  • 2 days ago
Cybersecurity Trends Safety in the Cloud

Category

🤖
Technology
Transcript
00:14Hello again and welcome to stage 3 here at Viva Tech.
00:20Now for our second discussion this afternoon, we're going to explore an important cyber security remit, that is the cloud.
00:26As we know, with hybrid work becoming the norm, companies and employees are increasingly dependent on cloud computing.
00:33So to what extent does this pose a threat, a risk? How can companies and people make good security choices
00:41in their use of the cloud?
00:43Those are some of the questions that are going to be under scrutiny over the next 40 minutes, but we
00:48also want to hear your thoughts and your questions.
00:51So don't hesitate to go to the Viva Tech platform via the app, and then you can select the tab
00:57in the drop-down menu entitled Interactive Sessions with Slido.
01:01Select stage 3, which is where you are right now, and you're ready to give us your questions.
01:06Our moderator will be sure to take your questions to our panel.
01:10Having set the scene, please welcome the speakers for this session entitled Cybersecurity Trends, Safety in the Cloud.
01:17...
01:22...
10:05more meaning, more visibility out of it and that's typically where I think not
10:10just security but also compliance come at play. So playing the ecosystem to us
10:16is really the only best possible way to go forward with securing well enough
10:22any application in the web, any application on the cloud with all the
10:27360 view on it. So human being one of them. I mean when we did the
10:33preparation of this panel, I mean Thierry told me, wow, security, shift-left
10:40security is totally outdated. I mean everybody does that. I mean it's not no
10:45more an issue. But listening to you, Philippe, I have the feeling that this is
10:49something that we need to address more and maybe the user are not as expert as
10:56the product and tech has. So this is why I guess Christina you're coming into action
11:02with Vanta. Yeah we, as Thierry was talking about, do a lot to try to bring the
11:08engineering and security teams very close together if they're not already part of
11:13the same organization. And just as an example of that, one thing we do at
11:17Vanta internally, like within our company, is our security team is running
11:22quarterly surveys of the engineers asking about friction points, right? Because I
11:28think one of the things that prohibits some of the shift left or kind of gives
11:33security teams a bit of a bad reputation amongst engineering teams is that so
11:37security is always there to say no to things, right? The engineers want to
11:41innovate or use a new tool or API or platform and the security team just says
11:46no and they ask for a bunch of approvals. And you know, one I think
11:50philosophically part of shift left is is trying to get the engineers to
11:54understand the decisions and risks the security team is thinking through. So
12:01there's just a bit of empathy building there and then it's bringing the teams
12:04together to ultimately, you know, secure the company surfaces and customer data and
12:10build products that customers really want. And just we've found these quarterly
12:15surveys are these nice benchmarks and checkpoints to make sure we're on the
12:19right side of, you know, there's a little bit of friction introduced by the
12:23security team but not so much that the engineers are frustrated or feel like
12:27they can't innovate or kind of deliver great products for customers. So if I
12:33understand properly listening to all of you, I mean, we need to tackle security and
12:40safety, I mean, as the DNA of the company so that everybody can be educated and can
12:48make sure that humans are educated not to do many things they should not share, but
12:54also that the system that you're building be even more protective. But now we see
13:00more and more coming generative AI and it means that the cyber
13:07threats are going to be even more dangerous as even more adapted to, I mean,
13:16making something real coming to the company. So how do you see that, Philippe and Thierry?
13:23Do you think that you will have to be even better in anticipating those threats with a
13:29generative AI counter system to anticipate what generative AI could do as attack? What is your positioning?
