- il y a 2 jours
Up in the Cloud Combining Performance with Security
Catégorie
🤖
TechnologieTranscription
00:00OK.
00:01Hi, everyone.
00:03Welcome to our Up in the Cloud panel.
00:07I'm Romain Monbert.
00:08I will be the moderator today.
00:12And for the context, I'm a gross investor in Eurasio.
00:17Please, come.
00:18And I was super excited by the topic we're going to cover today,
00:21which is how, you know, in a new cloud environment
00:25with hybrid workload and increasing cloud workload,
00:30can we cope with increasing requirements
00:33in security and scalability?
00:35And to talk about that with me today,
00:38I'm joined by an amazing expert
00:41that will introduce themselves.
00:43And maybe, you know, starting with you, Julien.
00:48So, hello, everyone.
00:49I'm Julien Levrar.
00:50I'm the CISO of OVH Cloud,
00:53so a French cloud service provider
00:56that is operating mostly in Europe,
00:59but also in United States and America
01:02and also in Asia.
01:03So we have a global presence,
01:06but we are deeply rooted in Europe.
01:09I'm managing the security team.
01:12So my role is to ensure that the information system
01:15of OVH Cloud is secure, of course,
01:18but also that the products that we deliver
01:20and we provide to our customers meet their requirements
01:23in terms of securities
01:24and to ensure that everyone stays safe in OVH Cloud.
01:28Thank you, Julien.
01:30So Julien represents the cloud provider today.
01:33And we also have Tim with us from Fujitsu.
01:38Thank you for the invite.
01:40It's appreciated.
01:41So my name, Tim Moody.
01:42I head up the Fujitsu Uvance Hybrid IT business.
01:46We're responsible for developing global services
01:50that help our customers modernize, innovate,
01:54optimize their services and also secure them,
01:57importantly for this conversation.
01:59My biggest aim is to take every bit of the R&D dollars
02:03that we spend and make it available to every country across the globe.
02:08Thank you, Tim.
02:09And Zena with us as well.
02:12Hello, Romain.
02:12Hello, everyone.
02:13So I am Zena Zakko.
02:14I'm the global chief technology officer for cybersecurity.
02:18So my role in Eviden, which is an ATOS company focused on cloud security and AI,
02:24is to develop our cybersecurity services and product.
02:27And as you've guessed, cloud security is a core element of our strategy.
02:31Thank you, Zena.
02:32So Tim and Zena here help customers, big corporate, go to the cloud, build hybrid infrastructure,
02:41and Julien build the infrastructure himself for the cloud.
02:45So it's going to be an interesting conversation.
02:49Maybe I wanted to start by giving a couple of data points to help us frame where we are
02:56within the cloud transition.
02:57So, you know, as per last year, and even in Europe, nowadays, more than 50%,
03:05so half of the workload of companies happen in the cloud.
03:11And this continues to grow.
03:13So the traffic in terms of data and growth in cloud services
03:16has a growth pace of 20% to 30% CAGR year on year.
03:23When we look at that, 80% of the company are using more than one cloud provider.
03:31So it's also multi-cloud.
03:35And 70% of the company are hybrids.
03:39So meaning also relying on on-prem.
03:43So almost everyone is hybrid and majority of people are also the vast majority is multi-cloud.
03:52And finally, you know, if you look at the fastest software category also, cloud security is one of the fastest
04:02one as of today.
04:03So just showing that there is also a strong need coming from that and we will develop on that later.
04:09So just to set the stage and, you know, getting a bit to the back to basics,
04:17I wanted to ask Julien, you know, what exactly is changing in a cloud environment versus a non-prem
04:26from the infrastructure perspective that change the level of security required?
04:34And is this level of security and threat, is this level of threat increasing or is it just changing basically?
04:44Thank you for the question.
04:48It reminds me when I start working 20 years ago, when the cloud didn't really exist.
04:54We had a security approach that was based on building information system like Fortress.
05:02So absolutely no security within the information system and a lot of protection around
05:07and a lot of energy spent on the gateways, firewalls, VPN connectors, etc.,
05:14to ensure that only trusted people can go in the IS.
05:18So that was quite easy at this time to do security.
05:22You just have to work on these gateways and to ensure that there is no communication
05:28between your trusted environment and the untrusted world.
