Well hello and welcome to another K call webinar. My name is Alexei Balaganski, I'm the lead Analyst here at K Call. Our topic for today is achieving security and compliance across hybrid multi-cloud environments. And our guest speaker today is Dr. Nara Nna, who is the CTO for cloud security at IBM Corporation. Before we begin, just a couple of words about our housekeeping rules. You do not have to worry about the audio. Everyone is muted centrally so we don't have to think about that before we begin. We will run, well actually just one poll and of course every time you can use the QNA tool in the webinar application to submit your questions. We will discuss them in the end of the webinar during the q and a session. We are recording this and the video will be shared with all registered attendees probably tomorrow along with all the slides and other downloads.
So our agenda is traditionally split into three parts or I will start with the general kind of high level Analyst overview on the challenges and problems and their potential solutions. And then I will hand over to for his more practical hands-on review on cloud security and compliance challenges. And he will actually talk about a specific product to solve it. But before that we will actually run a, a really quick poll. I just have one question for you. As you know, does some market research and we use this opportunity to reach to our at attendees and customers just to ask you one question about some aspect of cloud security. We'll have a minute or two to think about your question to about your answers to this question.
Can we have the poll shown please? And in the meantime, let's just use a little bit on the very subject of hybrid multi-cloud. Yes, everyone knows cloud in the future there is no going back to the pre-cloud times simply because cloud is to digital transformation, what banking perhaps was to the industrial revolution hundreds of years ago. But we have quickly found out that one cloud just isn't enough. There is always something new, something fancy or available at somewhere else and most companies now have this quote unquote multi-cloud strategy thinking about combining services from different sources. You have to think however that multi-cloud normally just means two plus cloud providers. You have to include inter-cloud partnerships or sovereign clouds, edge solutions, five G networks and other technologies. All of those technologies stacks and capabilities actually fall under the same multi-cloud strategy. And even the word hybrid no longer means just leaving some of your infrastructure on-prem because now you have edge computing, you have private clouds, you have like cloud islands which could be deployed on an occasionally connected remote location and so on. So hybrid multi-cloud is actually somewhat a misnomer and it doesn't actually represent an exception. It's basically our norm for today and absolutely for our future. Alright, how did it go with the poll? Can we see the answers? Well I believe that, well first of all, thank you very much for your submissions. You will use this results in our future research publications covering the cloud security market. And in the meantime we'll just move on to the topic.
So yes, we are living in a ultimately insecure world. There are so many challenges and issues, we have no perimeters anymore. We have constant bombardment of our infrastructures by malware, ransomware and other threats. We have industry espionage, we have political per, we have all real wars happening in around the world and all of those are real life issues actually bring very specific and tangible technology related risks as well. As I just mentioned, multi-cloud is the new norm. We have to live with that. We also have to live with mobile workforce with people working from home most of the time increasingly mobile increasingly exposed to all threats and no longer hiding under your corporate central protection you have increasing adoption of software as a service and online collaboration services where you have even less visibility and control of what's going on behind the curtain. We have the growing increasingly harsh privacy and compliance regulations are just sooner or later you realize that a hundred percent cloud is simply impossible because well there are all the things you have to protect especially strongly if you will. And finally, last but not least, you have another era coming, the era of generative ai. Yeah, we probably would not think about it as a part of your multi-cloud strategy, but remember all those AI like shared GPT, they are running in the cloud and it is someone else's cloud, not yours. So you have to think about all those risks of your sensitive data being pushed into a quote unquote someone else's artificial intelligence.
No, these are actually, I would say three biggest business risks. The the things that really keep every business' management awake, awake at night. They aren't necessarily technology centric but they are very, very important because each of those can have absolute absolutely catastrophical consequences on your business. It's obviously the business continuity risk. Remember the recent outage at the MGM resource at LA Las Vegas where the entire blocks of building in casinos and hotels were completely in operational for almost two days. Think about data breaches or it's not just sensitive data lost at massive scale, it's also huge reputational risk. Think of the companies which lose billions of sensitive data records and they are obviously hit by massive fines for that because compliance violation is also a growing concern in the error GDPR and other similar regulations. But how do those risks actually translate into cloud related issues?
Well, as they say, well like they could have said with new capabilities comes new responsibility. Now that you are increasingly living in the cloud world, you have to deal with dynamic workloads. You have to deal with are completely different and proprietary or identity and access management frameworks with provisioning and access regulations. You have to maintain visibility across ephemeral short-lived infrastructure like containers and even serverless workloads. And those are operating at massive scale. You're no longer dealing with dozens of servers but with thousands or even well hundreds of thousands in in extreme cases. So we have to somehow deal with all those new or modern approaches like provisioning at scale with infrastructure as code for example. So you then you have a massive explosion in complexity and growing loss of visibility and governance across your hybrid multi-cloud environments. Why? And like what are the things which we want to highlight today?
