting an integrated view so that they can be ready for audit from a compliance perspective, and with the ability to continuously monitor. So this is where the open and flexible platform that we provide addresses these use cases. So think about the entry point, the key problems that you're trying to solve, and that will enable the use case to be addressed by our Security and Compliance Center.
Right. So as you just rightfully mentioned, such a platform has to be open. So how does it work for your solution? Because it's also what I mentioned in my part and I firmly believe that even the greatest and the largest software vendor cannot do everything, at least not quickly enough for all the customers to be happy. So how do you address those kinds of requests when you just don't have it yet?
Yeah, no, that's a great question. So we approach open from multiple dimensions.
Firstly, from an IBM perspective overall, from a hybrid cloud and AI, we are fundamentally, our approach and strategy is about openness, right? Be it, we've had OpenShift built on open source or Kubernetes strategy built on that. It reflects our openness as an example and the kind of platforms that we provide in IBM cloud across heterogeneous set of x86 to power and Z and so on that there. But on the security and compliance specifically, think about it a couple of levels. The standards that we support, be it from an identity perspective or APIs that we open up for others to integrate.
These are all open APIs. There's nothing proprietary about it. And we work with the industry to evolve them; for example, the NIST OSCAL standard has been evolving. We have spearheaded that along with our research and supported it in our products. Then we have API and open integration with vendors. For example, with Sysdig, Caveonix, there are various vendors that are also partnering with us to send their data in. That has been part of our set of capabilities. So we will continue to expand that because the ecosystem is a fundamental part of our IBM strategy as well as the success of SCC.
So we provide a few integrations out of the box and we provide APIs for others to integrate readily and easily.
Okay, okay, great. While we are waiting for the next question from our audience, I think I'll kind of continue, or first of all, continue shamelessly advertising our upcoming events. So if you're just listening, maybe have a look at your screens now because there was some additional information.
So one thing I believe you have not actually mentioned in the webinar, but I know since I'm actually writing a review of the solution now, is the strong focus on industry-specific compliance frameworks. Can you maybe go into that area a little bit more? Because this is, again, one of those key differentiators I have tried to highlight in my part: it should not be just a technology solution. It has to be speaking the language of business.
Great question, Alexei. And thanks for taking that up.
As an industry, we've worked through best practices and standards like CIS Benchmarks and so on. But when we embarked on working with mission-critical workloads, helping regulated industries address and move workloads to cloud, they were not moving workloads and data to the cloud. They were not confident. So when we worked with Bank of America, BNP Paribas, CaixaBank, and many others across the world, what dawned on us is that the reflection of their risk needs to be codified in a set of controls. There's no standardized set of controls in the industry.
NIST 800-53 is a good set, but the ability to talk about the control implementation, like the level of depth for encryption and key management, the level of continuous monitoring that needs to be implemented, and so on and so forth, did not exist. So we created a control framework for the industry. We have started that and we have a framework for financial services. But I want to be very careful here.
And when we say financial services, while that is the first industry and work with regulators, those controls are applicable to any and every industry, any and every regulated industry that are risk averse and have regulatory requirements can use it. And we see them using it like healthcare and manufacturing, telco. So what we have done, IBM has forayed into and defined the first industry cloud three, four years back. It's not just about having a set of fintechs running on the cloud. Anybody can do that. We do that as well.
But implementing security and compliance built in, because, for example, one of the large banks in North America told us they've been investing $3 million in one of the other public clouds and still they have not finished their security work. So they've been bolting on security and spending a lot on it. What we have done in IBM and IBM Cloud is to infuse that security and those controls built in and then make it easy for the customers to protect their data and their workloads on IBM Cloud using technologies like SCC.
So that's the approach we have taken to address the industry pain point, especially for regulated industries, to address their risk and compliance needs through an integrated solution.
Okay, okay, great. We do have questions coming. The next one is hopefully easy for you to answer. So how does your solution compare to Microsoft Defender for Cloud?
Great, great question. So when you look at Microsoft Defender and some of how they've been addressing the capabilities, in addition to what they do with endpoint, vulnerability management and so on and so forth, and posture, which we also do, some of the capabilities that we have enabled in addition to being a CSPM or an endpoint protection capability, a couple of things stand out. Number one, we are hybrid multi-cloud. So it can be on premise, it can be on Azure, it can be on Amazon, it can be on IBM Cloud. Our solution works across that.
