By all accounts, the 2010s will mark the decade that cloud computing came into its own and went mainstream. But lots of questions remain, particularly around this largely untested utility computing model. As the organizational IT management and risk management disciplines and profiles transition from the physical to the virtual world, it's jump ball on security and privacy. What's more, as SaaS-based applications go from small work groups to enterprise scale and mission-critical apps get virtualized, the rules of the game change dramatically. Security and privacy protections are top of mind today among CIOs and buyers of cloud services. How will the security model change? What new challenges do cloud computing and virtualization bring? Where are the pitfalls and how can they be avoided?

Hello, everybody. This is Dave Vellante. Welcome to theCUBE, where we extract the signal from the noise and bring you the enterprise technology leaders that are shaping cloud, mobile, and big data for the enterprise. We'll address these and other questions with our guests today, Tom Roloff, who is the COO of EMC Consulting, and Matt Allen, who is a security practice lead at EMC. Gentlemen, welcome.

Good to see you, Dave.

Tom, longtime CUBE alum. Welcome back.

Nice to see you, Dave. It's always fun to be here.

Matt, neophyte, newbie. Welcome. Great to have you on here. No, but welcome anyway. So, well, let's see. You guys have some news. Why don't we start there? Matt, what are you guys announcing in this whole security and trusted cloud virtualization privacy area?

Sure. We're introducing several different offers that come as a portfolio of services provided by our security and risk management group. Within that offer set is really what I would call five primary services. There's one overarching service that I would refer to as governance, risk, and compliance, or a series of governance, risk, and compliance oriented services.
Underlying that are, among other things, the information governance services, mobile device advisory services, fraud and identity management, and then trusted cloud advisory from a broader security and privacy perspective.

So this is new to the EMC Consulting practice or an enhancement to that, Tom?

So I think EMC Consulting has long been interested in cloud and big data and trust, frankly, and we have had a number of, I'd call them more point solutions in this space, but Matt has spent a lot of time, both with his team and also with our RSA group, to say there's some broader issues here that we need to be framing differently. So by launching a set of services that are, I think, much more comprehensive, we may be able to bring both an overarching perspective on governance, risk, and compliance in the cloud and in the age of big data, and also some more specific services around things like mobile or things like trusted cloud and some of the other things that Matt was referring to. So we've enhanced the services we have and really targeted them at both an overarching GRC conversation and then some of the things that we see going on in our clients' IT organizations today around trusted cloud, mobile devices, information governance and so on.

So, Tom, you're one of EMC's go-to guys when CIOs are involved, you talk to a lot of CIOs. What are they telling you about security these days?

Yeah, so that's behind some of these offerings, frankly, right? I think CIOs are saying a couple things to us, they're saying, hey, this big data age is really coming upon us, right? So not only is information doubling about every 18 months, but the kinds of information that I'm having to manage is now very different. It's a highly unstructured set of information. It's not just the thing sitting in my relational databases anymore. The nature of that data is changing significantly. And so I've got to make sure I understand how to manage that differently. So that's one trend.
I think the second is the regulatory scrutiny going on in IT right now is just huge, and so everything's got to be documented and everything's got to be retained for very long periods of time. So making sure that you actually can prove to somebody that you're compliant with the regulations that you're under if you're a bank or a pharmaceutical company or a healthcare business of some kind is a mounting problem for them. And finally, I think we see the third part of this, which is the proliferation of access devices, right? It used to be that if we secure the perimeter of our data center, well, then we can have some peace in the belief that we've secured our information. But now we can access data in so many different ways from so many different places that securing the perimeter is a problem that frankly I think we've lost that battle and we have to think about different ways to secure information. So CIOs are asking us, information's exploding. I got to make sure I'm compliant. And I'm trying to access it from all kinds of different places. And can you, EMC Consulting, help? And this is probably a response to that.

