So this presentation and this session is really about a theme that has been running through the conference. And indeed I can see in the audience, Elena rich, Richard who gave a, a, a, a, a talk on a similar aspect of this theme that 10 years ago, AWS and other big cloud providers were telling us that the cloud was going to make things simpler, that everyone was going to junk their existing on premises systems and move to the cloud. Well, in fact, it hasn't worked like that what's happened is the cloud has become yet another degree of complexity in delivering it.
And so what I'm going to do through this talk is to talk about how this extra complexity has introduced challenges particularly to do with trust. And what is really needed is some kind of unified security fabric along the same kind of lines that Elany was talking about and how this will meet the challenges. So I think we've all seen what has happened with digital transformation that effectively the pandemic has forced organizations to change the way that they do business. They have had to do an awful lot more online and some have done it rather successfully, and some have done it pretty awfully, and that they've had to do this because they've needed to compete. And they also have to differentiate and the, the digital world and the accumulation of data that they have has made it more and more practical for them to exploit that data.
Now, in order to do that, we've moved from a development system where somebody wrote a specification, it said they couldn't do it for five years. And six years later, a, a system was delivered that was out of date and didn't do what they originally wanted. We've moved to a world of DevOps, a flexible development that allows you to develop systems with a lot of digital flexibility. However, that is not sufficient. You have to be able to secure these things because your customers want to be able to buy their flight or use your product with a reasonable certainty that they're not going to have their data hacked or their, their, their credential stolen. And so it's important in order to succeed in this, that you have a secure digital experience. Now I'm saying that, and well, you'd expect me to say that because I'm an Analyst and I hope you'll pay me, but actually there are lots of surveys and I've picked on one, which was cloud migration stats from Flexera.
And basically what's happening is now we've got these organizations that are in this race to digitize, but in fact, 85% of the organizations that responded to that survey said that security was a challenge in this complex world. That then on top of that, 76% said that compliance risk and compliance was an issue. And surprisingly cost 80%, 81% of organizations were saying that cost was a problem. And this is almost exactly the opposite of the message that was being given 10 years ago, by the big cloud providers who were saying, come to cloud, and it'll all be cheaper, and you won't have any cap capital expenditure and so forth, but now people have virtual machines spinning that are, that, that they're paying for. And they don't know what they're being used for, why they're being used for, and they don't kill them. So let's look at what has led to the back of this in, in a little bit more detail.
The first thing is that the, well, when I, when I was a development manager, I spent most of my time trying to find the computers that we needed in order to be able to do the development because you needed different environments, which was different computers, and I'd have cut my right arm off for something like VMware. However, this virtualized environment has moved from just being good for developers to have different environments. It is in itself, something that is incredibly useful because the cloud gives you this resource when you need it for just as much time as you need it, that it enables this flexible development that I talked about, where you can use these new techniques and these new ways of building applications like containerization so forth to provide a, an application that matches the business need and can be changed in, in the, in the light of feedback.
And so this gives you a responsiveness, which actually depends upon the responsiveness of the infrastructure. And so the infrastructure is becoming flexible, but it is also this flexibility is becoming part of the challenge. And so if you look at these trust challenges that come from this, that what's actually happened is that the cloud has introduced yet another set of silos that you have some, some apps in AWS, some apps in Azure, some apps in, in, in Google, and not only that, but you've actually got software as a service as well. And many of these will also be calling back to the, the, the legacy systems that you've not been able to migrate. The, the value that comes from all of this is being able to share the data that you have amongst these platforms. But it's not just a question of sharing it. It's how you can share it and ensure that you achieve compliance, particularly in the area of privacy, and certainly that you achieve security.
And so in order to do this, what, what we ha, what we find is that there are all of these different tools and capabilities, which I think Martin is going to talk about calling it a zoo of, of, of the different things that, that, that you, you, you get from the different providers and all of this leads to a kind of ad hoc service governance. So let's just look at what people are actually using at the moment. So if you look at this, you find that some people have just sort of said, well, I'm going to try and solve the problem by using some form of private cloud tools. So if you use VMware on premises, you can also use VMware in the cloud. And that's good because that's, that gives you a consistent set of tools and environments across the two, providing you like VMware.