05:32Of course, with the cloud, this paradigm changed completely.
05:35Now you put your sensitive workload outside, in the untrusted world,
05:41and your users that you cannot really trust are within your organization.
05:49So basically, you have to change completely the mindset of protection
05:53and change all the reflex, all the way you will protect your information system,
05:59having in mind that on-prem system remains to be operated.
06:04And so we are in a hybrid and a mixed world, so you have to combine the two approaches
06:08and live in a world where the old risks still exist and there is new risks.
06:13But the new risks are not more important, they are just different.
06:16So you have to learn how to handle two types of risks at the same time
06:20and learn to move from the old world to the new one.
06:23Thank you, Julien.
06:25Maybe, Tim, could you elaborate, like we said, how the infrastructure has changed,
06:32but also how the workload has changed and how this is impacting overall the risk we see in the cloud?
06:40For sure, for sure. And just building on Julien's point, we think, you know, it's not cloud or existing data
06:50center, it's both.
06:51So our view is hybrid, multi-cloud, will be the model persisting.
06:56So being able to manage, I think, to your point, both is really important.
07:01Workloads are changing, which are changing the types of threats.
07:04So I think you mentioned the data and the proliferation of data in the use of AI services.
07:11I think there's some analyst estimates that talk to 60 to 70% of new workloads being AI related over
07:19the next two to three years.
07:20So data will become much more widespread in all of those scenarios.
07:26So focusing on protecting data from a security standpoint, absolutely critical.
07:32We'll also see when people think about cloud, we think about virtual data centers in some location.
07:41Actually, edge computing and cloud edge computing is becoming more and more relevant for many of our customers.
07:47So moving services closer to their customers and closer to sources of data and actually shifting data around the network.
07:55So being able to protect not only your legacy, but also the cloud, central core public cloud, but also edge
08:02services becomes another dimension.
08:05And I'd say lastly, building new services.
08:09So cloud native development now becoming a norm.
08:13We're seeing customers and helping organizations mature the way they develop applications.
08:20So they're building security, observability and performance into the application from the ground up with guardrails.
08:28So that would be my thing.
08:30So risk, data risk, breadth of network connectivity is getting wider, but also then how you're developing applications to have
08:39the security built in from the bottom up.
08:41Very interesting.
08:42So those new workloads around DevOps, AI, more data are also changing the workload going to the cloud.
08:52So this impacts the risk.
08:54And maybe like lastly, Zeyna, like you pointed also, you know, other type of risk and vulnerability coming to the
09:03cloud.
09:04Could you elaborate on them and notably like what's the human responsibility within those risks?
09:12Yes, of course.
09:13So Julien and Tim already established that we're dealing with a new type of environment.
09:18And the cloud environment is an environment that changes constantly, but also the cloud service provider innovate constantly
09:24and add additional new functions and features.
09:26So in the end, this environment is prone to human error.
09:30If we don't have the right skilled people or we don't provide them actually also with the right tools,
09:35they will be prone to error.
09:36And we have seen multiple times every day.
09:38Actually, you will see in the news about S3 buckets, you know, that contains very sensitive data.
09:44Like for instance, voters data at one time that has actually been leaked because this S3 buckets was not properly
09:50configured.
09:51Access right was not established.
09:53And cherry on the cake, there was no encryption.
09:55So in the end, we are facing those type of data breaches in the cloud.
10:00But there's also the cloud brings new tools that you need to use in order to create, for instance, cloud
10:05native applications.
10:07GitHub is a good example.
10:08GitHub actually is really excellent in helping with version control and with helping with software development.
10:13The problem is that when it's not properly used, then you have leakage of API keys, encryption keys, secrets.
10:21And it has been happening regularly.
10:22So there was a report two months ago, I think, by GitGuardian, who I specialize in monitoring the security of
10:28GitHub.
10:28And they noted that last year, we had over 12 million of those secrets that were leaked.
10:33And we can imagine the impact if they go in the right hands, I would say, and how this can
10:40then afterward lead to a cybersecurity incident and to an impact for organizations.
10:44But also, I think what we need to understand is that because we don't secure the cloud in the same
10:48way that we secure on-prem, we need to understand the environment.
10:51You have a lot of API interfaces.
10:53You have a lot of UI.
