Katya Fisher, Greenspoon Marder | Acronis Global Cyber Summit 2019
>> Narrator: From Miami Beach, Florida, it's theCUBE, covering Acronis Global Cyber Summit 2019. Brought to you by Acronis.

>> Okay, welcome back everyone. It's theCUBE's two-day coverage of Acronis' Global Cyber Summit 2019, here in Miami Beach, at the Fontainebleau Hotel. I'm John Furrier, host of theCUBE. We're with Katya Fisher, Partner Chief and Chief Privacy Officer at Greenspoon Marder. Legal advice is right here on theCUBE, ask her anything. We're going to do a session here. Thanks for coming on, appreciate it.

>> Thank you very much, I'm going to have to do the little disclaimer that all lawyers do, which is, nothing here is to be construed as advice. It's just opinions and information only.

>> I didn't mean to set you up like that. All kidding aside, you closed for the panel here for Acronis' conference. Obviously, cyber protection's their gig. Data protection, cyber protection. Makes sense, I think that category is evolving from a niche, typical enterprise niche, to a much more holistic view as data becomes, you know, critical in the security piece of it. What was on the, what were you guys talking about in the panel?

>> Well, so, the first issue that you have to understand is that cyber protection is something that has now become critical for pretty much every individual on the planet, as well as governments. So something that we talked about on the panel today was how governments are actually dealing with incoming cyber threats. Because now, they have to take a look at it from the perspective of, first of all, how they themselves are going to become technologically savvy enough to protect themselves, and to protect their data, but also, in terms of regulation and how to protect citizens. So, that was what the panel discussion was about today.

>> On the regulatory front, we've been covering on SiliconANGLE, our journalism site, the innovation balance, is regulatory action helpful or hurtful to innovation? Where is the balance?
What is the education needed? What's your thoughts on this, where are we? I mean early stages, where's the progress? What needs to get done? What's your view on the current situation?

>> So, I'm an attorney, so my views are perhaps a bit more conservative than some of the technologists you might speak with and some of my clients as well. I think that regulation is, as a general matter, it can be a good thing. And it can be quite necessary. The issues that we see right now, with regard to regulation, I think one of the hottest issues today is with respect to data laws and data privacy laws. And that's obviously something that I think everyone is familiar with. I mean take a look at, in the United States alone. We've seen the city of Baltimore dealing with breaches. We've seen other parts of the government, from the Federal level all the way down to municipalities, dealing with breaches in cyber attacks. We've seen data breaches from banks, Capital One, right? I believe Dunkin' Donuts suffered a breach. Equifax, and then at the same time we've also seen individuals up in arms over companies like 23andMe and Facebook, and how data is used and processed. So data seems to be a very very hot button issue today across the board. So something that we're really thinking about now is, first of all, with respect to the regulatory climate, how to deal with it, not only in the United States, but on a global level, because, when we talk about technology and the internet right, we're in an era of globalization. We're in an era where a lot of these things go across borders and therefore we have to be mindful of the regulatory regimes in other places. So, I'll give you an example. You might be familiar with the GDPR. So the GDPR is in the European Union. It's been in effect now for the last year and a half, but it affects all my U.S. clients.
We still have to take a look at the GDPR because at the end of the day my clients, my firm, might be dealing with foreign companies, foreign individuals, companies that have some sort of nexus in the European Union, et cetera. So because of that, even though the GDPR is a set of regulations specific to the European Union, it becomes extremely important in the context of the United States and globally. At the same time, the GDPR has certain issues that then end up conflicting often times with some of the regulations that we have here in the United States. So, for example, the right to be forgotten is perhaps the most famous clause or part of the GDPR and the right to be forgotten is this concept in the GDPR that an individual can have information erased about him or her in order to protect his or her privacy. The problem is that from a technical perspective, first of all, it's an issue because it becomes very very difficult to figure out where data is stored, if you're using third-party processors, et cetera. But from a regulatory perspective, the conflict comes in when you take a look at certain U.S. laws. So take a look for example at banking regulations in the United States. Banks have to hold some types of data for seven years and other types of data they can never delete. Right? Lawyers. I am licensed by the New York State Bar Association. Lawyers have their own rules and regulations with regard to how they store data and how they store information. HIPAA, medical records. So, you see these conflicts and there are ways to deal with them appropriately, but it becomes some food for thought.

