>>LA Las Vegas. It's the cube covering AWS reinvent 2019 brought to you by Amazon web services and along with its ecosystem partners. >>It is so good to have you here on the cube. Once again as we kick off our coverage here live in Las Vegas at AWS, reinvent 2019 along with my a trusty sidekick, Justin Warren, John Walls here. I can't believe they put us back together again so I can't, I feel like I need a cake that actually I would be the trustee sidekick because you know he carries the water and I can wear this band. Andy Miller is going to wear the expert hat in this interview. He's the director of global public cloud at Sofo. So then you're good to see you. Thanks for joining us here on the cube. >>Thank you. It's great to be here. We're excited to be part of re-invent as a, I think this is our eighth year in a row of being part of the show and excited to be here on the cube. I uh, come bearing a couple of gifts. >>Do this every time I visited on the queue here. What do we have here at Sophos? Socks for ya. Soft Sofo songs. I love that look. That's very nice. Yeah. It's something we came up with a few years ago as part of the promotion for SIS admins day and it was so popular, it's never gone away after you're fired. You're hearing the cloud security, the security for the feet. Yes. Is what we have here. So, so your, your security, right. And it's all about the cloud these days. You just came out fairly recently with a, uh, a 2020 threat report. So once you give us kind of the high level and then we'll dig down a little deeper into that, but maybe the key takeaways from that report. >>Yeah, we, uh, we looked at a lot of different things, uh, in the threat report basically. Um, we do this every year, kind of look at trends in what we're seeing and so forth. And we saw a lot of interesting developments around ransomware, both in the cloud and in an on prem environments. But in the cloud, what we really saw was, you know, a continuation of the prevalence of, uh, the bad guys going after those assets, right? They know that there are some very large companies moving some very important data sets into the cloud and as such, they want to make sure that they can get at them as quickly as possible. So we see a very, uh, very, uh, prevalent and constant attack against, uh, those particular assets looking for data that they can steal. It seems that the, the bad act is here I just becoming more sophisticated every day and that they understand how to do cloud infrastructure really quite well. >>Are there specific things that are special to the cloud that are different from what you would have with an onsite environment that requires a different approach? Yeah, certainly when you move to the cloud, one of the things that's really important, and there was a talk about this in the keynote this morning, it's important to this idea of transformation rather than just transition. And the same is true with your security. You should use solutions that are specifically addressed and built for the cloud and that have very tight with a provider like AWS for instance. So it's important that those products integrate with the tools that are available to you through the provider as well as are again, specifically built for those solutions and can scale and move and so forth at the speed of the cloud. >>That seems like a no brainer, right? I mean that seems logical, but you're saying that that's not automatic, that there are those who are trying to cut on retrofit, if you will, a solutions that they've employed before that didn't go to work. >>Yeah. You know, for customers it's a challenge because oftentimes their journey to the cloud starts with a Andy Jassy referred to it today as toe dipping, and that is a very common way that people start in the cloud. And when you start out anything where you're just kind of dipping your toe in the water and then it gets a little further in and a little further in, that's an entire entirely different experience. Then we're not in the cloud and we're going to plan and plan our journey and go into the cloud. With a plan in place, you tend to evolve as you go. The other thing for customers is they may have security technologies that they've used for a long time that they're comfortable with and we all want to maintain a level of comfort, right? And so there are a lot of times you'll see them trying to see old a square peg round hole analogy, right? Trying to bang those technologies into the cloud even though they may not work really well for cloud deployment. >>Yeah, I mean it's a hard problem as well because security is such a difficult thing to solve. Even just all inside that if you add in the newness of cloud on top of that and then have to change the way that you address security, that that just adds a whole bunch of extra complexity into that. So what are some of the things that sofa is doing to help customers as they transition from, this is how you've done stuff in the past. This is how you're going to have to do things in the cloud. How are you helping customers to actually learn about what they need to do as they start to experiment with the way that they're using the cloud? >>Yeah. One of the first things, you know, we have a product that we introduced in April called Sophos cloud optics and one of the biggest challenges for customers as they move to cloud is maintaining visibility and control over their workloads. Uh, cloud deployments are very different in that a lot of times you have a development community that may not be as wired as tight with wired is tight