So I want to come back to what EMC Consulting can do to help. But before we do that, Matt, this is interesting, what Tom's saying about securing the perimeter. I think of the castle and the moat. And sometimes the queen wants to leave her castle. And so in this physical world, you know what port is connected to what drive is connected to what server. And it's all sort of known. In the virtual world, it's just one big mass of stuff. So can you take certain aspects of traditional security in the physical world and apply them to virtual? If so, which ones, and what is different about cloud and virtualization?

Sure, the answer is yes, you can. And I think Tom mentions a great point, that just the massive explosion of data and the requirements that different organizations have as a result of that explosion, the changing security requirements, sort of drives that.
So what I would say is what we found in the backdrop to some of Tom's points is that most organizations or most of our customers and clients in the broader marketplace are viewing the need to marry the broader risk framework or the control framework associated with security into more of a corporate view. So said in fairly tactical terms, security is now a risk in many different angles and many different parts that's much greater, much bigger in dollar terms and much more likely than I think anyone really understood until now. With that, we see a series of very significant risks to any organization and the need for a control framework to manage those risks or those very specific security items. So kind of to your reference point, the queen leaving, she certainly can leave with the right permission and the right framework and the right controls and guards and policies and procedures around her as long as it's done.

I'd just add on that, I think one of the things we used to say, you said what's the same and what's different, we used to think that if we built a big enough moat we could sort of keep everything inside or we could at least make sure we know what's going across the drawbridge. Now I think we're starting to say, hey, man, there's too many broad drawbridges, there's too many ways in and out of the castle. And so we have to make sure that we understand the information itself and that we're securing and tagging and managing the information at its source and putting the metadata, putting the policies and controls at the level of the information element rather than at the level of the drawbridge. And so I think some of the things that we're talking about from a control framework perspective, those things apply from the physical world as well. But I think what's new is we got to not worry about the moat, we got to worry about the data itself and how to secure that.
So our executives, let's break it down, are IT executives ready for this and are the sort of C-suite executives ready for this?

You know, I might have got some interesting perspectives on this, but I will tell you that there are a number of people in the IT and the security organization who understand the problem. They are having to go educate the business executives and the C-suite executives around the risks that now exist. And frankly, that's a very complicated conversation, right? Because it is, you know, Matt and I joke about this frequently, right? The time that the business side figures out that risk and security and trust is important is sort of after they've had the breach, right? That's when they realize that there is a vulnerability and a risk to their information that they didn't think about before. It is partly our job, I think, and partly our mission, to go keep people from having those breaches to begin with. And some of what we in EMC Consulting are trying to do with Matt and his practice is to get people healthy and get people to be managing and aware of their risks before they become the breaches that you'll read about in the newspaper.

You've got some more perspectives on that, Matt?

One of the things that I guess, you know, specifically answering part of your question, the point, there is still a difference between the way, I think, parts of the organization communicate about the significance of the risks from a security perspective that leaves a lot of open questions for any organization.
Said in really specific terms, what we find is the significance, the breadth and depth of the risks that any organization is exposed to from a security perspective, both logical or physical as it relates to infrastructure, are now so acute and so large, and frankly are of the cover of the Wall Street Journal variety, they're not the type of risk that anyone would want to take lightly. But the ability to communicate about the nature of those risks, what they mean, how one manages them, what you do to proactively prevent them, the way that's communicated within senior leadership groups I think still leaves a little bit to be desired, and I think it's frankly one of the places that we see ourselves being able to help our clients and customers in a pretty comprehensive way understand how to communicate those messages from a very tactical, technical, specific kind of topic matter to broader business terms that a chairman of the board or a board of directors and a senior leadership team would want to hear, and at the same time understand what the exposure would mean to the organization and then how you deal with any number of other disclosure requirements as a result of understanding that information.