>> So it's complicated.

>> It's really complicated.

>> There's a lot of conflicts.

>> Yeah.

>> First of all, I talked to a storage guy. He's like data? I don't even know which drive that's on. Storage is not elevated up to the level of state-of-the-art, from a tracking standpoint. So, it's just on the business logic is complicated. I can't imagine that.
So, I guess my question to you is that, are you finding that the jurisdictional issue, is it the biggest problem, in terms of crossport and the business side or is the technical underpinnings, that with GDPR's the problem or both? What's your--

>> I mean it's both, right? There are a lot of issues. You're right, it's very complicated. I mean, in the United States we don't have some sort of overarching federal law. There's no cyber protection law in the United States. There's no overarching data protection law. So, even in the U.S. alone, because of federalism, we have HIPAA and we have COPPA which protects children and we have other types of acts, but then we also have state regulations. So, in California you have the California Privacy Act. In New York you have certain regulations with regard to cyber security and you have to deal with this patchwork. So, that becomes something that adds a new layer of complexity and a new layer of issues, as we take a look, even within the U.S. alone, as to how to deal with all of this. And then we start looking at the GDPR and all of this. From a technical perspective. I'm not a technologist, but.

>> Katya, let me ask you a question on the (mumbles) and business front. (mumbles) I think one of the things. I'm saying it might or may not be an issue, but I want to get your legal weigh-in on this.

>> Katya: Sure.

>> It used to be when you started a company, you go to Delaware, very friendly, domicile in Delaware, do some formation there, whether you're a C corp or whatever, that's where we tend to go, raise some money, get some preferred stock, you're in business.

>> Is there a shift in where companies with domicile, their entity, or restructure their companies around this complexity? Because, there's two schools of thought. This brute force act, everything coming at you, or you restructure your corporate formation to handle some of the nuances, whether it's I have a Cayman or a Bermuda...
whatever's going on in the regulatory regime, whether it's innovative or not. Are people thinking like that? Or, what's your take on it? What's some of the data you're seeing from the field around, restructuring around the problem?

>> So, with respect to restructuring, specifically around data laws and data protection laws, I'm not seeing too much of that, simply because of the fact that regulations like the GDPR are just so all-encompassing. With respect to companies setting up in Delaware as opposed to other jurisdictions, those are usually based on two issues, right, two core ones, if I can condense it. One has to do with the court system and how favorable a court system is to the corporation, and the second is taxes. So, a lot of times when you see companies that are doing all of this restructuring, where they're setting up in offshore zones, or et cetera, it's usually because of some sort of a tax benefit. It might be because of the fact that, I don't know, for example, intellectual property. If you have a company that's been licensing IP to the United States, there's a 30% withholding tax when royalties are paid back overseas. So a lot of times when you're looking at an international structuring, you're trying to figure out a jurisdiction that might have a tax treaty with the United States, that will create some sort of an opportunity to get rid of that 30% withholding. So, that's where things usually come into play with regard to taxes and IP. I haven't seen yet, on the side of looking for courts that are more favorable to companies, with respect to data privacy and data protection. I just haven't seen that happen yet because I think that it's too soon.

>> How do companies defend themselves against claims that come out of these new relations? I mean GDPR, I've called it the shitstorm when it came out. I never was a big fan of it. It just didn't.
I mean, I get the concept, but I kind of understood the technical issues, but let's just say that you're a small growing business and you don't have the army of lawyers or if someone makes a claim on you, I have to defend it. How are companies defending themselves? Do they just shut down? Do they hire you guys? I mean, obviously lawyers need to be involved. But, at some point there's a line of where having a U.S. company and someone consumes my media in Germany and it says, hey I'm a German citizen. You American company, delete my records. How does that work? Do I have to be responsible for that? I mean, what's?

>> So, it's really case-by-case basis. First of all, obviously, with regard to what I was talking about earlier, with respect to the fact that there are certain regulations in the U.S. that conflict with GDPR and the right to be forgotten. If you can actually assert a defense and sort of a good reason for why you have to maintain that information, that's step one. Step two is, if it's some complaint that you received, is to delete the person's information. There's an easier way to do it.