with security as you'd like. And a lot of different people who are having input into deployments and changes to workloads. That's a different scenario a lot of times than on-prem. And so it creates situations where you may have new workloads introduced to the cloud or changes to workloads that happen on a constant and continuous basis. And customers need to be able to track that. And that's what Sophos cloud optics was designed to do, was to give them an idea of exactly what they will have running in the cloud at any time. And also what state of configuration that particular asset happens to be. >>I don't, I know one trend is actually tried to move that it's called shift left, which is to provide that visibility up, the stack of it towards the developers so that they can actually respond to what's happening in production or just to understand the security environment a bit better and then push that model, enable them to be able to make good and, and that stuff security being the, you know, the division of no way. You can't do anything at all, which business doesn't lie. The whole point of going to cloud is we want to go faster. We want to be able to do this with a more agile fashion. So it sounds like this is actually just providing that, that intelligence so that you can make those better decisions. >>Absolutely. In fact, a big part of the product is our infrastructures, a code scanning, uh, where we can scan a formation templates. Actually in the repositories before they're published and let the developers know, Hey, okay, you made some great changes to that, to that infrastructure. But in the process of doing that, you actually configure this out of out of the, uh, out of, uh, compliance with the policy that we have internally. So you need to make this change before you ever do it and really make that actually part of the dev ops loop so that, like you say, the department of no doesn't have to be, you know, big brother or daddy coming over the top and, and hammering on them, but instead making it part of their workflow and, um, and really buying, bringing them and buying them into the security process rather than just, you know, coming along behind. >>Yeah. I mean, this is on a bigger picture level. Um, there is some owners on the customer still, right? I mean, like, they can't just look at Sofo say, please take care of all my concerns and all my problems and, and button me up and let me focus. There is still some burden on their backs. Right. >>Absolutely. And, and, or ignore the provider. Right. And so it's, it's been an interesting journey. Um, when we first moved our, uh, our central platform and built our central platform into the cloud, um, in AWS cloud, there was a lot of resistance. I am not going to move security into cloud. This was a number of years ago. And now people sort of inherently trust cloud maybe a little too much in that they don't realize that while the AWS platform is very secure, what you put into the cloud is your responsibility and you need to apply all the controls that you would on prem to those workloads. And customers I think sometimes are a little bit confused about where does their responsibility lie versus what the vendor takes. And in this case, AWS takes care of, um, and what they need, what part they need to play in that. >>Yeah. And in their defense, some of the tools in cloud have kind of not really been there, but we had the announcement this morning where a Amazon announced all this S three access points. Yup. Which provides a, a bit of a, a better control mechanism for controlling S three bucket access, which is notorious for people leaving, you know, open buckets just sitting there on the internet and someone comes along and they suddenly, they have all of your data and that's, it's really easy with cloud to do that. Uh, so it's good to see those sorts of developments come along and, and we're, we're seeing more tooling being provided to customers that then helps them to make that kind of decision. That way they can take more responsibility. Otherwise it's like, well, you know, you want me to take more responsibility, but I, I kind of, how do I do it? >>Yeah, yeah. And, and it's important for us as well, and this is one of the things we, uh, we integrate with a number of services and you'll hear it first here on the cube. We're gonna announce a little later today. Um, some new additions to the optics platform, including integrations with things like Amazon detective. We have some new integrations in the AWS platform with our UTM offering as well. Um, so we continue to add those in, use those tools because essentially things like integrating with the, um, with the identity access management solution that Amazon's just announced that gives us information that we can use to populate along with all the other data that we gather in order to help keep customers secure. But we're really glad to see the, the, the new offering around S three buckets. Cause obviously that is a, uh, that is a very low hanging fruit for us. As you might say, it's not really difficult to detect, but it's been a huge problem for customers cause it's so easy to make that change to that control and cause a lot of damage with just a very small change that a perfectly well-meaning employee made and, and just made a mistake. So why, why is optics >>spend the home run for you? I mean, what, what, what gap did it feel? What service did it provide that, that um, I mean I know you always hope what you, >>we're all at works, but this has been, like I said, it's been a