from our studios in the heart of Silicon Valley Palo Alto California this is a cute conversation hi and welcome to the cube Studios for another cube conversation where we go in-depth with thought leaders driving innovation across the tech industry I'm your host Peter Buress every enterprise has to concern themselves with how they're going to go about ensuring the appropriate access to those crucial applications that run the business this is especially a key question in domains where the applications our seminal feature of the operations how can we set up IT so users see what they should see can access what they can access and that we have control over all about how these systems work and have that conversation we're here with Tony Ferguson an IT infrastructure architect at man energy solutions Tony welcome to the cube yeah thank you so Tony before we get into this crucial question about the appropriate level of visibility and the need for security between people users and applications tell us a little bit about man energy solutions yeah so we're a german-based company I'm working out of Copenhagen but we're part of the Volkswagen Group we have 16 thousand users globally across a hundred locations our company we we make large diesel entrants you also make smaller versions in our own factory and yeah in our company we have a course a lot of my irt on the actual engine and of course we have corporate IT and my job is to secure all of this infrastructure so specifically some of these big diesel engines as I understanding are being placed in locations and use cases that have an absolute requirements for security for example driving a ship is a major feature of the way that your engines are being used within the world so if I got that right yeah yeah that's correct and yeah and then the scale of this you know the number of engines and the number of vessels we need to access and the data we collect it is critical infrastructure we also have power plants so it's really important that we secure this infrastructure so it's a it's a it's a very it's an infrastructure that has very interesting physical characteristics but also has very interesting security characteristics as you went into thinking about how you're going to improve the applicability of the overall infrastructure that you use to drive your business use cases what were some of the issues that you find yourself struggling with yes so yeah a lot of issues actually one of the first things is that we wanted to authenticate the actual engineer and we wanted to make sure that the right people got to the right assets and we wanted to make sure that a thing dication was strong so like the two-factor multi-factor authentication and we wanted to show that the all the data between their engineer and the vessel was encrypted and another big problem for us is scale we need to scale the solution and one of the one of the things as these get brought for us is namespace routing we had the ability to really scale the system without using IP addresses were actually networking so this solved really a lot of problems for us and trying to get those engineers to all of the assets and the IOT on the engine now one of the things that you noted in your as you move forward was this notion of a black cloud where you could formalize the clock the types of relationships you wanted between your engineer users and other users and the Eric the applications you were running on a global scale basis to actually ensure the reliability of the product you had out in the field tell us a little bit about this notion of black cloud yeah so it ties it into a little bit around zero trust but how I see black cloud and how I would describe it is you know everything is dark right so if there's an attacker and he scans port scans of my infrastructure he won't see anything so so basically we would use their tech surface that means that there's no answer back and by doing this we we remove all these vulnerabilities all these zero-day vulnerabilities were remove this and in the same time we stall out that engineer to commit to their assets now how does that work in an environment that is as physically constrained as you know integrating or networking internet working with seagoing vessels yeah so of course a lot of this connectivity is over satellite and of course it's across the internet so it's important that we encrypt into end and it's important that we allow the right engineers to the right customers and we're able to access all these resources and to do Federation and make sure there's strong authentication for our customers we can we really tell them that this all the similar structure is completely secured dark and it's extremely difficult to to come into this black cloud so you've got a challenge the challenge that we've set up here is that you've got a use case that is constrained by the characteristics of the physical infrastructure where the security needs are absolutely paramount and still has to scale and very importantly be evolvable to allow you to be able to provide future classes of services that will further differentiate and improve your business that suggests that these decisions you had to make about the characteristics of the solution was gonna have an enormous impact ultimately on what you could achieve tell us a little bit about the thought process as you went through as you chose a set of sub technology suppliers to help you build out this black cloud and this application set yeah so we looked at a lot of different solutions but a lot of these solutions were based around the old knit work style right around VPNs around having files and around having ACLs and a lot of this is really network centric and what