Even Las Vegas for SiliconANGLE's CUBE coverage of IBM Pulse, IBM's big show in the cloud, new capabilities, big growth opportunity. I'm John Furrier, the founder of SiliconANGLE, and I'm joined by Dave Vellante, co-founder of Wikibon.org, my co-host. This is theCUBE, our flagship program. We go out to the events, extract the signal from the noise, and we have a distinguished guest here, Raj Nagaratnam, PhD, distinguished engineer, CTO of IBM Security Solutions. Welcome to theCUBE.

Thank you very much, glad to be here.

We love having PhDs on, because we know you're smart enough to get a PhD that you know you can handle any question we throw at you. I'm sure you can answer all of them correctly, but security right now in the cloud has been a big thing. Dave and I always talk about this for years. Is it a do-over? Is it bolt-on? Is it perimeter security? How do you deal with all these old security paradigms when everything's getting hacked? iOS has a back door, code and agile in the cloud, data in the cloud, it's a Pandora's box, great opportunity economics-wise, but security always comes down to, always comes down to security when the rubber meets the road, nuts and bolts, it's security conversation. So give us an update. Where are we with security in the cloud? How far deep are we in? How secure is it? What are the things you guys are working on?

Yeah, definitely glad to be here. Like I said, definitely security remains a top concern in adopting cloud. And we believe cloud is actually an opportunity for enhanced security. We are going to get there. It's a journey. We all went through this time when web came along and companies or customers were worried about, okay, I have all these information systems, I want to expose over the web, how do I secure it? So then came along all the security practices to say, okay, put a perimeter around it and everything outside is untrusted, everything behind is trusted and so on. But with cloud, what's happening as well?
You're accessing stuff from mobile devices that you no longer trust, like you said, with any phones out there. You're moving your workloads to cloud. Customers are consuming services and applications as SaaS. So it's kind of, the perimeter is disappearing if you want to think about it that way. So it's becoming more porous. And so we need to rethink security in that context. And what we believe is happening and will happen is, it's kind of more closer to the application. You need to worry about the application, the data that you are rendering over the cloud. And at the same time, you can take the investment you've made, extend out to what you have done as best practices, extend out to the cloud. So we are definitely working on all these capabilities and solutions to help our customers.

You know, Dave and I were just at the Big Data SV conference in Santa Clara that we held and, you know, fraud detection, big data is a big part of the security and that's aspect of it, trillions of dollars. Trasada startup in your area is doing some good work. Abhimed and his team, looking at a completely different perspective, so they're making some headway. That's just on the big data side. Let's talk about the application. You mentioned the application. You know, look at WhatsApp. WhatsApp just circumvented the entire telecom industry. Facebook bought it for $19 billion because they're disrupting hundreds of millions of billions of dollars in telecom business. The users are now in control, right? So now you have user experience and preferences that is application driven, which predicates an infrastructure that needs to be dynamic. You need it, it used to be the infrastructure would dictate application, so it's now reversed. That vector is switched. How do you look at that as a computer scientist? Is cryptography the answer? I mean, we've got Bitcoin out there. You've got Bitcoin, you've got WhatsApp. The data center is under complete transformation.
I mean, technically it's intoxicating to think about it in terms of like as a geek. But as a computer scientist, how do you look at that and what do you guys do?

So when we, yeah, definitely. So when we think of all these security threats, be it external threats, internal threats, across enterprise, cloud, mobile, security is a big data problem. Ultimately, you want to figure out what's happening where in the device, in the network, who's coming from where and kind of correlate that. It's a multi-dimensional problem. You think about it after the users who are trying to access applications. Applications may be on the cloud. Data may be residing there or in the enterprise and delivered over to mobile. So when you kind of weave this in and correlate the information, that's where what we do is we, our strategy is grounded on security intelligence. So with our IBM QRadar product capability, looking at, okay, security is a big data problem. We do security analytics. It's just not about monitoring because you may get millions of events. What do you do with it? It's about finding that incident that is risky and what action can you take, what's actionable insight that you can gain. That's more important. So that's a key part of the strategy. And you also mentioned fraud. So lately, recently we acquired Trusteer, which can handle fraud protection and provide fraud intelligence. So across laptops, web and mobile, so grounded on our strategy of capabilities, the first thing that many security officers, our customers are asking about is, can you give me intelligence? Because there is going to be the next incident all the time. It's not like you're going to protect everything. We have capabilities to do the protection but there's always going to be the next thing. It's about how can you stay ahead of the threat and what capabilities can be put in the customer's hand to make that happen.
So with QRadar and our Trusteer capabilities, especially Trusteer delivered from the cloud, we are very well positioned to help our customers and that's what our customers are adapting to.