So people in your world, the consultant world, let's say prior to the big cloud push, might have gone in and started with the baseline: where are we at, let's do an audit, let's figure out the physical and the logical, and let's break, let's do it by all the stovepipes that we have in our organization, the network, the storage, the servers, et cetera. Talk about, and I know this is new, new services, how do you expect that to change in terms of the services that you provide? This probably, obviously you got to do some baselining, where are we at, but how much of what you're doing is sort of trying to balance the portfolio and coming up with strategies for security?
For me, especially as it relates to the way we've talked about this, I think the big change over the course of the last few years anyway has been the idea that information and data has transitioned from some version of commodity to asset, and depending on the organization, extremely valuable asset, one that needs to sort of be protected at all costs, all the risks have to be dealt with and managed in a proactive fashion with broader control frameworks that are a part of any good security posture going forward, so that's sort of the baseline. You've got to think about that transition and what it means going forward. I think you could also make the case that as you roll that out, security as we know it now will continue to evolve into a formal function within every organization, designed to protect that asset, just as you would protect any physical asset that we currently have. The problem is, heretofore we've sort of thought about physical assets in physical asset terms, it's a piece of property and we have security guards protecting it at a physical level. In this instance, data's a little more temporal, information's a little more esoteric, and at some level that asset needs to be sized and scoped and the extent of the exposure associated with it becomes the basis for the security posture.

This opens up a whole interesting discussion: is data an asset or a liability? Yes. And you've got this yin and yang, tugging at each other. The more you treat it as a risk, the more you handcuff your business lines. Is that a part of what you guys expect to be sorting out with CIOs?

I think we definitely spend a lot of time helping clients think about what are the information assets they have and frankly, where are they? And you were bringing up before the physical world and the virtual world, right?
Not only does the virtual world change things about where the information is when it's inside the four walls of the enterprise, but increasingly a lot of the information is actually beyond the four walls of the enterprise, right? I'm using salesforce.com for my sales pipeline. Well, now I've moved a lot of information that is specific to my company to a public cloud, to a software as a service provider, right? That's an additional set of assets that I now have to manage that are beyond the four walls of my enterprise. But by the way, I'm still a regulated company and I'm still accountable for the compliance of the information that is sitting in somebody else's virtual cloud architecture and making sure that I'm managing that correctly, right? So I think we do spend a lot of time helping clients think about what is the information they have today? How does that tie to the policies by which they wanna govern those assets? How is that affected by the regulatory environment that that enterprise is subjected to? And frankly, what decisions should they be making about how to govern those assets and how to at least understand and mitigate the risks that might exist around those assets?

So this is complicated, right? Because you've now got the whole sourcing issue, and maybe before cloud you had EDI and then, okay, fine. But now I've got, let's say I got Salesforce and maybe I got Amazon, maybe I have an enterprise cloud service provider. They might have all different policies. I mean, where does compliance fit in and how does that relate to the organizational challenges that you can see?

It's a huge issue, right? I think it's one of those C-suite issues, right? And unfortunately, it's one of those C-suite issues that is there, but I think senior executives are hoping somebody has it covered, only to find when a breach happens that it isn't covered, right?
And so I think one of the things that all the press about this is actually making people realize is they gotta get much more proactive about governance, risk, and compliance of information assets. They have to get much more of an understanding about what are their information assets today, where are they, how are they securing them, and what vulnerabilities exist and how would they mitigate those? And I think that's, you know, I think the whole compliance and regulatory world is very much making people uneasy about what they know about their information today. I don't know, Matt, what you wanna add to that?

This is, I think it's sort of an important note that relates to the way we've set the practices, the services up under the broader banner of GRC, governance, risk, and compliance. This is something that, from my perspective, almost everybody in the marketplace is struggling with. How do we marry some fairly disparate concepts under the guise of risk, compliance, and ongoing, what I would call ongoing systemic alignment with controls in a way that we, to this point, haven't or haven't had to? And that's sort of an important note. If we've gotten nothing else out of sort of the economic meltdown over the course of the last few years and all of the kind of the rockiness of the market, it is a very clear difference in the demands of the broader marketplace in understanding the extent of the risks and or compliance requirements of the companies that they're either investing in or are somehow a stakeholder in. Said in really practical terms, I think we're all asking a lot of very different questions now about the companies that we have a vested interest in than we ever did before.
Under this comes the kind of the broader banner of GRC, or governance, risk, and compliance, and providing every organization with an ability to answer those questions from a single platform that, as I said in the beginning, have heretofore been sort of disparately aligned in different functions or buried in different parts of the organization. The backbone of all of that is literally data and information, without beating that to death. The idea that that asset drives that GRC platform is no mistake, it's clear, and that's the big change for everybody. It gets you away from this tactical response to security questions and into a broader systemic management of risk.