>> Yeah, just do what they want.

>> Just comply with what they want. If somebody wants to be off of a mailing list, take them off the mailing list. The third is, putting in best practices. So, I'm sure a lot of things that people see online, it's always great to go ahead and obtain legal counsel, even if you're consulting with a lawyer just for an hour or two, just to really understand your particular situation. But, take a look at privacy policies online. Take a look at the fact that cookies now have a pop-up whenever you go to a website. I'm sure you've noticed this, right?

>> John: Yeah. So, there are little things like this. Think about the fact that there are, what is known as clickwrap agreements. So, usually you have to consent.
You have to check a box or uncheck a box with respect to reading privacy policies, being approved for having your email address and contact information somewhere. So, use some common sense.

>> So, basically don't ignore the prompt.

>> Don't ignore the problem.

>> Don't ignore it. Don't stick your head in the sand. It'll bite you.

>> Correct. And the thing is, to be honest, for most people, for most small companies, it's not that difficult to comply. When we start talking about mid-size and large businesses, the next level, the next step, obviously beyond hiring attorneys and the like, is try to comply with standards and certifications. For example, there's what is known as ISO standards. Your company can go through the ISO 27001 certification process. I think it costs around approximately $20,000. But, it's an opportunity to go ahead, go through that process, understand how compliant you are, and because you have the certification, you're then able to go to your customers and say, hey, we've been through this, we're certified.

>> Yeah. Well, I want to get, Katya, your thoughts, as we wrap up on this segment, around Crypto and Blockchain. Obviously, we're bullish on Blockchain. We think this is a supply chain. (mumbles) Blockchain can be a good force, although some think there's some work needs to be done on the whole energy side of it, which is, we would agree. But, still. I'm not going to make that be a wet blanket of excitement. But cryptocurrency has been fraudulent. It's been. The SEC's been cracking down in the U.S., in the news. Libra's falling apart, although, I called that separately, but, (laughing) it had nothing to do with that Libra. It was more of Facebook, but. Telegram. We were talking about that, others. People are getting handcuffed on this stuff. They're really kind of clamping down. But, overseas in Asia, it's still an unregulated, seems to be (mumbles) kind of market. Your advice to clients was to shy away, be careful?
>> My advice to clients is as follows. First of all, Blockchain and cryptocurrency are not the same thing. Right? Cryptocurrency is a use case coming out of Blockchain technology. I think that in the United States, the best way to think about it is to understand that the term cryptocurrency, from a regulatory perspective, is actually a misnomer. It's not a currency. It's property. Right? It's an asset. It's digital assets. So, if you think about it the same way that we think of shares in a company, it's actually much easier to become compliant, because, then you can understand that it's going to be subject to U.S. securities laws, just like other securities. It's going to be taxed, just like securities are taxed, which means that it's going to be subject to long and short-term capital gain, and it's also going to be subject to the other regulatory restrictions that are adherent to securities, both on the federal and state level.

>> It's interesting that you mentioned security. The word security. If you look back at the ICO craze, internet coin offerings, crypto offerings, whatever you call it, the people who got whacked the most were the ones that went out as utility tokens. Not to get nerdy on this, but utility and security are two types of tokens. The ones that went out and raised money as the utility token had no product, raised money using the utility that doesn't exist. That's essentially a security. And, so, no wonder why they're getting slapped.

>> They're securities. Look, Bitcoin, different story, because Bitcoin is the closest to being I guess, what we could consider to be truly decentralized, right? And the regulatory climate around Bitcoin is a little bit different from what I'm talking about, with respect to securities laws. Although, from a tax perspective, it's the same. It's taxed as property. It's not taxed the way that foreign currency is taxed. But ultimately, yeah.
You had a lot of cowboys who went out, and made a lot of money, and were just breaking the law, and now everyone is shocked when they see what's going on with this cease-and-desist order from the SEC against Telegram, and these other issues. But, none of it is particularly surprising because at the end of the day we have regulations in place, we have a regulatory regime, and most people just chose to ignore it.

