Now we'll be having a panel discussion for the next 20 minutes. Please welcome the panelists. We have Aus Alzubaidi, Carsten, and Michael. So the panel is The Cloud Conundrum, Balancing Agility with Security. And I would like to make this panel discussion interactive. So first you will introduce yourself and then have a few questions here. But if anyone from the audience would like to ask something specific, just raise your hand and I'll bring the microphone.
Okay, so maybe we can start first with Michael.
Sure, so I'm Michael. Nice to meet you folks. For those who don't know me, I've recently been the Adidas CISO. I'm currently on parental leave, that's why I say recently. Prior to that I used to run the show for Daimler. So for long years now, experience in the security field obviously, but also right now working for a cloud-first company, which is quite an interesting challenge in itself as well.
Carsten, I'm the Deputy CISO for Deutsche Bank. Many years of experience in Deutsche Bank and in cyber security, helping to get him crawl before he moved to Daimler. And that's why I'm wearing Adidas sneakers today.
I'm Group CISO for MBC, Middle East Broadcasting Center that's based in Dubai. It's a large media organization with TV channels, video on demand, and news operations across Middle East and North Africa.
Well, thank you for the introductions. Maybe I'll start first with the first question that is, I guess, very relevant with the title of the panel. So how can organizations effectively balance the need for agility in cloud adoption while maintaining security? Are there any specific frameworks or methodologies that you recommend? Maybe we can start first with Michael.
Yeah, so I think in principle, looking at that question, I think for me it's not a dilemma actually, but rather I think the cloud and the rapid development that we do nowadays in modern cloud environments actually helps us. So I'd rather do see it as a chance right now to get that agility and also on the security side, because now with the modern security means that we have, we can properly embed them in the software development lifecycle. We can enable the developers to see early if they are making mistakes, etc.
Plus also making sure that whatever ends up in production is secure to a certain extent. And so I think we have a lot more modern controls around it if we use the right ones. And so from my perspective, it rather enables agility and we also have a real opportunity there.
With a slightly different spin, I'd say, yeah, because the cloud is more secure from the get-go. Great opportunity.
We've all built an on-prem environment that was not secure when we started to build the environment and then we needed to catch up on the controls, whereas the cloud gives all of us an opportunity to build a secure platform. So that's why my second point would be spend your time in building the platform right before you become agile. Spend time on cross-platform tools, tools that embed security so that you have the basics right.
And then to your SDLC point, that's what we're currently looking at as well, where can you then improve speed, means agility, in adding controls into platforms that are not yet there or new platforms that you're building. So always keep the control in mind whilst you are developing your platform. That will allow you to be really agile with your releases at the end of the day, I think.
I think 10 years ago there has been a common stereotype, I would say, that cloud is not secure because your data sits somewhere else.
And then recently cloud is very secure because Microsoft and Amazon invest millions of dollars, billions of dollars in R&D. But I think the right answer is a shared responsibility model.
I mean, cloud is as secure as you configure it. I mean, what is risky for me is you have all your data sitting in the cloud, but then a single misconfiguration, a single checkbox, means your entire blob storage or S3 bucket gets exposed to the internet. So it is risky, at the same time it does allow you to move at a faster pace.
Yeah, and as we are a big cloud, Google cloud partner, I just want to say he forgot Google. But adding to your point, I love the fact that you bring in also that data view, and I see that as one of the big enablers now in that cloud world. Because in the past, and I remember the banks did it long years ago already, if you wanted to discover where your data actually is and classify it, etc., it was a hassle to do that. Now in the cloud environment, you take a snapshot of the whole environment, check the snapshot, and then it can tell you where your customer data resides, etc.
And then you can check whether the right security controls have been applied there, or whether a developer just made a copy of everything and put it, like you said, on an S3 bucket where it shouldn't be. So again, I see a lot of opportunity there.
You mentioned, Carsten, that it's important to get the strong foundation, getting the basics right before this transition. But once you make this transition, what are the current cyber threats that you see now in the cloud, specifically in your own industry, your own organization? Anything that comes to mind?
So in all honesty, I don't see any other threats that we have seen before as well. I think you made a very good point. Ten years ago, we all believed that cloud is a nightmare. I remember the head of the MAS financial regulator for Singapore saying, cloud only over my dead body. He's still alive, and we're all using the cloud. But if you look at the threats that we are seeing with the cloud, then they are very similar to those that we have seen on-premise as well. At the end of the day, you have a perimeter that is going out.
That's your concern from the outside perspective, whether that's sitting in your data center on Google or Microsoft or Amazon's data center doesn't really matter. In fact, they're probably better in managing the perimeter than you are. All the hacks we have seen on cloud environments are usually happening in where you do your own customization. That's definitely a threat. How do you customize that properly that you need to manage? And the insider threat is pretty similar like it is on-prem.
