Hi, this is your host Sapin Bhartiya and welcome to our new episode of Topic of the Month, T3M. Today we have two guests from UBCube: Ahunath Force, head of product management at UBCube, and Damian Pichai, compliance senior expert, once again at UBCube. Damian, Ahunath, it's great to have you both on the show.

Yeah, nice to meet you. Nice to meet you.

We have covered UBCube before, so our audience does know about the company, but since we are talking about security compliance this month, let's just remind our viewers: what is UBCube all about? What do you folks do?

So at UBCube, what we try to do is to simplify the journey to the cloud: to make it safer, to make it simpler and to make it compliant. Right now the complexity is everywhere: different technologies, different providers, hybrid environments. So from the company's perspective, this move and transition to the cloud is quite painful. We try to remove the complexity by abstracting all those difficult concepts, so that in the end you manage the cloud in a simple way while keeping in mind this challenge of security and compliance. Compliance is really a hard challenge for any company, especially when they are using several cloud providers, and being compliant with only one of them is already hard. So imagine if you are using hybrid cloud or multiple technologies. With the abstraction level that we provide with CloudClap, we can make compliance easier, because most of the time it is the same information we need whether we are running on AWS or GCloud or whatever, and this is what we provide: a unique, single platform where you can collect all of the information you will need for your compliance and your security.

What kind of compliance are we talking about here?
We are mainly talking about compliance in terms of security or privacy, based on SOC 2 or ISO 27001, HIPAA, HTS for the French market for instance, and these standards are quite the same actually. We need to collect a lot of information to make sure that the controls are working well: the user access review is done, the security reviews of the design are performed. What we are trying to solve is the difficulty of keeping that level of conformity. When a developer is developing new software, he just wants an environment to make it work, and he is not always aware of all the security controls that he needs for any of these standards. So what we bring here is just a simple way of saying, okay, this is your environment, you need to run on this standard, for instance SOC 2; you choose your standard and what type of environment you need, and you just deploy on any cloud provider.

When we talk about cloud, first of all, cloud itself: if you look at cloud, we are looking at hybrid cloud, multi-cloud, companies still running mainframes, so they are still mixing a lot of things, and edge computing is also there. So cloud itself becomes very complicated, developers get overwhelmed with all the latest technology that we talk about, and when you throw compliance into that mix, it makes things even more complicated, because some things are even more specialized, which can be the case for a lot of industries that have been around for a long time and are very regulated; there are also some industries which are reluctant about these technologies. What do you see as the kind of challenges that these companies' developers face, and how do you folks lower the barrier of entry for them so that they don't get overwhelmed? Because this is an issue where they cannot compromise; they can lose their whole license to even operate in their industry, and that can be a big risk for their image. Just talk about the complexity there.
So you're right, I mean compliance on a single cloud by default is challenging; the topic itself is difficult to understand, but indeed when you move to hybrid mode you add the next layer of complexity. So I will probably mention two points here. The first is the shift in responsibility: all those controls you have related to security and virtualization shift to the cloud services. So you need to understand those changes and define all the security scenarios, and sometimes companies try to implement the private cloud security controls in the public cloud, and in some cases it's quite impossible. They maybe don't have the right talent, the security experts, and the target platforms globally are difficult to understand, and this is also what we want to do with our platform: to bring simplification. The second challenge, I will say, is to really perform full compliance checks on the remote platform. You know the providers have their own security locks implemented, so the goal for us is also to access those remote platforms and get a really full picture of the compliance and not have partial results. And this is also what we are trying to address: whatever the number of clusters or nodes you have, we really want to have a global idea of the compliance.

As we are talking about these challenges, we should also look at the culture or people side of this, because as you're saying, sometimes companies try to bring that model from traditional IT into the cloud native world. We are also looking at the people, because we are still talking about the move to DevOps, DevSecOps, SREs, internal teams: whose responsibility does it become? Because we have kind of broken old silos, but we are also kind of creating new silos. So when it comes to compliance, whose problem is it, where does the buck stop there?

There are several things here. The first is the set of controls that are decided by the company itself.
If they are following any standard, any security standard, they will define a set of controls. And the real challenge will be to make all the teams aware of these controls. And being honest, it is impossible to ask DevSecOps or whoever to know all of these controls perfectly and what needs to be implemented. So this is what CloudClap provides: the ability to define these controls and make the developer totally free to deploy any of these environments. You just have to say, okay, what type of standard do I need to follow here? And I deploy, and the product will automatically perform all the security controls and bring the compliance information we need. And for some reason he might want to have some specific controls, and he will have this possibility as well, without breaking the compliance. For instance, if you set a rule which is in opposition to the standard's requirements, the product will say, okay, this is not possible on that environment, because you are hosting health data, so you cannot remove this security control, for instance. So we have the possibility to make sure that this environment is compliant with the standard we follow.