Number two, building on our hybrid cloud strategy on Kubernetes and OpenShift, when you have these deployed on any cloud, the depth of posture and workload protection and threat protection and management that we can provide is unparalleled in that context. And third, we have taken a data-centric approach. The data security and privacy capabilities like Keep Your Own Key.
We are the only industry provider to provide such a single-tenant key management system built on FIPS 140-2 Level 4 HSMs, combined with unique capabilities like Data Security Broker where you can do privacy and PII protection with no code change. That's integrated into our platform that you can use. And fourth, to reduce the complexity for the developers so that they don't need to be security experts, we have blueprints of deployable architectures with security built in. So when you look at this set of capabilities, this provides an ability to differentiate.
So think about your entry points, the use cases, the workloads and data that you're trying to protect. That way, the use cases can be addressed with SCC, and that's where you can take a competitive view compared to other vendors there.
Okay, okay, makes total sense. And by the way, one of the points you mentioned that you are hybrid multi-cloud compatible, whatever, it's possible to deploy.
So, and the next question we actually have asked specifically about that. So like, why, like how, maybe let's rephrase it. Like how exactly can you improve this whole experience of deploying it across a hybrid multi-cloud environment? How does it work?
So the way we have done that from an integration platform perspective is looking at customer requirements, the capabilities that they're looking for to address this compliance.
For example, when you look at your configuration posture so that your bucket is not open to the internet and encrypted and your logging is enabled, et cetera, across the hybrid multi-cloud environment, we have integrated with cloud native APIs in those environments so that we can actually check them, right, across them.
Then when it comes to deeper integration like container workload protection, we have the ability to do that like containers and VMs that it can be deployed within agent model that it can actually get malicious behavior, the configuration, the runtime policies that can be detected and responded and implemented in each and every one of them, that you can localize it while the results and policies can be centralized. So bringing that together across these areas are important.
And another example I would use similarly is, as part of our key management technology, we have the ability to manage your keys across hybrid multi-cloud. Even our key orchestrator is able to manage keys, be it on Azure or Amazon and so on and so forth. A good example is a bank in Germany that only had Office 365, but hundreds of branches, thousands of keys, and they need to consistently go through and they want to prove to the regulators, for Schrems II and other requirements, that they have complete control of the keys.
So they use our technology to manage keys that protect the data even in other clouds. So we have taken an approach to solve the problem, and the technical solution that supports it is behind the scenes.
Okay, okay, right. And again, we have new questions coming in and I really like this one. How could your solution address and protect AI-enabled workloads? Everyone is talking about AI, so let's protect AI as well. How would you do that?
Great question. And we are passionate about it as well. So let me put it this way: when you think of hybrid cloud and AI, data is the glue.
Therefore, taking a data-centric approach to data privacy, the data that, for example, that you may use to train your models or data that you're doing to do inferencing, they are stored in your repositories, your databases or moved to object stores. Those are patterns that we are seeing.
Therefore, many of the controls, all the controls that are relevant here that I talked about across IT are applicable right there. Then at the same time, things like data residency and privacy also leads into AI.
For an enterprise to apply AI, they're trying to make sure the data stays local, that it is used by the AI in a particular region or a particular data center or a country. You can enforce those residency rules, your privacy rules. So data sovereignty enables that as part of an AI discussion. Then there are additional enhancements that they can do when they apply modeling, when they use watsonx, IBM watsonx capabilities; then they can govern their data, saying, hey, for sensitive data, what's the data lineage? Where does the data come from?
There are AI ethics and transparency requirements that can be done on top from an AI perspective, but from a pure deployment of data, AI workloads in a hybrid cloud infrastructure, all these controls that I talked about are definitely relevant that we are working with customers to enable that. And applying that to the models and the data on top are the next steps that you all can take on top of this that we will continue to enhance as we move forward.
Okay, okay, great. And by the way, data security is also like a major topic for KuppingerCole to cover as well. I've done quite a lot of writing on that and I know kind of IBM is also doing a lot in this area with other tools like Guardium, for example.
Like, do you have any kind of holistic approach with your, like, do you work with those teams? Do you collaborate on this?
Absolutely, absolutely we do. We do every day, working with clients. So clients will deploy, for example, Guardium to do data activity monitoring. For example, when they do on-premise DB2 or Postgres and use that on-prem or cloud, they use the data activity monitoring tool while they will use our encryption and key management tools to protect.