First of all, you just have too many silos and it's not just about data silos, but application services identities or infrastructure specific API stacks for example. They are increasingly numerous. They are increasingly heterogeneous and they are well increasingly out of your control. You have this continuous pressure of privacy regulations that directly affect data security. Yes, you have to encrypt your data, you have to tokenize your data, you have to ensure that nothing is leaked or addressed in transited, ideally in use as well. And you have just too many security tools to juggle to ensure all those regulations. And as we know, complexity is the enemy of security. So reducing that complexity is probably your primary, well your your top priority if you want to address this whole issue. But there is one other thing which peop people tend to talk much less, and this is extremely important in my opinion, lack of cross team collaboration.
We simply have this fact that you no longer just have security people responsible for this. You have developers, you have data scientists, you have well dedicated compliance and risk management teams. Perhaps you have business line workers directly operating with cloud services and some call is this shadow it. Some call is no code development, but you still have to deal with those issues as well. And all those teams, they, they talk different languages basically and they have different goals, problems and processes and even if they want to collaborate, they just do not have enough tools for that. And of course when you are thinking about security and compliance, you have to forget the language of technology. You have to learn to speak the language of business. You have to operate not with the notion of like how many security incidents we had this week or how many of those were successfully defeated.
You have to think about risks and financial impacts and legislation and well for all those things. You do not have to reinvent the wheel. You have to be aware of frameworks and best practices existing in your industry and across other industries. And all of this should be an enabler for your risk management and compliance, not a chore if you will. And all of these capabilities have to be somehow integrated into those tools we are discussing today. Now, I don't know if you are, you have ever heard this story about this one pike and the crayfish, but at least I hope you get the metaphor. Basically, if you have different teams or pulling the cart into different directions, even if with their best intentions and their best efforts, the cart just never moves. You have to ensure that they all are pulling in the same direction, that they all understand the strategic effort and that they synchronize the activities across different teams and organizational units.
Just a nice picture for you to consider. So how do we do that? How do we achieve those or our goals? Well, the market has so many different answers. We just, we are facing a completely crazy alphabet soup of all those technology acronyms. We have CSPM, the cloud security posture management solutions. We have cloud workload protection platforms, we have cloud infrastructure entitlement management. We had finally the cloud native application protection platforms. So whatever, what do those even mean? How do we explain to our non-technical colleagues and management why we need all those tools? Do those tools even, even work is exactly what we want to focus on today instead of our being able to tell to your boss, yeah, we have so many successfully defended cyber attacks last week. You should be able to an to or answer more business relevant questions. For example, what is actually is the risk of a successful attack next week?
How consistent is our security coverage across all of our multi-cloud inventory and systems? How strongly are we performing compared to industry peers who is responsible for all this decision making? How do we know that those decisions align with industry best practices? Those answer your questions. Can AC NP solution answer those? I guess it depends a lot on details. I can tell you that co code does a lot of research on various cloud security aspects and we are currently working on a leadership compass, a multi-vendor comparison report on cloud native application protection platforms. And we have identified this specific key capabilities we believe every CNA platform has to implement. I do not read all of them aloud, but you have to understand that basically such a platform has, has to know a lot as to integrate with a lot of third party technology stacks, APIs, accounts, services, you name them.
It has to be able to somehow normalize all those different fighting across different platforms and environments and make sense again across all of those in a, in a form that different stakeholders can understand and read easily. So it's not just about technical issues, it's not just about compliance or risk. It has to do all of this and somehow being able to integrate all those capabilities and make them speak the same language for all involved or stakeholders. Do we have those capabilities now? Well that's what we're going to find out hopefully in the second part of our presentation. But before we continue to that, I would like to give you a few takeaways if you will. If there is only one takeaway you will leave with after this webinar, I would like it to be this one. Say no to the alphabet soup, stop listening to marketing trying to sell you another acronym.
You have to understand that you are looking for specific capabilities and not all those capabilities are technical. Look for an open and flexible platform, which again speaks all those business languages which is somehow aligned or based on an industry standard framework and it it can evolve with your needs and your industry's needs. And also you should treat compliance not as a chore but as enabler because compliance is a direct measure of your business, resilience, security and efficiency, but only if it's automated and orchestrated in real time. Stop doing compliance on a yearly basis. Do it on a at the least hourly basis and then it'll become your best help not just in security but in risk management and even business efficiency. And with let, I guess we can directly proceed to the second part of our presentation. So Dr. Naraj Nna Raj the stage yours.