home, huh? Yeah. I, I think the biggest thing has been really helping customers to get their arms around what their cloud deployment looks like and what state it's in. So, you know, one of the things I frequently would, uh, would talk to customers when we first came out with the product was I would say, take out your cloud bill and if you can tell me every workload that is running on that cloud bell and who owns it and who's responsible for maintaining the security port or a profile of that, then we have nothing more to talk about. But the reality was, no one could. My own team, when we first got the optics product, we have our own really a playground environment for our security architects on our team to try out different things in AWS and so forth. We didn't even know everything that was running in the cloud belly. It turned out that we actually found some things that were running that were workloads that were fired up by employees that hadn't been with the company for two or more years and didn't even realize it and traced it back and were able to get rid of those and, and you know, essentially create a situation where we obviously spend less, but also that we don't have assets running that we're not aware of. Which is obviously a glaring hole for someone to take advantage of. >>Yeah, I mean there's lots of technology and advances coming out and there's a particularly advances in machine learning, for example, that that has a lot of promise for doing this, but yet a lot of the solution is security. It does seem to be just doing the basics and that just for a bit of discipline from customers, are they a customers really prepared to have that level of discipline and and take that responsibility to just do the hard work? >>I think to varying degrees. I think one of the things is you want to make it as easy for customers as humanly possible. You do not want to interrupt their flow of business for sure, but you also want to, you know, you want to make it so that they can implement the security controls that they need without as much with as little effort as humanly possible. And that's always been a big mantra for Sophos. We security made simple has been our, our tagline for, I dunno, four or five years and it's always been a guiding principle of the company because we feel like, you know, complex security is security that won't be implemented and not on a continuous basis for sure. We let off with ransomware and, and kind of left from there. I just want to get back to that if we can to close up. >>Is it, um, are there unique aspects to it in a cloud environment that, that create different kinds of complexity? So obviously this is not a new phenomenon, it's been around, right? But, but going into the shared source, the shared resource of what kind of difficulties does that bring and then what are you seeing that unique that you think you've really got are gonna need to ramp up your game to attack down the road? So I think there were some new, there were some new, uh, some changes to how people go about ransomware that are not unique to the cloud, that are the same across what is probably unique to the cloud is the prevalence at which people are constantly, the bad actors are constantly scanning it. So you talked earlier about, uh, their sophistication, their level of automation frankly is impressive. So we deployed earlier this year, we deployed in a a steady, uh, 10 workloads around the world. >>And in 10 different of AWS is most popular data centers. And what we found is, is I believe the first, uh, attempt to compromise happen in 52 seconds. The longest one was about 15 minutes. And then even more scary than that was the fact that once a, a server was, uh, discovered on the cloud, there was an on average and attempt every 13 seconds to compromise that it ended up totaling over 5 million in a 30 day period on 10 workloads. So the bad guys are out there, they're busy, they have an impressive level level of automation and a, I think they realize that the cloud is as good at target as any, but certainly going out at hard hardcore for sure. For sure. Well, Andy, thanks for the time. Uh, good to see you. And uh, more importantly, thanks for the socks now, right? Yes, exactly. Some more for the rest of the week. Let me know. We'll do. Thank you. Thank you. Thank you. Back with more coverage here live where AWS reinvent 20, 19, and you're watching this here on the queue.

>> Live, from Boston, Massachusetts, it's theCUBE. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. >> Hello everyone, welcome back to theCUBE's live coverage in Boston, Massachusetts, here for two days, AWS Amazon Web Services re:Inforce, their inaugural conference around security. I'm John Furrier, Dave Vellante, our next guest Andy Miller. Senior director, global public cloud at Sophos. Based out of the UK and here in Burlington, Massachusetts. Welcome to theCUBE. >> Thank you. >> Looking good, love that jacket, nice color on you! (all laughing) >> I got the memo. >> You got the memo! >> Blue jacket! >> Thanks for having me, it's great to be here. It's great to be a part of AWS's first security event, security focused event, not by coincidence, happening right here where our US headquarters is. We're very excited to be a part of it. Wanted to share with you guys, I brought you a little gift. Socks are definitely a part of our-- >> Thank you, love the socks. >> Okay, I'm wearing them tomorrow. So we'll do a little close up on that. >> They're mostly clean. >> Thank you very much. Stu Miniman will love this, he loves socks. He'll