So I feel like we have this multiplicative effect, Raj. Every year I say this, beginning of the year, I look back and say, do I feel more secure than last year? Oh, the answer is always no. You've got the notion of technology changes so quickly. You've got the sophistication of the bad guys and you've got the amount of data now that is coming into the system. And I say this is multiplicative effect on the difficulty in securing our infrastructure. I've also read a number of times that most of the money today still is spent on keeping the bad guys out. Versus the other interesting data point is once they're in, it takes over a year to find out that they've come in. So I wonder if we could talk about that. Is that changing? Does it have to change, i.e., the investment profile? And what is IBM doing in that regard?

Yeah, there's definitely a change in the threat landscape. It's no longer the hackers doing it for curiosity. It's more and more about financial gains, espionage. It goes across the chain. And so when we look at it from an advanced threat perspective, it could be advanced persistent threat kind of attacks that you may not know what's going on. Because you can't be figuring out something and say, okay, there is an anomaly happening or a particular event happening, let me quarantine it. You can't just take the action. We need to start thinking like an attacker. So we need to be on the offensive. So figuring out what's going on, let them deal with what's happening, getting more insight and weaving that with more intelligence.
So what we do, what we have in IBM is an X-Force threat research arm where we look at various malicious activities, malware, we crawl the web to figure out all the websites and what's going on, and kind of second largest database in the world having that intelligence on which website to trust, what not to trust. You combine that with our Trusteer fraud protection and malware analysis. So we have, what we do is we back our capabilities with research, our security research, looking at the threat that is evolving day in, day out, and then that provides you the basis to figure out, okay, what can I do? The next step is in terms of what are they going after and what is the most important asset for me? Is that my crown jewels? Are these gold nuggets that I need to protect? So what we see customers are doing, and rightfully so, we are working with them, is figuring out their data. Data is the king. So ultimately, how do you protect the information? The data, it could be intellectual property, it could be formula, it could be something, customer data. So having a view of what is important to them because you are not going to protect everything. You need to figure out what is most important for you to protect, have monitoring around it, have protection around it, be it from a network perspective or understand the risk from mobile devices that you can manage and have a comprehensive strategy. So when we go into any customers who deal with this, is we work with them on a security maturity model on okay, where are you? What are the risks that you are worried about? What are the key crown jewels that you need to protect? And what are you doing in terms of visibility that you have? Any kind of, like a GPS, we say you are here, you need to go out there. How can we help put a roadmap to get there?

When you have those discussions with customers, how much of that discussion is discovery around what you don't know?

Yeah.

Questions that you aren't asking.

That's an excellent question.
Most of the time, when we talk to CXOs and with their teams, and when we have this maturity model discussion, they turn around to their team members and say, where are we? Are we in basic mode? Are we in optimized mode? Are we integrated? Where are we? And they all go, oh, we have a view. So then it kicks off, it starts a conversation with them so that we can collectively, because there are many stakeholders, it's just not the security officer, you have the IT teams, you have the application teams, you have the line of business. So that's when they get into what you call the discovery mode. To have a view of where they are. There are, of course, there are many customers who are very good at it, very good security practice and the program that they have. And then, typically financial institutions. But otherwise, others get into this conversation, okay, help us, help us discover or help us identify where we are.

Raj, I want to ask you about the consumerization of IT. Obviously, you mentioned security is changing. Obviously, the environment is changing. Transactions and engagement is a big message here. Trans-engagement. And we love engagement. We have the CrowdChat application that we built, CrowdChat.net. Social engagement shows that social business. Okay, that's all messaging, marketing stuff. But in reality, bring your own device to work, it's just a simple task everyone wants to do. So I got to ask you one, security around mobile phones and enterprise. And the whole identity piece, because you've worked in that area, it's a big part of the security plans. But what is, is identity changing? Is it unified? Is it fragmented? Usually identity was statically assigned to platforms and legacy infrastructure. Is there a unification around identity? I mean, on the consumer end, Facebook, Google, plus we're going at it, trying to win the end user consumer identity battle. Some, well, we speculate that it's happening. But on the enterprise a little bit, it's different.
You have directory services, you have all kinds of other credentials. How do you, how does someone just get that done to do the BYOD and other things?