In fact, to Michael's point, probably easier to spot than it is on-prem. So I don't see necessarily major new threats coming with cloud. It's probably the same that we have seen.
On some, we need to be a bit more careful. On some others, we can probably be a bit more relaxed.
I have to agree with you. But maybe something else to add here is when it comes to the cloud specifically, the attack surface is massive.
Today, you mentioned Google, by the way. I have workloads on five public clouds, including Alibaba and Huawei. So we use every single cloud vendor because we operate on five continents. And you would be surprised that some basics that are covered with GCP and AWS might not necessarily be relevant to Alibaba and Huawei. So the attack surface is massive. The fact that you have APIs everywhere communicating with thousands of applications means your supply chain perimeter does not exist anymore. Every single software is a new attack vector.
That's very true. How can organizations implement a zero trust approach within their cloud infrastructure? What are some of the practical challenges that you believe should be addressed or taken into consideration? Maybe we can start with Michael.
Yeah, I would try and answer first, maybe. I think, again, first it would be about how do you define zero trust for you? So what do you include in it? And I think we are all thinking about two main things in there. One is identity, obviously. The other one is network. From an identity perspective, yes, obviously there are certain challenges. You need to manage the access to those cloud workloads in a different way. You need more modern ways to do that, et cetera. But I think the number one challenge that we all still have, and I think in those cloud environments, it didn't get easier.
When we think about our old data centers, we might have done some sort of micro segmentation in there. Why? They didn't change a lot.
I mean, there wasn't thousands of servers being carried in there and removed every day, but we are literally doing in the cloud right now. And that more static environment, from my perspective, enabled more easily a micro segmentation. In the cloud environment, you can do it technically in a very easy way. But the problem is every developer or every DevOps team would need to understand that it's their duty to do it. It's just two clicks away for them, but they would need to do it.
And for me, quite honestly, the bigger challenge when I think about zero trust in our cloud environments is not on the identity side when it comes to personal identities, machine identities. Yes, absolutely. But it's also on the network side, how to ensure that you can do a proper micro segmentation where you only allow zero trust based access into those different segments and keeping that in shape.
And that's nothing I can add. That was a pretty good answer.
I'd like to open now the floor to questions from the audience. Is there anything specific? Now is your chance. Don't be shy. Not?
Well, I have another question. Well, we already mentioned that maybe we don't see any emerging threats that come to mind now, but any other, let's say, trends that you see evolving for the next few years in cloud security? You want to start?
So I think what we've recently seen and that maybe sort of I need to eat a little bit my words that I used earlier, but if you look at the Microsoft attack, one of the threats that we will see in the future is that they're trying to attack those cloud providers and trying to get into their cloud environments.
So Microsoft was able to show to all of us that they didn't hit their client environment, only their internal environment. But what happens if they hit their client environment? And then this can impact a lot of us at the same point in time. And all of a sudden you have a completely different industry risk than you had before. You could now argue if you had an IBM data center to name one and we were sitting on that and you were sitting on it, then you have sort of the same risk, but more physical risk than a virtual risk. So I think that will be one of the threats we may be seeing.
And that would be in line with what we've seen over the last five years, that the attacks on our third party providers are probably more worrying than the attacks against us, because they're more looking for those third party providers to infiltrate them to then have a route to you, to me, to him, something like this. So I think that's one of the things that I think will further accelerate.
I mean when it comes to AI, forget the hype whether AI works or not, but the fact that there are platforms like Hugging Face today, which means you have open source large language models that can somehow operate within your cloud, within your tenant, but you don't completely control. This is a major attack surface as in poisoning your data. I mean I see this all the time and if you're saying trend moving forward, you mentioned this yesterday Michael, that runtime security is important. You cannot have EDR on a cloud workload. You need to think about this differently.
But something else that is extremely helpful is you need to democratize cloud security. Ideally you need to shift left, every single developer, engineer, architect uses a CNAPP product on databases. You cannot have a cloud security engineer managing CNAPP all the time.
I fully agree and since you were referring to yesterday, there was an amazing talk about SaaS security and I think just answering your point as well. I truly think that we all forgot a bit to look into SaaS more deeply, especially the integrations between SaaS applications.
What we have found when we started looking into that is it's so easy, always just one click away to connect your Salesforce to another SaaS solution and all of a sudden that other SaaS solution has access to your consumer data. For me that is one of the really upcoming threats as well that we need to look into more deeply from a technical perspective. How to make sure we configure the SaaS solutions in the right way so that our data doesn't just move away without us knowing it.
I'm curious to know since you work for a very big organization that is covering multiple continents, you know what Carsten was referring to that how can we ensure that all of these attack vectors don't happen in some third party? How do we ensure that doesn't happen?
Honestly I would say it's impossible to have complete confidence but I think we have to start covering the basics. I mean back to your point Michael, identity. How do you manage your contractors and suppliers? Do you make sure that you have a unified identity?
