Cloud Security in a highly regulated environment

Thanks for giving the stage for such an interesting topic. And obviously it's all around as well regulated environments and I, there is probably no industry which is not regulated, right? So it's pretty much all over the place. But as Mark is coming from financial background, same as I who's here from financial institutions or financially regulated environments. Okay. I would've expected a little bit more. Okay. But, but that's, but that's fine. Okay. Let's go into this and would like to run you through a little bit the Deutsche er. First of all I think give you a little bit perspective on the business we are doing and cloud strategy, our objectives, and then security often in the cloud and obviously as well an outlook. So Deutsche Za probably there is no one who doesn't have some sort of an idea what that is. So everybody knows there's somewhere building where formally people were running around and, and shouting and screaming and, and all this that still exists here in here in Frankfurt.
And for the ones out of Germany here, shortly prior to 8:00 PM there's Anya Cole normally reporting out of, out of the park, out of the floor. And it still exists and it's quite interesting to visit. There's a visitor center in there and, but obviously there's no transactions happening anymore. These are, they're all digitized and this is where Deutsche Bza is really extremely proud of because we're, we're in fact the first exchange globally fully digitizing trading. So you see here and there and still in the US like at the New York Stock Exchange, people running around, probably the last man standing over there, but from Frankfurt, it really then was exported as well globally. But trading and it's not all and it is all around the marketplace. We as bza are only providing the marketplace. So where everybody comes together and can trade and obviously providing a marketplace, you need to create trust, transparency that nothing is so to speak, happening in the, in the dark and, and be very reliable and stable, which then is obviously quite important as well for when we talk later about cloud, when we have, when we are down with birds like for one, two minutes, that's probably something that you're not going to read in the press If it's more than five minutes, you're going to read this in the press next day because always suspicion what's happening to the market.
Are we getting all the movements and all this? So this is really availability from the CIA objectives. Availability is definitely highest on our end, but we are now diversifying the, the business pre and post-trade is becoming equally important. So at the moment it is pretty much 50 50% of the business. So pre-trade is like all the indices, ducks, it's a trademark. That is something a product we sell same as stocks and, and all this. And you won't believe there are financial institutions who are ordering indices by hundreds per month, which all need to be created and calculated and, and all this. And then the post trading is actually the funds processing the entire settlement custody, quite interesting business. And through that we are diversifying because we are not only earning money or we are not earning money at all with like ducks going up. It's just by the volume of trade.
And so volatile market is, is definitely best for us. Okay, so far to to that. Now let's, let's look how cloud actually can support exactly that business model. So first is agility. I just talked about creating indices by by the hundreds and that is massive, massive data crunching because they're really not simple. You need to take a lot of data in and I think cloud is obviously made for this as well. For the agility quality we need to have geographical spread because communication is absolutely key. I today in the on-prem data center specifically now again talking about the the trading environment actually the market participants have really service in our data centers in the co-location and the cables are exactly the same length. Even if the, even if the server stands next to it or actually in the next corner or so all the cables, you wind then up the cable so that all cables have the same length to actually give everybody equal opportunity getting to the data.
So, and you need to replicate that data and that idea so far as well into the cloud cost obviously a driver and I think you can see that from, from the color of of my hair. I'm already a veteran in in it and we have been preaching standardization for and we have not really achieved it large scale but here and there making progress and I think cloud is definitely bringing us to the next step. And then future looking of course at the moment all the, all the trades, everything, all contracts actually entries in the database at the end and even at the customer side. So at the bank banking side, it's all entries in the database. And we are experimenting of course as well with blockchain, blockchain technology, which is a shift for it as well because now a trade and actually an equity could become a blockchain which is then leaving and lives on its own.
That's obviously a completely different channel challenge but but highly supported now by cloud as well. We have the first platform of this called T seven and we did some submissions already of fully digitized assets. So I think that is so to speak, really pushing the envelope here in the digitization analytics I talked about and of course machine learning and it's quite interesting to move as well into AI space now AI needs to be in in each speech, right? But I'm going to be not very outspoken on that one. But we do like predictions where the trades are being settled at the end. And of course cloud technology helps us here as well. So on the strategies, nothing new for everybody who's actually in the security industry. It's always better to be safe than sorry because later on it's going to be much more ex expensive to clean up for for that have an upfront investment is obviously everything, what we're looking for and what we are probably all together fighting for it, our boards to get the appropriate funding for that.
So we approach that first on, on our objectives with implementing security by default. I think that is, that's our mantra. Same with automation. So default and automation is definitely highest on the list and I'm coming to the secure landing zone concept then in a little bit more detail, obviously DevSecOps as well in the middle of it. And then we increase the maturity of everything, what we're doing in back checking, whether it's really securely implemented in the cloud through synap. And then we have a quite adoptable security service that's important because we all know that the, that the hyperscalers are pumping out pretty much services as well quite frequently, quite quickly and we need to be responsive as well to these efforts. So if you look a little bit compare like previously to to cloud, you won't be surprised that in the current state we have IT assets coming on the platform, you need to secure the platform and then typically it's a little bit at the last moment to apply all the security to onboard to create then like all the scenarios for for for SIEM to get all the monitoring up and running.