Good morning, good afternoon, good evening everyone. Thanks for joining this call with Alexei EMI, I'm Nara Algorithm, I'm IBM fellow and CTO for cloud security here at IBM and day in day out I work with numerous clients, customers, enterprises around the world, related industries across financial services, healthcare, government, manufacturing and so on so forth. So to the point that Alexi was making earlier in terms of kind of the approach you need to take in terms of security and compliance in this hybrid environment, I would like to share our IBM point of view in terms of how you should approach it in terms of a solution approach as well as back it up with a technology solution that we have that can help you achieve those imperatives. Fundamentally. To Alex's point, we are in the hybrid world, hybrid multi-cloud and in that context you think of security and compliance, achieving that in a consistent way, in a continuous way that you can stay at it every time is an important part of the equation. When you look at the landscape across across the globe, there are a few things that stand out.
Ultimately your the outcomes are based on the risk that you need to mitigate and the compliance, the regulatory requirements and others that you need to meet. And it's not simple with Alexy talked about acronyms of acronym, soup of technologies. If you think about the acronym soup of all the regulations out there, be it industry wise or geo geography wise, et cetera, there is, it looks complex, right? And it is complex to some extent. At the same time from a risk perspective it's an ever, especially cyber risk and cybersecurity. Every day we see reports about data breaches or ransomware attacks and so on so forth. So let's step back and look at it overall, right? From a regulatory horizon perspective or increasing focus on operational resiliency, data security, privacy, configuration management and such and across. And then how do you protect yourself from a risk? One of the key points that Alexi was making there is complaints is not a chore.
It used to be, I'll admit I've been in this industry from a security perspective over the last 25 years. It used to be a checklist, right? Hey, it's compliance, somebody's doing a spreadsheet, let them handle it. But I would say over the last five years or so, regulatory compliance, it's a reflection of the risk to the industry, to the consumer, to the particular geography and so on and so forth that caught codified. So increasingly the compliance requirements and controlled requirements even within an enterprise are a reflection of both risk and the compliance, right? So if we take, take for example, the breaches that happen are IBM exports report outlines that per breach, you're looking at $4.5 million US dollars. That's an average cost of a data breach. If that data security is top of mind for our enterprise customers, not only from a hybrid cloud perspective as they as cloud adoption comes for not just any public internal applications, but for mission critical applications.
As cloud gets adopted, cloud becomes critical infrastructure, right? So along with critical infrastructure, you need the level of safety and security that go with that. From that perspective, data security top of mind, both from hybrid cloud perspective and no, no webinars or conferences or discussions with clients is complete these days without the discussion of ai, artificial intelligence, generative ai, and how such technologies can be used to enable your business, get deeper insights and automate your workforce and all of that fantastic innovation and opportunities layer there. Data is at the core of it to get those insights for AI to to be applied and protecting the data, ensuring user privacy, security, all of that. So taking a data centric approach become important as you look at holistically in terms of mitigating risk from attacks or insider threats and so on so forth. At the same time those things get man manifested itself in terms of regulatory requirements. For instance, if you think of even just one example of a systemically important financial institution that was fined around $400 million.
When you look into the detail and when we talk to customers in the regulatory landscape, these are called matter requiring attention and so on so forth. When they do audit, when they look at the detail, it comes down to even technical controls, be it configuration management, patch management, vulnerability management, security monitoring. Do you have it right? All it takes is few seconds, few minutes of opening an object stored bucket containing sensitive data to the internet with appropriate or less access requirements, right? That's all it takes for someone to kind of come and get your data or for your virtual machine or container is to be open for a few minutes to the public port. There you go. All that takes for a hacker out there watching for these open ports to get there and compromise configuration management. If you think of those controls and protecting the vulnerabilities and vulnerability management, those could be thought of as compliant, but those are reflection of things that you need to take into account to mitigate the risk and meet those regulatory requirements.
Now if when we look at that landscape, it, it, it, it, when it, when teams don't work together, when you don't have a consistent practices in place or even when you do, it takes a long time to detect, respond to threats. For example, one of the large customers we, we have been working with, they've been innovating, it's a financial institution. They've been working with different fintechs, like 50 fintechs over the last five years and they've been trying to onboard them to innovate at speed. Guess how many of them have moved to cloud or been adopted? Zero because those fintechs have not passed the muster of the requirements of the bank. What do you do if the security teams and IT and application teams do their own things in pillars to XI metaphor, like pull in different directions and now if you mix the CTOs, the data teams into the mix in the context of ai, they all need to work together.
We need a collaborative approach to security and integrated approach to security so that as the IT and app teams look to focus on business innovation with technology and move forward from a security perspective, CISOs and compliance officers look to focus on safety, security and compliance and key to being into continuously comply with their requirements and integrated is required. No longer can the CISO team, the security team can say, Hey, these are my policies, protect data and throw it over the wall for IT and application team to say go figure out how do, what do they mean? How do I implement it? Do they really mean encryption? Do they mean key management? What do I do with logging? What is my time to prioritize my vulnerabilities and react and respond until they become prescriptive that a developer, an application developer, an architect can understand? They they can't with the security skills and gap out there cannot expect everybody to understand the level of detail.