So when it comes to mobile, it's a span of control across corporate-controlled devices where you have more controls to BYOD all the way to secure transactions that you hit on, which spans not only employees, but can someone do a secure transaction as a customer? You have no idea of what mobile device that they have. You can't control it, you cannot manage it. So in that spectrum, we think about managing the device and the content, securing the application and securing the transaction, because the granularity kind of goes up. And so what we see definitely not-

Three separate levels of granularity.

Three increases, yeah, exactly. Granularity increases as you go from the device and the content you want to manage.

Application.

Application you want to control and have more visibility and control around and every transaction that you need to be worried about. If you think about that and with our capabilities, we are so proud with the capabilities that we have in our arsenal to attack this problem. With our Fiberlink MaaS360 acquisition, we have a cloud-delivered mobile device management that provides containers so that now an employee can access their collaboration applications, be it email or SharePoint and so on, in a very secure manner. There are customers here at Pulse talking about the success stories on how successfully they have done BYOD and mobile device management using Fiberlink. Then when it comes to application, there are two parts to it. One is, can you containerize the application on the device? There's also the other part where you're accessing an enterprise application from a mobile device. A salesperson coming from Starbucks, trying to access a sales app remotely needs to be allowed.
Whereas an employee trying to access that application or from a malware-infected or jailbroken device, you need to be really worried about it. So there's a notion of greater trust that we can allow. Who can access what at what time, from where, which location needs to be weaved in. So with our capabilities around Access Manager for Mobile, we can do that. We are helping customers to deploy more context-aware security controls from mobile or web because it's just not mobile. When you look at it, it's like omni-channel across, multi-channel across web and mobile. So our Access Manager product hunts your question around identity because now you can authenticate. Well, if it's a crown jewel, you may not trust a social login. You want to have stronger authentication based on enterprise identity. But if your mobile app is rendering social networks for customers to come in and share their views, you may very well allow a social login. So based on the resource, your identity mechanism and the level of trust you have will vary. And the third part is the transactions which is based on Trusteer. So do you know what malware is being affected? How can we take control of it and what decisions we can make in making the protection?

So what you described it. Before you go there, I want to just follow up on that. So when we were at Open Compute Summit in San Jose, we were talking with Marc Andreessen and he would give a keynote and also it went on Twitter around he was bullish on Bitcoin's cryptography. It wasn't so much as it was a currency other than as a P2P payment system for transactions. Do you see cryptography sneaking its way into the paradigm? And if so, how does that affect any potential identity that you guys do?

Cryptography is fundamental to many of the technology approaches that exist today and will continue to exist because when you think about data, how do you encrypt it? Then, well, you can encrypt it but where do you leave your keys?
If you leave the keys in the cloud, what good is it, right? And so from IBM, we work on, of course with our IBM Research.

You encrypted the keys.

Yes, with IBM Research, we focus on cryptography and like homomorphic algorithms. Can we split the data and protect them? So in multiple ways, we look at it. And so it is going to continue to play a role. Ultimately, it's just not the cryptography. It's about, is it consumable? One of the earlier points you made is user experience. How can someone consume this capability to protect data? There may be cryptography beneath it but we need to deliver and that's what we are doing. Delivering these capabilities in more of a consumable manner that administrator can manage and application developer can kind of turn the knob on policies or a line of business can say, okay, these are the five things I need. So it's about hiding the complexity of the cryptography and so on. But fundamentally, many of these technologies and algorithms will play a key role as we move.

So I want to follow up on that comment you just made about making security more consumable because a lot of what you describe sounds pretty complex. And so my question is, are these, how do you accommodate the diversity of customer needs and at the same time keep it simple? Amazon, for instance, would say, everybody gets the same security, that's it. Any color you want as long as it's black. IBM's obviously almost the other end of the spectrum. You guys will do a lot of specials for customers. You got a big services organization, it's a big part of your business. So I wonder if you could talk about that a little bit just from a philosophical standpoint.

