Hillery Hunter, IBM Cloud | IBM Think 2020
>>From theCUBE studios in Palo Alto and Boston, it's theCUBE, covering IBM Think, brought to you by IBM.

>>Welcome back to our coverage of IBM Think 2020, the digital version of IBM Think. My name is Dave Vellante and you're watching theCUBE. Hillery Hunter is here. She's the vice president and CTO of IBM Cloud and also an IBM Fellow. Hillery, thanks for coming on. Good to see you.

>>Thanks so much for having me today.

>>All right, let's get really, let's get into it. We want to focus on security and compliance. It's a key, obviously a key aspect and consideration for customers. But I have to start by asking you, there's this sort of the age old conflict between being secure and then having the flexibility and agility and speed that business people need. How does IBM Cloud sort of square that circle?

>>Yeah, you know, it's, it's really interesting because cloud itself is, um, designed to deliver agility, um, and speed. And that's everything from the release cadence to being able to consume things as APIs. And so when we say cloud and security, it's about the things that we implement as a cloud provider and the services that we stand up. And all of that is API driven. Um, all of that is intended to enable, you know, data protection through APIs, intended to enable security monitoring through APIs and dashboards and other things like that. And so actually when delivered as cloud services, security functions can actually even go more quickly and can facilitate that speed and agility in and of themselves. So it's really interesting that the means of delivering cloud capabilities actually can facilitate that agility in the security area.

>>Yeah, I mean I think it's, especially in these times with COVID-19 a lot of why is that? We're talking, you were saying, Hey, yeah, we're really going harder, uh, for the cloud because the downturns have been actually pretty good for them. For the cloud.
I presume you're sort of seeing the same thing, but if you think about the cost of a breach, it's millions of millions of dollars on average. And think about the time it takes for an organization to identify when there's been an infiltration. Mmm. I know small companies like ours, we feel good that we can tap into, you know, cloud infrastructure. What are your thoughts? Oh, on sort of that whole notion cloud essentially maybe even having better security in a way, but however you define better.

>>Yeah. You know, I, I actually agree with those statements and I think it's played out in many of our client engagements. Um, because when you are talking about cloud and you're talking about security, we have the opportunity to present to you a proactive approach, right? Where we're saying, okay, leverage this type of technology in order to do your key management or data encryption. It is up by us already fully as a service. You consume it API driven. Um, and so we are able to say that this will enable you to have end to end data encryption or corruption according to some standard or key management, um, where the keys remained in your hands or you know, use these things that are security services so that there isn't, um, there doesn't have to be, um, as detailed of a conversation. Um, as you often have to have in your solution, in your own IT.

>>You can say, okay, what's the objective we're trying to get to, what is the net security and compliance posture? And we as a cloud provider can be proactive in telling you, Hey, therefore then use this combination of services and use them in this following way and that will enable you to reach those outcomes. And so moving past, um, you know, being fully self service where you have to configure hundreds and hundreds of things yourselves. To me being more prescriptive and proactive and goal oriented and outcome oriented, um, is an opportunity that we have in cloud where we're standing up capabilities.
And so we really tried to talk to clients about, okay, what's the, what are you trying to accomplish? Are you concerned about control over your IT? Are you concerned about meeting particular documentation on particular regulatory compliance? What's the point? And then how does that relate into a conversation about data compute, networking, et cetera, and then what does that matter too in terms of how you should then use certain cloud capabilities.

>>I want to follow up on that, Hillery, because I want to see if I can discern, maybe there's some difference in the way IBM approaches this. I've often said in theCUBE that bad user behavior trumps good security every time. And of course you've got multiple layers, you've got IBM securing, you know, its infrastructure and its cloud. You've got IT in whatever role there and you've got the end user now. Yeah. Somebody phishes the end user or end user admin. Okay. There are things you can do fine. Hmm. But there's also the, IT kind of in the middle you mentioned managed services is IBM's approach, you know, somewhat different

>>no

>>cloud suppliers. Maybe you could elaborate on that.

>>Yeah. So, you know, we really look to protect the services that we're standing up, whether it's infrastructure services, where it's yeah, networking, whether or not it's container service or you know, other services that we're providing. We're looking to protect it, those, you know, down to the core of what that service is and how it works and, and how it provides security and then the technologies that that service integrates into. Right? So services seamlessly integrating into bring your own key and our, um, FIPS 140-2 Level 4 based, um, keep your own key, et cetera. So, so we take other things for our clients and then in doing so, we enable end to end the client to understand both what the status of the service itself is as well as, um, you know, how they use it in order to take into account other security considerations.
>>And, and I think it is a fundamentally different, um, approach than one takes for, you know, your own IT, you're responsible end to end for everything. In this case, you know, we, uh, secure what we're doing. And then we enable through things like our Security Advisor, um, to do configurations in such that, that governed the developer behavior and ensure that overall together between us and the client, the posture, even of what the developers and such is understood and can be monitored and ensured that it is secure and compliant.

>>Okay. So I just want to take an example of that. So you are responsible for let's say, securing the object store as an example, but yet at the same time the client's IT organization policies that map to the edict of their organization. So they've got flexibility sort of a partnership. Okay. Am I understanding that correctly?