So more prescriptive the policies are, they can then be codified. So defining a prescriptive control set of controls that reflect risk and compliance is first and foremost that they agree on once you define it, ability to implement that, implement them consistently across a control set, be it network controls, identity and access, data protection, monitoring endpoint and application security and so on and so forth. Implement them and more importantly with the speed, automate them at scale. How can you provide blueprints and deployment architectures to your development team that they can consistently do security, right? In a easy button. Once you implement, then how do you assess them? You need to continuously assess. It's no longer, hey, after six months I'll come and do and look at your audit posture and you're good enough. No, not really. You need to keep at it. How are you doing every day, every week, even every minute, right?
In terms of your security posture, compliance posture, how's your workload protection methodology and approach so that you protect against the threats? How? How do we bring them together so that you can detect and respond and remediate to these things? So define implement as is mainly look at that as a holistic approach that the teams need to work through. Now it becomes even more complex if you think of it, to consistently do that across hybrid multi-cloud environments. It could be on-premise, could be running on power systems X 86 IZ mainframe systems, right? Or IBM Cloud, Amazon, Azure, Google, it could be on a multi-cloud and even SaaS properties. When you look at that holistically approaching this and having an integrated solution that brings the team to collaborate and ability to define, implement and assess those controls in a continuous manner is foundation to addressing the challenge and achieving this at speed.
This is where from an IBM perspective, we have introduced and we have a set of capabilities under IBM cloud Security and Compliance Center. This is for hybrid multi-cloud environments. Think of it as like a SaaS, right? As you have workloads in IBM cloud or on premise or maybe just on Azure, on Amazon and you want to manage security and compliance posture across this environment, you can have a single pane of glass that your CISOs can define their policies and an enterprise level, for example, with one of the large customers that we work with, a large European bank, they define these policies at an enterprise level, then their IT and application teams implement them and automate them and their CISO and compliance team are able to continuously assess them using this platform. And so the solution in action in a minute, but it comprises of not only compliance in this posture, like just not just visibility provides protection, it enables IT teams to automate and integrate their control implementation tools so that they meet the business objectives can do threat protection from a cloud container perspective and more and more in that context, right? As well as data security and data protection because everything takes a data centric approach. So when we look at the holistically, this is where the solution approach that you need to take and solution like IBM Security and compliance center plays a key role. Let me quickly show this in action through a quick demo.
So like I said, ability to define, implement and assist a platform that enables the teams to work together in that context where IBM security and complaints center can help and this can do from a hybrid cloud perspective. When you look at Red Hat OpenShift as an implementation across, it can also do that. Let's look at define, right? The first phase, typically a security and compliance officer or a security team member will come and define it. So they go to IBM security compliance, AC in short console. We have a large set of profiles and policies that are baked in. It ranges from industry standards like NIST 853 that can be done across hybrid MarTech cloud or CIS benchmark, which are like cloud internet standards that that speak to the best practices that you need to implement in IBM Cloud, Azure, AWSA Kubernetes environment that you may be deploying across a hybrid multi-cloud environment.
You want to bring them together in a consistent way. So predefined set of profiles across, many of these are available over the box across our ACC and workload protection product set our industry standards like P-C-I-D-S-S and and so on. Another thing that we did is not really the standard standards defined at a particular level, which are, which are good, but we have been working with large set of customers, financial service clients because when it comes to financial industry, the risk appetite from their perspective is high. Meaning they, they can, they want to mitigate risk, they want to, they're conservative from a risk perspective. They, they have not put all the sensitive data and the critical data to the cloud yet. So we work a hundred plus clients or part of our council, we work with large banks who have adopted our cloud in this technology like BNP, Paraba, Keisha Bank and many others.
Not only about hey protect the data, but how do you do that in a consistent way? So I'll take an example in that context of an industry cloud and the industry defined co-defined control set. So it's called IBM code framework for financial services and it's based on missed standard 853 standard. So if you look at one of the controls AC 28, like secure communication, that particular control says information system need to be protected for confidentiality and integrity. Even the guidance it gives is good but at high level, but the detail, imagine you have sensitive data like payroll information, your credit card information in an object store or customer information that you put in your database systems. How do you making sure they encrypt it, they manage the keys that they have full control of the keys is an important part of it. So you can actually define and codify, hey, your object store need to be encrypted and managed by the, and the keys managed by the customer.