10:55So all of those environments, you don't secure them in the same way.
10:59And in the end, if you had some data misuse, misuse of configuration, I would say misuse or misconfiguration of
11:07access control, then it's going to lead to a data breach.
11:10And all of those things, organizations need to adapt their security strategy so that they understand how do you secure
11:16this cloud environment.
11:17Otherwise, you are prone to those type of security risks.
11:20Thank you very much.
11:21So I think it's clear from what you say, if I'm operating in a cloud environment, lots of things are
11:28changing.
11:29The infrastructure, the workload, the skill required by people.
11:34And so what it seems to me is when you speak to companies, sometimes they are not especially aware of
11:41that.
11:42Because, you know, they will come and say, yes, my cloud provider is in charge of the security.
11:50And so hence comes the question of trust and responsibility here.
11:55I mean, Julien, are you the one responsible for the security in the cloud?
11:59I mean, you're the cloud provider, right?
12:03We carry a huge responsibility.
12:07You have to understand that we are a subcontractor for a lot of customers.
12:14And each customer we host, each server we host from a customer, we appropriate the threat of our customers.
12:23So basically, we are facing, of course, our own threats, but also all the threat of all our customers that
12:30will target our infrastructure.
12:31So that's a huge responsibility that is global.
12:35So every customer of ours that is targeted by a bad guy, we are attacked for him.
12:42But we are also attacked as a cloud provider because it's fun to attack a cloud provider, because there is
12:48big resources,
12:50because you can shine, because it has a huge impact if you succeed in your attack.
12:54So we are also attacked as a cloud provider in itself.
12:59And the last part that is really important is that we host the battlefield.
13:04The battle is actually on our system, on our network.
13:08And sometimes the bad guys, the attackers, they use resources we provide to them,
13:13either because they hacked some servers that we host for our customers,
13:17either because they buy it and we don't know they are bad guys until they start to do bad guy
13:23things.
13:24So once we find them, of course, we kill them, we destroy their service.
13:28But until they start, we cannot detect them.
13:31So we have to manage the security of all these aspects at the same time.
13:36And of course, protecting our assets.
13:38So it's basically four things to do with the same tools, the same team.
13:43And so it's a big responsibility that we carry.
13:47So you bear a lot of responsibility, but do you bear all the responsibility?
13:52So maybe turning over to you, Zena, like what's the responsibility from the customer perspective
13:58and from the service implementation perspective also?
14:04Like who bears with risk within the value chain and the implementation of the cloud?
14:11So, I always like to refer to the matrix of shared responsibility for the cloud
14:17because it's actually, it clarifies everything in the end.
14:21When you talk about cloud service provider, Julien is responsible for security of the cloud.
14:27This is undeniable.
14:28Then when we talk about the customer or the service provider that is managing on behalf of the customer,
14:33the security in the cloud is the responsibility of the customer.
14:37Now, it's not that simple because afterwards it's going to depend what type of cloud are we talking about.
14:41Is it infrastructure as a service?
14:43Function as a service? Serverless?
14:45So then it depends on which type of cloud environment I'm talking about.
14:49The responsibility, the scope of responsibility and operational responsibility might vary.
14:54But always whatever type of cloud I'm talking about,
14:57the responsibility of data classification, data security falls on the customer.
15:01This is undeniable.
15:03Then you have the access control, the permission that you put on the data.
15:07It's the customer's responsibility.
15:09Again, and then afterwards it's going to depend.
15:12You know, if I'm talking about infrastructure, then the control is different.
15:15But when we talk about this matrix of shared responsibility, we really refer to it as shifting up.
15:20The more we go into those new type of cloud environment, the more you're shifting up the responsibility of the
15:26customer.
15:26But always the data and everything around data governance is something that the customer must actually take ownership of it.
15:33And the service provider in this, what is the responsibility of the service provider?
15:38When they are acting on behalf of the customer, they share this type of responsibility.
15:42They share the responsibility with the customer.
15:44Definitely.
15:45Okay.
15:45Thank you.
15:46Tim, maybe like if a threat happens, how do you, in your experience, how do you rebuild trust?
15:57Do you have to finger point?
16:00How does it work exactly?
16:02Like how do you rebuild trust with your customer when this, the bridge happens?
16:06Finger pointing never works.
16:08Never works.
