Just let them leave. So this panel is entitled "Improving the Security Posture with Cloud Solutions". I'll ask both of you very quickly, because the word security, or the phrase security posture, can mean different things to different people: what would you say is your definition? My definition?
Can you hear me? Okay. Yeah. Security posture is the ability of a system to detect and react to a given security issue, or to exit it. Okay. Or security level.
You can name it. I would probably put that a bit broader, in the sense of how we would use it in the bank: security posture is really looking across all of our assets and systems at how well we are protected, and that also includes people and skills and capabilities. How well are we protected against the threats that we are seeing? Okay. That's what we interpret as our security posture. Okay. I've done this the wrong way around; I should have asked you to introduce yourselves and where you're from.
So let's do that. Ca Fisher, I'm the deputy group Chief Security Officer for Deutsche Bank. My name is Jeff and Schultz, I'm a solution engineer at the five, and I'm a sponsor for our security area for our region. Okay. And unfortunately Michael Shrank, who should have been on this panel, is not well today. So the next question is: we're not talking about securing the cloud. We are discussing cloud-native products that assist with cybersecurity, right? Yeah. So that's why I said I would look broader at this. Yeah.
I know the topic is cloud, but I don't think I can look at a security posture in the cloud solely. So I will... somebody, I think Hendrick, said yesterday in a forum that he believes all of Deutsche ER services will be in the cloud in the future. I hear him. I think for Deutsche Bank, I will not be able to see that before I retire. Okay. You have such a complex infrastructure that it will not be cloud only, so it will be a hybrid of everything. That means my security posture always needs to go across.
To your point, though, I would try as much as possible to have my security tools sitting in the cloud and serving the new world in the cloud as much as the old world on-prem, and only where I'm not able to cover my security posture properly, or to protect my bank properly, with a tool that is cloud-based, then I need to go back and say, okay, fine, I'll use on-prem solutions for on-prem. But I see that as being the exception.
I think most providers of security software that is running in the cloud, be it SaaS or something that you have directly as a product in your native environment, have fully understood that it's not all about cloud. So in most cases they are also able to protect your on-prem environment.
And in your industry, FAL, there's sometimes a perception that financial services is more conservative about cloud usage. Is that right? So I think any regulated industry will always need to be mindful of what is written in the regulations, and then look at those regulations and how you can comply with them. You can call that conservative; I would probably call it in line with regulations, or maybe both.
But I think the old-school thinking... I remember 10 years ago our first CISO sitting with the MAS in Singapore, and the statement of the head of that unit was very clear: cloud only over my dead body. I'm glad he's still alive and Singapore banks are using the cloud. So both can work.
I think that conservative thinking, that we cannot touch the cloud as a bank, has gone away. Regulators understand that the cloud environment by default is likely more secure than a lot of their on-prem environment. So that's why I struggle a bit with the word conservative. I know how you meant it. I'm not a retailer who can do anything without being regulated, but that doesn't hinder me from making use of the cloud. And what about from the vendor viewpoint?
What feedback do you get? I mean, you obviously have a whole range of customers. Yeah. At least you tell me you do. I don't... Yeah, we have for sure. I'm one.
Okay, there you go. I can just add to this that we have customers around the globe which are using it.
Mostly it's a hybrid world. So we have both: we still have our on-premise applications and devices and environments which need to be protected with solutions we have had for years.
But also we have new technologies, new applications, and everything needs to be fast, needs to be agile, and mostly a cloud environment is much more flexible compared to an on-premise environment. But still, the important thing here is that even if you have a good security posture or security policy and enforcement points in place on premises, you need the same in any other environment, especially if it is a cloud environment.
This is something we just realize, or we can see at our customers, that in most cases it's very difficult to have the same or a consistent security level across all your environments. This is something we try to address: we provide a solution which is able to use the same or a consistent security level, a consistent security policy, in any environment.
And that makes it easy for the responsible people to understand: we have a policy in place, we have enforcement in place, we have transparency, we can see all the data, we can see what happens in our applications, and we are still able to move and to react to demands, which can mean that they have to use a different cloud location, a new cloud location or cloud provider, or just move the application somewhere else. And we can still follow with this and apply the consistent security portfolio we have.
So it's always the same, and hopefully easy for the customer to use. Okay.
I mentioned yesterday, and other people mentioned, the EU Cyber Resilience Act, which I believe is supposed to be coming next year. And within that there are some new regulations, one of which is the disclosure of vulnerabilities. And I'd be interested in your viewpoint, ton, as a user, a customer, if you think that's a good or a bad thing, particularly when you're dealing with the complexity of cloud. Is it fair, I think, is maybe... So I think disclosure of vulnerabilities is a really good thing, because if you don't disclose them, you can't fix them.