Your databases need to be encrypted, your VMs and block storage need to be encrypted and so on and so forth. This is just an example, right? Similarly you can imagine controls like network port should not be open, it should only be on private endpoint. You should have multifactor authentication enabled for identity and access, you should have logging enabled. So all those controls are pre codified and defined within the set all the way to the ability that you can actually readily take them and apply across this control set. And an example of that implementation is data security, right? When you look at not just bring your own key, there are customers from a financial services perspective, they want to ensure that you have complete control of the keys, like keep your own key. That's what we have what we call where you have a complete technical assurance from the chip, from a hardware security module to key management et cetera, that you, you can prove to your regulators that you can be confident that even the cloud operator cannot access your data, right?
That level of capability when you look at it along with the ability to take prioritize, your vulnerability management, getting your posture across all of that are codified. So when we say define the enterprise team can select all of these policies and profile and tell their teams to say, for these set of workloads and data, this is what you need to do. And hand it over to the CIO team, the application team, a line of business and say, now you go implement. Then what happens if you're an architect on this call, a picture like this will be familiar because as an architect, I've been an architect, a developer in my career, we will do like our deference architecture diagrams and look at it and say hey, we need to put workloads. And there are requirements in regulated industries like hey, you need to segment value on your control plane, your management consoles and application that should be separate from your data plane or the workloads that actually serve your users and customers, right? Segmenting them, encrypting and key management. All this needs to be logged and hooked up to your central logging management system, security operation center. When you look at various of these services that need to be used in a cloud environment and hooked up your enterprise that you need to have a direct link and a secure connectivity.
Imagine an architect taking this and then spending days and hours trying to understand the security controls and implemented this. What happened when we worked with fintechs for example, initially it took them eight weeks to understand the controls and then figure out how to go implemented in each of these. But when you look at repetitive patterns of architectures, it could be virtualized workloads, it could be containers, Kubernetes applications that could be deployed or VMware applications, prescriptive deployable architectures with codified security is kind of a nirvana for them, right? All you need to do is take such a reference architecture, not just an architecture that's in picture but codified automated terraform based automation capability, right? Set of terraform providers for example that has security built in. That picture that you saw is now codified that you can deploy at location of choice whether your patterns and outta the box you can have security and compliance.
So from the eight weeks I talked about, it's now done in one or two days. The click doesn't take two days, but the point is you need to kind of customize it and understand the parameters and which location to deploy, et cetera. Once you have that policies codified as parameters, then it's automated and hooked into your DevOps and DevSecOps. Pipeline implementation is just not about automation as we all know. There are controls. I talked about data security as an example. We even introduced a product recently called Data Security broker where sensitive data like PII email address, credit card, information address, right? So our account or social security numbers or health information, if you want to encrypt those fields instead of doing it an application level, wouldn't it be great that you can actually do with no code change? We can actually do that with data security broker.
Similarly, when it comes to vulnerability management, how do you prioritize them? How do you protect workloads and containers? So these kind of implementation or are kind of pulled together in integrated fashion, so somebody defined it, right? Security teams, now it's implemented by the IT teams. No, you need to continuously access, think of it as day zero, day one, day two, day two. Operations need to continuously access your posture. The security teams need to do it, application need to be in in the mix to continuously have that. So as part of our security compliance center, you have the ability to look at, hey, what's my posture out of all my controls that I need to manage across my workloads? How am I doing? For example, this is like N 853 control set cetera, hybrid deployment. I can actually get a consistent view of N 853, be it an IBM cloud, Amazon Azure, Google, et cetera, integrated in to a single pane of glass.
This way you don't have specific tools for each cloud or on-prem, you actually get an integrated view from a security posture perspective. That's an example of the capability right now. In addition to that, the other part of it is when it comes to workload protection, vulnerability management and things like that, you will need to have a unified view of your vulnerabilities. Not just say that will be thousands of vulnerabilities, but what is priority? What are critical ones that need to fix that are riskier business because it's a vulnerability on which your critical applications is being hosted or a critical fix that has been identified in the industry can actually prioritize them, get a prioritized view across this environment so that you can focus on what to fix and have remediation kick off as part of your dev and DevSecOps process that can be automated and your development and application teams come together and as part of the, due to the acronym soup of technologies that Alexei mentioned, instead of thinking about these as which technology and a vendor to go through, you are trying to get insights about what's going on.
You are trying to look at a comprehensive view, vulnerabilities that you want to manage. You want to know about your posture, a security and complaints posture across hybrid multi-cloud environment, an ability to define your policies in a single consistent way so that you can have them codified. So from a business perspective to mitigate risk and achieve continuous compliance, this is where a single integrated platform, a single pane of glass, when I say glass is just not an ui, it's APIs and automation built in that brings them together is a key part of what we offer as security and compliance center. And in that context, just to quickly summarize, we'll share the slides as Alexei said, but this technology platform and the solution called I Cloud Security and Compliance Center, able to address the ability to define industry policy frameworks. You can implement automation that I showed workload protection, be container workload protection, VM workload protection, ability to vulnerability management and scanning data protection from an encryption key management and field level encryption and tokenization as well as assess across your risk posture, ability to manage your cloud entitlements and identity and access in that context so that you, you don't want over permissive permissions given to users because that's also a risk because if a credential will get compromised then it may come back and bite you, right?