16:10It's probably quite a simple answer, but assume that you are going to be attacked.
16:17And assume that you are going to have to respond to that attack.
16:20And for organizations to have prepared for that.
16:25So rehearsals, disaster recovery, escalation procedures.
16:30You know, we work with some third party organizations in the Nordics actually that help react very rapidly and to
16:39cleanse any threats from certain types of attacks.
16:43So it's quite a dull answer, I'm afraid, but just really being prepared and doing governance well, doing rehearsal well
16:51and having that response and escalation in place.
16:55And it comes back to, I think, Zaina's point about clarity of responsibility, escalation routes, whether it's providers, internal resource,
17:04cloud providers, having that really clearly defined early is absolutely critical.
17:10And surely you help with that as well with your customers to establish the roadmap.
17:15For sure. And it sounds quite doom mongering, but it's when you're going to get attacked and penetrated, not if.
17:23As soon as you put workloads into an internet facing environment, they will get attacked.
17:30So you have to secure them to Julian's point.
17:34If I may add something, you cannot evaluate a provider, a cloud provider or any other provider, by the fact
17:44that it never has incidents, security incidents, because it can be luck.
17:48But it's a really good way to evaluate your provider to check out how they manage an incident.
17:56And because if you never had an incident, you can have been lucky that it will never last.
18:02But when you demonstrate to a customer, to a partner, that when something bad happens, you are able to handle
18:09it clearly, quickly, with transparency, with honesty, and that you come back to the normality really fast and with a
18:18good transparency, you actually gain a lot of trust, much more than not having incidents, which is quite impossible actually.
18:27So, thank you very much. Now, it's more clear, you know, what are the main difference in this new hybrid
18:34world and requirement in terms of security.
18:37Now, we also have a better understanding of where the responsibility sits.
18:43Let's talk about the solution.
18:45What are the existing solutions that we have today to bring more security to the cloud?
18:54And, like, maybe, yeah, turning over to you, Zena, to get a better sense and if you can share with
18:59us an example of, you know, what are the typically solutions you implement to bring more security to when you're
19:07doing cloud implementation?
19:09Yeah, sure. So, today, when we're talking about securing the cloud, the hyperscaler, the cloud service provider, they have already
19:17native security controls.
19:18We need to leverage those native security control. I would say this is 101 cloud security.
19:23We need to start by leveraging this, making sure they are configured properly, and then making sure that they are
19:28monitored regularly.
19:33Quick example, you know, one of the most successful cyber attack on the cloud is brute force. Brute force attack,
19:39which is crazy because brute force attack means, you know, I will try to guess and guess a password and
19:44then I will be able to get in.
19:45Those are the most successful attacks. Why? Because the security policies that organizations have implemented on their classical perimeter, on
19:53the corporate perimeter, works where there.
19:55They have not been extended and implemented and we're not monitoring whether they are properly implemented on the cloud environment
20:02or even the multi-cloud, as you mentioned earlier.
20:04So, today, what organizations need to do is to be able to leverage those cloud native security control. What we
20:09do and how we help them is making sure they are properly configured and also making sure that we can
20:14fire up the security fast enough.
20:16Security is not here to hinder the performance that you expect from the cloud. So, what we do is that
20:21we make sure that we can immediately activate the security controls and make sure they are properly configured and then
20:26start monitoring as soon as the cloud migration will start on the environment.
20:30Now, also, because we mentioned the multi-cloud, today, you have tools that will help you, I would say, measure
20:36the security through one tool across all those cloud environment.
20:39They have existed at standalone, cloud security posture, KSB. Now, we're seeing the, I would say, the emergence of a
20:48new technology that's called cloud native application protection platform.
20:51It's a mouthful, it's a mouthful, so let's go with CNAP. And with CNAP, actually, you have the shift left,
20:57everything around cloud DevSecOps, it's part of the story.
21:01Then you have everything around the configuration of the cloud, the posture management, the policy management, that is part of
21:07it.
21:07And then you have the runtime, the security protection during, I would say, the lifecycle of your services on the
21:14cloud.
21:14This is very new, very nascent, which means that today, we don't have actually one vendor that covers everything that
21:21has been defined as part of CNAP.
21:23So we have multiple use cases that vendors are covering, they are improving, but the actual definition of CNAP, as
21:30Gartner has defined it,
21:31today, you don't have one vendor that covers all those use cases.