13:37Maybe you start, Philippe? Sure, happy to take this one because this is something that we're really
13:43thinking about very hard right now. So what does generative AI, what can it do in terms of cyber? I mean,
13:52clearly this is a tool that can really enhance the ability of attacker in two dimensions. I think one
13:59is the breadth and the scope of the surface attack, two is the speed of the attack. So clearly if you
14:06are, if you have a team of humans leveraging AI to attack your organization, if you only have human,
14:13which is the case today, today cyber security is man against man, right? Tomorrow if it's AI against
14:19human, we know who is going to win. So it needs to be AI against AI. That means we need to develop the
14:24tools that the security team within the company are going to be able to leverage to be risk to be
14:31basically able to respond at the same speed or faster than the attacker and across a very wide
14:37surface area. So we haven't seen any tools yet, but there are a lot of very smart people who are
14:43actually starting to think about building products in this area. And if you are, just please come and
14:48talk to me after that. Yeah, I mean, clearly it will intensify a lot the needs for secured environments.
14:58And then I'm asking a question to you, Thierry. To be more secured, do we need to be sovereign?
15:06Well, there are always plenty of dimensions to security, right? And combining sovereignty and security is
15:15never a bad thing, provided you do it right. So what we aim at within OVHcloud is typically offering
15:22a choice to the customer and being completely transparent to the customers about what they get
15:27for what they source from us. Typically, we are, for instance, providing services which offer the
15:35highest level of certification of security in Europe with SecNumCloud. There are plenty of debates
15:42at European scale with EUCS, the new European scheme, trying to combine two things, which is not
15:49always easy, because obviously there is a big debate, which sometimes is a bit more political than
15:54technical, but about, on the one hand, level of security and how you would implement native,
16:00systemic security across all the layers, and the corresponding level of sovereignty.
16:07Let me give examples. Yeah. Storm and the shield and the sword. You will need to have AI to react fast
16:16against AI, but you will need to go in a cycle and you will need to retrain and retrain and retrain again.
16:22So how will you do so if you cannot deliver such trained models which were educated with, well,
16:31clear, unbiased, free data? And that would come with a certain level of sovereignty and understanding of what sovereignty brings.
16:39How will you do so if you do not have an ecosystem which will share openly? So there are plenty of debates right now on how we will use
16:47generative AI to help securing better, help protecting better, and how will we feed those generative AI with sovereign data,
16:56sovereign models, and let's say a sovereign, meaning unbiased, transparent ecosystem of actors,
17:04who will come with their solutions. So we're very much proud of being part of that and we'll keep pushing.
17:12Sovereign should never be seen as, let's say, restrictive and protectionist. That's not the way we see it.
17:19We see sovereignty as transparent freedom of choice and the ability to really make educated choices
17:26about how and what you want to secure. And that is really a motto. We do operate sovereign services
17:32everywhere we go. So when we operate in the US, we are sovereign according to US legislation. When we operate
17:39in EU, we are sovereign to EU legislation. We're now opening in India. Well, Indian government have
17:45their own view about sovereignty and we will respect that. We will implement it exactly the same way. So
17:50very interestingly, people tend to mix. There are two very distinct dimensions, sovereignty and security,
17:57but they feed each other. And we do really deeply believe that we can help ecosystem grow on meeting
18:04both, but not one against the other, one feeding the other. And Christina, a question from the audience.
18:13How is it possible to ensure that in the one hand, we have more safety, but in the other hand,
18:21we do protect the privacy of the user. Is it compatible? I think so. In that, we've seen over
18:31the last couple years at Vanta and years before then kind of the evolution of software and technology,
18:37just more and more emphasis on security and now privacy, right? And if we're going to think back
18:43to 10 or 15 years ago and we were starting to use tools like Facebook or Twitter, right? And I think
18:51there was a lot of excitement around that and a lot of, you know, oh, I can go connect with, you know,
18:55maybe people from my past. So I will upload all of my information to this website and what could go
19:00wrong? And we sort of played that out and a couple of things definitely went wrong. And I think there
19:06was a bit of that kind of more halcyon ethos that's just gone. And I think now software companies,
19:14whether they're servicing, servicing businesses or servicing consumers are much more aware of their
19:21obligations to their users and to their customers. And that's certainly true in the EU, right? I don't
19:27mean to be the American telling you that. I think it's actually almost just as true in the US. The US
19:33culturally has a different spin on this and comes to it from a different place. But even just being in
19:39San Francisco and sort of the epicenter of Silicon Valley for the last decade, you really see the
19:44added emphasis on data privacy, on user protection, and ultimately on unsecuring trust.
