Peter Lassig, CISO, HypoVereinsbank, Commerzbank: Just to introduce myself, my name is Peter Lassig. I know Berthold from back then, Deutsche Bank days.
I myself was 18 years with Deutsche before I joined KPMG, McKinsey, became the CISO for HypoVereinsbank, and now I am the CISO of Commerzbank, just as a very brief introduction. But it's not about me today. The first speaker of this evening is Mike Small.
Mike, would you like to come to the stage? 40 years of IT industry experience. So you started with computers and tabulators. We chatted a bit before, right?
Yes, tabulators. A long time ago. A long time ago. And then you were transferred, you explained to me, to Computer Associates, right? Yes. There you ran the product line for EMEA, right? Yes. And you developed the whole access strategy, right? Yes. For distributed systems. That is correct. But today's presentation is about future-proofing of cloud security, from CSPM to AI SPM. And it's about how AI transforms cloud security. Is that right? That is correct. Thank you. Okay. Then the applause is for you. Thank you.
So, thank you very much for that introduction. So, I worked for CA. And those of you that know the history of CA will understand perhaps why I got interested in cloud computing. But what I would like to do...
Ah, there we are. When the cloud first arrived, people were worried to begin with that the cloud infrastructure was not secure. That they could not trust the cloud service provider to do a good job of trusting the infrastructure. Then they decided that, well, they could trust the infrastructure, but they weren't sure whether they could be compliant. Because maybe the cloud service provider was not compliant. But the reality is that most of the things that have gone wrong with people using the cloud has been due to mistakes made by the customer.
And on this slide, there are three examples of those mistakes. Now, at an organizational level, at a business level, organizations' boards are not interested in all the nitty-gritty detail which I'm going to talk to you about. What they're interested in is what was the impact on the business. And the three negative impacts are that I couldn't continue with my business, things were not available; that I was going to fail a regulatory compliance; or that I was going to have my intellectual property, my data, stolen. Now in this case, two of these examples here were basically a compliance failure.
That Toyota exposed the sensitive data that they held about all of the cars that effectively was what was the data about your car that they held. And it was basically due to misconfigured access rights. Misconfigured by the user. AT&T had a breach which affected millions of customers. And the reason for that was they had an issue which could simply have been avoided if they had been using multi-factor authentication. Now the final one is an example of a potential breach which did not occur. But which was identified by some of the security researchers.
And once again, this is a thing which would have manifested itself had the user of the cloud not properly configured and not used all the capabilities that the cloud provided. So cloud service providers provide a lot of capabilities. And there are a lot of products that can help you to configure your cloud correctly.
But sadly, the majority of problems have come about because organizations did not use those things. So why does this matter?
Well, why it matters is that actually organizations have been going through a period of transforming their operations towards the use of digital. To get closer to their customers, to become more efficient, and to get closer to their suppliers and their partners. But that digital transformation has now moved on a step. And in fact, it's basically starting to use artificial intelligence or what we would call Gen AI capabilities to take them even a step further forward. And this is providing a lot of new opportunities as well as bringing some new risks.
Now, one of the interesting things is that according to IBM, they announced at their Think Conference that they expect a billion new apps will be developed in the next five years. And the reason why they say that is because Gen AI gives this capability to create code, which means that more organizations can produce more apps that are more suited to their particular need. And each of those apps is going to be different. And each of those apps is going to need its own way of being secured.
Now, all of this is based on the cloud. Very few people are primarily running their business applications based on Gen AI on-premises. A limited number may be, but the vast majority are using the capabilities in the cloud because it's more scalable, it's cheaper and so forth.
So, this is bringing back these three challenges that I talked about at the beginning, which are, is my organization still compliant with all the regulatory obligations that I have? How am I going to avoid having data breaches? And how am I going to ensure business continuity?
So, the challenge that comes from this is that the cloud was portrayed as being simplification. But unfortunately, like so many things in the IT industry, it's just become another layer of complexity upon everything else, which hasn't gone away. And we don't just have one cloud, we have many clouds. And each of these clouds is very good, but they're actually inconsistent. They don't have exactly the same tools or the same capabilities. And on top of that, we have this concept of shared responsibility for security and compliance.
On top, and in addition to all of these things, we have the added complexity, the added risks that come from the use of Gen AI. So, what are these risks that come from this new technology?
Well, the first risk is the data. And effectively, you cannot disconnect the idea of Gen AI from data. The purpose of Gen AI is that it exploits data. It can use data. It can find patterns in data that the ordinary human couldn't do. In order to make it do exactly what we want it to do, we have to train it. And that training involves training data. But when you've trained it, the data you trained it on may have contained information which was intellectual property or it was privacy-controlled data. And you don't want that to escape in any way.
So, you need to understand and control what training data there is and how it is used. There are techniques you can use to anonymize it or to make that more safe. But you have to use them. The second thing is that you have effectively a development pipeline for the development of the AI. Are your folk using the approved services or are they using whatever service they can get hold of? Are those services properly secured so that you know who can access them?
And effectively, this has become another challenge of shadow computing that organizations are using or exploiting Gen AI, but they don't know exactly which ones are being used, which are the ones that are sanctioned, and so forth. Then you have a supply chain risk to do with large language models. That there's lots of LLMs floating around in the world. And people may be using ones that you haven't approved that may not actually be totally secure. They may have some kind of loophole in them. They may be poisoned or there are techniques that can be used to exploit them, such as prompt injection.
And finally, what this really boils down to is that you need to include your AI posture as part of your security posture. You need to know what you've got. You can only secure it if you know what you've got. You need to have visibility of that. You need to be able to measure it. And you need to be able to report on it, about risks and how well you are meeting your compliance obligations. In terms of the cloud shared responsibility, this diagram illustrates, only for infrastructure as a service, how these cloud controls that you need are divided.
And interestingly, when a cloud service provider says to you, we've got an ISAE 18 SOC 2 type 2 compliance, one of the things that that includes is that the auditors have measured whether or not the service provides the capabilities that you, the customer, need to secure your use of the cloud. But it doesn't include whether or not you've used them. So you have to remember that your organization using the cloud is always responsible for these complementary user entity controls that they're described as.
And ultimately, that means your responsibility is who can access your apps in the cloud and who can access your data in the cloud and how you use the cloud. And the vast majority of security incidents relate to the misuse or the misconfiguration or the non-configuration of these controls.
But, of course, remember, they're all different. The controls you have on AWS are different to the controls you have on Google Cloud, which are different to those that you have on Microsoft Azure. But they all cover the same things, which are how do you control the identities? How do you protect your data? How do you manage the vulnerabilities that are in the parts that you're responsible for? And how do you configure your in-cloud network to meet your policies or your zero trust? And so organizations need to monitor and manage and understand what they have.
And this is even more difficult because the cloud is dynamic, that resources are brought up, brought into existence and destroyed as they're needed. So the old method of having a nightly scan for vulnerabilities is not actually sufficient. And so what's happened is the market has created this alphabet soup of tools. You have things like, we can see them here, which have become ultimately brought together in something called a cloud native application protection platform.
Of these, one of the critical ones is this cloud security posture management. And this has led to an ad hoc approach to cloud security with a focus really on DevOps as the primary thing that everybody's interested in. What we actually need is some kind of security fabric, something which ties all of these things together so that you have a common way of managing and understanding what your posture is, managing your posture, managing your security and managing your compliance through all of this.
And you'll notice if you look carefully at this, that you'll see some of the little icons that I've put in these hexagons have changed. That what we now need to consider when we're looking at encryption is what is your plan to be quantum ready? We had a talk earlier in the day saying that it will take 10 years for the deployment of quantum ready techniques if we started today. So that's number one problem.
The next problem is that you're going to have to include in all of this what you're doing with artificial intelligence, so that you're going to have to understand your inventory of the LLMs that you're using, as well as control over the AI development pipeline. And so this set of applications that we've currently got is going to have to extend from being effectively a cloud native application platform version one into a version two.
And really what we need to do is to bring all of these things together so that we have a consistent and single security fabric, which brings together our management of all of these things so that we do it and we can govern the things and show how we meet those business objectives of availability, of compliance. And protection of the data. So that's what we see as the future.
Now, in fact, we've just recently announced, in fact, I think it may be being announced today, an updated leadership compass report on cloud security posture management. So I'm going to quickly go through some of the capabilities in this. And those of you that know our leadership compass reports will know that we measure leadership in these four areas of product, market, innovation, and overall leadership. And for cloud security posture management, we take account of all of these different areas, which we see as being critical to understanding the security posture of your use of the cloud.
And the vendors that we have rated in this include all of the major vendors, the ones that you will recognize like Checkpoint, Cisco, and Microsoft and so forth. As well as some of the new vendors, the ones that are the potential disruptors, the ones that have come in from nowhere from the left side and are likely to alter the position of the existing incumbents.
In fact, one in particular is Wiz, which was founded by a group of people that had left Microsoft. And we put these in a position, and here is an example of the overall leadership that we worked out for that market, which shows the leaders, the challengers, and the followers in our estimation in that market. And we then look at individual vendors in order to be able to help you to see what are the strengths, the particular strengths, and the particular match of that vendor towards your particular needs.
And this is matched with a set of challenges as well as a set of key capabilities that we think are good. And in addition to that, this is a very rich market, so we cover a short sentence to highlight all of the other vendors that we think are in the market, and here are some of the ones that we can see.
So, in order to future-proof your use of cloud security, your business, which is becoming AI-enabled, needs to meet those business challenges of business continuity, of compliance, and security of the data. And it needs to do that in the context of the multi-cloud with very inconsistent controls, and includes an inventory of not only the virtual resources of the cloud, but also of the things to do with the use of AI, and covers the AI threats and risks.
And we need to move away from this cloud acronym soup of multiple little solutions that are supposed to fix individual point issues to having some kind of AI cloud and security fabric, which provides complete and comprehensive access, management and control over the cloud, which includes AI and includes dynamic guardrails, so that you don't need to scan afterwards, but you can be sure that when things are created, they are created and used according to best practices and policy.
So, with that, I'll say thank you very much, and if there are any questions at any time, I'll be very happy to answer them. Okay.
Well, thank you very much. I don't know what you think, but for me, it's amazing how Mike explains and references item by item, describes the solutions, right? It all sounds so easy, but we all know it's not that easy, right?
So, but thank you. Thank you for that, right?
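As an added illustration that is not part of the talk or of any vendor's product: the talk's point that the three clouds expose the same control areas (identity, data, and now the AI inventory) under inconsistent names, and that checks should run as guardrails at creation time rather than in a nightly scan. The inventory records, the provider field names and the approved-model list are all constructed assumptions.

```python
"""Constructed posture check spanning CSPM (identity, data) and AI SPM controls."""
from dataclasses import dataclass

APPROVED_LLMS = {"org-approved-model"}  # hypothetical allow-list (assumption)


@dataclass
class Finding:
    resource: str
    control: str  # identity | data | ai
    detail: str


# Each provider expresses "publicly readable storage" differently; map each
# vendor-specific flag onto one common predicate (field names are assumed).
PUBLIC_FLAGS = {
    "aws": lambda r: r.get("acl") == "public-read",
    "azure": lambda r: r.get("allow_blob_public_access", False),
    "gcp": lambda r: "allUsers" in r.get("members", []),
}


def evaluate(resource: dict) -> list[Finding]:
    """Evaluate one normalized resource record against the common control areas."""
    findings = []
    rid, kind, provider = resource["id"], resource["kind"], resource["provider"]
    if kind == "storage" and PUBLIC_FLAGS[provider](resource):
        findings.append(Finding(rid, "data", "storage is publicly readable"))
    if kind == "identity" and not resource.get("mfa", False):
        findings.append(Finding(rid, "identity", "MFA not enforced"))
    if kind == "ai_service":  # the AI-inventory part of the posture
        if resource.get("model") not in APPROVED_LLMS:
            findings.append(Finding(rid, "ai", f"unapproved model {resource.get('model')}"))
        if resource.get("training_data_classified") is False:
            findings.append(Finding(rid, "ai", "training data not classified"))
    return findings


def guardrail(resource: dict) -> bool:
    """Creation-time gate: admit a resource only if it raises no findings."""
    return not evaluate(resource)


def scan(inventory: list[dict]) -> list[Finding]:
    """Whole-inventory scan, for comparison with the per-resource guardrail."""
    return [f for r in inventory for f in evaluate(r)]


INVENTORY = [  # constructed sample records, not real resources
    {"id": "aws-bucket-1", "kind": "storage", "provider": "aws", "acl": "public-read"},
    {"id": "az-account-1", "kind": "storage", "provider": "azure", "allow_blob_public_access": False},
    {"id": "gcp-bucket-1", "kind": "storage", "provider": "gcp", "members": ["allUsers"]},
    {"id": "admin-user", "kind": "identity", "provider": "aws", "mfa": False},
    {"id": "chatbot-svc", "kind": "ai_service", "provider": "azure", "model": "random-hub-model",
     "training_data_classified": False},
]

if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f.control:8} {f.resource}: {f.detail}")
```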