How do you deal with the, or how do you see companies dealing with this sort of lowest common denominator problem? In other words, you do the gap analysis before and you do the risk and reward and you say, okay, we can live with that. But now you've got all these external suppliers. They might define breaches differently. They might have different policies that may not let you come and audit them. So do you revert to like a caravan to the slowest truck in the caravan? Or do you see clients actually being able to affect the policies of service providers? How is that whole thing shaking out?

So I mean, I think it's a very interesting question you're asking, right? So what we do when we advise clients, we spend a lot of time, as you and I have talked about before, about public clouds and private clouds and hybrid clouds, right? How do you decide what workloads belong in the private cloud? What should you move to the public cloud? How do you interconnect those things? One of the things we spend a lot of time with clients on is saying, hey, the things you move to that public cloud environment, you need to know a lot more about the public cloud than just the functionality of the service you're gonna get, just the economics of what you're looking at.
You actually need to understand the service level and the risk profile that you're comfortable with in that service provider. And so asking for service level agreements around availability and uptime and so on is one part of it, but asking for service level agreements around the security side of the equation is an increasingly important part, in my opinion, of clients making decisions to move things to public clouds. Now, frankly, I think there's a lot of fear, uncertainty, and doubt about how secure the public cloud is. I think it can be very secure, but I think it's up to clients to start demanding that public cloud providers demonstrate and prove how secure they are. And I think that's one thing that we're certainly encouraging our clients who are thinking about the public cloud to ask themselves: what has to be true of that public cloud environment before you should entrust it with data that frankly you have policies and regulations and obligations to manage in a certain way?

Do you think that security can be a differentiator for a public cloud? It's sort of an obvious question, but is it becoming a differentiator for public cloud environments? Do you have enough data and knowledge to discern? I mean, Amazon versus maybe, let's say an enterprise class, yeah, sure, but is it more nuanced than that?

I think larger enterprises are more willing to go put a price tag on that, frankly, right? So will you pay me X for my public cloud service and X plus something for my secure public cloud service?

Value-based security price.

I think frankly we need to do as an industry a better job of educating people about the value of the additional security. Now, clients will see the downside of it when they have a breach and at that point they're like, man, I should have paid that X plus something price, right? But then it's too late.
And so I think one of the things that we're constantly talking to clients about is don't have the heart attack before you realize you got to get on, you know, on a training regimen basically, right?

Do you feel like in this world of virtualization and cloud and hybrid cloud and public cloud and private cloud that security is in large part a do-over?

I sort of, I guess the way I would say it is for me, having been within the industry for maybe too long now, I feel like there's a little bit of a refresh every five years, almost without fail. And it's the nature of the changes in the broader marketplace for enabling technologies. With those changes come changes in the requirements associated with security and the standards that are applied for any organization. So the quick answer is yes. It really is a function though of, I think, the breakneck pace of change that we all undergo when you start talking about infrastructure components and requirements and the way the technology changes, how, or rather the implications to a security posture that those changes impose. It's important that everybody's ahead of that curve, and it's in every five year cycle easily.

You know, I would add maybe that we've treated security as something that we set up a security operation and we hired a chief security officer and, check, we've got that managed, right? But I don't think that information risk is like that anymore. I think that information is becoming a much more important, much more, both an asset and a liability. And we need to more systemically embed security into the way we do things in IT and in the business. And in that sense, it is a do-over, right? In that sense, it is not something that an outside group can just go manage and make sure you've got covered. It is something that your entire IT organization and frankly the business side of the house has to understand much more deeply. And that's not the mentality that exists yet around information risk management.
So it's a mindset do-over at least. Do you think that, so everybody talks about cloud security and how risky it is, but I happen to be of the opinion, especially as a small business person, that the public cloud security for certain public cloud providers is way better than I could provide myself, and that's probably true for the vast majority of enterprises, you know, maybe not for B of A. But for a lot of small businesses, my question is generally can cloud security be better, and what are the attributes that could make it better?

