Session at the European Identity & Cloud Conference 2013
May 16, 2013 14:30
And the next speaker is Dr. Wolfgang Schmidt, who is going to talk about compliance in hybrid cloud. So I'm going to hand over to Wolfgang. I've switched off my mobile phone. Thank you. Over to you. Over to me. Okay. Hello everybody. I'll try to go into a little more detail on how you can manage compliance rules in a cloud scenario. And just to start, can everybody give me a show of hands: who already uses cloud applications, cloud services, infrastructure services or whatever in an enterprise environment? Okay, half of you. Okay, perfect.
Only applications? Application as a service? No one is using application as a service, software as a service.
No one, no Salesforce customer in this room. That's impressive. Okay. Thank you very much. I will talk about how to reach and how to handle these kinds of compliance in a cloud scenario, and to start, okay, over there, let me introduce the ecosystem. I'm a representative of this ecosystem, named Cloud Ecosystem, which deals mainly with the German-speaking countries, so Germany, Austria and Switzerland, trying to help the economy, help the market, from a vendor perspective.
And from a user perspective: how can I leverage all these capabilities I have in the new area of cloud services, whether they are infrastructure or business processes as a service? We try to help these two parts of the market from a technical point of view and from a business point of view. For example, if an ISV tries to get his solution out in a software-as-a-service scenario, he's pretty familiar with the technical scenarios, he can handle all this, but he might not know how to handle a channel inside of the cloud business.
And so that's the aim of the Cloud Ecosystem. The ecosystem started in 2010 and has pretty nice members already. We have big companies like Deutsche Telekom, IBM, CA, Fujitsu, and small ones, because we are mainly addressing the mid-market, the upper mid-market area. How do we try to help them? Not only with our assistance as an ecosystem; we are an association, we don't earn money with it, and I do it just for fun.
And I hope you believe this, but we also try to get some transparency and some clarity into the market. What is the scenario?
Who is a trusted advisor in this area, who has the right offerings, who can help me in special scenarios? And so we decided to bring out two kinds of certifications from a practical point of view: no auditing, no formal way of doing this. We are practical guys doing practical work every day in our lives. And so we decided to give consultants the possibility to certify as a Cloud Expert, and vendors to certify their solution from a practical point of view, what customers think about their solution, via a Trusting Cloud scenario.
So we have a couple of certified Cloud Experts and Trusting Clouds. We started this last year, and so we have more in the pipeline currently. As I mentioned before, I just do this for fun.
And my background, just to give you an idea, is that I have been dealing with the IT business since the late eighties, and I started as a mainframe developer with COBOL and Fortran. Oh, great, a mic, thank you very much. And I've been dealing with all these distributed scenarios in the last couple of years. Okay, to our topic. I asked you who is using cloud services right now, and some of you, some of the people here, are using them currently from an enterprise point of view, because everyone is using cloud services as a private person; we all have our cell phones, as we heard before.
And we all use these kinds of cloud services as private people, but from a company point of view, I have to deal with regulations, I have to deal with compliance rules, and how to deal with them. That's exactly the topic. In Germany there is the BITKOM association, which shows what cloud compliance means. And it's all about proving the compliance, the adherence to the rules, which might be internal rules ("we only work together with such kinds of partners") or external regulations. And you have to deal with this.
There you have to deal with the risk. You have some efforts, and we have some requirements, and you can name it: your business can name the kinds of rules they have to follow, and that's not the problem. The problem is how to follow them in an automated way when you want to optimize your processes. Let's take an example. A customer is using a cloud ERP system.
Yes, such things exist already and are used in the market. And he has his established on-premise legacy systems, like transportation, logistics, financial services and so on, and he has his new cloud ERP system. The provider is based all over the world, has different data centers, and so on. The cloud user (sorry, I forgot to translate this; it's the cloud user, the enterprise) is based in Germany, for example. Then you have your existing risk, and at an identity management and security focused conference
I'm sure you are pretty familiar with all these ordinary risks, but, sorry for not translating it, there are additional risks, and you are all familiar with these kinds of risks from an API, from a web scenario. Since we use the internet, we all have to deal with this kind of cross-site scripting, fraud, and diverse injection scenarios, and we have to secure against them. And you were able to do this because you have your on-prem system; you can build up these gateways inside of the firewall or DMZ.
And you were aware of how to handle this, but if you're in a cloud scenario, there are new ones. I will try to translate it. Your cloud provider has software. And even Salesforce says it's still software, and software has errors; there is no error-free software. So this software throws exceptions, and this exception data goes to a log file, and this log file is distributed through different channels.
And what we have seen in the past is that inside of these log files, the cloud provider is providing customer data. Everything is done well in an ordinary functional scenario where you use their software, but in the backlog, for example, there is some customer data which has to be handled, and that's not okay from a compliance perspective. The other thing is, he might start as a startup, use a MySQL database for his solution, and then he gets really successful.
He has a lot of customers, and now he recognizes: oops, I have a problem with my data. I have to manage the data in a different way.
So I have to set up, let's say, a big Oracle, IBM or whatever database scenario and have to manage it. No, I don't want to do this. I take a cloud offer for database as a service, like Salesforce, for example, and I want them to handle the data management. Then that's not okay from a compliance perspective, because he has a contract with you, and maybe the customer doesn't allow that you take his data and put it to a third party, and maybe you are aware of it, or you are not. And in some kinds of scenarios you have to get the information, and you can write it down in a contract.
We have a lawyer here. He's able to do this contract.
But not every scenario can be done by a contract. There are some scenarios where you as a customer have the responsibility to check if your supplier is handling your data in the right way, or whether he relocates the data. Okay, I will skip some of these examples. It's all about proof: prove the adherence, prove the compliance, how to deal with the service, how to deal with the data. And how can you do this? I think, as I asked, there are a couple of infrastructure-as-a-service users right here in this room, and you are aware of these scenarios, the different layers in the cloud scenario.
So you have these platform-as-a-service offerings, as I mentioned before, the database or data as a service; you have these software-as-a-service scenarios like Salesforce; but what we see in the market more and more, and this is especially important for the compliance part, is that whole business processes are offered on demand, like, for example, e-procurement, like, for example, event management, or whatever the whole business process is. And now you are in this situation dealing with business-oriented compliance rules, and maybe you have to automate this in this scenario. Okay.
Inside of your enterprise it's the same: different lines of business have different business problems, so they are located on their, let's say, own focus. Okay, I will use this cloud service, or I will use this cloud service. You as an IT department maybe want to use a backup-as-a-service scenario and are not interested in a customer relationship management data scenario. So we have different kinds of cloud services inside of an enterprise, and the business process is going through not every line of business, but some of them.
So you have a distribution of the workload into your own system and some different cloud scenarios, and of course you need some kind of synchronization, and you have to do it in a compliant way, whether these compliance rules are your own internal rules or the external ones. So if you are getting these things together, you have to automate it, because no one can have hundreds of people checking all this data in a manual way.
If you want to automate it, then you have someone who has the responsibility to check whether the compliance rules and the security and so on are done in a proper way. And of course you have change in the scenarios. So from a value chain perspective, maybe you acquire some customers, like CA, for example, here acquired Layer 7 two weeks ago; we have them here in the booth area. And so now there are different kinds of compliance rules Layer 7 has to, how is it called, has to deal with, yeah.
And maybe as a Canadian company they weren't aware of the scenarios CA currently has. Okay, from your perspective, from IT, every line of business has different scenarios. So maybe you lose control of where the data is located, control of whether a user account or an identity or an access rule or whatever is handled in the right and proper way. And since the market is evolving so quickly, you will have a lot of change, and I will show you how to handle this. Okay? Because you are aware how to do it inside of your business.
You have all this security stuff in place. You can handle identity in the right way, you can handle access, I suppose you can do this, and if not, then there are a couple of people who can help you, especially in the booth area.
And so you should leverage your knowledge, you should leverage your experience, and try to get this also into this cloud scenario. Okay, it doesn't work; now it works. So what concepts will help you? The main thing is: put the data and put the workload in the right scenario.
So if you want to leverage the elasticity and the automated provisioning of cloud services, public cloud services, then of course try to use them. If you have data which, for example, because of some contract rules or regulatory restrictions and so on, you should keep in your internal data center, the traditional data center, not private cloud. If you want to use your traditional data center in a more agile way, maybe you can transform it to a private cloud scenario.
So this leads to a hybrid scenario where you have your traditional data center, workload and data, and you have the public one, and you have shared scenarios. And the best advice: put the workload and the data in the right distribution scenario.
Okay, if you do this, what is the technical approach, how to deal with it? You have this elastic cloud stuff; you can provision it in an elastic way, whether you have more need or less need, you can do this in an automated way. You can provide data or whole workloads into different data centers. So that's fine. You have your internal scenario. And of course, put a gateway with an attached rule management in the middle. You have these kinds of scenarios already in place, because you are working with outsourcing partners, you are working with hosting partners, so you are aware how to do this.
That's not a problem. Take this gateway idea, put your compliance rules, whether they are regulation-based or your internal compliance rules, put them in a rule system, whatever rule system you want to use, and attach these rules to the gateway. Let the gateway check every communication between your internal and external systems for whether the communication is compliant, and that is how it works. What do you have to do? Mainly: okay, take a trusted supplier.
And for the German-speaking market, we as an association help with Trusting Cloud to give you some more trust. We can't guarantee, we won't suggest "take this CRM system" or "take this backup as a service" or "this database as a service", but we can help you with transparency through the Trusting Cloud certification. You have to do this data and service integration.
And what we have seen in the last four or five years is that the main problem is user account synchronization, because your sales rep gets some access via an LDAP entry to different functions in your SAP and different sales regions, so he's able to see the data, and he will get the same information if he works with Salesforce, because he's also a sales representative in Canada, and you are based in Portugal, and in Portugal you have SAP; in Canada your sales force is so small that you use salesforce.com as a solution for CRM.
And you put your user account information from your LDAP or whatever system you have to deal with into Salesforce manually. You change something in the LDAP or wherever, and you will forget it in Salesforce or in your cloud service. And that's the reality; we see it every day. Okay, how can you do this? And these are the last couple of slides I have. What are the ways of dealing with this process scenario in an automated way? It all depends on the need for agility, because there are a couple of scenarios how you can deal with this.
First of all, you can write code. You can do it on a self-developed, homegrown basis, doing this integration with your gateway, checking the rules in a, let's say, database or whatever, and do it all manually. If you have an established enterprise application integration suite or ESB or whatever already in place, then you can use these kinds of technologies to link the rule-based system together with the integration scenario and check all this communication. Of course there are special solutions, special-purpose solutions, in the market.
Some of these vendors, at least one, are here at this conference, and there are more and more cloud services for these kinds of things. And I will go through everything in short. I think that if you are able to do this in a programmatic way, then you can do it. If you don't need agility, if you don't mind developing all this stuff in a manual way, it's okay.
But what I really recommend is that you should do it in a synchronous way, because of latency between the systems: you need to get back to your rule system, your database where you have your rules with the compliance scenario, checking it for every transaction. So it has to be quick, it has to be reliable.
And it can't depend on access problems via the internet. The better way is to use what you have existing in the enterprise; I assume you have it, let's say SAP PI or whatever, IBM Message Broker, MQ or whatever, you name it. Use this if you have it already in place; they are able to do all this integration stuff, and they are mostly able to link a rule-based system where you can put your compliance rules and check the whole communication when your SAP is providing data to Salesforce or Salesforce is trying to get data from the SAP system. There are special solutions like SOA appliances.
Layer 7 is one; they are here at the booth, you can talk to them. They are pretty good in the scenario when you have to deal with XML data. So if you have no legacy systems and have all your data provided via web services through XML, then it's a really good scenario, because these kinds of appliances can be used. And there are a couple of companies in the market like IBM DataPower, Layer 7, or whatever, you name it. These kinds of appliances are able to do the thing and the security work both.
So they are able to provide all the security stuff in a web service call or REST call or whatever, and provide some security against SQL injection, cross-site scripting, and so on, and you can put your compliance rules in place also. There are special scenarios like cloud integration solutions in the market that are already aware of this problem, so they are template-based. You don't have to program these kinds of solutions; there are already some templates for typical communication scenarios between the partners on- and off-site.
And of course, since they are working not only in the US but also in the EU, they are aware of this compliance and security problem, so they have predefined some hooks where you can put your compliance rules in place, and you will get to the solution quicker. And last but not least, these offerings are also evolving in the market as a service itself, so you can use it on demand. That's okay if the provider is providing the right template and the right process to you.
And since it's an early stage in this side of the market, it won't happen so often that exactly the scenario you need, let's say a compliance integration scenario between your CA Clarity or whatever and a mainframe-based application, is available, but have a look for it in future times. So what we've talked about is mainly that we have these risks and challenges from an IT perspective, but also from a value chain perspective, from a business perspective. I've told you a little bit about the concept of how to provide your data and workloads in different scenarios.
I tried to give you an idea, and I'm sure maybe it's a little bit difficult to understand the details of how to combine these on- and off-premise scenarios in a compliant way: what are the right architectures, what are the right ways, depending on your situation. And so I hope I reached my point that you can do compliance work in hybrid cloud scenarios, and you are able to integrate processes in a compliant way, and so you are able to spread the different kinds of process tasks in a hybrid scenario, and how to start.
I hope this talk about these kinds of scenarios like enterprise application integration or appliances or whatever was a little bit helpful. If not, and if you are able to read German (for everyone else it's well encrypted), I have a white paper from the Cloud Ecosystem in place, and I'm happy to share it with you if you're interested in getting a little bit deeper into this topic. And so, thanks a lot.
Thank you very much. So I think we've got time for one question. If anybody's got a question... yes, a question from there. So let's pass the mic over to you. Excellent presentation, thank you. Does this organization that you talked about have any international affiliations outside of Germany? There are some other associations working in different regions, and we are working closely together with them.
Yes, but Cloud Ecosystem is only present in the German-speaking markets. But if you're interested, I can get you in contact with the right people in the States or in Asia Pacific as well. Okay, thank you. Yes, thank you. And perhaps to follow up on that question: to what degree are you related to people like the Cloud Security Alliance, for example?
Yeah, that's a really good question. Of course there are some special-topic associations like the Cloud Security Alliance, and especially those associations focus on specific tasks in this business; we are working closely together with them. So they are asking us: what are, from your DACH region experience,
what are the security problems, what are the compliance problems in integrating these hybrid scenarios? So that's our idea of dealing with it, from a more US-based perspective: what do you think EU customers are thinking about? And so we try to have this conversation with those kinds of special associations for special purposes.
Thank you very much. Thank you, Mike. Thank you very much indeed, Wolfgang. Thanks a lot.
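The talk describes a gateway with an attached rule system sitting between internal systems and cloud suppliers, checking every communication for compliance: trusted suppliers only, data that must not be relocated outside its region, customer data leaking into provider log files, and user account synchronization between LDAP and a SaaS CRM. The following is an added illustration of that idea, not code from the speaker, the Cloud Ecosystem or any vendor named in the session. All system names (`erp.internal`, `crm.example`, `dbaas.example`), the supplier/region table, the permitted account-sync fields and the sample messages are constructed assumptions; the rule engine itself is a generic policy-check layer, not any product's API.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Message:
    """One communication passing through the gateway (constructed model)."""
    source: str
    destination: str
    channel: str        # "api", "log" or "account-sync"
    data_class: str     # "public", "internal" or "customer"
    payload: dict


@dataclass
class Verdict:
    allowed: bool
    violations: List[str] = field(default_factory=list)


# Assumed policy tables; a real deployment would load these from the rule system.
INTERNAL_SYSTEMS = {"erp.internal", "ldap.internal"}
TRUSTED_SUPPLIERS = {"crm.example", "backup.example"}          # e.g. certified suppliers
SUPPLIER_REGION = {"crm.example": "EU", "backup.example": "US", "dbaas.example": "US"}
EU_ONLY_CLASSES = {"customer"}                                  # must not leave the EU
ACCOUNT_SYNC_FIELDS = {"uid", "display_name", "role", "sales_region"}

# Patterns for customer data that must never appear in provider log records.
PII_PATTERNS = {
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def is_external(system: str) -> bool:
    return system not in INTERNAL_SYSTEMS


def rule_trusted_supplier(msg: Message) -> Optional[str]:
    """Internal rule: only communicate with suppliers on the trusted list."""
    for system in (msg.source, msg.destination):
        if is_external(system) and system not in TRUSTED_SUPPLIERS:
            return f"{system} is not a trusted supplier"
    return None


def rule_data_residency(msg: Message) -> Optional[str]:
    """Regulatory rule: customer data may only be sent to EU-hosted suppliers."""
    if msg.data_class in EU_ONLY_CLASSES and is_external(msg.destination):
        region = SUPPLIER_REGION.get(msg.destination, "unknown")
        if region != "EU":
            return f"{msg.data_class} data may not leave the EU (destination region: {region})"
    return None


def rule_no_pii_in_logs(msg: Message) -> Optional[str]:
    """Provider exception/log records must not carry customer identifiers."""
    if msg.channel != "log":
        return None
    text = " ".join(str(v) for v in msg.payload.values())
    hits = [name for name, pat in PII_PATTERNS.items() if pat.search(text)]
    return "log record contains customer data: " + ", ".join(hits) if hits else None


def rule_account_sync_fields(msg: Message) -> Optional[str]:
    """LDAP-to-SaaS account sync may only carry the contractually agreed attributes."""
    if msg.channel != "account-sync":
        return None
    extra = set(msg.payload) - ACCOUNT_SYNC_FIELDS
    if extra:
        return "account sync carries fields outside the agreed set: " + ", ".join(sorted(extra))
    return None


RULES: List[Callable[[Message], Optional[str]]] = [
    rule_trusted_supplier,
    rule_data_residency,
    rule_no_pii_in_logs,
    rule_account_sync_fields,
]


def check(msg: Message) -> Verdict:
    """Run every rule; a message is compliant only if no rule objects."""
    violations = [v for v in (rule(msg) for rule in RULES) if v]
    return Verdict(allowed=not violations, violations=violations)


def gateway(msg: Message, forward: Callable[[Message], None]) -> Verdict:
    """Forward the message only when compliant; always return the verdict for audit."""
    verdict = check(msg)
    if verdict.allowed:
        forward(msg)
    return verdict


if __name__ == "__main__":
    # Constructed sample: an account sync that also carries a salary attribute.
    sync = Message("ldap.internal", "crm.example", "account-sync", "internal",
                   {"uid": "jdoe", "display_name": "J. Doe", "role": "sales",
                    "sales_region": "PT", "salary": 52000})
    print(gateway(sync, lambda m: print("forwarded", m.destination)))
```

The check runs synchronously on every message, which is the property the speaker asks for: the gateway needs an answer from the rule system before the transaction proceeds, so the rule store should live alongside the gateway rather than behind an internet round trip. Rules return a human-readable reason, so a rejected message produces an auditable record of which internal or regulatory rule it failed.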