replace his Star Wars socks with those. >> Thank you, Andy. >> Andy, thanks, so I want to get your impression of the show, obviously, inaugural event. And it's interesting, you look at Amazon, we've been covering Amazon for eight years with theCUBE, prior to that, just as a company, love the company, obviously, the success of cloud is a no-brainer. But re:Invent is their name of their global conference on the commercial side, for all their customers. And everything else they call summits. This is not a summit, this is not an Amazon Web Services summit, this is a branded event with the word re, not invent, but re:Inforce so gives that call out. Good call on their front? Is it needed? Why is this show so important, what's your opinion on that? >> I think it absolutely is, it's very helpful to customers to help them to understand their responsibilities when it comes to security in the cloud. And just like re:Invent was essentially reinventing the network into a digital environment, this is reinforcing their environment and understanding what their responsibilities are, where the cloud provider's very secure infrastructure ends and where their responsibilities with applications and data that resides in the cloud starts. >> What does your data show in terms of the evolving threat landscape? I mean, there's one school of thought that says okay, security in the cloud, actually, well it was a concern early on, people say oh it's better. That maybe raises the bar and lowers the ROI for the bad guys, but what are you seeing? But at the same time it's more global and distributed which opens up holes. What are your guys seeing? >> So, what we're seeing is that, the cloud's interesting in that there's not necessarily anything that is new or unique from an attack perspective. It's more of an attack surface perspective. And what I mean by that is is that, with an on premise environment, sometimes controls are very easy to place around new instances, new workloads being stood up, a change control process that is very controlled, key carded data centers and so forth. Cloud accounts operate very differently and one of the things that makes the cloud great is the speed at which you can go to market and stand up new resources, that also creates challenges for customers when it comes to visibility and securing those assets. >> Yeah, I mean the guy from Liberty Mutual today in the keynote, said his number one challenge is just keeping up with Amazon, the pace of change, you're seeing that in your client base? And how are they dealing with it? >> Absolutely, one of the conversations that I frequently have with customers when it comes to the visibility and keeping up with angle is, I frequently will say to customers, pull out your cloud bill, if you are aware of and know everything that is on that bill and where it came from, frankly I'd be very surprised. A lot of them struggle with that, with being able to keep up with that. And it's again a double edged sword, it's great as far as a business standpoint and being able to extend your business globally within minutes, but it's also a challenge for them from a security standpoint. >> And you talk about the challenges that businesses are up against when it comes to cloud security because on premises has decades of experiences dealing with security, the old days of perimeter based security, some still do that. Now the perimeter's pretty much gone away with cloud, cloud native has a different approach. So there seems to be a lot of questions around what to do, what are those challenges in cloud security specifically, that businesses face? >> So, you hit the first one, right? The first one is this concept of I build a castle and put a big wall around it and a moat around it, no longer exists, right? The perimeter is a memory. Another one is, as I mentioned before, the speed at which resources are added to the cloud, that's difficult for customers 'cause you can't see it, you can't secure it, right? If you don't know it exists. And then the third thing is really being able to understand how you make security happen within the cloud because those tools that you used on premise and in your own perimeter, don't necessarily exactly translate to the cloud. And it's important to have solutions that are designed for that and that not only work and operate well within the cloud but also don't take away the benefits of the cloud. If you have a solution that's going to slow you down or make it where you can't innovate at the speed of the cloud, you might as well keep it on prem, you're taking away all the benefit of the cloud. >> So, are you finding, a lot of times, the early cloud days with a lot of so called crapplications, just going to the cloud, okay. So maybe not as much credit card information, so maybe it's not as valuable, but are you seeing, people hitting the cloud more today than, say, certain on prem environments? Is it escalating, what does your data show? >> So, there was a study done not too long ago that showed past and projected cloud growth from 2017 to 2022. And what was interesting was the cloud services revenue growth was expected to grow by double, the cloud security spending was expected to grow by more than three times. And we think that was in large part of customers understanding their responsibilities in the shared security model, but also a product of exactly what you say, crapplications, right? One of our first customers that I think of was a convenience store chain, the very first things they moved, store locator and nutritional information