The answer from the cloud service providers is, well, we'll give you a cloud in a box so you can buy an Azure stack, or you can buy an IBM satellite, or you can you've, you've now even got the big hardware manufacturers, such as Dell are ask, are selling you effectively a server as a service where you pay without any CapEx, but you pay on, on a rental to have them provide a maintained managed server in, in a data center of your choice in terms of managing this, the tools that the public clouds provide, provide lots of different things. Like they'll say, well, you can be really secure because we can give you a template as to how to be secure. And we will provide you with vendor monitoring tools. But the problem with these is that what works on AWS, largely speaking, doesn't work on Azure.
And what works with others is, is the same. Now what is happening is there is some of the vendors are trying to solve that problem with, like, for example, the Azure arc and IBM satellite, but there's still an element of lock into this. Now, another solution that, that you find is, well, if you just, re-engineer your applications, all these problems will go away. So if you build it using containers, and especially if you use GCP and Kubernetes, then everything will be well managed because we've got all these tools to do with containers. And, and certainly there are many advantages which have been discussed to refactoring your applications, but can you afford it? You know, many businesses are, are still running on applications that are on the mainframe because they can't afford to transform them onto what would be previously been called distributed systems. So refactoring has many benefits, but is also a very costly approach.
Now, nearly every organization has all these legacy tools because you have on-premises, you have tenable, you have all of the identity management tools that you had working on premises, but how do these interact and how do these work with the, the, the, the, in this hybrid world. And so finally, the, the, the horseman from the vendors have come along and said, we've got the solution here. And this Ackerman soup of, of the different things, cloud security, posture management, cloud workloads, protection, cloud, native app protection, and cloud infrastructure, entitlement management. So are these actually what we need? So let's just look at some of the, the challenges, because none of these are satisfactory. One of the big challenges and through another theme that you can see that has run throughout this conference is the one of privacy. And how can you ensure privacy enabled data protection?
And I, I mean, it's, it's this data protection. In many cases, people that have moved to the cloud have just forgotten about backups. And so data protection starts with simple things like backups and having a disaster recovery plan, because you can still have your, you can still lose your stuff, but do you have the same backup processes? Do you have the same backup tools for that? Then you have the question of protection protecting the security of the data while it's in transit while it's at rest and during processing. And although there are common answers to these, many of these answers are still somewhat lacking. Indeed, only yesterday, we had a, a, a super presentation by a chap who was describing about the problems with having signed and properly encrypted end to end HTTPS communication, because you can't sign an HTTPS message because it gets changed as it goes along.
And, and the other problem, which was highlighted through the Shrems two judgements, which has been another issue is that there are all kinds of ways that you can steal data while it is being processed. So it's not sufficient to be able to simply encrypt the data while it's re it is at rest. The application stack that is commonly used has data unencrypted being processed often in multiple layers within, within the application stack. So all of those things need to be taken into account. And so the challenge that we have is this inconsistent set of tools that we have, these functional things that everybody realizes they need, like protecting your data, managing vulnerabilities, both in the infrastructure and in the code that you are producing, that you need to be able to secure your network, not only between the cloud and on premises, but within the cloud and between the clouds.
And you need to be able to manage identity in a consistent way across all of these different things. And the problem is that the, the ways in which you do that and the tools which you are offered are often either different, or you have to find some way of integrating them across the different environments and what this leads to is this problem of ad hoc service governance, which in fact, is in, in fact, an increase in costs and an increase in risk. So, as I said, the horseman of the vendors has come along with all these solutions, which they say are the answer to your prayer. Let's have a look at whether they really are. So CASBY has been around for some time. And CASBY is a very useful tool in that it can give you an inventory of what software is a service, largely speaking you are using from within your organization.
It can also give you control over what you'd call unsanctioned apps. So you can stop people from on-premises using things that you would prefer that they didn't use. But in, in fact, it adds to the complexities of identity and access governance. And indeed only yesterday evening, the, the keynote on access management, the final frontier, you know, I've, I've said to people, there is no common governance model for access to a software as a service to what you are using in your IASS apps to what you are using on premises. So CASBY is useful, but incomplete, secure access service edge, well, here's a network based approach to access control. And this has sort of been pushed by the, the, the, the VPN vendors, the secure gateway vendors, as a way of saying, well, we can control everything by putting the right kinds of network controls on.