And detecting threats not only posture, that may be malicious behavior happening in your container environment that you need to respond to and maybe quarantine them to take action so that you can actually remediate and response and doing that consistently across hybrid multi-cloud is the challenge in front of you and the solution that we are able to offer. With that, happy for any of you to reach us as well to the IBM team to help, but we'll get back to the webinar for Alexi and I to take on your questions and share our thoughts. Thank you.
Wow, thank you very much Raj. That was really interesting and insightful and yes, we are definitely going to jump directly into the q and a session. Just a quick reminder, please submit your questions through the webinar panel on the right under q and a. You can just type in your questions and we already have the first one and that's a really nice one because if nobody would have asked about it, I would have asked myself. As I mentioned, we are currently working on our leadership compass on cloud native application protection platforms. So watch our website to be published sometime later. So yeah, how does IBM actually position itself? How does it compete in this market? Do you consider your solution like a, a quote unquote pure play synapse solution or does it go into a slightly different direction?
Great question. So for enterprises who are embarking into this, consider security and compliance or compliance center as a turnkey solution that you can use to get your posture, protect your workloads, protect your data so that you can bring all that together. On the other hand, we do know large enterprises have already invested in like vulnerability management tools and other tools that they may have, but still we know and working with them, you know, they're struggling with getting an integrated view that they can be ready for audit from a compliance perspective, the ability to continuously monitor. So this is where an open and flexible platform that we provide addresses these use cases. So think about the entry points, the key problems that you're trying to solve and that will enable the use case to be addressed by our security and compliance center.
Right. So as you just rightfully mentioned, such a person has to be open. So how does it work for, for your solution? Because it's also what, what I mentioned in my part and I firmly believe that even the greatest and the largest software vendor cannot do everything, at least not quickly enough for all the customers to behave. So how do you address those kinds of requests when you just or don't have it yet?
Yeah, no that's a great question. So we approach open from multiple dimensions. Firstly from an IBM perspective overall from a hybrid cloud and ai, we are fundamentally a, our approach and strategy is about openness, right? Be it red Hat OpenShift with built on open source or Kubernetes strategy built on that. It reflects our openness as an example and the kind of platforms that we provide in IBM cloud across nitrogen set of X 86 to power and Z and so on that that's there. But if on the security and compliance specifically think about it, a couple of levels, the standards that we support, be it from an identity perspective or APIs that we open up for others to integrate, these are all open APIs, there's no proprietary thing about it and we work with the industry to evolve them like ability to do NIST scale standard has been evolving. We have spearheaded that along with our research and supported in our products. Then we have API and open integration with vendors for example with cavi. There are various vendors that are also partnering with us to send their data in. That has been part of our set of capabilities. So we will continue to expand that because ecosystem is fundamental part of our IBM strategy as well as successes for AEC. So we provide few integrations outta the box and we provide APIs for others to integrate readily and easily.
Okay. Okay, great. While we are waiting for the next question from our audience, I think I'll kind of continue or first of all I'll continue shamelessly advertising our upcoming events. So if you are just listening, maybe have a look at our screens now 'cause there are some additional information. Information. So one thing I believe or you have not actually mentioned in the webinar, but I, I know since I, I'm actually writing a review of the solution now, the strong focus on industry specific compliance frameworks, can you maybe go into that area a little bit more because this is one of, again, one of those key differentiators I have tried to highlight in my part that it it it, it should not be just a technology solution. It has to be speaking the the language of business.
Great question Alexei and thanks for taking the top. As an industry, we worked through best practices and standards like CAS benchmark and so on. But when we embarked on working with mission critical workloads helping regulated industry address and move workloads to cloud, they were not moving clouds and data to cloud. They were not confident. So when we worked with Bank of America, BNP, Paraba, Kaisha Bank, many others across the world, what dawned on us is the, the reflection of the risk. It need to be codified in the set of controls. There's no set standardized set of controls in the industry like new state network three is good set, but the ability to talk about what are the control implementation like the level of depth for encryption and key management level of continuous monitoring that need to be implemented and so on so forth was not existing.
So we created a set of control framework for the industry we started, we have started that and we have a framework for financial services but I want to be very careful here and when we say financial services, while that is the first industry and work with regulators, those controls are applicable to any and every industry. Any and every regulated industry that are risk covers and have regulatory requirements can use it and we see them using it like healthcare and manufacturing and telco. So what we have done IBM has foray into and defined the first industry cloud three, four years back. It's not just about having set of fintechs running on the cloud, anybody can do that. We do that as well. But implementing security and compliance built in because for example, one of the large banks in North America told us they've been investing $3 million in one of the other public clouds and still they have not finished their security work. So they've been bolting on security and spending a lot on it. What we have done in IBM and IBM cloud is to infuse that security and controls built in and then make it easy for the customers to protect their data and their workloads on IBM cloud using technologies like scc. So that's the approach we have take to address industry pain point, especially regulated industries to address their risk and compliance needs through an integrated solution.