>>Yeah, absolutely. And the question is then that IT organization that's taken policies, um, we then enable our clients to use tools, everything from things that can be integrated into the DevSecOps pipeline of Red Hat, you know, and initiatives that are going on. We had CNCF and NIST and other places like that. Yeah. So how can they translate their risk and security postures into concrete tools? That's that we deliver, right? Everything from DevSecOps and OpenShift. So then tools and dashboards that we have, like Security Advisor, um, so that they can then most effectively implement the entirety of what constitutes security on in public cloud environment with confidence.

>>Yeah. So security in compliance slash privacy or sort of two sides of the same coin. So I want to understand, Oh, IBM Cloud is approaching, Oh, compliance, obviously GDPR, yeah, yeah. Whatever. They may have, I guess 2018 in terms of the fines.

>>Oh, the, the California consumer privacy act. Everybody sort of has their own little GDPR now States and regions and countries, et cetera.
How is IBM supporting clients in regard to Oh, compliance such initiatives?

>>Yeah. You know, and this is an area where, you know, again, we are working to make it as easy as possible for our clients to not only see our status on certain compliance areas, which is visible through our website on compliance, but also to achieve compliance is where there is some joint or shared responsibility. So for example, in Europe with the European Banking Authority, we have kind of an industry unique position and enabling clients to achieve, um, what is needed. And so we provide proactive, you know, guidance, um, on European Banking Authority or, uh, PCI DSS or other things like that. So we really are trying to take a very proactive approach to Mmm, uh, providing the guidance that clients need and meeting them in that journey over all.

>>We, in addition have a specific program for financial services, um, where we announced our partnership back in November with the Bank of America for financial services for a very significant control setting compliance, um, that is not just a of a bunch of little existing things, but it really is a tailored control set for the financial services industry. Um, that acknowledges the fact that, you know, getting compliance in that space can be particularly, ah, particularly challenging. So we are, are taking a very proactive approach, to helping our clients across different sectors, um, deal with those changing, you know, postures and internally as a cloud organization. Um, we are advised also by IBM Promontory, which, um, it has extensive background over 70 jurisdictions globally, changes in all these postures and in compliance and rules and such like that, that they consistently and continuously monitor. Um, and help us design the right cloud moving forward. Cause is compliance as you said is it's very much a dynamic and changing landscape.
>>You know, when you talk to chief information security officers and ask them what their biggest challenges, they'll tell you. Yeah. The lack of skills. Uh, and so they're looking to automation. It really helped close that gap. And clearly cloud is sort of all about automation. So I wonder if you could just talk a little bit about what you're seeing with regard to automation generally, but specifically how it's helping, you know, close that skills gap.

>>Yeah, you know, it, the, the, the topic of automation is so interesting when it intersects security because I really view this, um, transition to cloud and the use of cloud native and the use of containers and such actually is an opportunity again, yet again to improve security and compliance posture. Um, because cloud, um, and uh, the DevOps and CI/CD pipelines, um, and all of that of, of a cloud native build and a containerized build give you a certain opportunity both to prevent a bunch of behaviors as well as to collect certain information that may become useful later on. Um, I think actually called modernization because of the automation it brings, um, is a really, really topic for both CSOs and risk officers right now because it can not just improve the agility that you started with as a motivation to go to cloud, but it can also improve visibility into what's going on with all your workloads.

>>You know, to know that a developer used a particular library and then you see, oops, maybe there's a concern about that library and you instantly know where across the entirety of your IOT that that's been deployed. That's a tremendous amount of knowledge. Um, and you can take either, you know, immediate action on that or you can through automation push out changes and things like that. Um, we use internally as a cloud provider the best of SRE and automation practices to keep our estate patched and other things like that.
And that can also then translate into people's own workloads, which I think is a really exciting opportunity of cloud.

>>You know, we're out of time, but I want to close in asking you sort of what we should look forward to, we had a great conversation earlier, well with Jamie Thomas about, about quantum and she talked about ideas. You get that on the IBM what what should we look forward to sort of in the coming months and even years in IBM Cloud.

>>Yeah. You know, we're really excited about that agility, that cloud itself for us as a company and provides, right? Like you said with quantum, it is the place that we can bring out the latest and greatest things, um, in, you know, uh, for our clients to use and experiment with and adopt their algorithms and such juice. So you're going to continue to see us taking a very aggressive posture in turning the latest and open source and technologies into cloud delivered fully managed services. Um, and so, you know, everything from what we've done already with, um, Istio as a service and Knative as a service and quantum as a service, et cetera. Um, you'll continue to see us take that approach that, um, you know, we want to be a fresh and vital environment for developers to consume the latest and greatest that's out there. Um, but yet as an enterprise focused company and a company, you know, very much focused on security and compliance, you'll continue to see us back those things with our own efforts to secure and then enable security, um, on our environment.

>>Well, Hillery, thanks so much for coming on theCUBE. It's always great to have experts like yourself, uh, share with, uh, with our community. Appreciate it.

>>Great. Thank you so much for having me.

>>And so we're seeing cloud acceleration as a result of COVID-19, but it's always been a, a real wave for the last 10 years. We're just seeing it again, accelerate even faster. This is Dave Vellante for theCUBE.
You're watching theCUBE's continuous coverage of IBM Think, Digital Think 2020. Keep it right there, we'll be right back right after this short break.