And very often this is even done after go live if there's always business pressure to get faster live and then apply this a little bit later than you have the typical fight of compliance levels and run behind it and asset owner to get this appropriately secured. I think as well one of our day-to-day businesses. So going forward in the cloud, we are currently in the process of creating what we call secure landing zone, which you won't be surprised because we have public announcement of GCP as our preferred hyperscaler. And so that we are using terraform for these for for this, for actually creating the, the landing zone. So actually moving quite strongly with, with the policies in order to support on the DevSecOps cycle very early in the process and then deploy securely. And then on the right hand side, again you see even if you have deployed it securely, you don't know what's happening at all times.
And for that reason the back checking and the permanent compliance checking is done then through synap. So that is our, our focus. And then obviously we are having a couple of challenges and I would like to divide this into two areas. One is security of the cloud and security in the cloud. So security of the cloud, of course we all know it needs to work hand in hand with us, but this is pretty much in the hands of the hyperscalers, but when you talk to regulators actually there's no no forgiveness. You need to be in full control of the security. How we are doing this of course through all kind of certificates we are looking at and we are getting as well from, from the cloud providers, but even that is not good enough. Simply a selection of certificates is not good enough because they want to see really that you take your own policies and standards and look into the certificates because you get as well certificates where things are not completely outlined in all this.
So you need to go into the very, very detail and compare everything to your, to what you have in your own standards, what your own ambition level is. And with that comparison, I think that's absolutely key. Don't think that having certificates and all this is is actually good enough. And of course then we talk about security in the cloud, this is something then we as CSOs are pretty much responsible for because that's not entirely in the hand and there's obviously a gray zone in between specifically when it comes to cloud native services because here we, we are as well obliged to to secure them, create secure baseline before they actually allow it to be used. But going into a little bit more detail on the, on the off the cloud, I just talked about the certificate handling that is of course embedded in the management of the wider ecosystem and not only Dora but as well in the regulated environment, they want to see you managing the security of the entire supply chain.
So we have ramped up now over the last two years a quite significant program to manage that ecosystem from a security perspective as well with the SaaS service. So where we, for each of the, the, the vendors, the suppliers we have and even for the subcontractors there, we sent them of course our standards and say, do you comply with these? And you get all kind of answers yes, no or go to hell and, and then you need to compare this to with the answer to your standards and really document all this and each deviation needs to be considered in the risk management and then you need to be make a security risk-based decision whether you wanna continue with that vendor or not. So enormous work and I everybody is now of course asking everybody, so we see this coming up specifically from financial institutions in the US coming over.
They're a little bit more advanced than, than we are in Europe, but it's coming a big wave and then you actually need to deal with questionnaires where questions go actually in the hundreds and with hundreds and thousands of vendors. So I think that's going to be interesting and I'm really interested to see what kind of market will develop here because I hear I'm not so much in the automobile industry, but they, it seems that they have created already a little bit of a platform where they agree on, on how they deal with that. I think in financial institutions, I haven't seen something like this, but there's a big wave coming. So that was a little bit sidetrack of cloud is of course part of this and we are solving that issue as well through cloud service. But obviously that's only one aspect but keeps us quite busy.
The other is of course then auditing. We are auditing as well the, the cloud service provider ourselves with onsite visit with questionnaires as just mentioned in, in all this. And we as well founder of the CCAG, the collaborative cloud audit group, that's our third line. So that would be co-founded by our, by our audit group so that the auditors coming as well together and develop joint efforts on how to audit. Then cloud service providers going to be quite interesting, has been just recently being founded. And is there any other founder here in the, in the here we go from 26 and 26. Great, great. So I think a really great approach and I think that will definitely make life easier. So that was off the cloud. Now let's look in, in the cloud and guess what, of course shift left. DevSecOps is in the middle of it and so security is here pretty much secured as well through baselining.
We need to create baselines, don't take baselines or don't take services without security and then here comes as usual in insecurity. The hard thing, block it if it's not approved, otherwise you're in trouble. So that is, that's definitely important. DevSecOps, I see Mark already coming up so I need to speed up. You probably know we are using HashiCorp for the terraform, for the sentinel policies. We are going through the lending zone and and implement very, very clearly the, the, the policies so that only fully compliant workload is actually moving then into the cloud. And of course then through the landing zone you have then secure workloads in the cloud. But we all know specifically like vulnerabilities and all they come up, they simply come up and you don't deploy them per se. So the back testing whether everything is always in a compliance state is then being done through synap, which we are in the process of implementing pretty much start off next year.
So very early talking as well to other financial institutions and all this, it seems to be that this is on the cloud journey rather later. We pull this pretty much upfront so that I understand at all times the the compliance level. Good with that, I, I touched on the, on the Synap side of, you know, I'm, you've experienced, I'm, I'm hurrying up at the moment a little bit and then the outlook of course is as I mentioned as well leverage of of ai that's a support tooling. But we see this of course as well on the adversary side. So we are predicting this fight of bots against bots quite soon and I think we are probably already seeing first, first outcomes of that and quite important for us as well, how to secure our digital assets, which will lose, we will leave our platform and will be sent out to the world and I think that's definitely one of the next challenges. So with that, I would like to close here, but open for questions.