I think the short answer is yes, it can be better. I think the way you wanna think about what is it that makes it better is clearly defined attributes associated with security. What are the fundamental components of having a secure environment? What does that mean? And that's unfortunately a combination of both best practices, so different ISO standards and or broader industry marketplace best practices that will find themselves sort of in the de facto best practices framework that everybody adheres to at one level or another. But I think the thing that's missed almost every time in that conversation is the need to have a security posture and set of requirements, no matter what your environment, that are unique to your organization and conform to your needs from the way you use data and or transport your asset or you house it or you manage it; all of your unique business requirements are incorporated in that set of best practices and the requirements that you have from a security posture going forward.

So let's talk a little bit about EMC, why EMC Consulting? I mean, it's a relatively new entity. I mean, a lot of internal stuff and some acquisitions. Why EMC?

I think some of what's driving the need for another look at security is some of the disruptions that EMC and frankly EMC Consulting is very concerned about, right?
One of them is the change to cloud computing and with it the mindset shift and the relook at how we're securing information, not just within our own enterprise, right? Which is now becoming highly disaggregated, but also across our existing enterprise and the public cloud providers or the partners that we're looking at, right? So because EMC Consulting is very much central to helping clients understand how to leverage the cloud in the right way, I think we owe it to our clients to give them a sense for how security in that environment becomes an increasingly important thing for them to think about. So one is the disruption from the cloud side of the equation. Another in my opinion is that, you know, EMC talks frequently about the big data story and about the fact that not only is information exploding but the kinds of information that we're being asked to manage, the unstructured big data nature of information that we're now having to manage. That's another trend that EMC is very focused on and frankly EMC Consulting is very focused on helping clients understand. So the convergence of a cloud architecture change, a rapid acceleration of data in the big data world means that security becomes a central component to both of those changes. And frankly we have believed very strongly that we can't answer the question around cloud adequately without having a strong opinion about security. We can't answer the question about big data and the explosion of information without coming up with a better answer for how that security and risk management of that data asset needs to be managed. So it's a central part of what we as a company at EMC do and frankly what we at EMC Consulting do.

You see it as a compulsory capability to enable growth and adoption.

Very much so, sure. And I'll add, I mean, the RSA division of EMC is I think a world class organization when it comes to securing information, right?
So we're very keenly aware of the leading edge technologies that are being developed right now. They're being developed by EMC and the RSA division of EMC. And so having that tight connection to the RSA side of the house, I think gives us some insights into what is technologically feasible.

And VMware, I mean, you're at the heart of it.

You bet.

Virtualization, obviously cloud, big data, data-centric RSA. I mean, sort of why wouldn't you be in the middle of the storm? Negative, will you agree? Yeah. All right, good. It might be useful, Matt, maybe this is a question for you. Can you go through an example, either a real one or a hypothetical one, scrub the names, of how you guys would actually deploy and what problems you'd solve?

Sure. I think with increasing frequency, what we're seeing from certainly a segment of the marketplace is an acute interest in understanding how to systemically approach security from a broader strategy perspective. Very specifically, how do we set up an environment that gives us the ability to frame up security engineering requirements, security architecture, internal audit requirements, external audit requirements, and do this in a way that maps to our business processes, one, and to our control framework in a way that gives us the ability to manage the security posture in a way that's consistent with business requirements. So there's sort of a lot of technical ins and outs associated with that, but in practical terms, we're on a pretty regular basis now getting calls sort of after the fact, that Tom talked about a little bit.
And what we're seeing is, as I kind of referenced earlier, kind of a big gap between the technical infrastructure group at one level or another charged with dealing with security matters or measures at one level or another and the business leaders, and their ability to communicate and understand how to prioritize all the risks associated with security, what's required from a broader infrastructure perspective in base security terms, and what the costs and benefits are of that going forward. So sort of in really practical terms, it's very common to get calls from customers or clients who've experienced a significant breach at one level or another or some fall down in security requirements or security perimeters and don't understand what to do to react or how to react and what the next very specific tactical steps are. This is a part that I think is missed. The importance of this is missed by sort of the broader marketplace until you're in the throes of that problem. Very specifically, there's a lot of legal requirements, disclosure requirements, compliance requirements associated with what one does once an event has happened. And us helping, or what we typically do, is help our clients understand what that broader framework is, escalation policies and procedures, literally the processes and tasks and activities that one engages in to manage the security environment.