I think the disclosure they're talking about is probably going beyond my appetite. Yeah. Who I want to disclose that to. But that's okay. We need to do that right now as well. There are some US regulations that have just been published that are forcing us to call those things out as well. So I don't think this is a big difference to what we have seen. I do see a change in how we look at vulnerabilities, though. That's why it may not be a hundred percent fair, because in the past we've always looked at vulnerabilities as, like, the score is 10.
What we forget is that the score is made by human beings, and by vendors who are selling their software. So if you have a vulnerability that is high, you will likely try to make it even higher, because if you don't, there may be a liability issue at your end at one point in time. So there are different aspects going into vulnerability judgment. What I think we need to overcome, and we had seen yesterday in the presentation that was done around how you look at your attack path...
We've seen from Deutsche bza, I think in this room yesterday from Illa, how they have looked at vulnerabilities and tried to make sure that they're judged. We hear from law enforcement groups in the US that they are going away from looking at "you have a 10, you need to remediate that", more towards "is that critical for your environment and do you need to focus on that?" So if we do it on this basis, I'm absolutely fine.
I am, though, conscious of the fact that more European-driven regulators are still thinking in the narrow view of, like, if it's a 10, you need to remediate it. No: if it's sitting on my taxi booking system, I don't need to remediate that at all, even if it's a 15. Yeah. So this is why I... those regulations, and I mean we are all feeding back into this process obviously, but I think they're always falling a bit short on that risk-based view. Right. So what do I want to solve?
Yeah, so it shouldn't just be "it's a vulnerability", but rather, you would say, "is it critical for my system". Yeah, yeah. Okay. I mean, I think one of the reasons they did it was because... well, for CUS and the EU, it usually focuses on customers' privacy, et cetera, which is a good thing, but... By the way, we do that as well as a bank. Okay.
And... Oh, good. Good to hear. Good to know.
And the thing was that some people say, well, if we say there's a vulnerability, then it encourages hackers to, you know, target us. Is that realistic, do you think? It's a yes and no, I believe. Yeah.
At the point this vulnerability is discovered or is exposed, it might already be a bit late, because someone else was already on it. But... Exactly. Yeah. Just because you found it. But still, if there is something which looks attractive, it'll attract people and they will try. Of course. And I mean, to be honest, these days it is not that hard to try a vulnerability, to look for it and just try out what is possible and what is not possible.
You can even use an AI engine already for this; you don't have to have a good understanding of how to hack or how to interact with a system to use a vulnerability. Yeah.
It's very easy, and if someone tells you there is something which is critical and allows you to get access to, like in our case, our system, for example, and our customers have not patched it, have not fixed the vulnerability, then it's attractive for some people and they will try. Sure. Of course. A lot of red teams are, in the meanwhile, not using vulnerabilities. I remember looking at Alexei, who did that?
We have in the past even given the guidance to our red team: don't leverage vulnerabilities, because we wanted to find out where we have weaknesses despite the vulnerabilities, because we know we have vulnerabilities. So then the question comes back to the point you made and I made earlier: if I have a fully segmented network, if I have my crown jewels micro-segmented, why would I care about vulnerabilities of 10 or 9 in the surroundings that may not impact my crown jewels at all? That's the attack path thing we have seen yesterday from one vendor.
But I know many vendors are working on that same problem, because that can then show you: okay, this is what I need to protect. Then we're talking, because then we're saying the vulnerabilities on that stream I want to be remediated. So that's why I think the regulation is good, but it's probably a bit premature in an environment where we haven't yet finally clarified how to deal with all those vulnerabilities. Yeah. Okay. Does anyone have a question?
Just one comment on this. Okay.
Even if there is no direct impact to a system based on a given vulnerability, as soon as someone gets access to any system or any environment, they can look for new things. And there is a nice phrase for this: lateral movement. Just to see what is possible, even if there's no direct way to your crown jewels. But there might be a way in the future. But that's what I mean.
So then you have segmentation in place, then you have detection controls in place, then you may have some boundaries in place, you may have some blocking in place, and that's what I would call security posture. But I would also then call it my risk appetite. Yeah. If my risk appetite is saying I don't want any lateral movement: good luck. Nice try. Good luck, then this is a 3 million investment, and a high 3 million investment every time, probably every year. There is nothing like zero risk for security. Yep.
And I'm happy to pay five euros for this, but there is no zero risk for security. So it's all about your risk appetite, and then things like an attack path, things like crown jewels, will help you. And then you need to determine: do I allow that lateral move and work on the basis that I'm able to detect it, not necessarily to prevent it, and somebody's moving from my taxi booking system to my canteen booking system, to my room booking system? That may be absolutely within my risk appetite. Yeah.
Maybe if they're able to move towards my high-value payment system, I have a different risk appetite for my high-value payment system. That's a different story. Yeah. Okay.
Well, okay. Anyone got a question for the guys here? We have a microphone.