Is there any specific persona, just the way we talked about DevSecOps, DevOps, SREs, security and compliance, any specific persona within teams who is responsible for ensuring that the things are in place? So that as you deal with the developer teams or operator teams or SRE teams it doesn't get lost: is there any specific persona within companies who is responsible for compliance?

Compliance is a matter for everyone. I mean, there is not only one person who is in charge of the global compliance, but this is also the reason why awareness is really important when we are talking about compliance, because we have to make sure that all of your teams are aware of the standards of the company, but we cannot ask every one of them to be aware of all of the security controls that need to be implemented.
So there is a first step when you decide on all of these controls to be set up, and then you delegate the availability, or the possibility, for developers, for instance, or SREs or DevOps to deploy this environment without having to consider or think about all of these controls that have to be set up.

As we were talking earlier about complexity, we are also talking a lot about automation. Manual processes cannot deal with that. So talk a bit about the role of automation; we can also talk about AI/ML, which is also being leveraged here, when it comes to compliance and helping teams, once again depending on the industry, remain compliant.

Automation will raise some new risks, because with automation, when a mistake is made, the mistake is automated. So this is one of the major risks we have here. This is also the reason why the way you deliver all of your cloud services needs to have some validation steps. When you deploy, you cannot go straight to production at the first stage. You need to make some tests. You need to make sure that you are in line with all of your security before going live in production. So automation won't eliminate these validation steps that are still needed. Whether you do it manually or automatically, you need to have these validation steps before going online. The thing is that automation will just make you save time, in terms of security, just to make sure that all of these tests are okay and you can go on to the next step. This is what we bring here. We just save time for developers from development to go-live in production.

Oh, no. You want to add anything?

Yeah, I mean, probably I will link automation and remediation, because these are topics that are linked together for the people that are doing compliance every day. This is something that is on a daily, weekly basis. And through the platform, in fact, you can choose. You can choose to do the things manually or with automation.
I would say probably for the security experts that would like to keep their hands on the security controls, applying those manual recommendations will help them keep their hands on the control of the platform. But honestly, some people that are using the platform are not necessarily security or compliance experts. And this is where our platform will help them to really have an environment that is green and clean to deploy applications, without being certified in any provider program.

We are also going through this phase where a lot of companies that kind of over-hired during COVID are now laying off employees and cost cutting. How much impact are you seeing there might be on compliance? Once again, depending on the industry, they cannot compromise on compliance. But do you see any challenges that are going to come for these teams? Or are you like, hey, this is something which is not going to be affected by any cost cutting or any layoffs?

Even if compliance should be the thing that you consider at the very start of your process, unfortunately, the more the teams get smaller, the more compliance is impacted, because you are right: people don't have enough time to cover all the compliance requirements, and they are very numerous. So this is a hard challenge. And this is also the reason why CloudClap has been built: to save time and not to waste time, by defining, okay, for this environment, this is the standard we need to follow, these are all the security controls we need to set up, and this is all of the information you will need for compliance. This is a fully automated process, meaning as soon as you deploy your environment, you have both the security controls in place and the compliance information. And so even if the team is really small, it doesn't impact the project itself. We keep having this information we need for compliance.
But you are right, in other environments, when the team is getting smaller, compliance unfortunately is the most impacted aspect.

When it comes to compliance, of course you have to implement it, and you have to maintain it for the lifecycle of whichever application or workload is there. Number two is that companies may enter new markets, or sometimes regulations also change for political reasons, so they have to keep up with that. It's not that once they have implemented something it is done. So it's a whole lifecycle, which can be very dynamic. So talk a bit about how you folks help those teams in not just implementing but also evolving over time.

This continuity topic is really crucial. Infrastructures globally are not static. So having your infrastructure respect the standard on day one is fine, but what about in one month? What about in one year, for example? A security expert acts like that every day: they maintain the security on a daily basis, and compliance should follow exactly the same schema. So for us, at the time the environment is created, the whole system is configured to scan compliance in every location on a daily basis, and the results are collected in one unique dashboard. So at a glance, you really have a nice idea of how close or how far you are from being compliant with the standard you chose. And whatever way the environment changes in the future, because an environment can move, you can deploy a new app, you can scale, you can rehost, you can migrate, the system will continue to work. So we really maintain the compliance status over time. And we also offer the possibility to update the standards themselves. For instance, ISO 27001 has just released a new version last year. So the software will automatically integrate the new standard and raise the new requirements and say, okay guys, on this topic we don't have the information, or we don't have the security control set up, for this specific standard.
And here you have two options. Either you do it manually, meaning you analyze what is needed and you set up the security control, or the software can take some remediation action to keep it compliant. If you need to add, I don't know, separate networks, VLANs, whatever, you can have some recommendations and delegate to the product to integrate and set up this new control to fit the new standard and the new version.

Oh no, Damian, thank you so much for taking the time out today to talk about this topic, compliance. I really love your insights there. Thank you so much for sharing those with me. And I would love to have you folks back on the show.

Thank you. Thank you very much. Bye-bye.