19:52And when it comes to environment, I mean, how can we ensure that all those cyber security
20:04additional levels are also compatible with environmental and green durability production?
20:14So is it something that you see both Thierry and Philippe? I mean, Philippe with your investor
20:18eyes and Thierry with your operator of cloud services cap?
20:26Well, I would certainly not oppose sustainability and security. I mean, we have a very specific
20:35operating model. We do build our servers, we build our racks, we build our data centers. So
20:40it's vertically integrated. And that helps us having a total control on the level of water we use for
20:48water cooling our servers. We have extremely low water usage. We also reuse components.
20:55So servers in OVHcloud have a second, a third, a fourth life, right? You recycle everything.
21:02You just don't waste them. So having a server component being in use for 12 years helped really
21:09strongly reducing carbon footprint. And then when it comes to power efficiency, again, water cooling is
21:17pretty impressive. You gain 20 points of efficiency versus any classical cooling technique. So how would
21:28we combine? Definitely we see security as a must and it's not something we would negotiate.
21:36I never saw any technical implementation which would contradict having on the one hand this integrated
21:43circular economy approach to the infrastructure and the security. Things could go a bit more blurry when
21:52you go up in the software layer, especially if customers would have, let's say, a very intense use
21:59of the infrastructure without knowing the implications. So what we work at is reflecting back to the
22:07customers on their actual power and carbon usage, giving them calculators which tell them real time,
22:14oh, be aware, this type of AI training means you're consuming so much watts and so much water and so much
22:22carbon footprint. So step by step we're expanding that type of metrics so that then customers can make
22:30educated choices. But we don't see it as a negative versus security. And I would say in most
22:39use cases when we discuss with customers, when we investigate about the solutions that deployed on our
22:45infrastructure, security is only a tiny fraction of their resource consumption. So I would say let's not
22:53oppose them, let's educate the customers with many more metrics available on their power, water, carbon
23:01consumption and they will be clever. Philippe, do you see that as something that is really
23:10core for a new startup in cyber security to think safety but also green impact as low as possible or
23:21is it something that you don't see at all? I don't think security is any different from any other
23:29software technology out there. I think it's great to see that the next generation of for the next generation
23:34of founder I think sustainability is very important and it's at the core of the values of the the company
23:41and so we're seeing it in cyber as much as we're seeing it in other enterprise or software
23:47application or even any kind of startups today. I think it's very exciting to see and I think as an
23:53investor it's also something that is very important to us. I mean clearly and Christina you're working
23:59with I mean partners all over the world or do you see any specific distinction between Europe, US,
24:09is it easier to sell your services to US players? I understand that you're already working with OVH, no?
24:16Correct or not yet? Not yet? Oh! So how would you sell what you are developing to Thierry?