21:34What does it mean also in terms of implementing the right security control?
21:38So an organization needs to understand that today you have selected that technology, tomorrow you might change it.
21:43This is the cloud.
21:44So in terms of security, you need to make sure you have the right service provider that will help you
21:49identify the right security solutions for your environment today,
21:53and those solutions will evolve, or at least it will be under the responsibility of the service provider,
21:57to provide you with the updated type of solutions that will help you, I would say, make sure that the
22:03security posture over time is properly secured.
22:06Okay, so if I understand well, your role is also to bring some external solutions, and software vendors notably,
22:16to help protect across the value chain, for your customer, all their cloud activity.
22:24Okay, and so from your perspective, Julien, from the cloud provider perspective, do you do the same?
22:29Do you rely on third party, or do you build everything in-house?
22:34We build a lot of things.
22:37As a cloud provider, we had a scalability issue.
22:40So it means that we need to find technologies and solutions that most consumers, customers, doesn't have.
22:49When we deploy a system, it has to scale on 10,000, 40,000, 1 million instances, so it has
22:58to work at a very large level.
23:00And when you look at the solution on the market, most of the time they are not built to that
23:06kind of scale.
23:06So for a lot of solutions, we need to rebuild and to write our own piece of code to ensure
23:13that we can do those simple tasks.
23:16But of course, we use some technology from the market for some use cases, that there is technologies that are
23:24really good and that we don't want to develop,
23:26or we don't have the expertise to develop, and of course, we rely on market product.
23:30Thank you.
23:33Maybe adding to that, next question to you would be like, how does this impact performance?
23:39Like, does your performance lower the more security layer you bring on top?
23:46Yeah, actually there is, depending on the layer we are working on, there is a performance issue or a feature
23:57issue.
23:58The lower we are, the most performance issue we have, because there is a factorization.
24:03So, it means that working on an asset that is really low level will have impact on thousands of services.
24:11So, for instance, if we talk about DDoS, distributed denial of service, which is a huge risk for our customer,
24:21because our network is attacked all the time by this type of attack.
24:26We have to invent, we have to innovate, and to find solutions to be able to mitigate terabytes of traffic,
24:35and no public solutions are available for that.
24:38So, we have to build it, we have to go at processor level with FPGA card, with EI, etc.,
24:44with technology we develop to ensure that we can mitigate the risk with top experts that are able to do
24:51this.
24:52But for some use case for our customers, that is on few instances, or in some specific case,
24:59we partner with a solution provider to ensure that they can deploy, as a standard, security solution on their cloud
25:08at OVH.
25:10And of course, we don't develop all these solutions, because there will be so many to develop that we cannot,
25:16we don't have the power to do that.
25:18Okay, interesting. So, the cloud provider work also with other technology providers.
25:26And, you know, so it seems that this impact, like, those additional layers of security can impact performance.
25:36Maybe, Tim, like, could you give us your sense of that, like, should we expect that the more security you
25:44bring to the cloud,
25:44from the lower performance we have, or can we find ways to combine both, actually, performance and security?
25:53It's not a simple answer, but I think in the context, we need to sort of remember that the context
26:01of the cloud is about providing placement for customer workloads,
26:06organizational workloads that are near their customers.
26:10So, there is an intrinsic, should be an intrinsic value in placing workloads near to customers, data near to customers
26:18that allows them to access it more effectively.
26:21But I think there is an overhead if you are layering controls on top of workloads generally.
26:31That said, we're seeing more of the organizations we work with and we're helping them look at that end-to
26:39-end performance.
26:40So, it's not specifically a security discipline, but observability tools that provide application mapping, application management, performance management from end
26:52-to-end,
26:52are allowing customers and organizations to be able to spot the hotspots and then make configuration changes to optimize.
26:59So, I think there are technologies out there that allow you to map that across both cloud and traditional infrastructures,
27:09would be what I'd say.
27:10So, if it's well set up, you should be able to combine security and scalability with the basis that you
27:18bring also the data closer to you.
27:20Yeah.
27:20And you build like an infrastructure that allows for both, actually.
27:24And, you know, cloud infrastructure is by definition intrinsically scalable.
27:29Yeah.