we were looking for is something that was more application centric something that moved up the stack and started to look at policy around what the user would want access to so putting those users and applications together and create meaningful policy based on the DNS rather than on the IP layer and this was really important for us to be able to scale and really make meaningful policy so in many respects it allowed you to not to necessarily de-emphasize but refocus your network design engineering and management efforts from device level assets and perimeter level assets to some of the assets that are really driving new classes of value the applications the users and the data that these engines are streaming and the models that you're using to assure optimal performance of them have I got that right yeah that's exactly right it's extremely important that that we don't have electrical movement you know we look today there's all sorts of were mobile malware attacks ransomware and you know you can imagine if something got into into this cloud that you wouldn't want to let remove so it's not just about the products but it's also about making sure that all these assets are designed from the ground up that that dark as well all right that even on the interns that they can't speak to each other all these very limited connectivity there Tony this has been a fascinating conversation about how you've taken this notion of a black cloud and applied it to a really crucial business case within man energy but I got to believe that this sets you up for a range of other use cases that the investments you've made here are gonna offer new classes of payback in a lot of different use cases how are you going to roll this black cloud concept using Z scalar out to the rest of the organization and the rest of the work that's being performed yeah it's a good question um so when we first looked at this technology we thought it was perfect for consultants because we could have very specific access policies and just allow them to the SS we will be required but then we also saw that there were so many other user cases here for example we are moving our applications from our data center to AWS and to Azura and as we move those applications the users need to connect to this so where would you have this black cloud and have the connectivity to it but we're not opening this to the Internet so you know as far as you're concerned I don't even have any resources or a service in AWS because it's black it's dark so there's a huge amount of security that we can add to this and then there's also a lot of other user cases like company mergers we had to buy a company so we could use this technology to to move to another company together because you don't need to worry about the network anymore you just worried about getting applications to users so I there's a number of great applications for this technology and I really see that this technology will really grow and I'm really excited about it so moving away from a physical orientation of the network to a more logical application and user oriented services or any care orientated a vision of the network has opened up a lot of strategic possibilities what's been the cost impact yes so it what's quite interesting we when you move to the cloud and move to a company like Z scalar is there a software company so forget about all the hardware you can imagine we have a hundred locations globally so we don't have to install all the hardware we don't have to have VPN concentrators we just have to have some software on the client some software the connectors in the cloud and then Z scalar do the magic so for the business they really love this technology because it is very simple it's sitting in the background they don't have to log on to the VPN all the time so it's very seamless for the user and for us we save a lot of money on buying hardware and appliances excellent Tony Ferguson I want to thank you very much for being on the cube Tony Tony Ferguson's the IT infrastructure architect at man energy solutions I'm Peter Burris once again until we have another cube conversation you [Music]

that are aimed at educating you, When they come to theCUBE, it's a more conversational interview. We have big technology executives, from Michael Dell, for example, who come to theCUBE, share different messages, and reach a much bigger global digital audience than they could in person. Whether you're watching from home, in Europe, in Asia, it doesn't matter where you are, you can access and watch live, and access on-demand content 24 by seven. We come to you wherever you are. We bring to you real, live conversations so you understand how you can make a difference >> Announcer: Live from Nice, France, at your company. >> Technology industry for over 12 years now, so I've had the opportunity of a marketer to really understand and interact with customers across the entire buyer's journey. Hi, I'm Lisa Martin, and I am a host of theCUBE. Being a host on theCUBE has been a dream of mine for the last few years. I had the opportunity to meet Jeff and Dave and John at EMC World a few years ago, and got the courage up to say, "Hey, I'm really interested in this, "I love talking with customers, "give me a shot, "let me come into the studio and do an interview, "and see if we can work together." I think where I really impact theCUBE is being a female in technology. We interview a lot of females in tech. We do a lot of women in technology events, and one of the things I personally love is understanding what their career path was. They're very inspiring, and it's a great vehicle, theCUBE, to showcase and raise the profile of females in the technology and software