>> It's interesting how fast the SEC modernized their thinking around this. They really. From a speed standpoint, all government agencies tend to be glacier speed kind of movement. They were pretty fast. I mean, they kind of huddled on this for a couple months and came out with direction. They've been proactive. I got to say. I was usually skeptical of most government organization. I don't think they well inform. In this case, I think the SEC did a good job.

>> So, I think that the issue is as follows. You know, Crypto is a very very very small portion of what the SEC deals with, so, they actually paid an inordinate amount of attention to this, and, I think that they did it for a couple of reasons. One is because, you asked me in the beginning of this interview about regulations versus innovation. And, I don't think anyone wants to stifle innovation in America. It's a very interesting technology. It's very interesting ideas, right? No one wants that to go away and no one wants people to stop experimenting and stop dreaming bigger. At the same time, the other issue that we've seen now, especially, not only with the SEC, but with the IRS now getting involved, is the fact that even though this is something very very small, they are very concerned about where the technology could go in the future. The IRS is extremely concerned about erosion of the tax base. So, because of that, it makes a lot of sense for them to pay attention to this very very early on, nip this in the bud, and help guide it back into the right direction.

>> I think that's a good balance.
Great point. Innovation doesn't want to be stifled at all, absolutely. What's new and exciting for you? Share some personal or business updates in your world. What's going on? What's getting you excited these days, in the field?

>> What's getting me excited these days? Well, I have to tell you that one thing that actually has gotten me excited these days is the fact that the Blockchain and cryptocurrency industries have grown up, substantially. And, now we're able to take a look at those industries in tandem with the tech industry at large, because they seem to sort of be going off in a different direction, and now we're taking a look at it, and now you can really see sort of where the areas that things are going to get exciting. I look at my clients and I see the things that they're doing and I'm always excited for them, and I'm always interested to see what new things that they'll innovate, because, again, I'm not a technologist. So, for me, that's a lot of fun. And, in addition to that, I think that other areas are extremely exciting as well. I'm a big fan of Acronis. I'm a big fan of cyber protection issues, data protection, data regulation. I think something that's really interesting in the world of data regulation, that actually has come out of the Blockchain community, in a way, is the notion of data as a personal right, as personal property. So, one of the big things is the idea that now that we've seen these massive data breaches with Facebook and 23andMe, and the way that big government, big companies, are using individuals' data, the idea that if data were to be personal property, it would be used very very differently. And technologists who are using Blockchain technology say that Blockchain technology might actually be able to make that happen. Because if you could have a decentralized Facebook, let's say, people could own their own data and then use that data as they want to and be compensated for it.
So, that's really interesting, right-- Yeah, but, if you're just going to use the product, they might as well own their data, right?

>> Katya: Exactly.

>> Katya, thanks for coming on theCUBE. Thanks for the insight. Great, compelling narrative. Thanks for sharing.

>> Sure, thank you very much.

>> Appreciate it. I'm John Furrier here on theCUBE, Miami Beach, at the Fontainebleau hotel for Acronis' Global Cyber Summit 2019. We'll be back with more coverage after this short break.
Ankur Shah, Palo Alto Networks & Richard Weiss, Robert Half | AWS re:Invent 2018
>> Live, from Las Vegas, it's theCUBE, covering AWS re:Invent, 2018 brought to you by Amazon Web Services, Intel, and their ecosystem partners.

>> Well, good morning. Welcome back, or good afternoon for that matter, if you're watching out on the East Coast. Good to have you here on theCUBE as we continue our coverage here in Las Vegas. We're at the Sands Expo, Hall D to be exact, one of seven sites that are hosting the AWS re:Invent. John Wallace here with Justin Warren. We're now joined by Ankur Shah, who is the vice president of Products, a public cloud security, Palo Alto Networks, and, Ankur, good to see you this morning.

>> Yeah, happy to be here.

>> Thank you for being with us. And Richard Weiss, who is the cloud security engineer, or a cloud security engineer at Robert Half. Good morning to you, Richard.

>> Good morning.

>> Well, first off, let's tell us about Robert Half. So, you're a recruiting firm in a partnership with Palo Alto, but fill in a few more blanks for folks at home who might not know exactly what you do.