applications. If something went wrong with those, yes, it's not great for your business if they can't find your store, but it's not credit card data, it's not personal information so on and so forth. As businesses start moving really key to the business applications, ERP systems, things like that, with real data that's at risk, that's where their focus on security is real strong. >> So there's a lot of confusion out there. And as I walk around the show floor here, I see, we secure the cloud, we the secure the cloud, no we secure the cloud! And I hear from Amazon we have a shared responsibility model, we secure the infrastructure, a lot of customers think, hey, Amazon has great security, so does Google, so does Microsoft, I'll put it in the cloud, I'll be good to go. Help us clear up some of that confusion, what's your point of view on that? >> Yeah, I think that when you look at it, customers were at one point extremely afraid of the cloud. And the cloud providers themselves did a great job of talking about why you could trust their infrastructure. In the process, I think customers have a difficult time understanding where their responsibility begins. And what we always like to say is, the cloud provider's responsible for the security of the cloud, you, Mr. Customer, are responsible for the security in the cloud. And the reason that's important is, the fact is the cloud providers could potentially provide the security in the cloud, but the measure of control that they would have over the applications that you build, the applications that you deploy, who you give access to and what you allow them to do would be so great, I don't think it would be a really positive experience for customers. >> Too many permutations. Just 'cause, criticism early on in cloud security wasn't that the security was bad, it was that, I couldn't enforce the edicts of my organization, there weren't enough features and now today, it's like you're drinking from this fire hose of features. So is that really the issue? It's up to you to figure out what works for your organization and then apply it. We heard today, you've got to opt in for things like encryption. Make sure you opt in to each availability zone. So that's a individual customer choice. Amazon provides the tools, okay, but then where do you pick up? Where does Sophos pick up? >> So, that's a great segue, so, as an example, our new Sophos Cloud Optics product does a great job with that, for instance uses the AWS CIS benchmarks. And that is a heavy heavy document that may be difficult for a customer to ingest, but we can run it against all of your workloads, your S3 buckets and see that you're in compliance with that CIS benchmark policy. That's a great place to start. Maybe you have some compliance regulations that you have to follow that have a security component to it such as BCI for example. And they would lead you towards things like identity and access management, they would lead you towards, am I following a good password policy? A good updating policy, am I sure that my S3 buckets are encrypted and not accessible to the internet without some sort of protection in place? All those things. >> The evolving cloud security landscape's changing on the threats side. You've got now detection, alerts, all these things are going on. You guys have some data on the cyber criminal activity. Up, down, is it more complex, harder to crack? Is there people cracking it? Certainly we know people are always trying, you can attack anything, we've seen foreign states enabling these groups out there, you've seen all kinds of cyber criminals, what's the data showing? >> So, the data shows, I think the most compelling thing. We did a study that we commissioned earlier this year where we placed workloads in 10 of AWS's most popular data centers around the world. And what we saw was, the first attempt to compromise one of those assets took all of 52 seconds. 52 seconds after we launched it there was an attempt to compromise it. More compelling was the fact that, on average it took a sum total of 40 minutes was the average time before an attempt to compromise took place. And, on top of that, once the asset was discovered, on average every 13 times every single minute of every single hour of every single day over a 30 day period, someone was attempting to compromise this. We ended up totalling over five million attempted compromises in a 30 day period on 10 assets. So, I think the biggest thing is not so much the techniques, but the level of automation that the bad guys have going on, they know that there are assets out there, that are not in a state that they necessarily should be and they are doing their level best to find them as absolutely quick as possible. >> What makes the cloud so attractive to the cyber criminals? >> I think the biggest thing is that as customers go from the crapplication into some real applications, they know that there is a lot of data there. They also know that customers are, well this is a newer platform for them, and they may be struggling with understanding exactly what they need to do differently than they did on prem in order to secure it. >> So follow up on that, how do you approach cloud security and how is different than on prem? >> So, the biggest difference is can it work within the fabric of the cloud? Is there tight integration with the things that the cloud providers offer? And do you not in any way hamper the great things about the cloud, scalability, the option to be available in a matter of seconds? If you are hampering that, then