space. The benefits for vendors to have theCUBE at events are manyfold. I think the first one is de-mystifying the messaging. You're going to hear great guys and gals as keynotes, prepared speeches. it's theCUBE. Covering .NEXT Conference 2017 Europe. Brought to you by Nutanix. >> Hi, I'm Stu Miniman, and we're here at the Nutanix European Conference .NEXT, and, being in Europe, one of the hot topics of conversation leading up to May, 2018, is, of course, GDPR. So happy to welcome to the program two guests that are here talking about this, Famke Krumbmuller and Nina Vassilief. Thank you so much for joining us today. So, Famke, we'll start with you. You're a partner with OpenCitiz. Tell us a little bit about your background and what your organization does. >> Sure. So OpenCitiz is a consultancy. We work together with companies and businesses helping them to understand the impact of policy and politics on their business, especially European politics and national politics of countries in Europe. We're based in Paris. I'm here to talk about GDPR. >> Alright. And Nina, you're a security and GDPR consultant. Tell us a little bit about your background, also. >> Well, I used to work with Volkswagen Group France as CTO and I'm a CISO, and then I was asked to work basically on GDPR and security as a consultant, because many companies want to be compliant by the due date of May 25th next year. And many companies are having a hard time, so I'm doing business analysis, audits, and creating roadmaps for GDPR. >> Yeah. That's great. Famke, there's been many times when policy and technology come together, but GDPR feels like this growing buzz that's been around the industry. Like, I've heard people, "It's the new Y2K," it's this impending thing, there's a lot of uncertainty, it seems, for something that has a big legal document on it. Give us where people are, how are they feeling, how are you helping people go with it when there is so much uncertainty there. >> First of all, it's very interesting to know that a lot of companies, even in Europe but also outside of Europe, who will be concerned by GDPR, not even aware of the fact that this regulation exists and that they are concerned and they need to comply. And then the other half, roughly, it's unclear whether they will be able to comply by the deadline in May of next year, because it's a huge burden on the majority of the companies. They really have to review all of their processes, maybe do something new, get outside expertise on how to do so, and if they don't, they actually face huge fines from the European Union, which is obviously a way to try and incentivize these companies to do all that hard work to be able to comply. >> Yeah Nina, as if IT organizations didn't already have enough challenges to work with, it's like security is kind of keeping people pretty busy these days. So where does GDPR fit into the discussion? How do they bring it up? Where in the organization does it usually bubble up? And in which teams need to address this? >> Well GDPR actually concerns everyone, so it really concerns the business, but IT has a big role to play in the sense that, for example, many companies don't know what applications they're running. I've seen three companies, and they might be running, let's say they say, "Okay, we're running on the cloud 40 applications," but when they start looking at it with shadow IT, they might be running the triple. So it's actually good, because it's forcing best practice, it's forcing inventories, audits, and it's cutting costs at the same time. >> Yeah, I moderated a customer panel towards the beginning of the week here, and there was one research organization, they're like, "Look, we've anonymized all of our data, "I think we're pretty good," and one that was like, "Well, I'm doing a lot of cloud stuff, you know, "Amazon will take care of this for me," something like this. But if you ask all of them, "Are you ready?" most of them kind of said, "Yeah, we think we're ready." What do you find, Nina? Are most companies really ready? >> I'd say most are not. I find that in the UK, they've understood most companies that they need to be thinking about the big companies. Some of the small companies are just waking up. In the US, they're really thinking about it too, how it's going to touch them, because all services and goods concerning European citizens are concerned. So companies are really, and executives, are waking up. And for France, for example, I'd say about a third of the companies realize it's really going to hit them, and there's many others that are not ready at all. >> Yeah, you mentioned, Famke, that half of all companies barely heard about this, and absolutely, most companies, they are global. Even if you're some local place, you have customers and everything, so what's the step beyond becoming aware? Where do people need to go? >> Right. I mean, there's several things they should be doing when they start to realize that they are actually concerned by this regulation. One of the most important thing is just to educate yourself about it. What do I need to do? Do relevant people within the company know that we need to respond to this, and are they aware that something needs to be done quickly? And then conduct internal information audit, like what data do we hold, why do we hold it, do we really need it? What are our processes? And then maybe appoint a data protection officer, somebody who is on the inside of the company and will have the legal responsibility to inform them about how to be able to comply with GDPR. Things like these, I think, are the most important things to do in the very beginning. >> Nina, I've heard the most from companies that handle data