>> Sure, we're a staffing and recruiting firm. We have offices worldwide. We have roughly 15,000 full-time employees. We also have many, many temporary employees, and, of course, we do recruiting. Many people I've met here at the conference, in fact, got their first job or one job in the past through Robert Half. And we also--

>> That makes you a really popular guy--

>> Yes. when the show closes.

>> And we also have Protiviti, our prestigious consulting arm.

>> Okay, so now, about your partnership. How did you find Palo Alto, or how did Palo Alto find you? And talk about maybe that relationship, how it's developed and where it stands today. What are they doing for you?

>> Sure, well, we found Palo Alto about two years ago. We're about seven years into our cloud journey, but it became very clear at a point in time that we needed to get a better handle on how we were managing and securing it.
We were doing all the right things but we didn't have the visibility we needed, so we brought in Evident to do that. Also, compliance is very important to us, and the tools allowed us to ensure that we were conforming to all of the compliance standards that we needed to.

>> So, maybe Ankur, you can get us in here. Explain how did this partnership get started?

>> Yeah, so Robert Half is kind of prototypical customer for us at Palo Alto Networks. Customers moving to cloud. AWS is obviously one of the biggest clouds, so all our customers are migrating, a lot of their, you know, shutting down their data centers, and moving the work loads and applications to the cloud, but as they move to the cloud, they want to make sure that they have the visibility and the security controls to make sure that they are not in the news. So, that's how the partnership started. A lot of customers, just like Robert Half, start with kind of, you know, I'd like to get a visibility into what's happening in my cloud environment, detect advance data breaches, like cryptojacking, stolen access keys, things of that nature, so that's how we kind of started this partnership. We've been kind of helping them kind of move more and more applications and more and more workloads in their AWS environments, and it's been a really amazing partnership. We've gotten some amazing feedback from them that has helped mature the product over the years.

>> What's one of the more surprising things that you've noticed as part of this journey? What's something that you didn't realize that this was going to be a benefit to this partnership, and then, once you actually had Palo Alto come in there, it's like, oh wow, this is amazing.

>> Well, there were a couple of things.
First off, their RQL, the RedLock Query Language, is very powerful and flexible, and lets us take our compliance and security to the next level, but was really impressed when we first started talking to RedLock and Palo Alto, even before we had purchased the product, we saw some opportunities for product improvements, suggested them, and before we purchased it, within a couple of weeks, they were there.

>> Wow.

>> Yeah.

>> That's pretty fast of all those cycles. I mean, that's what we're here for is rapid innovation. They're trying to change things at the speed of cloud. So, how do you do that safely and securely? Maybe you can tell us how does Palo Alto help do this rapid innovation but still keep everything really secure.

>> Yeah, so our DNAs, obviously, network security is where the company started. Over a year now, the company has doubled down on public cloud security, and a lot of emphasis on, sort of, securing customers' cloud environment, helping a lot of customers migrate their applications into the cloud, and from a security standpoint, we look at it from different angles. One is kind of the basic configuration management aspects, making sure that customers don't leave open S3 buckets, permissive security groups, things of that nature. Above and beyond that, we also perform network analytics, so things like cryptojacking, data exploration attempts. The platform is able to detect those kinds of advanced threats. Privileged activity monitoring, and anomaly detection is another thing we do, and last but not the least, host monitoring and host security aspects. That's something we do really, really well in the cloud as well, so when you combine all of that stuff, gives customers 360 visibility, as well as security for all things in the cloud.

>> I'm sorry. Richard, how hard is your job these days? (laughing) And I mean that with all due respect. We've talked a lot about complexity. We've talked a lot about speed.
We've talked a lot about versatility, and high demand, and all these things. Corner office is making demands on you, right? I mean, how tough is it to be in your shoes?

>> If it was easy, it wouldn't be fun. I've been working in cloud about as long as Robert Half has, about seven years, and moving into the security role, it's been an incredibly interesting challenge. Yes, it's hard. I do stay up at night on occasion worrying about, did I check this, did I check that? I'm fortunate that our management has a really good understanding of the importance of security and of cloud, and I've gotten a lot of support in my role there so, in that respect, it hasn't been too hard.

>> And where is it that security, in terms of a deployment? So, you think about function, right, right?

>> Yeah.