And there's even a, there's another complexity that I just want to put out there and get your feedback on this. You talked about business processes. Tom, we've talked about the application portfolio before. So you've got the applications supporting the business processes and that's sort of the link to the IT infrastructure. A lot of times application portfolios are not well documented or they're just this boil-the-ocean spreadsheet. Business processes often aren't well documented. People don't understand the dependencies and they don't understand the data flows. Can you help?
And number one, and number two is can you eventually teach me how to fish? So I don't have to call back every time.

Sure, and the short answer is that's one of the objectives behind our engagements, typically, is helping our clients understand or our customers understand what's required of them going forward, how to literally implement the framework and then manage it going forward. Where we typically, from a kind of a broader engagement life cycle perspective, find ourselves acting as subject matter experts, as time goes on after we've gone in and implemented that security posture and ongoing framework management.

Yeah, I mean, just if you look at the five services we announced, right? So one of them is around fraud detection, right? So often in the web, in the online world, right? Somebody has some kind of an online breach coming in and unfortunately we get the call after they've noticed that there's been an online breach of some kind, right? So the fraud detection has already happened. Now we gotta get to the point where we can help you prevent that going forward, right? So our approach there might be to say here's maybe what happened, here are the architectural things you could do to prevent that in the future. And by the way, here are the kinds of things you need to start monitoring on a regular basis because the threats are evolving and you need to be looking out for much more than you're looking out for today. So we seek to try to educate you, not about here's the latest worm that's been released and that you gotta look out for its signature, but rather here are the kinds of policies and the kinds of procedures and the kinds of gaps that you have that you need to go address more proactively. And we hope that when we have helped you to understand how to do that once, that you're building the muscle to kind of continue to do that going forward.
We may leave some technologies behind and some tools behind that let you do that, but our hope is there that that's not an event, that that becomes muscle that you're building in this regard.

So my last question, you guys are big on journeys, right? So this is sort of the beginning of a new journey. Where do you see this going in the next several years? What's this whole business gonna look like?

You know, I think if we are successful this becomes a pervasive part of how you think about information, right? So just as the cloud is a way to architect your information infrastructure and application portfolio differently, to us, security and risk management is a way to think about the asset and liability side of information differently. It's the kind of thing that cannot be ignored as information starts to leave the physical confines of a data center, as you start leveraging public, private and hybrid clouds, as you start virtualizing in the world of big data, right? It has to be an integral part of the way you think about information. So if we're successful, we'll help clients think about their data and their information with a lens to security, with a lens to how to secure that information in the right way. And that won't be a firewall and an intrusion detection strategy. That'll be an information management strategy that includes the governance, risk and compliance of information.

So we're here at Wikibon headquarters. This is Dave Vellante. I'm with Tom Roloff and Matt Allen. We're talking about security, EMC, identifying what I've always said is a major barrier to adoption. It's the tip of the spear, EMC Consulting, coming in and actually facilitating new services that will assist with cloud security and virtualization security. And it's something that I think that you guys have to step up to. You're well aware. You talk to clients every day and they're, I'm sure, pounding on you to help solve this problem.
So congratulations on taking it head on and good luck with the services.

Thank you.

Thanks for coming into theCUBE. All right, everybody. Thanks for watching and we'll see you next time.