27:29So, it can also be a case of how much do you want to pay for that performance is the
27:33other side of it as well.
27:34Yeah.
27:35No, it's an interesting topic and a good segue what you're saying about, you know, having the workloads close to
27:44where you are,
27:45you know, to switch over to the sovereignty and, you know, Europe, obviously, has been lagging a bit behind the
27:56US,
27:56even though we have OVH here represented by Julien, but in building those cloud hyperscalers.
28:04Julien, what's your perspective on the place of Europe within building a sovereign cloud?
28:15We often hear that the battle of cloud is lost for Europe, the American companies won the battle, etc., etc.,
28:29and we just have to accept that as a fact and use American services for everything.
28:36And, of course, I disagree. I wouldn't work at OVH Club if I agree with that.
28:43But I will provide some reason why I disagree.
28:49There is a very important thing in technology, is that when it becomes mainstream, when it becomes a standard, it
29:00has to be open.
29:01You have to develop a community, you have to open source a lot of it, and so it means that
29:06when a technology becomes mainstream,
29:08the entry cost to use this technology and to develop it at scale on your side are getting really low
29:16compared to the first ones that developed it.
29:18So, of course, I would love to have in Europe innovators that are the first ones to invent technology and
29:25that the American copy us.
29:27That would be fantastic. But otherwise, there is very, very good technologies that have been invented in the United States,
29:36like S3, for instance, like Kubernetes, that we can use because the community is really wide, because all the technology
29:44is available open source or closed source with product from editors.
29:49And we can develop solutions that are adapted to local markets. And actually, we have a lot of requirements in
29:57Europe.
29:58We want to protect the data of our citizens. We want to protect the competition between our companies. We have
30:06an ethic when doing business that is not exactly the same as the one in the US.
30:11And we have the ability to inject those requirements into the business in Europe and say, let's adapt the technologies
30:18that show that they are the standard and that they bring a lot of value to the market and adapt
30:25them locally to what is expected by the European market.
30:29And actually, in China, they do that and they do that pretty well with other values. But it's working pretty
30:36well. They use OpenStack, they use Instance, they use object storage.
30:40We have their own values that we don't share for most of them. But it's something that is possible to
30:46adapt the technology locally to the culture and to the value of the local market.
30:50And we should push more in Europe and stop this loser mindset saying that the battle is lost. No, it's
30:57not lost. Now it's time to adapt this technology to the local needs.
31:01Thank you, Julien, to bring us hope in our capability to build an hyperscaler here in Europe. I like the
31:10part that you mentioned around how, you know, they do it in China.
31:15Maybe Tim would be curious because you work a lot with Japan, with Fujitsu. Do you see like a difference
31:24with the way things are done in Japan with regard to sovereignty and, you know, things we could get inspiration
31:29from and bring here to Europe, including the UK, because Tim is from the UK.
31:34So you asked me to speak about European sovereignty, kidding, but obviously we include our friends.
31:41I will wish I was properly European like I used to be. So I think it's probably helpful to break
31:49down data sovereignty a little bit and the services.
31:53So data sovereignty, I don't think, has a great single definition would be the first thing.
31:58So agreeing on what you want to be sovereign is quite important. So typically that's in three areas.
32:06So there's data and access to data and the and the legal and regulatory controls on that data.
32:14So not not being applied to overseas jurisdictions technical.
32:20So what services are available? How quickly they're being developed and then operationally who has hands on on those controls?
32:28And typically those three dimensions vary depending on which model you're you're looking at.
32:34The hyperscalers have some data data sovereignty solutions which are extensions of their standard cloud services,
32:41build them for defense in many country countries already which are isolated through a number of those dimensions.
32:50Within Fujitsu, we will partner with a number of software providers.
32:54So SAP and Oracle just recently announced a partnership with Oracle to take some of their core technology and provide
33:04a local instance in Japan,
33:05which is our biggest market in our headquarters.
33:08So providing Oracle Alloy, which is bringing together a local trusted market provider like Fujitsu
33:14and delivering the Oracle Alloy services on top of that.
33:18And similarly for SAP, SAP rise, we have a similar agreement to deliver that in region.
33:24So I think there's the local cloud provider that Julian talks about.
33:28There's the hyperscaler, but there is also a middle ground for specific services within a jurisdiction that combine that software
33:36provider updated services,
33:39but also are being managed by a local provider.
