Live from San Francisco, it's theCUBE. Covering IBM Think 2019, brought to you by IBM.

We're back at IBM Think 2019. Dave Vellante with Stu Miniman. Lisa Martin is also here. John Furrier will be up tomorrow. We're here at Moscone North. Stop by and see us. Raj Nagaratnam is here. He's a distinguished engineer, CTO and director, cloud security for IBM, hybrid cloud. Raj, good to see you again. Thanks for coming on.

Good to see you, yeah.

You're in all the hot places. Security, cloud, hybrid cloud, lot going on in your world.

Absolutely, lots going on. I mean, I think we see a lot of enterprises moving to cloud and like IBM says, there's a lot more to move, right? Just 30% is out there, but security's top of mind. So you're right, it's a sweet spot.

What is cloud to people? Because you guys define cloud as sort of a, what I would say, we would say a cloud experience, not a place, but sort of how you operate. But what do customers think of when they think of cloud and hybrid cloud?

Definitely, so in terms of as our customers from them, anything that they can consume as a service is a cloud. So from a SaaS perspective, we do have IBM and others have SaaS properties. But in this context of discussion, my area of focus is as enterprises build applications. It could be enterprise applications. It could be their consumer facing applications. So as they look at that landscape, how do they take advantage of cloud and cloud platform where they can build it maybe on premise with a private cloud or they can take advantage of a set of services and seamlessly integrate into a public cloud or multi-cloud, right? So ultimately it's about their applications, how they leverage the benefit.

Security was always a big concern, especially in the early days of cloud. You mentioned that we're in the next phase of the journey, we've hit the 20%, the low hanging fruit, so to speak. But even then early on, especially security was a major, major concern.
Won't those concerns heighten as you start moving more mission critical workloads into the cloud?

They do, they do. Like you said, rightfully over the last couple of years, I mean, definitely early on it was, even if you roll back to many, like two decades back, when web came along and people need to expose what they had in their data centers as a web application, it was a journey. Now we have crossed that point where everything becomes web application. So that's kind of the journey for cloud that is taking place, where it was a concern. It continues to be a concern, but not so much. People there is risks, there are controls that people have put in place to come over the risk and they trust providers like IBM and others because we do a lot more controls in place and we have an army, if you look at how we host many customer applications and help them, then it's better than many times what a particular company can do just for their application. So from that viewpoint, security concern is kind of, they've gotten over it, but to your point in chapter two, it becomes a lot more. So how do enterprises, enterprise risk, the data becomes kind of the core part?

Yeah, I mean, Raj, I think you're hitting it dead on. You know, five years ago, it was like, oh wait, I'm not sure if I'll do cloud because security, now I understand. Cloud is an opportunity for me to change security, but absolutely, security is such a huge concern. At least in the companies we talk to today, nobody feels safe. It's not a question of if, but when you're going to be attacked and how you're going to deal with this. So give us a little bit, how do we make sure that enterprises can live in today's security climate and not be totally paranoid all the time?

That's right. Security is not the binary thing, right? It's not like you're secure or unsecure. Is it secure enough from a risk perspective, right?
So when you look at data, so are you dealing with sensitive data, private data, or mission critical data and how do you protect it? And are you taking the right steps? Like you rightfully said, cloud is an opportunity to do security right. Many times in the past, app teams will build apps and throw it over the wall for the security team to secure it. That has changed. We need to put security up front as part of the entire process. As we think about it as dev and ops, now it is more important to be security as part of it where you have DevSecOps, so that right from as you design it, build applications and build and operate, so that application teams have equal responsibility and accountability as you operate cloud, not just hey, I'm going to throw it away and I get a security team to do it. So that collaborative model between a line of business and application team on one end and the security team and operations team on another end, kind of the classic IT, come together and cloud makes it possible.

What's the role of the line of business in that equation, Raj? Is it to sort of set the risk profile, the value of the data? Talk about that a little bit.

Yeah, line of business thinks about, obviously from their perspective, what data they deal with, what business they're in. It may be retail banking on one end, or it could be payment processing on another end. So they're looking at how fast they need to reach the data or bring the applications to the cloud for their consumers to reach a digital transformation that they're going through, right? So on one end, they are going through digital transformation. On the other end, the security team from a typical security officer perspective sets policies if there are certain regulations that you need to follow. What kind of data can be put in cloud? Or if you put it, what kind of controls and protection you need? So the policy from a security and risk perspective comes from the security team.
Line of business looks at it and says, this is what we need to do faster to go to market, expand your business. And now they need to look at and say, how do we bring these things together? What risk? Am I willing to take the risk? Or what controls and security capabilities I need to protect my app and data with to mitigate the risk? So that's the model that they are in discussions about.

Yeah, Raj, one of the areas we've talked to IBM a lot about is what's happening in the container space, what's happening in Kubernetes. What role is IBM helping to the industry as a whole and IBM's product specifically to be more secure in that space?