If not, I'll just carry on, you guys. Any questions? No. Okay. We talked a lot obviously about the cloud. One of the questions is: will cloud solutions be held back by legacy and on-prem applications? Would it be better to strip everything out, if it was possible, and to build an entirely cloud-native infrastructure? Yes. Yes. But is it possible? Give me the pot of money and I'll do it tomorrow.
Yeah, yeah. So look at... and I can only talk about financial institutions, but looking at Alpha, you can probably tell a different story from the industry as well.
But if I look at our infrastructure, then that starts with a mainframe. A lot of banks are using mainframes for their big-scale business. I know people are dreaming about mainframe in the cloud. I'm not visionary enough to see that in the next few years. So it will remain on-prem. I can now start investing millions and moving that away from the mainframe into a cloud environment, or I can accept the fact that it's sitting on-prem and make sure that I'm protecting it. Guess what? Mainframe security tools are usually not serving anything else but mainframe.
So I need to do that anyhow. So that may be something that I accept.
If I have, I don't know, 10 Windows 2008 operating systems that are sitting there, and I now need to go through the transformation of moving them to 2012, 2016, whatsoever, I may use that as an opportunity to say: let me rethink, maybe I can rebuild them in the cloud and save the money of that transformation to just another Windows platform. Oh yeah, let's move them natively into the cloud. So it all depends on what we are talking about.
And again, the crown jewel: do I need my taxi booking system in the cloud? Okay, the first question should be, do I need a taxi booking system? Can't I buy that as a SaaS?
Okay, fair. But it's those kinds of things. That's why I think it's too pl and too pro to say let's just move it all to the cloud.
If I don't have a business case, I wouldn't even touch it. Okay. And what about your customer feedback?
Yeah, exactly the same. Okay. So we have customers who are a hundred percent cloud native, and they are perfectly fine in this virtual environment. And we still have customers on-prem, and this is fine as well, and in most cases there is a reason behind it.
But we as a company allow our customers to use both worlds, and we provide everything they might need to interconnect them securely and, as I mentioned before, to provide them the possibility to reuse their existing experience that our solutions can provide in any environment. And this maybe is also a good way to use the best environment for my application, for my workloads, just based on the use case.
And so we provide everything which makes it easier for them to move application by application, or leave it where it is; it doesn't matter for us. We can provide our solution for all environments. Okay.
That's our experience. But one very final question, and we probably have to be quick. What major trends and development areas should CISOs, or not just CISOs, but senior people, be looking to invest in in terms of cloud-based security tools? And I don't mean vendors, I mean just technologies. Yeah, go ahead. Go ahead.
No, start. I need to go ahead.
Yeah, from our point of view, what we can see with our customers is that they need solutions which can be used in an easy way. It has to be agile, it has to be very fast.
And yeah, just based on the demand they have. And for this, there's only one good solution from our point of view, which is any kind of SaaS service.
So we provide a platform with different solutions, and our customers can use it wherever they want, and they have a single configuration portal, a place where they can find everything: whether it is reporting, or any kind of information about the system itself, but also any information about any ongoing security issue, or whether there is any protection available or not for those applications.
So it's easier for them to have it in one place and usable in every location, instead of building their own solutions just on-prem or in this specific cloud environment, where you always have to learn the specific solution. It is easier for them to use one solution which is usable at that time and for as long as they need it, a SaaS service, for example.
Okay, great. Sold, pretty much.
I am... no, I'm sold. I want an ecosystem rather than 10 different tools. I want it to be in the cloud, SaaS, native, whatsoever, and not sitting on-prem. And I want to be able to connect to the other ecosystems.
I won't buy a SASE tool if it doesn't connect to Microsoft M365. Then I can't use it. I cannot worry about whether the SASE tool is now making a decision on conditional access or Microsoft does, because I couldn't care less. I want a tool to take a decision on conditional access, and if they can't agree between the two of them, I may not use either of them. Yeah.
So I'm looking at this with very thin thinking. It needs to be, as you said, agile, it needs to be fluent, I need to be able to use it, it needs to be in the cloud, and it needs to fulfil an ecosystem. And if it's falling in between those, then I really need to think about whether I'll buy it.
I was shocking somebody yesterday from the vendor community who was trying to sell a tool to me because that tool is so much better for that use case than all the other three tools that are out there. And it would be my decision whether I go with the best tool in the market or I accept an 80 to 90%. I think she was a bit shocked about my comment that I go with the 80 to 90% if it's part of an ecosystem. But that's what I hear a lot from CISOs nowadays, saying: I don't want the 120% tool if it's standalone and I need to embed that into all of my other tools. Yeah.
I want the vendors to embed that, exactly. Myself. Okay. Fantastic. Well, that's it, end of time. Thank you so much for answering those questions, and thank you.
Yeah, the conference hasn't finished yet, so we still have some panels and a session in Plateau, which is the main big room. So see you there. Thank you, guys. Thank you.