33:42So I think there's a number of different models that we need to probably pick apart.
33:46Thank you.
33:48I just wanted to add a couple of points, you know, because when you talk about sovereignty, there are different
33:53definitions of sovereignty.
33:54As Tim and Julian said, we have the certified sovereign cloud.
34:00For instance, in France, you have a certification called Secnum Cloud.
34:03And this is when you're going to the certified cloud.
34:05But however, there is a controlled cloud approach that is adding a layer of trust in your cloud environment.
34:11And there is being able to help organizations understand the regulatory frameworks that actually impact the data.
34:17Most time when we talk with critical national infrastructure, operators of essential services, they believe that certain applications cannot be
34:24on any cloud, you know.
34:26And then when you start the discussion and you run this sovereign risk assessment to be able to understand what
34:31is the data that is used in those applications,
34:33what are the interdependencies on those applications, then you can help organizations understand which application should be on a certified
34:41cloud,
34:41because it's highly regulated, which application can be on the cloud, but with a clear layer of trust added on
34:48top of it,
34:49whether in terms of access control, whether in terms of encryption.
34:53And Tim mentioned this technological sovereignty.
34:56And technological sovereignty, sometimes you have to use a technology, when I'm talking about encryption,
35:01that is certified by the national security authority.
35:05We have those type of requirements in Europe, in different European countries.
35:09So all of those, you need to take them into consideration to make sure that your journey to the cloud
35:13is possible, it's feasible,
35:15as aligned with this regulatory framework that will impact the organization per se in terms of their adoption for the
35:23cloud.
35:23But many times organizations believe the cloud is something that I cannot go there,
35:27because I'm an operator of essential services or critical national infrastructure.
35:31And when you do this risk-based analysis, sovereign risk-based analysis,
35:35you can identify how they can still leverage the agility of the cloud, the scalability of the cloud,
35:41by being still aligned with the regulation.
35:44Do you see many cloud providers, European ones, able to offer this secure sovereign cloud?
35:53Yes, actually, this is what we have it, as we already proposed there, but also we have partnership, you know,
36:02between service provider and cloud provider in order to bring this package approach around sovereignty,
36:08so that you can help organizations choose which cloud provider fits the need,
36:13depending again about the data that we're talking about.
36:16Because in the end, it all goes back to the data and the regulatory frameworks that impact this data.
36:22Do you think maybe that we have the talent in Europe sufficient to, you know, build our own also cloud
36:29infrastructure?
36:31This is undeniable, I think.
36:34And even in terms of the innovation cycle in security and security for the cloud,
36:39we have amazing European companies today.
36:42Now, they are not good in the marketing front.
36:44You might not hear of them as you hear of other companies from other countries,
36:48but we have, you know, these ecosystems of innovation in Europe,
36:52and they are doing completely disruptive innovation.
36:54For instance, today, you have privacy-enhancing computation,
36:57which is about how can you put the data in the cloud,
37:01never expose the data in a way the data is actually encrypted throughout its lifecycle.
37:05You never operate on the data, and then you'll be able to use this data.
37:09So it's not science fiction. It's really the case today.
37:13And we have a lot of European companies that are working on those homomorphic encryption,
37:19differential computing, and what have you that are coming with those type of innovation
37:22that will help further increase the adoption of the cloud
37:26while still being compliant with regulation and the security.
37:29So we have the talent in terms of the ISVs, in terms of those innovative startups,
37:34and we have the talent in terms of operating the cloud
37:37and in terms of, you know, running security operation centers
37:40in order to analyze and understand the threats that fall on the cloud
37:43and understand what are the techniques, the procedures.
37:46The TTP is used by, and the IOC is used by the cyber criminals
37:49and properly secure the cloud environment with European talent.
37:53Thank you, Zena, because for me as an investor, it's a message of hope.
37:58And it's true that we've been investing quite a bit already into companies
38:03within the space, software provider, data security in the cloud.
38:08And we continue to see more and more emerge, whereas before it was really US companies
38:15and now we see a lot of them flourishing here in the ground.
38:19So I think we can be hopeful.
38:21But maybe one message is that we need to support those organizations, you know?
38:26So we need to invest in those organizations, but also we need to subscribe to their services,
38:31to those innovative European startups.
