So I'm going to start off with an example: on April the 27th, 2021, the Portuguese data protection authority gave the Portuguese census survey 12 hours to cease and desist from using an American cloud service provider for their analysis of the census. Now, that is a pretty dramatic thing to happen to you if you are a business. And so could your business weather a storm like that? And this is why my talk is called A Cloud for All Seasons, because basically in the past, many organizations have been dabbling with the cloud.
Their development groups started to use the cloud. The cloud provided a way of delivering certain services that were bought by business leaders without thinking any further. And fortunately for most businesses, that use had a limited business impact if it failed. But what's actually happening is that we're now starting to transform our businesses using the cloud, and working from home and the COVID epidemic have in fact driven this working from home to even more acceleration.
And the problem with this is that as we become more and more dependent upon these cloud services, the greater the impact of failure will be. And that is why what I believe organizations need to be thinking about is how they are going to get a cloud for all seasons, and so to look at what it is that in fact is limiting the enterprise cloud. And to give you an idea, although the cloud has grown enormously, according to many analysts that do quantitative analysis, it seems like less than 10% of enterprise critical workloads have actually been moved to the cloud.
And yet organizations are engaged in digital transformation. They want to get closer to their customers, they want to deliver new services, and they want to smooth their supply chain. And so the chief technical officer and the lines of business are desperately trying to move to the cloud.
But from the security point of view, the CISO says, well, I understand how our systems put our security posture, but I don't understand what this does to the cloud.
And the risk and compliance people are concerned about the impact of how the cloud controls, which are often very obscure, actually map onto the business obligations. And so in effect, the risks of compliance and security are in fact the limiting factors on the uptake of the cloud, and where organizations are just buying the cloud anyway, often they don't realize the risks that they're concerned with.
And so when you look at what the three major concerns are, they are failure to comply, which in many cases can lead you to large monetary fines. They're concerned about data breaches, because as you move your stuff to the cloud, you increase the risk surface. And they're concerned about business continuity, and certainly being told by a data protection authority that you have 12 hours to cease and desist is not good.
And ransomware is also another major concern.
So why is this happening? Well, part of the problem is that there is a shared responsibility between the cloud service provider and the cloud service tenant over who should do what with respect to security and compliance. And so we all, as security professionals, know we have our approach to cyber security, and I've just put a little picture there of the NIST framework.
We know that in order to secure things, the delivery stack of any kind of application is very complicated. It starts off with your data center and runs through the servers, the virtualization layers, the middleware, the application tools, and so on, right up to the data and access. Now, all of that needs to be secured. And the problem is that depending on how the cloud is delivered and how the services are delivered, you have a different set of responsibilities. But what you have to note is that in all cases, it is the tenant that is responsible for access and for the data.
And so that is a key point to hold onto.
Now, when you look at what this means, this shared responsibility raises concerns about governance, because you are trying to deliver a service which meets a set of business needs, and those business needs set the levels of security that the service must deliver. But if you have multiple clouds and multiple delivery methods, then this leads to inconsistent tools and capabilities, where each cloud has its own way of doing things and each cloud provides its own tools.
And not only that, but you probably have some on-premises components that you manage in your own way. And the net outcome of this is that you find that people in this hybrid cloud world that we find ourselves in today have a very inconsistent approach to governance. And so these tools are illustrated in here, where you can see that what we have outside the cloud is almost certainly going to be a set of different tools from inside the cloud.
You then find that, to use cloud services, suddenly you introduce new things like cloud security posture management and SASE, which is the latest invocation of things like cloud security posture management. But in fact, what is needed is a common governance approach, where you can see in a common and consistent way what the security posture of all of your services is, however they are delivered. And this depends upon a proper and consistent way of giving you identity governance and data protection, as well as things like network security and vulnerability management.
So the first problem for an all-weather cloud, an all-seasons cloud, is to have a common governance approach. The next thing is that, in fact, that common governance approach gives you all of these things in one place, with support from AI for automation of many of your things, which is something that is a really important development that we believe is going to make a big difference to how well people can manage things.
One of the big problems with the cloud is this lack of transparency of the cloud service providers' controls.
And the current approach is that CSPs allow some tenants, but not all tenants, to mutually use a trusted third party to look at the controls that they offer. But most organizations have to rely on an assurance kind of approach. And what that means is that for this to work properly, you need to have an understanding of what laws and regulations you are trying to work with, what obligations you need to meet, what the controls that you need should be in order to do that, and what it is that the cloud is providing.
And so in order to give us this transparency, what we need is common frameworks.
We need an understanding of the obligations, the regulations, and the controls in a way that we can map them onto cloud and non-cloud, and so that we can see and measure what the cloud service provider is doing, because at the moment those things are opaque. And service certification, which is often the approach which is taken, is not actually sufficient for many highly regulated organizations, where in fact they have a fiduciary responsibility to make sure that the service is delivered in a compliant manner, particularly in the financial services area, as well as pharmaceuticals.
So transparent cloud controls would give us this way of being able to see, in a common way, based on an agreed framework understood by the regulators, that what we do and what the cloud does is in fact all consistent, and that we have visibility into what the cloud service providers are doing.
Now, there's been an awful lot about zero trust, but I'm going to talk about zero trust data protection. And the example that I gave at the beginning comes from the recent Schrems II judgment, which has led to a set of recommendations by the European Data Protection Board, which basically say that when you are using a service provider in a third country, contractual controls are not in fact sufficient. And that's because government interception is not bound by contracts. Now you might say, well, this is only about Europe, but in fact the same is true if you are in the US, or if you are in other countries and you try to work in China.
So the EU is not alone in building these kinds of regulations. So contractual clauses are not sufficient to protect you against government interception, and what is needed is technical measures.
And again, you might say, well, that only applies to personally identifiable information or personal data.
Well, what about your business critical data? Because governments have been known to try and get hold of this data. And here's an example of this, where indeed there is an indictment lodged in the state of Pennsylvania against the Chinese Republic army, claiming that in the last few years they had in fact been attempting to steal intellectual property. So you cannot rely entirely on contractual things to overcome this.
And one of the key approaches to doing this is in fact confidential computing, and confidential computing is intended to give you protection during processing. We all understand encryption in transit. We all understand encryption in storage, encryption of data at rest. But there are lots of tools that you can find that will take data out of RAM, out of the processing memory of a computer, and steal it.
And so you need to have a way of being able to deal with that. And obviously there is one way, which is encryption.
The other is access governance, but access governance doesn't prevent governments from being able to get in via back channels. And finally, on top of that, you can say there is data governance, but what is actually needed for this is confidential computing, to be able to protect the data while it is being processed. And none of this is in fact new stuff, because the way it can be done is through trusted execution environments like Intel SGX and AMD Infinity Guard.
You can also use pseudonymization, which is the most practical game in town at the moment. Homomorphic encryption is put about, whereby encrypted data can be processed, but the problem there is you probably need to change the code and it will take an awful lot longer.
It is 40 times as long. And another interesting system that is growing up is multiparty computing. And that is another story which I can talk about on another day.
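As an added illustration of the pseudonymization approach mentioned above (example code written for this page, not from the talk or any product it names): direct identifiers are replaced with keyed HMAC tokens before the data is exported, and the key and the re-identification table stay on-premises, so a cloud provider in a third country, or anyone intercepting its data, sees only tokens. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records held on-premises; "name" and "email" are the
# direct identifiers that must not reach a third-country cloud provider.
RECORDS = [
    {"name": "Ana Silva", "email": "ana@example.pt", "age_band": "30-39", "region": "Lisboa"},
    {"name": "Rui Costa", "email": "rui@example.pt", "age_band": "40-49", "region": "Porto"},
    {"name": "Ana Silva", "email": "ana@example.pt", "age_band": "30-39", "region": "Lisboa"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(records, key):
    """Return (rows safe to export, on-premises re-identification table).

    A keyed HMAC is used rather than a plain hash: a plain SHA-256 of an e-mail
    address can be reversed by enumerating candidate addresses, while the HMAC
    cannot be inverted or recomputed without the key, which never leaves the
    tenant. The same subject always gets the same token, so the cloud side can
    still group and join records per subject without learning who they are.
    """
    exported, lookup = [], {}
    for rec in records:
        subject = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        token = hmac.new(key, subject.encode("utf-8"), hashlib.sha256).hexdigest()
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        attrs = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        exported.append({"subject_id": token, **attrs})
    return exported, lookup


def reidentify(row, lookup):
    """Join a processed row back to its identity; only possible on-premises."""
    attrs = {k: v for k, v in row.items() if k != "subject_id"}
    return {**lookup[row["subject_id"]], **attrs}


def leaks_identifiers(exported):
    """Check that no direct identifier field survived in the export."""
    return any(f in row for row in exported for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and kept on-premises
    rows, table = pseudonymize(RECORDS, key)
    print("export free of direct identifiers:", not leaks_identifiers(rows))
    print("rows 0 and 2 share a subject_id:", rows[0]["subject_id"] == rows[2]["subject_id"])
    print("re-identified row 1:", reidentify(rows[1], table))
```

Pseudonymization only covers the identifiers you choose to replace; quasi-identifiers such as region and age band can still single people out in small populations, which is why the talk places it beside, not instead of, confidential computing.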
So what this really comes down to is that what we need, to avoid the kind of disruption that I started off with in the example that I gave, is a cloud for all seasons. That means there is a consistent way of governing hybrid IT, the cloud and the non-cloud and all the different clouds. That depends upon transparency of controls, which in turn means clear frameworks that are agreed not only by the tenants but by the regulators, and are exposed by the cloud service providers. And there should be much more AI support for the tenant, to stop them from making the silly mistakes which everybody repeatedly does, and to help them to navigate the more complex regulations to make sure they're doing the right thing.
And finally, you need to have zero trust data protection, which in effect means that if you are going to export your data, then you should never trust your service provider. So with that, I'll say thank you very much, and I've got a couple of minutes for questions. So over to you, Annie.