24:27Ah yes, okay. Elevator pitch in 30 seconds. Elevator pitch, great. No, just in speaking to
24:33I won't, I won't put you on the spot, we can do that in the back afterward, but um I think Americans
24:39uh, you know, part, part of the founding thesis of Vanta was, can we use compliance and getting these
24:46compliance standards that um often open up new markets, you know, something like ISO 27001 or GDPR
24:54in the US, or sorry, in the EU for American companies, SOC 2 in the US for European companies, can we use that
25:01kind of uh, uh, like revenue motivator and market opening motivation to help companies improve their
25:08security posture? And that was always the thesis, and I think that's, you know, true on both sides of the
25:13Atlantic. Um, I will say I've been uh in Europe for a couple weeks talking to Vanta's European customers,
25:19and it is striking how much more closely tied security and compliance teams and leadership
25:26is in Europe compared to the American counterpart, to very broadly generalize. We, we're dead about
25:33compliance in Europe, you know, we love it. I mean, we love it at Vanta, it's nice to, you know, find our
25:38people. Um, but I think honestly that's something of a tailwind. I think the flip side is we grew up as
25:44a cloud native company, our initial customers were cloud native companies, and, you know, we operated in
25:49Silicon Valley where it's, it's sort of the obvious, you're using the cloud. That is less true globally,
25:56and I, so I think that's, that's kind of the primary headwind, and it sort of balancing that where
26:01for the, the European companies that are embracing the cloud we actually see a bunch of traction at the
26:07highest levels of the company, because compliance isn't a back office, you know, process that must be managed
26:13but something, to your questioning, that's core to the company itself. So elevator pitch to Thierry, 30 seconds,
26:22how would you sell your company to Thierry and Philippe, but I guess you're already backed by,
26:28but anyway. Thierry, uh, what sort of comp, or rather, how do you build trust with your customers? Uh, it's all
26:37about making sure it's 100% transparent. They should know what they buy, they should know how much it's going
26:43to cost them, they should know exactly where their data is, they should know exactly which authority
26:48could have a look into it, etc., etc. Make sure there is absolutely no glimpse of a shade around what they
26:56know this source. And how do you, so that makes a lot of sense, of using transparency to build trust.
27:02We have a principle at Vanta that's like, do what it says on the tin, right? So do what you say you're going
27:07to do. How do you, it's great as a principle, how do you operationalize that with your customers? Well,
27:14typically it's, it takes the roots into the, the operating model and the business model. So just walk the talk
27:21in terms of making sure prices are predictable, so no kind of fuzzy call per API type of fees or no, no
27:30unpredictable usage metrics that could clash back on the customer. Uh, a two secure that they understand
27:39which security pattern they buy and, and the consequences, meaning, uh, sometimes a customer would
27:45want to have the most secured service because it looks great on the slide, but then when it, when it
27:52means that they have to adapt their operating model because they have to fit into a security model,
27:58suddenly they would, they would have to rethink. And really help them make the best possible uh
28:06trade-off between the level of security they want but also the operating model they want and the level
28:12of constraints they are ready to take, right? And make sure that together with partners you accompany them
28:18on that journey, that it's not just too late that they would discover the service, the source is not adapted to
28:24the need. Be proactive, be very early in explaining the do's and don'ts about any service you push.
28:32And I think on the last question it was a 30 second pitch. Yeah, yeah, after the pitch. Um,
28:40can I ask one question? Uh, yeah. I love, just like, because this is something I was uh discussing uh the other
28:48day. Someone said, well, you know, one of the great applications of generative AI is compliance, like
28:52how suddenly can I fill all my forms and, and you know, when I'm doing this bid for these customers
28:58I'm going to spend hours of filling the security form. How do you integrate that in your product so
29:04that, yeah. So we actually are, so more effective, really high level, Vanta's product takes information
29:09about how the company's technical and people and administrative and, you know, vendor systems are set up,
29:15helps uh conform those configurations to compliance standards and generates a bunch of documentation.
29:21So actually we are already using some generative AI in the product to help companies answer security
29:27questionnaires. I'm not sure if that's something you get, but the, you know, we have all this technical
29:32information in one format, your customer would like it in their format, can we just use AI to do that
29:38translation? So that's one use case. There's a couple others around generating documentation,
29:45particularly uh section four of a SOC 2 or a statement of applicability in ISO, but it's sort of a
29:50similar concept where we have the structured information about how the company is set up,
29:55can we use these new models to turn them into natural language documents that are accurate and
30:00continuously updated, and again somebody in the company doesn't have to sit there and, you know,
30:05write five pages and update it quarterly, all of that. So uh coming back to uh innovation
30:14um and um new companies in that field. Philippe, we may have a lot of entrepreneurs in the room.