that's not security that's really going to work well, it's the whole benefit of the cloud in the first place, right? >> So sum up your cloud solution, what's the big problem that you guys solve? >> So, we have several different solutions that are available from a next generation firewall to our host protection. Our newest offering Sophos Cloud Optics, is really about helping them to gain that visibility, to understand exactly what they have running in the cloud, present a topology map that shows them how it connects, how it communicates, both internally and to the outside world. And then to constantly and continuously evaluate where they are in a security posture. >> So that's visibility into threats? >> Yep and for posture as well. >> Help look for quality alerts. >> Yep. >> Okay, so what's the customer orientation right now? Red, yellow, green? (he laughs) It seems to me it's always red. We asked someone earlier, what's a good day in security? And it's like, when we're still in business. There's a lot of pressure, again, hacking just shows you, it's easy to attack, certainly seconds to minutes, things are being compromised. It's going to happen on premise as well. What's the state of the union in your view? >> I think for customers there is a feeling sometimes and I think we as security vendors need to be careful about this, of not presenting the world as impossible to secure because I believe that it is absolutely possible to secure the world. I think there are some things that customers need to do, I think it's difficult for them sometimes to cut through some of the misinformation, the marketing spin and so on and so forth that's out there, but it's really incumbent upon them to look and read through the materials that are provided by the cloud providers to understand where their responsibilities begin and end. And then find the solutions that they've always used on prem and been successful with, that are ported to the cloud. And if they're not ported to the cloud to look for a different vendor. >> So why Sophos? >> So, Sophos has been around for 30 years. We have along history, we've been a security company, always a security company. And we have frankly what is a rather long track record in the cloud, we first ported our firewall to the cloud six years ago, we've continued to innovate in the cloud. We are able to do things that other vendors are not to support things that customers want to do, autoscaling, outbound gateway, things like that. And we continue to innovate that platform as well as add key pieces to our platform such as our Cloud Optics, which interestingly enough, came to us as we were shopping for it as a customer to support our own central infrastructure that runs in AWS. Our security guys thought, hey we need a product that will help us with visibility and posture management. And then they turned to the organization and said, hey this is great product, we ought to look at buying this company and that's how that acquisition came about. >> And so what's new with the company? What's going on, what are you guys doing? Got a lot here at Amazon, what other things you working on that's important to tell? >> Yeah, we're basically at this point, with that acquisition of Optics happened, it was a company called Avid Secure. That just went down in January this year, we released in the first week of April. Our own skinned Sophos version of the product. And we're really looking to continue that innovation. Our theme this year for our company was evolve. We feel that as the world evolves, security evolves and we have to evolve as well. And so there's a real focus on constantly evolving our products, innovating and trying to stay one step ahead of the bad guys, unfortunately. >> Andy, you've been around, we've been around, we've seen all waves come and go. Client server mainframe all the way back into those days to now. What do you think the most important story in the security industry is these days? What needs to be told that either is being told or needs to be amplified or isn't being told, what do you think's the high order bid in terms of the most important story? >> I think there's two fronts to that. One is as I mentioned, evolve was a big point of discussion in our internal meetings as well as our partner conferences. And helping customers to understand that their world has to evolve as well. The idea of a perimeter for instance, there are lot of companies that still try to stick to that idea of I can build a wall around my business. And the reality is is between mobile devices, between every employee practically has a laptop now, the idea of keeping that castle wall around your business is just unrealistic and so, customers have to understand that. They also have to understand that a migration to the cloud is inevitable and the sooner that they embrace that, the sooner they'll get the benefits of it and the sooner that they can begin the journey to the cloud. We feel it's inevitable. >> Andy, great insight, the evolving security threat landscape here on theCUBE. Live coverage covering AWS re:Inforce. Be right back with more after a short break, I'm John Furrier with Dave Vellante, we'll be right back.