Yeah, no. So it is about helping customers build secure applications and deploy it, right? It's a responsibility model. From that perspective, you brought a very important part. When you look at cloud native and Kubernetes as an example, it provides a really opportunity. So the way we have built our Kubernetes service we have built security in, more importantly, also we are providing security services. So let me simplify this, right? From an elevator pitch perspective, when you deploy an application you need to think about how do you manage access to your application? Oh, that may be network attacks, so how do you protect against network threats? We have a capability called Cloud Internet Services to protect against it. Okay, you're letting the good guys in, now how do you know who it is? So you need to authenticate the person, right? So we have a service called AppID that can integrate seamlessly because the developers don't need to care about the security, the gold-pea technology details. We make it simple so developers focus on business logic. So that's about manage access. Next thing is the application, now need to protect the data. So how do you protect data of an application? So you may put in a cloud native database or an object store, right? In the new models these things evolve.
And the first thing that companies try to do is you need to protect them, encrypt them. As some people would say, encryption is for amateurs, key management is for professionals. So ultimately it comes down to how do you manage your keys? And ultimately customers want more control of the keys. So what we have is in the industry, what we term as bring your own key, right? So customer controls the key, even the encryption happens in the cloud. So we provide that capability with our Key Protect service. So all our databases are already integrated, our object store is integrated, our virtual servers are integrated, right? So these capabilities, this way whenever you encrypt the data it's provided. But given IBM's history, we understand like risk the financial teams go together. We are introducing a new paradigm, we are announcing this week. It's just not bring your keys, keep your own keys. This way it's not only about how do you control the key, but in cryptography land the keys get managed and protected by an HSM, a hardware security module. We give the entire module that they can control, the HSM can be controlled by the customer along with the key. This is a shift because now customers can gain more confidence with that. So this service is called HyperProtect Crypto Service that we're bringing to market. Built on IBM's top level security capabilities. If you can imagine banks running on our mainframe and security being kind of the, whenever you talk movies you look at security people say oh it's mainframe, they didn't hack, but they get into this system. That's the level of security, the top level security we have. We are bringing that to cloud to make the data secure. And another thing that we are working on and announcing this week is it's not about whether the data is in the database or there's encrypted form.
It's also when it's processed in an application in memory, imagine you have a payment service, a credit card payment, and someone logs into the system and dumps the memory. While you get the credit card, right? Now we can protect it. With working with Intel, we have partnered with and we are launching a capability where when the data goes into memory we can protect it. So end to end we are looking at manage access, protect data, and now you can't protect what you don't see, so we provide visibility. Who's accessed my services through access logs, are there threats. So we are infusing machine learning and AI to detect malicious behavior on network. So bringing it to a single dashboard called Security Advisor, looking at these pieces. So manage access, protect data, gain visibility, more importantly all of this in the context of developers, developer focus, developer experience, so that in a single click in an automated way they can protect their apps. That's our goal, that's where our customers want to go, and we are addressing that with these capabilities. It's a journey.

Yeah, so I wanted to ask you how customers, what's best practice for scaling and automating all this, and I think you've touched upon several things, it's design security in, don't bolt it on, DevSecOps for example, it's scaling the key management and automating that key management. Those are at least a couple of the components that I've heard, maybe you could follow through and add some color to that.

Definitely, so when you look at the DevSecOps, right? So from a developer perspective as they build automation tools it goes through a pipeline. You have to take an application that you need to deploy. Let's take Kubernetes as an example. In the past, or in a traditional IT world, there may be vulnerabilities in the system, so you need to patch them.
Then it becomes a tension between an IT operations team saying, oh, I need to patch these things, whereas a security team saying, no, no, I got to patch it. In the new world, why patch it? Why don't you spin up a new container that's now the most protected one, as you find vulnerabilities, spin up a new image and spawn it on, right? In that context, as you look at a developer integrating these things, so how do I deploy an application for managed access? You can integrate with our internet services so that any attack can be protected. You deploy it in a way. You can integrate your services where identity can be authenticated. So those kind of built into the application and then as you put this through the pipe, vulnerabilities are being scanned. You can set your policy to say if you have vulnerabilities, don't deploy it in production. That's part of your DevOps policy that you can set. And then as you work with your security team, you can say, hey, guys, you can manage the keys, but tell me which database and which key to use. So the management may be the security guy's responsibility. Application team looks at it saying, which database, which key, let me configure it. So it then moves towards more of a policy management configuration problem. So it's about DevTools integrating security into the design and into the development automation into an that brings a collaborative culture because it's not a technology problem. It's a cultural problem, organizational challenge that these kind of capabilities help customers.

Why IBM? Give us the commercial.

Well, IBM is a trusted provider from a customer's perspective. We know enterprises for all these years, for many, many decades. We have run enterprise systems, banking, most critical data, workloads, and with our expertise, that's technology and one end. So when you look at IBM cloud built in, IBM security, world leading enterprise security set of capabilities from IBM security, you have one plus one equal to three.
Not to mention our expertise, be it we know our services capabilities, consultancy, helping customers understand compliance, how to work with security or even manage security services. So that brings technology, expertise, and capabilities with years worth of experience that we bring to the table.

Stu, I always say IBM does hard well, and security's hard. So Raj, thanks so much for coming on theCUBE and sharing with us some of the progress that IBM is making. Congratulations.

Absolutely, thank you very much.

All right, you're welcome. Keep it right there, everybody. Stu and I are back with Lisa Martin. We're here at IBM Think Day One of theCUBE. Right back, right after this short break.