30:24So, so far what we've seen in cyber security, there's a lot of cyber security company that finally are more
30:32consulting companies with not such a nice product, so, you know, self-service. So as for you, where do you
30:41want to bet in the coming months in cyber security, or bet, invest, you're never betting.
30:48Exactly, we're uh, we're backing entrepreneur um and help them realize their full potential. I think one
30:55area that I'm super exciting right now is data, because if you think about um, you know, the shift to
31:01the cloud now uh means that there is a ton of data in the cloud, people need to protect it.
31:07The amount of data that keeps being produced continues to grow exponentially, so the amount
31:12of data we have today is nothing compared to the amount of data that we're going to have two to
31:15three years from now. And now you have the AI wave coming, and that means that company needs to understand
31:21exactly what data they have, where, how to be compliant, because there's a lot of compliance that you
31:27need to abide by, but then who can access this data, which models can access this data, how do the user
31:33have access to the right data when they use a model, because if you're use an LLM tag, you know, connected
31:39to the data within your company, then certainly if you're the CEO you shouldn't get the same information
31:45that if you work in the R&D department. So we have invested last year in a company called Cyera, which
31:51is really focused on cloud data security and really helps company, basically by plugging uh into their
31:58cloud infrastructure, understand exactly what data stores do they have, what is, what is exactly
32:03the data that is in the data stores, and then what is the security posture that you need for this data,
32:08which I think is a key enabler uh for companies to be able to leverage this uh data for AI applications.
32:15I'm super excited about that. Thierry, uh, with your perspective, where would you like to find
32:21a scale-up startup um and doing something that would be unique for your cloud services? Wow, so my road map is
32:34for the next five years uh, but you're in a startup. We do partner a lot um and we do see that
32:43uh our sweet spot is really to help companies would grow into verticals with more generic platforms, right?
32:52We see two areas where, where there is an absolutely huge need which is not yet covered. One is about
33:00data and analytics. As you mentioned, volumes of data keep growing at a level which is unprecedented,
33:07but when you look a little bit deeper into it um there is no two vertical who will have exactly the same
33:15need, so you need to tailor generic analytics products to fit with their need. Now what we see more and more
33:23is that we have, we build up a generic partnership scheme so that companies who are at the center of an
33:32ecosystem and who would want to animate their ecosystem with a kind of community analytics type of product
33:39could really leverage on our generic analytics and build their health-oriented analytics or aeronautics
33:47oriented analytics, etc. And there is a big move around data spaces like that, where you need the
33:54combination of analytics, the combination of governance, and make sure you open data in a trustworthy way
34:01with a lot of management on term, in terms of governance across a community of users around one kind of
34:09leader. That is one big, big thing we're very much interested in there and we're going to push there.
34:15Another one is around AI, because yeah, LLM is a, is a buzzword of the moment, but there is more than just a
34:22buzzword to it, there is a disruption. So the key question is which type of use cases in which verticals
34:30will really leverage there to get a gap in productivity. That's why we're trying to assess with customers,
34:36because we do believe that, same thing, we can bring a set of tools and, let's say, neutral models, neutral
34:45platforms, training platforms, etc., data sets which would be qualified, curated, unbiased, etc., but then
34:53again each, each and every vertical with that will have a need for their own color, their own taste of their
35:01of their retraining model, and that will happen per community. So we're very much looking into partners
35:10will take the best of what we will deliver as a generic neutral path and build on top of that
35:18that spaces, let's say AI spaces, for their own vertical community. I, I would say this is a very nice
35:26conclusion to our panel, as this is also the synthesis of what is Viva Tech: combination of innovative
35:33companies from all over the world with women founders, I mean, I love that in cyber security, together
35:39with ambitious investors and the, the best of the world uh with company like uh OVH that can be really
35:48uh
35:49a driving force to develop that and provide even more innovation to users and safety. Thanks to all and
35:56see you soon.
36:11so
36:19you