(gentle upbeat music) >> Hello, everyone, and welcome to theCUBE's coverage of Commvault Connections 21. My name is Dave Vellante and I'll be hosting the program today. I want to start with a bit of an assessment on the keynotes that we heard this morning, but before I get into that, I want to set the framework for thinking about Commvault as a company. This company has been around for a long time, since the late 1980s, but really came into prominence in the client server era and it has ridden numerous waves, including network backup and recovery, data management, and now cloud data services. It's a company with more than $700 million in revenue and a market value of nearly $3 billion. Since coming on as CEO, Sanjay Mirchandani has embarked on moving the company towards a subscription model, focusing on optionality for on premises, hybrid and cloud workloads. It's launch of metallic and data management as a service are two components that underpin the strategy. At his keynote earlier today, Mirchandani drew on his experience as both a former CIO and current CEO roles to connect with his audience. His major themes hit on data, the value of data, and the imperative to get control of your data. Of course, data protection has become a fundamental component of digital transformations. For years, data protection was an afterthought or a bolt on, but today, organizations are forced to think about their digital stacks in their entirety, which means they have to build resilience into their platforms from the start. Mirchandani said that if we embrace, manage, and properly protect data, it will become the defining disruptive difference for an organization. But he talked about the gap between what the business wants to do and what the technology teams are actually equipped to do and when it comes to data, I couldn't agree more. He called this the business integrity gap and I'll come back to that. He also put out some fun facts and I'll share those here. According to IDC, 64 zettabytes of data was created and replicated in 2020. That's the equivalent of 2 trillion 4K movies. That's a lot of data. Gardner says by 2025, 85% of business will be delivered through SAS applications. Sophos, the security firm, estimates that the average cost of a ransomware attack is approaching nearly $2 million. The security company Proofpoint did a survey and 64% of surveyed CSOs felt that they were at risk of a material cyber attack in the next 12 months. I'm surprised that number was so, so low. I think the other 36% are busy responding to a cyber attack. Coming back to Sanjay's business integrity gap. Here's how I see it. Data by its very nature is distributed, decentralized, and it's becoming more so with hybrid connections, multicloud installations, and edge use cases. This is only going to accelerate in the future. As such, organizations need to rethink their approaches to getting value from data. Instead of building monolithic data architectures and hyper-specialized technical data teams, organizations are beginning to empower lines of business and domain owners to take end-to-end responsibility for data ownership. The underlying technology platform is becoming an operational detail that serves the data owners, where data protection and governance is computationally automated in a federated model. So the policy is centralized, but the implementation of that policy is done by software. This means that data governance, security, privacy, access, and policy are all adjudicated wherever possible by software and our automated, irrespective of physical location. Data silos are not just a technology problem. They're a symptom of flawed organizational constructs, steeped in the notion that highly technical data specialists and centralized teams should be the stewards of the data and serve multiple lines of business simultaneously, without proper business context. Now, this is changing. Data is being used to create a new class of products and services that can be directly or indirectly monetized, or drive other value, for instance, like saving lives. It's about the organizational mission. Now in this sense, data is undergoing a renaissance, where the responsibility for end-to-end data ownership is being distributed and decentralized, where highly specialized technical teams are becoming enablers for generalists that reside within the lines of business, i.e., those who are building data products and services. This is not shadow IT. It's decentralized management with federated governance. Now, by rethinking the data management paradigm, the responsibility for good data protection policy transcends technical teams and becomes a priority for the entire organization. To that end, Commvault laid out its strategy to deliver a comprehensive set of intelligent data services, spanning data protection, security, compliance, governance, data transformation, and data insights. In my view, a huge part of Commvault's strategy lies in automation. That's a key ingredient of cloud and any cloud strategy. In other words, supporting cloud native and cloud-like data management capabilities that can be programmatically deployed, secured, managed, and governed, and applied across an organization's sprawling data empire. The world of enterprise technology is complex and the winning technology companies are going to be those that can abstract the underlying complexity and assist organizations to implement sound data management practices, irrespective of data location, in the most efficient way. So as you hear the stories and examples here at Commvault Connections, you can decide for yourself if the company is on the right track and if what you hear aligns with your digital business skill goals. So let's now get a practitioner's perspective and hear how the CSO is thinking about data protection. Up next is Dave Martin, Chief Information Security Officer at ADP. You're watching theCUBE. (gentle upbeat music)