And by the way, we can sort of say to you that if you use these tools, you can have something called zero trust. And this is another one of these areas, which has been explained by various presentations to be something that means different things to different people. The latest, the latest kid on the block is cloud infrastructure and title management. Now, when I was a developer, a server was something that sat beside your desk and it didn't have permissions. It couldn't actually on its own decide that it was going to access a database. But when you get a virtual machine in a virtual environment, that virtual machine has to have permissions for it to be able to exist in this world. It is an entity, a virtual dynamic entity. And so the capital one hack is the great example of this, where hackers were able to exploit the inherent excessive privileges of a virtual machine to steal data from an S3 bucket.
Well, so this is an answer to this problem, and here's a real problem, but cloud infrastructure, entitlement management is not the complete solution and cloud workload protection and cloud native application protections is in fact more tools that are aimed towards helping DevOps to try and avoid some of the security pitfalls that they would otherwise find. So none of these are completely correct and completely sufficient. So what is needed is in fact, some form of unified security fabric, and this is something that CA that, that KuppingerCole has been very, very successful in helping people with, in the area of identity management, where we have an identity fabric, what is needed is something more than simply an identity fabric, but a security fabric, which in fact gives you a way of integrating, governing and managing all of the different aspects of the, of, of the security world, around what I would call the missed major functions of being able to identify, to protect, to detect, to respond and to recover from cyber attacks.
And in order to do this, you have to have a way of integrating and orchestrating all of these different tools in all of these different places, so that you can choose the tools and you can optimize the tools that are relevant for you. It would be nice to be able to say that we will have a single new grand set of tools, but for most places, that is not a practical approach. What we need is some way of being able to work out what is best for you for each of these different areas. If you've got quals, if you've got tenable, then that's what you may be happy with. If you've got Sally's encryption, then that may be something that, that you can, you can use and you can work out what the right things are. A network management is a particularly big issue there that, that the way in which the in cloud network is managed, maybe different from the way in which the, the extra cloud network is managed.
But again, you need to figure out how you're going to do this to get consistent policies and so forth. And so all of these different areas that we are talking about need to be orchestrated together so that you have a unified, consistent and cost effective approach to all of this. And to give you another example here, if we look at data protection and I talked about data protection at the beginning, data protection is something that seems to have just been forgotten by people who've moved to the cloud. They believe, or there seems to be a belief that if you put your data in the cloud, you don't need to back it up because somehow or other it's become in vulnerable. Well, that just isn't true. It isn't true. If you're using software as a service, it isn't true. If you're using infrastructure as a service, if you look at what Microsoft do with office 365, then if you delete all your data, or if a malicious actor deletes it all, it's gone.
If you look at AWS and S3, they claim this nine, so many nines availability of your data for every bucket. But if you delete the bucket, it's gone, it's, it's not their problem. If you've deleted it it's gone. So if it gets deleted through mistake or through malice or through misuse, then in fact, you, you need to be able to recover from it. That encryption is this next challenge. And the challenge that I, I is particularly the case when data is being processed by a third party, is to be able to make sure that it is, it is completely secure throughout its processing life cycle. And so there are now a whole series of approaches, which includes pseudonymization, trusted enclaves, and even homomorphic encryption, and going into the future. There is now a nacent threat of what will happen when quantum computing is able to crack RSA, RSA encryption within a reasonable length of time.
And there is a NIST project going on with this. So if we look at pseudonymization, then there are lots of different ways of pseudonymization. And I, I really recommend you look at Anissa pseudonymization. There's a report on this, which is, which is good. And in effect, all of this takes us back to identity because the, the real issue, the issue of privacy and the issue of security come back to identity. Security is about preventing the people that shouldn't have access from accessing your data and destroying it. That privacy is about making sure that only the people that should have access can access your data in a way that is allowed because of consent or because of regulation. So all of those things need to be brought together as part of your security fabric. And so looking at how we would meet these, these challenges, we have this in, in co call this notion of a security fund break, which is going to cover all of those different things.
And this helps you as a customer to have, and take a unified approach to all of the types of data and all of the types of systems and all of the types of deployment models for all of the types of services that it supports you through your journey to privacy enable data protection, and it can be implemented in a practical and an incremental way to give you an optimized view of risk that you can control your risk whilst also optimizing your costs. And that has to be driven by the business. So that is the message that I've got to say today. So with that, I'll say thank you very much. And if there's any questions, I'd be welcome to.