protection, you know, IBM, Veritas, Veeam, all ones that I've heard kind of a strong push from them. A company like Nutanix, do they fit into the picture? Is it something that they're just part of the landscape and they're trying to help and be good citizens to make sure their customers are aware? What from a technology standpoint? >> From my perspective, it concerns every technological company that's running a service concerning European citizens. So of course it concerns Nutanix. And yesterday we had a really great session for executives to explain, and quite a few of them were actually saying, "Hey, I didn't know GDPR really concerns me," and so it's good that Nutanix realized they also need to wake up. >> It does even concern companies who are not based in the EU, but simply by the fact of holding data that concerns EU residents, they need to comply, and that's something which is obviously extremely important, because it affects companies globally, even though they might think, "We're not based in the EU, "we don't have any headquarters in the EU, "we're totally not concerned," well, yes they are, as soon as they hold EU residents' data. >> Yeah, well, the clock's been ticking. It was only towards the beginning of this year that I first heard about GDPR, I've done a number of interviews and talked to many companies. Any chance it's going to get delayed? Or are the lawsuits just going to start as soon as we get to May? >> Well I guess the authorities who will be responsible for overseeing where their companies are compliant, if there is a data breech or something like this happens, I think they will really look at the processes that companies have put into place, and if there is a good amount of goodwill and work has been done, and it's a minor breech to a certain extend, they will probably be lenient in the very beginning, because they know what a burden it is on companies to comply. On the other hand, obviously they also need to set a precedent and show that they're actually serious about enforcing this regulation. So depending on what company they have, if the Amazons and the Facebooks don't comply, that will be a huge problem. If a small business doesn't comply, that's maybe a little bit different. >> Just following up on that, companies have so many different challenges they need to work through. Any, kind of, first steps that they need to make sure that they're doing to kind of meet with what is expected? >> Well I'd say just for them to be compliant to start with is to find out what they're really running on systems and on the cloud, applications to do inventories, to do business assessments to see what risk is involved around it, and I find that most companies that are starting to wake up, the first thing they do is they realize they don't know what they're running. So operations has a lot of work to do, and the security staff. >> Nina the other question I have is, we've spend the last few years, a lot of companies are getting excited about what they can do with information. Is this going to be now a headwind that's going to stop companies and say, "Wait, hold on, "maybe I shouldn't be holding onto everything," or is it just having the right governance in place to make sure I have protections for personal information as opposed to more anonymized information? >> I would think that it's the governance. It will make a big difference in many companies for the governance in IT. It might change the roles of CIOs and operations staff. I don't know, what do you think? >> I think companies will have to re-evaluate what kind of data do they hold and for what purpose, and ultimately, GDPR actually really introduces this principle of you need to have, first of all, consent to hold the data, and then second it needs to be data that you really need for your operations and to deliver the service, or whatever you're delivering. So if there's no good reason for you to hold certain data, then you're actually, strictly speaking, not even allowed to do so. That should probably change a little bit, how companies view the type of data that they hold and for how long. >> And I've even heard, we've talked about some of the global impact, because, even if this is the EU, if it affects people that work there, but other governments are looking and might copy that, if this becomes the template to go forward. >> Right, and we've seen already. I think South Africa, Singapore, have published papers that are relatively similar. And it does make sense. This regulation was negotiated for four years in the EU, so it took some time to agree. And if it's globally applicable, and if it's extremely strict and high standards, it makes sense that it's being copied. >> I want to give you both the final word as to takeaways for this topic. >> Well, I'd say that if anybody's thinking about GDPR, I know there are 99 articles, but in most companies, 30 to 40 really concern the company, not to be scared. You need to start from something, and just to see what really concerns you. >> And I think the most important thing to know is that there are many legal and IT experts out there who really know this topic, which is very technical, extremely well, so it's probably a good idea to get outside consultants look at your processes and how you should go about things. >> Nina and Famke, I think that's part of the reason why Nutanix brought you in as to socialize some of their customers, and even some of their executives with the expertise that you bring. So thank you so much for sharing with our audience. We'll be back with more coverage here, getting towards the end of two days of live coverage from Nutanix .NEXT Conference in Nice, France. I'm Stu Miniman, and you're watching theCUBE.