38:33So I think this is important because this is how, you know, we bring more talent
38:36and we create this...
38:38We will do the investment and you do the implementation and the partnership.
38:44Let's do that. It's a deal.
38:46Maybe last topic I wanted to quickly touch upon is that, you know, with increasing cloud, increasing security,
38:56there is also an AI, there is also an increasing consumption of electricity impact on the environment.
39:04I know that Zena, you worked notably on the topic. Do you have a few words you could tell us
39:10about that?
39:11Yeah, actually, we were one of the first to create a security service that has a net zero carbon footprint.
39:18And it was almost four years ago. So our objective was to create a managed detection and response service that
39:25is cloud native.
39:27And that we have the lowest footprint possible and then we reach the net zero.
39:31To do that, you need first to select the right partner.
39:34You need to select the right cloud provider who went into this journey as well,
39:38because this is where your data will be hosted.
39:41And you need to take into consideration not only the journey that this cloud service provider is taking,
39:47but also where you're going to put this data, which platform, which region are you going to use?
39:52Because, for instance, when you're using the cloud environments in Europe, we have a lot of renewable energy.
39:57So the carbon footprint is less versus I will power up a platform in another country, for instance.
40:03I can give India just because it's a carbon energy company. So there the carbon footprint will be high.
40:09So you need to take those into consideration when building the design.
40:13And we actually use like a concept, which is a framework for us of architectural eco design.
40:18So that also when I'm building the solution, I will not move data a lot because when you move data,
40:23you are consuming energy.
40:25I will make sure I'm not also storing a lot of data, the necessary data.
40:29Not duplication.
40:30Exactly. Not a lot of duplication. Even the security operation center, you know, the people that are monitoring the data
40:35because this is part of the entire servers.
40:37So all of those, you need to integrate them into your analysis.
40:41When we did it, we had really a very small remaining carbon footprint that we offset it.
40:48And it was nothing, you know, it was less than 10K.
40:51So this is a good example.
40:53But just for the story, when we did it, we talked with analysts about this.
40:57We were very proud of the job that we did. The first reaction of the analysts was SISO don't care.
41:03SISO cares and the board care and the procurement care because every organization has a net zero journey.
41:10And in the end, when they see that they can subscribe to security services, that is actually a net zero
41:15in terms of carbon footprint.
41:17Of course, they're going to tear. Now, two years later, they change their opinion.
41:20But the first time, yeah, you had people that believe it doesn't bring any value.
41:25Maybe to finish, Julien, Tim, do you see that's also a topic that's coming up like ESG and environmental impact?
41:34At OVH Club, we have been very, very ecologic for a very long time for bad reason, which was the
41:43cost.
41:43When you consume less energy, it costs less money and you make a major margin.
41:49But for the last few years, it has become a pure objective in itself to be carbon neutral, to be
41:57eco-friendly and to provide a cloud that is very healthy for the planet.
42:04But we actually, today, we work a lot, not only on reducing our footprint, but also to provide the data
42:13to our customer so they can measure exactly what is the consumption.
42:17And so they can manage using the cloud what is the carbon footprint and be sure they can optimize it
42:24in their usage, which is a key for everyone.
42:28Tim, Fender World?
42:29Really quick. Minus 19 seconds, I reckon.
42:33So Fujitsu, I'm delighted I had a reporting on this to one of our analyst partners.
42:39We've had 35 years plus of doing a sustainability report at a corporate level.
42:45So it's really in our DNA.
42:47I think, as Zaini said, embedding sustainability into the way that customers operate their environment as they assess that as
42:56a standard part, whether it's what they do, whether it's cost.
42:59Whether it's performance, sustainability, build that in as a core part.
43:03I think the other bit just to build on the discussion we've had around multiple cloud providers.
43:08The complexity isn't getting the data out of the cloud providers.
43:12All of them report slightly differently.
43:14So being able to consolidate that into something that organizations can use and consume is really, really important.
43:21Thank you so much to this amazing panel.
43:24I think we live with more hope that we can have a cloud that can be sovereign and European, that
43:30can be secured and can be environmental friendly.
43:34Sorry, sorry.
43:35So thanks so much for your time.
43:37Thanks everyone for your attention.
43:39Thank you.
Commentaires