Welcome to my presentation on clouds for all seasons. The challenge that organizations have is that the use of cloud has really been experimental, and this has led to what I would describe as a fair-weather cloud. The problems from this are that the governance and transparency of what is being done is not as good as it could be, and that data protection problems have arisen. What is needed is in fact a cloud that will cover the storms as well as the sunshine. So I like to start with real concrete cases.
Many of you may have heard of the Capital One data breach, which occurred in 2019. It is interesting because there was an indictment, so there is actually evidence filed with a court that helps us to understand what happened. In effect, the problem was that there was a misconfigured web application firewall that was exploited to pass on requests to a backend resource, which was actually a virtual machine.

That virtual machine had privileges, and those privileges were in excess of what was really required.

This allowed the hacker to gain access to the customer's S3 buckets, which contained files, and even encrypted files, which in turn led to an 80 million fine. So this is amazing. When I was a lad, as they say, a server sat in a room and its privileges were determined by its physical location and who could access it. So in effect, this illustrates the challenges that are faced when, as was described by Martin in the opening keynote, organizations try to make their businesses fly.
Digital transformation depends upon this just-in-time infrastructure, which is provided by software-defined and software-described infrastructure, services and applications. When you are using this just-in-time infrastructure, a static security and compliance model, which was appropriate for the physical world, is no longer appropriate.
Now there are various solutions that are being put forward to this, and one of the things I am going to lead to is cloud infrastructure and entitlement management. Many people are running around, and many vendors are basically saying this is the best thing since sliced bread. To summarize my position: it is part of the answer, but it needs something that is more comprehensive. So when we look at how organizations have been using their fair-weather cloud, they used it experimentally in places where they believed there was limited business impact of failure. The result of this is that there has not been a great deal of voluntary transfer of business-critical workloads.
Digital transformation became dependent upon the ability to very quickly get hold of resources and very quickly exploit these to try out new ideas. And that is fine; you could control where it was. Then COVID-19 occurred, which suddenly put many organizations under enormous pressure, and this in fact led to an acceleration of this transformation: retail businesses had to go online, manufacturing businesses had to change their shop floors, and basically everybody had to work in a different way.
So what is really needed is a cloud for all seasons that will weather the compliance and security storms of this just-in-time hybrid IT. Now, when you look at what really matters to organizations, there are all kinds of technology risks described by people, but ultimately it always comes down to one of three things. Either you fail to comply with obligations, and that usually is costly. You can end up with data breaches, which certainly lead to costs and to loss of reputation. And finally, there is a whole host of ways in which natural disasters and cyber attacks can lead to business continuity failures. Everything ultimately comes back down to one of those three things in terms of the impact on the business.
So what we need to do is to make sure that whatever solutions we have cater for those issues. What is made more difficult by today's multi-cloud hybrid world is the fact that you have a set of shared responsibilities, and these lead to confusion and inconsistent governance. For the cloud service, there are all of these different layers for which the different parts of cybersecurity need to be implemented, and each of the cloud service providers does these in slightly different ways and provides slightly different tools for the organization to do it. Depending on what kind of cloud service you are using, you are responsible for different layers in this complex infrastructure.
So it is not at all surprising that there is all kinds of confusion, not to mention the fact that there are these other sets of privileges which are related to infrastructure as code and the software-defined elements within the infrastructure. What we really need is some kind of proper and consistent way of looking at governance. In effect, governance is something that helps you to meet business needs; the technology delivers this, and governance effectively says: in order to meet these needs, we need these service levels.
And you, as the deliverers, have to meet these service levels. This is not helped where in fact you have lots of different inconsistent tools and capabilities. Now, in a sense, the world has gone round: when people moved from the mainframe to distributed systems, that was seen as a problem and was resolved by various kinds of management systems. And now we have gone through it all again, where we have all of these distributed systems in all kinds of distributed and different services.
In effect, most organizations are really driven to a form of ad hoc governance. To illustrate this: all of the things that you used to have on premises, identity governance, protection of your data, network security and vulnerability management, you need in the cloud as well, but all of the cloud services do them in different ways and provide you with slightly different sets of tools to actually do that. What is more, to add to the complexity and confusion, you find that there are now other tools that have appeared that are supposed to help you with this. What were CASBs are being absorbed into secure access service edge, and there is now a set of tools that are going to try and allow you to see what your security posture is around all of this.
This creates a very difficult environment for having a common way of managing your service, because nearly every important service now depends upon components that are distributed. Some of them are on premises, some may be in one cloud and some may be in another cloud. What we really need is some way of bringing all this together so that we have a consistent approach to hybrid governance, with a common way of dealing with these different elements across all of this environment.
To a large extent, this now depends, and will depend, upon a lot of support from artificial intelligence, or rather machine learning, because one of the areas most appropriate for the application of machine learning is in fact the management of systems. We actually have an enormous body of knowledge of how to do it. Much of it is written down, a lot of it is rule based, and there is lots and lots of data to help us to do it. So really we should be looking for this strong level of AI support in all of our tools.
Now, just to confuse the issue, if you step beyond this you then find that there is another tool, or another set of capabilities, that organizations are being told they need, which is called cloud infrastructure and entitlement management. Our view in KuppingerCole is that what is needed goes beyond this, and we are calling it dynamic resource entitlement and access management. In order to manage dynamic IT, you cannot manage a dynamic thing by individually setting controls on fixed services. If a service appears within milliseconds, then that service has to come from a template using policies that we know, and those templates and policies have to define entitlements and lead to the just-in-time controls that are needed to enforce least privilege, not only of the applications and the infrastructure elements like operating systems and firewalls that you understand, but also the entitlements of the services and the code-defined things such as servers and virtual disks, as well as the virtual software-defined network itself.
These lead to a need for intelligent monitoring that captures what is happening on these ephemeral, transient systems to allow you to have some kind of real-time response. Now, people used to say that World War III would be over before you knew it had started; in a sense, we are already in that position in the IT world. Indeed, yesterday we had the gentleman from Brazil who was describing how, as you obtain a PDF document, it is already too late. So in this just-in-time world we have to have just-in-time security, and that has to be based on some kind of policy, some kind of pre-planned actions, which are implemented and supported by strong technology using artificial intelligence. Now, in terms of compliance, the other problem we have is transparency. When we had all our services on premises and under our control, we understood our obligations.

We created controls that we believed were effective and we knew existed.
However, when we are using a cloud service, we find ourselves in the position where the cloud service provider wants to assure us that everything is well, but does not want to tell us in detail about what they are doing, because that is a risk. So we really have a challenge with all of this. This illustrates the position I described: on premises, we believe that we understand the controls and can measure their effectiveness to make sure that we are all right. What we have to depend upon with the cloud is that they may or may not tell us more or less about their controls.

What is really needed is a much more transparent system where there are properly agreed control frameworks, validated and verified by regulators, which can be adopted by cloud service providers and can provide automated implementation of measurement, so that a customer can interrogate the system, without the provider necessarily divulging what is happening, and on a real-time basis understand that the controls are in fact available, existing, operational and effective.

So what we really need is a much more transparent set of systems that goes beyond simply saying, well, I have got a certificate that says my cloud was validated by an auditor 18 months ago and was at the time in compliance. Indeed, some of the cloud service providers are starting to do that. Some of them have come up with frameworks that have been approved by financial regulators, and more and more they are providing audit frameworks which allow auditors to look at this.
Now, what about data? Here is another one: in March this year, the Portuguese data protection authority told the Portuguese census office that they had 12 hours to cease and desist using a US-based cloud service provider. So where has this come from?

Well, this is the beginning of what people have not realized is coming, the tsunami that follows from the Schrems II judgment, which basically said that the processing of EU personal data in the clear outside of the European Union is not permitted; that contractual clauses are not sufficient, because government interception is not bound by contracts; and that organizations in that situation should and must implement technical measures.
So could your business deal with 12 hours' notice to cease and desist using a US-based cloud service provider? Let me just say that it is not just the EU: many countries, with China in particular leading the way, are coming up with similar things. So we have got used to the fact that we can protect data in transit and in storage, but protecting data while it is being processed is more challenging. And why does this matter?

Well, it matters because you can now find many readily available hacking tools which allow you to scrape RAM and look for data in the clear within that RAM. For most simple applications, processing data needs it to be in the clear. So the traditional methods of encryption, access governance and data governance need to be extended to include a way to protect data while it is being processed. There are basically four approaches to this, some of which are more practical than others.
The most commonly mentioned one now is trusted execution environments, where both AMD and Intel effectively have a hardware-protected area where the code will run and data is only ever held decrypted within that area, and there are hardware guarantees on its inaccessibility other than to the trusted code. The other practical approach, which is being promoted by the data protection authorities, is pseudonymization. One of the good news pieces of pseudonymization is that it actually works: pseudonymized data can be processed using artificial intelligence or machine learning for both learning and inference.

Homomorphic encryption has been around for some time, where effectively you can encrypt data in a way that allows it to be processed without it being decrypted. However, it is still very much more compute intensive and somewhat limited in the functions that it allows. Another interesting thing that is coming along is secure multiparty computing, and in effect pseudonymization is a form of secure multiparty computing, where you can process different parts of the data separately without being able to put it all together.
Now, all of these things together are leading to what is needed for a cloud for all seasons. First of all, what is needed is something beyond cloud infrastructure and entitlement management: just-in-time security is needed for just-in-time IT. You need to have integrated security controls for both clouds and for cloud tenants across the board, and this is needed to provide some kind of consistent governance across the whole of this multi-cloud hybrid IT. There needs to be greater transparency of controls through properly verified control frameworks that take account of today's just-in-time dynamic computing environments, with tenant visibility in real time of the existence and effectiveness of the controls that they depend upon for compliance. Services should be providing much more in the way of machine-learning-supported tenant tools to help them to avoid the simple things and to detect in real time what is needed in this ephemeral, dynamic, just-in-time IT environment.

And that needs to be combined with zero trust data protection, which gives you proper protection of the data throughout its life cycle with access governance, tenant-controlled encryption and confidential computing. So with that, I will say thank you very much. I think we have a couple of minutes for questions. So back to you, Matthias.
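Added example, not part of the talk: the over-privileged role the speaker describes in the Capital One case, and the point that services instantiated from templates must carry policy-defined, least-privilege entitlements, can be checked mechanically before a template is deployed. The Python below lints an AWS IAM-style policy document for Allow statements that combine a wildcard-matched S3 data-access action with an unscoped resource. The two policy documents, the bucket name and the list of sensitive actions are constructed for illustration; the IAM JSON layout is assumed, and the rule itself is my own, not a product or AWS check.

```python
"""Least-privilege lint for IAM-style policy documents.

Added example, not from the talk: flags Allow statements that grant
S3 data access (via wildcard or explicit action) on an unscoped resource.
The policy documents below are constructed samples; the AWS IAM JSON
layout (Version / Statement / Effect / Action / Resource) is assumed.
"""
import fnmatch
import json

# Constructed sample: role attached to a VM with far more than it needs.
OVER_PRIVILEGED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    ],
}

# Constructed sample: the same role scoped to one action on one bucket prefix.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/uploads/*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    ],
}

# Actions that read or enumerate bucket data. A statement whose action
# pattern covers any of these on an unscoped resource is reported.
SENSITIVE_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:ListAllMyBuckets")


def _as_list(value):
    """IAM allows either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _is_unscoped(resource):
    """True for '*' or an S3 ARN that covers whole buckets (no object-key prefix)."""
    if resource == "*":
        return True
    return (resource.startswith("arn:aws:s3:::")
            and "*" in resource
            and "/" not in resource)


def find_broad_grants(policy):
    """Return findings for Allow statements that pair a sensitive S3 action
    with an unscoped resource. IAM action matching is case-insensitive and
    supports '*' wildcards, which fnmatch reproduces here."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        covered = [a for a in SENSITIVE_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        unscoped = [r for r in _as_list(stmt.get("Resource", [])) if _is_unscoped(r)]
        if covered and unscoped:
            findings.append({"statement": index,
                             "actions": covered,
                             "resources": unscoped})
    return findings


def template_approved(policy):
    """Deployment-pipeline gate: True only when no broad grant is found."""
    return not find_broad_grants(policy)


if __name__ == "__main__":
    for name, policy in (("over-privileged", OVER_PRIVILEGED),
                         ("least-privilege", LEAST_PRIVILEGE)):
        print(name, "approved" if template_approved(policy) else "rejected")
        print(json.dumps(find_broad_grants(policy), indent=2))
```

Run as a script it rejects the first policy (one finding: `s3:*` on `*`) and approves the second. The check is deliberately narrow: it reasons about the policy document alone and does not evaluate conditions, resource policies or permission boundaries, so treat it as one gate in the template pipeline, not as a full entitlement analysis.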
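A second added example, again not from the talk: the speaker says pseudonymized data can still be processed, and that pseudonymization lets different parts of the data be handled separately without being put back together. The Python below replaces the direct identifier in a small constructed record set with a keyed HMAC token, so that records for the same person still aggregate correctly while the processor never sees the identifier and cannot link its tokens to another processor's. The records, field names and keys are constructed, and the choice of HMAC-SHA256 as the pseudonym function is mine, not something the talk specifies.

```python
"""Keyed pseudonymization of a direct identifier.

Added example, not from the talk. Replaces the 'email' field with an
HMAC-SHA256 token under a tenant-held key: the same input always yields the
same token (so joins and aggregation still work), different keys yield
unrelated tokens (so two processors cannot link their views), and only the
key holder can rebuild the mapping. Records and keys are constructed.
"""
import base64
import hashlib
import hmac

# Constructed sample records; 'email' is the direct identifier.
RECORDS = [
    {"email": "alice@example.com", "age": 34, "purchase": 120.0},
    {"email": "bob@example.com", "age": 41, "purchase": 80.5},
    {"email": "alice@example.com", "age": 34, "purchase": 30.0},
]

DIRECT_IDENTIFIERS = ("email",)


def _identity_string(rec):
    """Join all direct identifiers so a record maps to exactly one token."""
    return "|".join(str(rec[f]) for f in DIRECT_IDENTIFIERS if f in rec)


def pseudonym(value, key):
    """Deterministic token for `value` under `key`: first 16 bytes of the
    HMAC, URL-safe base64 without padding."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).decode("ascii").rstrip("=")


def pseudonymize(records, key):
    """Return copies of `records` with the direct identifiers removed and a
    'subject_id' token added. The input records are left untouched."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        new["subject_id"] = pseudonym(_identity_string(rec), key)
        out.append(new)
    return out


def total_purchases(pseudonymized):
    """Per-subject aggregate computed by a processor that never sees emails."""
    totals = {}
    for rec in pseudonymized:
        totals[rec["subject_id"]] = totals.get(rec["subject_id"], 0.0) + rec["purchase"]
    return totals


def build_reidentification_table(records, key):
    """token -> identifier, derivable only by whoever holds the key. Kept
    with the data controller, never shipped to the processor."""
    return {pseudonym(_identity_string(r), key): _identity_string(r) for r in records}


if __name__ == "__main__":
    tenant_key = b"constructed-tenant-key"   # constructed; use a managed key in practice
    tokens = pseudonymize(RECORDS, tenant_key)
    print(tokens)
    print(total_purchases(tokens))
    print(build_reidentification_table(RECORDS, tenant_key))
```

Two caveats a practitioner should keep in mind. First, this is pseudonymization, not anonymization: the key holder can reverse it, and quasi-identifiers such as `age` remain in the clear, so the key must stay under tenant control, separate from the processing environment, which is what the talk's "tenant-controlled encryption" implies. Second, the separation between processors only holds if each receives tokens under a different key; reusing one key across processors lets them join their views.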