Yeah, that's a great question and it's changing our culture. IBM, we have a big focus on design for the last couple of years. There's a whole program and an organization that's helping us transform into a design-oriented company.
So we are now thinking in terms of who's the user, what is a behavior and what are they trying to accomplish? We have been providing user interfaces, of course, but the world, the millennial developers and the people are coming out there, their mindsets are different. It's not that they're looking at a console, they may want to do it from a mobile device, they may do social. So how do we provide this? It's not only user interface and visualization but the whole experience. So we adopt that and we are, every one of our products are now geared towards and implementing our design principles. User design is becoming key so that now, let's say, somebody's managing identities in a system. In the past, we would have things to say, okay, these are the five users, I want to have access to these five accounts and the machines. But now we are changing the discussion to say, everyone thinks of a shopping cart. We are all used to going to online websites and say, I want this widget, that widget and so on. So our user interface has changed so that the experience is like a shopping cart experience. I want access to these five applications. You do check, you add to your cart and you submit a request. Then your manager comes and says, okay, what are my employees asking for, here are the five apps he has asked for, let me approve it. So the paradigm that we have come across in the online commerce and so on, we are taking that and applying that back into our products because the users out there, their mentality has changed. The way they do business, the way they work, the way they do stuff at home has changed and we need to kind of attach to that and address the paradigm and that's exactly what we are doing across our portfolio.

You're adapting your processes and it's kind of cliche but everybody talks about people, process and technology and oftentimes practitioners say that technology is the easiest of the three.
In the solution pie of how we attack the security problem, people, process and technology, how would you break them down?

So, definitely, in terms of technology, we have superior technology. Understanding the people, when customers look at, okay, people, process and technology, they can deploy all the technology they want but they want to make sure people are aware of the risks. So we, for example, in IBM and we tell these to customers and customers do it as well, they have education programs, awareness of risk and security, what you can do and should not do. You should not post your intellectual property on Facebook. Maybe common sense, but you need to create the awareness. So dealing with people, leads with education.

How was your birthday?

Yeah, exactly. So it deals with people creating the awareness and education, technology, definitely with products and capabilities that one can deploy. The process is now, how does it fit into my business model? How do you process engineer, be it identity or security, or if you have an incident that you gain from security intelligence, what do you do about it? How does it affect your business process and methodology is a key part and that's where working with our IBM security services teams and business who work with our customers and evolving their process. So absolutely, it's education when it comes to people understanding their behavior and attaching technology to it, delivering technology capabilities that will address the problems of today and ready for the problems of the future and process in terms of adapting, understanding, be it industry verticals, their concerns, the compliance and regulations and how we can address it. So we target these both in terms of technology products that we deliver, services that we deliver, at the same time, sharing our experience as IBM, what are we doing in IBM in dealing with people or process and technology with our customers, these go a long way.
Raj, I would imagine you spend a lot of your time helping commercial customers think through the security problems but I want to ask you, just cyberspace in general and security specifically really changes the whole nature of the world that we live in and this is sort of a bigger topic than commercial security but thinking about things like Stuxnet when you see what happened there, cyber security and the impact on international relations, things like the future of warfare. How much of a time do you spend thinking about those types of things? Maybe certain three-letter clients have asked you to think about them but what do you just generally can you say about the future of things like states interactions, nation states of the future of warfare or terrorism, counter-terrorism? You said there's something earlier which was interesting. We have to sort of go on the offensive. What are your thoughts on that whole big topic?

So the way we work through it, the thought is that it is there in terms of what gain someone can, it can be financial gain or for any political gain. So understanding and the same principles that we talked about about having the data, the crown jewels and protecting it. Critical infrastructure is a crown jewel. You need to protect it. Understanding what's going on. So both in terms of monitoring, gaining intelligence and threat intelligence. So this is why when we look at these things with our X-Force, with our security capabilities and for example QRadar, we can support for smart grids. So the crown jewels are different for different people. For a bank, the customer data maybe, for an IP, intellectual property is key for people and when it comes to governments and countries, the critical infrastructure is important. So monitoring for and gaining security intelligence is definitely there. Managing the end points because finally many of these end points could be old, could be vulnerable.
You need to protect them from attacks and vulnerabilities, taking steps. So ultimately in a digital world, many of this critical infrastructure or institutions are made up of technology pieces. You would be taught about connected cars this morning. So it is going to evolve. So when we look at it, we are dealing with cloud, mobile, internet of things and security is definitely a key part of this whole journey that we continue to work on, help our customers across the spectrum of industries and governments.

Raj, Dr. Nagaratnam, thanks for coming on theCUBE, PhD, Distinguished Engineer, CTO of Security Solutions. You're a busy guy in your team. Congratulations. Security is a huge issue, not just tactically at the enterprise level, but as Dave mentioned, abroad, global, from a global economy standpoint, truly to use the smarter planet, that is the future, having secure transactions just for business, never mind individuals. So you have some job security, I have to say. So thanks for coming on theCUBE, tech athlete. This is theCUBE, we'll be right back with our next guest after this break.

Thank you, I appreciate it. Thank you very much.

Thanks.