>> What are we going to get done here? But is it a close second, is it a tie? Because, especially in your business, I mean, you have a lot of personal information with which you're working that you've got to protect.

>> Absolutely, so, people trust us with their data. We have personal information for many, many people, and we take very seriously our responsibility to manage and protect that. One of the things that we've done with Palo Alto's tools is ensuring that we're compliant with all of the various standards like ISO 27001, and compliance is kind of like brushing your teeth, right. Everybody needs to do it, and somebody doesn't want to be friends with somebody who doesn't brush their teeth. So, we ensure that we brush our teeth using tools like Palo Alto's. We can demonstrate to people that we're brushing our teeth.

>> Right.

>> With the innovation of RedLock now, we're able to take that to the next level, so we're not only brushing our teeth now, but we're also grooming our hair.

>> You're technologically flossing as well, I'm sure.

>> We are, we are.

>> So, Ankur, I think that makes you the dentist of cloud security.
(laughing)

>> So, you've got people brushing their teeth, they're flossing. What comes next? What should they be looking at? Should they be going beyond just hygiene factors, and is there something they can do that's more than just brushing their teeth?

>> Yeah, so I touched upon some of those areas. So, I think it all starts with the basic hygiene that we've talked about it, right. So, you got to do it. That's the, kind of, the fundamental, but the next-gen attacks are not going to be very simple, right, because the cloud fundamentally increases the attack factor, right, so the malicious actor, they're smarter, right. So, like I mentioned, things like cryptojacking, stolen access keys, a lot of the next-gen breaches are going to happen in the cloud, so customers have to constantly understand the kind of AWS services that they're adopting, understand the security implications, make sure they have the security guard rails, and like I mentioned, that once they understand that, look at it more holistically, both from, sort of, the basic hygiene perspective, as well as from network security, user activity, as well as host monitoring perspective. Once they cover all of that stuff, you know, hopefully they'll have good teeth forever. (laughing)

>> Strong cloud teeth. I don't think that's a phrase I wouldn't have thought I'd say until today.

>> You know, we hear a lot about the cat and mouse game in security, right? You're trying to stay one step ahead of bad actors who are spending a lot of time, and a lot of resources, and a lot of energy to stay a step ahead of you. So, in today's world, how do you really win that battle? How do you predict where the next wrong turn is going to come, if you will, or where that invasion's going to try to occur, and prevent that, or are you in a prophylactic state all the time where it's about seeing where that action's going, and then trying to stop it once you've learned of it? See what I mean?
It's a conundrum that I think you find yourself in. >> You know, I think 90% of the problems that happen where bad actors get hold of your sensitive data is because of common, silly mistakes. So, making sure that there is a user training across the board, not just security teams. Now, DevOps teams have to be part of the equation as well. They need to be trained, and coached, and understanding the security implications of their day-to-day operations. Once you train the users, you'll find that a lot of these problems will go away because most of these actors are using simple techniques to get into the customer's cloud environment because those mistakes are being made. So, start with the user training. Obviously, you need third party tooling and technologies like Palo Alto Networks to make sure you have that security guard rails all the time. Beyond that, you know, you just have to hire a lot of smart people like Richard just to ensure that you're ahead of the game, thinking two steps in advance, yeah. >> It's about locking the door. >> Yeah. >> Yeah, and I want to touch on a couple of the things that Ankur said. He talked about building security into DevOps. So, there's this concept we call shifting left where you're trying to build security more upfront into the development and deployment process before you even get into the wild, and that's something Palo Alto is helping us with. The other thing is, we cannot hire enough people to keep up with the pace at which we're scaling our cloud environments, so we need tooling and automation like RedLock in order to ensure that we can get visibility and control on this vast set of resources with just a small number of people. >> Yeah. >> So necessity driving invention in that case, right? >> Yes. >> You need it. Well, gentlemen, thanks for the time. We appreciate the conversation. I feel like I need to go brush or floss. (laughing) >> Yeah, thanks for having us. >> Very self-conscious all of a sudden, but thank you both. 
>> Thanks for having us. >> Brilliant discussion. Back with more from AWS re:Invent. You're watching theCUBE here in Las Vegas. (energetic electronic music)