Your attack radius, the blast radius when something happens with Snowflake? Are you able to disconnect Snowflake out of your network within seconds? So covering the basics just like on-premise would help.
Any questions? No? Still not. I pay for questions. All right, so what criteria do you think vendors should take into consideration when selecting a service provider, let's say, or some product in order to remain safe in this area?
How much time do we have?
Yeah, we have five minutes. Take your time.
So again it's a bit like the AI hype. AI isn't something really new.
The cloud isn't something really new though we try to invent the wheel again. Our criteria to look for vendors hasn't really changed. You look for a certain functionality. You look for certain use case to be solved. You're looking at financial stability of the company. You're looking at maturity of the company. You're looking at innovation, creativity of solution, simplicity of solution and then on top of all of that we are looking we personally we're looking for ecosystems. For years and I think we had that discussion at one of the conferences a year ago or so.
For years we have looked at the best product in the market to solve a certain use case and I think we've all we're all grown up by now and we know that that doesn't get us anywhere because then we're ending up with 300 different tools that we can't manage and that don't talk to each other.
So we just had a discussion outside with Sergey and another colleague on how bad can an embedded functionality in an ecosystem be that you go to look for the best solution in the market for that single problem and the answer is not really bad enough and if it's so bad then you won't pick that ecosystem either. So I think the criteria hasn't really changed a lot. The architecture that you want to deploy across your environment will drive how you look at this differently whether it's cloud or AI or on-prem or whatever.
Maybe just adding a bit another perspective as well but fully in line with what you said Carsten.
If I go talk to our enterprise architecture folks who really look into the solution before we introduce them but from a general technical perspective our head of enterprise architecture would very often say are you sure it's a cloud and the reason for that is we had and I can share that example we had one provider that was doing supply chain management for us so really logistics and things like that and that provider claimed to be a SaaS provider so you would purchase it as a SaaS service and it's ultra scalable and so on super agile.
Well it turned out to be an outdated server standing in a non-secure data center in one country and that was their SaaS platform and that goes back to what Carsten said we just need to do our due diligence like we always did it in the past properly and not just believe if somebody says yeah we are hyperscale and so on that they really are. And it's really looking at what are they offering.
I mean literally we have an email trail right now between two of my peers and I on a major cloud provider that are calling a module a SaaS module and now we're having a debate with our architects because all of a sudden that SaaS module should be deployed to our tenant and it's not the SaaS. So we have a discussion with our model risk people about the fact that we may need to record some of the models that cloud providers or security providers are doing as a model within the bank from a regulatory perspective.
And we're now facing an issue because one of the vendors is trying to sell that they're doing AI and when we're asking for the details to be provided we learn that what they're doing is just a binary search on oh it's not Michael it's Carsten and then if it's Carsten then it's correct and if it's Michael then it's even more correct. But that's not AI that's just binary so we need to be careful that all the hype and bullshit bingo we are playing is not sort of taking us away from the real problem of we need to solve a security use case.
I can't agree more and for us we follow a very simple approach. I mean yes cost is important, financiality is important, but back to your point compatibility with your current stack or flexibility are you able to have APIs to integrate the product vision? I mean ask for a meeting with the CPO of that company, see what they plan for the next five years, the next two years. It's nice to understand where the product is heading and ease of use. I mean if you have 1,000 engineers going to use the platform is it useful? Is it easy?
Yeah, all right, so if there are no more questions I'd like to ask maybe for some concluding thoughts. I know we covered pretty much everything but maybe you can share some fun fact or some real case scenario from your own job that maybe it would be nice to share.
Well I think I shared one yesterday and I want to keep it on a positive note so I want to end on a positive note. I really think that those cloud environments are an opportunity for us as security folks to do our job in a different and I think better way.
But I also twice so in two companies when deploying runtime protection broke all of the environments they were deployed in and so still stay vigilant and be careful what you're using, understand the technology and work with those folks that need to use it on a daily basis like you said. But again it's an opportunity and we can do things in a smarter way so let's do that.
We had a town hall yesterday I think and we were talking about our achievements and all of that and part of my team is also the red team and I called them out as being caught twice in the last exercise by the threat detection team and I think that speaks to the quality of a red team. The better a red team is, the more often they will get caught because they're helping to educate the organization to get better. It's that continuous improvement process that a couple of folks were talking about this morning in the first sessions in the plateau room.
How do you constantly improve security and I think this should really drive us. How can we constantly improve, continuously improve because the hackers do that as well. So we need to keep up with that pace.
My only advice is: don't be a perfectionist when it comes to cloud security. Start small, high impact, focus on visibility, identify the crown jewels, tag your assets that have PII data for example and then move on towards more complex topics as you improve your maturity.
You're free to go now. Thank you for your time. Thank you.