Okay. Okay, great. We do have questions coming. The next one is hopefully easy for you to answer. So how does your solution compare to Microsoft Defender Cloud?
Greg, great question. So when you look at Microsoft Defender and some of how they've been addressing the capabilities in addition to what they do with endpoint vulnerability management and so on so forth and posture that we also do some of capabilities that we have enabled in addition to being A-C-S-P-M or a endpoint protection capability. Couple of things stand out. Number one, we are hybrid multi-cloud. So it can be on premise, it can be on Azure, it can be an Amazon, it can be an IBM cloud. We, our solution works across them. Number two, building on our hybrid cloud strategy on Kubernetes and OpenShift. When you have these deployed on any cloud, the ability, the depth of posture and workload protection and threat protection and management that we can provide is unparalleled in that context. And third, we have taken a data centric approach, the data security and privacy capabilities like keep your own key.
We are the one only industry provider to provide such a single tenant key management system built on FIPs one 40 dash two, level four HSM combined with unique capabilities like data security broker where you can do privacy PII protection with no code change that's integrated into our platform that you can use. And fourth, to reduce the complexity for the developers so that they don't need to be security experts. We have blueprints of deployable architectures with security built in. So when you look at these set of capabilities, this provide an ability to differentiate. So think about your entry points, the use cases, the workloads and data that we're trying to protect. That way the use cases can be addressed with AC and that's where you can take a competitive view compared to other vendors there.
Okay. Okay. Makes total sense. And by the way, one of the points you mentioned that you are hybrid, multi-cloud compatible, whatever it's, it's and it's possible to deploy. So, and the next question we actually have ask specifically about that. So like why, like how, maybe maybe let's rephrase it like how exactly or is it how, how exactly can you or improve this whole experience of deploying it across a hybrid multi-cloud environment? How does it work?
So the way we have done that from an integration platform perspective is looking at customer requirements, the capabilities that they're looking for towards security complaints. For example, when you look at your configuration posture so that your bucket is not open to the internet and encrypted and your logging is enabled, et cetera, across the segment multicloud environment, we have integrated with cloud native APIs in those environments so that we can actually check them right across them. Then when it comes to deeper integration like container workload protection, we have the ability to do that like containers and VMs that it can be deployed within agent model, that it can actually get malicious behavior, the configuration, the runtime policies that can be detected and responded and implemented in each and every one of them that you can localize it while the results and policies can be centralized, right?
So bringing that together across these areas are important. And another example I would use similarly is when we, as part of our key management technology, we have the ability to manage your keys across hybrid multicloud unified key orchestrator is able to manage keys, be on Azure or Amazon and and so on so forth. A good example is a bank in Germany only had Office 365 but hundreds of branches, thousands of keywords and they need to consistently manage and they want to prove to the regulators for scrims two and other requirements that they have complete control of the key. So the user technology to manage keys that protect the data in even other cloud. So we have taken an approach to solve the problem and the technical solution that supports it behind the scenes.
Okay, okay. Right. And again, we have new questions coming in and I really like this one or how could your solution address and protect AI enabled workloads? Everyone is talking about ai, so let's protect AI as well. How would you do that?
Great question and we are passionate about it as well. So let me put it data, when you think of hybrid cloud and AI data is the glue therefore taking a data-centric approach to data privacy, the data that for example, that may, you may use to train your models or data that you are doing to do inferencing, they are stored in your repositories, your databases or move to object stores. Those are patterns that we are seeing. Therefore, many of the controls, all the controls that are relevant here that I talked about across it are applicable right there. Then at the same time things like data residency and privacy also leads into ai. For you, for an enterprise to apply ai, they are, they're trying to make sure the data stays local, that that is used by the AI in a particular region or a particular data center or a country you can enforce those residency rules, your privacy rules.
So data sovereignty enables that as part of an AI discussion. Then there are additional enhancements that they can do when they apply model, like when they use Watson XIBM, Watson X capabilities, then they can govern their data and saying, hey, for sensitive data, what's the data lineage? Where does the data come from? Right? There are AI ethics and transparency requirements that can be done on top from AI perspective, but a for, from a pure deployment of data AI workloads in a hybrid cloud infrastructure. All these controls that they talked about are definitely relevant that we have been working, we are working with customers to enable that and applying that to the models and the data on top are the new next steps that you all can take on top of this that we will continue to enhance as we move forward.