So if you think of protect, they can use some of the tools that I talked about as part of Security and Compliance Center, as well as, when it comes to detect and respond, they use Guardium tools in that context. So absolutely, and similarly, various of our logs that you deploy as part of a holistic environment, you can feed that into QRadar as your security and threat management platform. So we do that for our customers. We work together, absolutely, yes.
Okay, great. Next question, I think, kind of, again, goes back to this story about the financial industry.
Like, the question is, how does, or like, how do security and compliance requirements commonly translate across industries? I think you've touched upon it a little bit. So can you maybe talk a little bit more?
Like, how do you go from a financial industry to a similar highly regulated one?
Yeah, that's a good question. So let me start with the financial services example. So even there, every bank has their own control frameworks. So what we have done is the ability to map their controls into the control set that we have. And typically, with the many banks that we have done this with, it's around a 95 to 97% success rate in the mapping. Then you only have to figure out what are the missing ones or different ones that you need to address.
Then we have done that now, mapping to industry standard frameworks, like the Cloud Security Alliance CCM Matrix. We have done that with CRI, the Cyber Risk Institute, as an example, and so on and so forth, and mapped that to regulatory requirements. This is based on the NIST 800-53 control set, which is the industry standard. Then as we look at and work with clients, we have seen clients in healthcare, for example, take their controls. And many enterprises are mapped to NIST 800-53, so they can readily map their security and compliance policies, codified as controls, into the control set that we support.
Because we also provide out of the box PCI and NIST and CIS and so on. So there are industry standard frameworks and standards that we support, which are all out of the box, then industry-specific ones that we support, and then customers can do their own mapping, and we can help them in their journey as part of the enterprise control mapping support.
And by the way, even those standards, they aren't actually all best practices. I'm not certain still, they evolve all the time, right?
So would you help your customers to kind of adopt those changes automatically, or is it something that they have to do themselves? How does it work?
No, we help them do that. For example, on one end of the spectrum, like NIST and PCI, et cetera, as those standards evolve and versions come out, we incorporate them into the profiles and policies that we make into the product. That's one side of the equation. The other side is when you look at industry regulations that are ever changing in different geos, we have the best minds in terms of compliance and regulations, Promontory, which is an IBM team with ex-regulators. They continuously watch all these regulations.
Then they map to saying what changed, what regulatory obligations have changed, and how does it translate to control requirements? And then we have the ability to map that and evolve these controls. That's part of our strategy as well.
So yes, specific controls and versions we'll provide out of the box. We'll continue to watch for regulatory update and keep at it and work with clients on such engagements to help them in their journey as well.
Okay, okay, great.
Fundamentally, as part of it, you can use Security and Compliance Center as that solution platform to achieve those same goals.
Okay, we have one minute left and one question left, which I'm afraid would probably take like another hour to answer properly, but maybe we can just kind of try to shorten it to: what, like, top one industry best practice would you recommend to our listeners to consider to achieve continuous security and compliance?
From a best practice perspective, things like CIS Benchmarks, right? You can even start with that, because rudimentarily many of the attacks are not because of sophisticated maneuvering or navigation within an environment. They are as simple as your ports are open to the internet.
You don't have your data encrypted. You are not watching and logging and monitoring, right?
Simple, what we all security experts think of as simple steps that one needs to do: you need to deploy them and continuously monitor them. So start from those industry standard best practices. If you don't have them, start with at least CIS Benchmarks to implement them consistently in a hybrid multi-cloud environment, and take a consistent approach and an integrated platform that you get visibility across, so that you don't need a swivel chair to go across multiple tool sets. So a two-pronged approach: best practice controls, start with at least a basic minimum like CIS Benchmarks that you can implement.
Number two, have one integrated platform across your multiple set as opposed to a hundred different tools.
All right. So if I might kind of reformulate it slightly, it's better to start small today and to spend a year on developing the greatest strategy ever rather than being too late to actually implement it, because you will be hacked by that time already.
Okay, awesome. Thank you very much. I believe in Cloud Security and Compliance Center, of course.
Right, right. Thank you very much. Thanks to all our visitors for their attendance and questions and poll responses. I hope to see you all at some of our later webinars or maybe even at our conference in two weeks in Frankfurt, Germany, Cyber Revolution. And thank you and have a nice day. Goodbye. Thank you. Bye.