Okay. Okay, great. And by the way, data security is also like a major topic for keeping a call to cover as well. I've done quite a lot of writing on that in a non kind of IBM is also doing a lot in this area with other tools like Cardium for example. Like do you have any kind of like holistic approach with your, like do you work with those teams? Do you collaborate on this?
Absolutely, absolutely We do. We do every day working with clients. So clients who deploy, for example, guardian to do data activity monitoring, for example, when they do on-premise BT to DB two or Postgres and use that in on-prem or cloud. They use a data activity monitoring tool while they will use our encryption and key management tools to protect. So if you think of protect, they can use some of our, the tools that I talked about as part of security compliance center as well as when it comes to detect and respond, they can, they use guardian tools in that context. So absolutely and similarly, various of our logs that you deploy as part of a holistic environment, you can feed that into QRadar as your security and threat management platform. So we do that for customers. We work together. Absolutely, yes.
Okay, great. Next question I think kind of again goes back to this story about the financial industry. Like the question is how does, or like how do security and compliance requirements commonly translate across industries? I think you've touched upon it a little bit, so can you maybe talk a little bit more like how do you go from a financial industry to a similar highly regulated one?
Yeah, that's a, that's a good question. So let me start with the financial service example. So even there every, every bank has their own control frameworks. So what we have done is ability, we can map their controls into the control set that we have and typically with many banks that we have done, it's around 95, 90 7% success rate in the mapping. Then you can only figure out what are the missing ones or different ones that you need to address. Then we have done that. Now mapping to industry standard frameworks like cloud security, A and CCM matrix, we have done that with CRI, cloud Risk Institute as an example and so on so forth and map that to regulatory requirements. This is based on missed 853 control set, which is industry standard. Then as we look at and work with clients, we have seen clients in healthcare for example, take their control that many enterprises are made in the state 53. So they can readily map those, their security and complaints policies as control into the control set that we support because we also provide out of the box be PCI and NIST and ci, ci ci IS and so on. So some are industry standard frameworks and standards that we support, which are all outta the box. Then industry specific ones that we support and then customers that can do their own mapping and we can help them in their journey as part of the enterprise like control, mapping support.
And by the way, like even those standards, they aren't actually, or best ing are not set in stone. They evolve all the time. Right. So like would you help your customers to kind of adopt those or changes automatically or either something that they have to do themselves? How does it
Work? No, we, we help them do that. For example, on one end of the spectrum like NIST and PCI, et cetera. As those standards evolve and versions come out, we incorporate them into the profiles and policies that we bake into the product. That's 1 1, 1 side of the equation. The other side is when you look at industry regulations that are ever changing in different geos, we have the best of mind in terms of complaints and regulations with Promontory, which is an IBM team with ex regulators, they continuously watch all these regulations. Then they map to saying what changed, what regulatory obligations have changed and how does it translate to control requirements? And then we have the ability to map that and, and evolve these controls as part of what our strategy as well. So yes, specific controls and versions we'll provide over the box, we'll continue to watch for regulatory updates and keep at it and work with clients on such engagements to help them in their journey as well.
Okay, okay, great.
And fundamentally part of it you can use security and compliance center as that solution platform to achieve those same goals.
Okay. We have one minute left and one question left, which I'm afraid would probably take like another hour to answer properly, but maybe we can just kind of try to shorten it. What like top one industry best practice you would recommend to our listeners to consider to achieve continuous security and compliance
From a best practice perspective? Things like CIS benchmarks, right? I mean even start with that because rudimentary, many of the attacks are not because of sophisticated maneuvering or navigation material environment. They're as simple as your ports are open to the internet, you don't have your data encrypted, you are not watching and logging and monitoring, right? Simple what what we all security experts think as simple steps that one need to do. You need to implo deploy them, continuously monitoring them. So start from those industry standard best practices. If you don't have them, start with at least cis benchmarks to implement them consistently in a hybrid multi-cloud environment and take a, a consistent approach and an integrated platform that you get visibility across so that you don't need a swivel chair to go across a multiple tool set. So two-pronged approach, best practice controls, start with at least basic minimum with like CS benchmarks that you can implement. Number two, have one integrated platform across your multiple set as opposed to a hundred different tools.
Right? So if I made to kind of reformulate it slightly, it's better to start small today than to spend a year on developing the greatest strategy ever, but then being too late to actually implement it because you will be hacked by the time already. Okay, awesome. Thank
You much ly start with IBM Cloud security and complaints center of course.
Right, right. Thank you very much. Thanks to all our visitors for the attendance and questions and poll responses. I hope to see you all at some our, our later webinars or maybe even at our conference in two weeks in Frankfurt, Germany, the Cyber Revolution and Oh, thank you and have a nice day. Goodbye.
Thank you. Bye.
