Welcome. Thank you for joining me. My name is Meg Mude, I'm a TSS, a Technical Solution Specialist in the DPG Sales Organization for Intel. Today we're going to cover a little bit more about risk and security, and specifically, the topics we're going to cover are the role and an overview of security and risk and how is it relating to the computing infrastructure of today, some frameworks and models of risk and security management for data management in particular, the roles of risk governance, policy, compliance, etc, as it pertains to computing and data management, and particularly how data assets relate to one another and to the security infrastructure that we'll be covering. Then some of the practices and methods and models of containing risk and security. I'd like to start with Intel's commitment to security at all levels of the computing infrastructure. Intel makes a tremendous investment in security all of the time, at all places in the ecosystem in which it touches. Whether it's at the hardware substrate layer or whether it's with developers we're doing work at each layer to ensure that products are secured. Specifically when it comes to security and risk, we have programs for Bug Bounty, for researchers, and really we co-develop security ingredients with our ecosystem partners. For customers, we provide actual technical support, troubleshooting, and many software and also hardware artifacts to support their actual requirements for security and risk containment up through and including products that are unique like for security, unique processors for that, and for developers, we have SDKs and other toolchains that are consumable for application security as well. Really ultimately boils down to the types of control systems and the physical, logical, technical, operational, administrative, or policy controls, and the apertures around these controls that we're delivering to the market whereby security and risk and containment is delivered. Generally with security and risk, I like to call this the wheel of security, if you will, but you'll see 4, 5, 6 themes that often come into the conversation around security. Generally it's around risk mitigation, policy governance and management, compliance, the actual risk management, the surface area of risk itself, also certainly we'll see items such as cryptography and the hardware artifacts that are associated with consuming data itself at the Data Plane layer, the regulatory framework and environment that gets broaden, and then of course, how is access enabled and delivered from a security standpoint. Ultimately it comes down to two threats that Intel is driving with security. The first premise is to secure the physical platform or the data platform or the processing platform. The second is to protect the data layer itself. From the platform perspective, we have tools that are delivering resilience that are used for trust enablement at a hardware or platform level and driving for more visibility and control at the platform level such that the applications that are delivered actually are secured and they're not compromised in any way. Then of course the data, the data at rest or of course data in motion, data in flight, is the term that we're using here, and then the data in use. At each state of these data were looking at how is it delivering for the maximum possible amount of performance without compromising any of the risk. Many enterprises, particularly those in financial defense, federal government, state government, local government, manufacturing, and health care, those industries tend to be the most dominant when it comes to being front and center in terms of either technical leadership or thought leadership or governance structures are on security and risk management. But risk reduction and risk management is of super great importance. It's tremendously important for most CIOs. In fact, there's some data recently that indicates that about 80-85 percent of CIOs believe that security at the very top 5, 2, 3 concerns for them in their overall Infrastructure. It's pretty tantamount. Security is cyclical. Now Intel has invested in all of these artifacts. You've been watching through the CloudU series that we absolutely take every experience and effort element of the computing stack seriously, so too it comes with security, and specifically, what we're doing at the security continuum is whether it's encryption or isolation of data or building a chain of trust at the policy level and deployment level, but even at the processor and accelerator level, we have protocols in place to drive security and risk containment until it works across that whole stack and the entire continuum. What we find here is that it plays a big role in how the customers are consuming and managing and thinking through their security problems. It's a cyclical situation. As the world becomes more connected, the data exponentiates as we see, the cloudification of everything is prevailing, and then the landscape itself becomes increasingly complex with many more actors and players in the landscape in terms of who can contribute data, harvest data, how it's harvested, etc. This has definitely introduced, of course, a new series of risk surfaces, but also exposures. We're looking at, again, how we harden that security stack at the accelerator up through the data plane and then beyond the encryption and beyond the data plane to the governance and deployment standards. We're looking at it as a full stack approach, as well. There are many frameworks worldwide. One of the most dominant ones is the NIST Cybersecurity Framework. There's the CIA triangle in Europe, in India, and PRC. We also see similar corollaries on the kinds of cybersecurity frameworks that are deployed, but by and large, almost all of these frameworks have five main pillars to them, which is around how do we identify that risk that's the intrusion of some kind or management of that intrusion and the identification of that risk, the protection of the artifacts of the business itself, the detection of where's the anomaly coming from or where's the violation of the policy coming from, and then the responsiveness. How are we responding to the incidence of security compromise and the communications, mitigation, and analysis around that and managing that, and then recovering from that. Again, it's a full stack approach, which is the identification, the protection, the detection, the responsiveness, and the recovery of all of the valued assets. In this case, the data itself is the valued assets and this is where these frameworks come from. This is a very dominant framework. There are many other frameworks. We're just going with this one since it tends to be prolific and agnostic of industries. Once you look at industries or localizations of geos, you'll see much more branch out in all of these localizations. Some of the more dominant frameworks, as I mentioned earlier, there's many of them. There's certainly ITIL. It's a very famous one. It's the Information Technology Infrastructure Library. It's part of the ITSM protocols. Most CTO, CIOs, IT managers, application delivery specialists tend to be familiar with this methodology, but also there's many others. The Factor Analysis of Information Risk, that's a risk management and mitigation methodology that you'll see, then you'll also see a framework around, for instance, Intel has been part of a framework, it's called a Threat Agent Risk Assessment. This is at the hardware and the network layer. We developed it in 2010 actually, that was built for actual intrusion detection and things of that nature. You'll see many such established frameworks coming out. Prior to Intel, I did a tremendous amount of work in financial and health and life sciences. In those industries, you'll see many frameworks and regulatory criteria for how data is managed and governed. These are just some of the frameworks, but really, in all instances, whether it's on the Cloud, especially, when you're deploying in a public Cloud, it's important to consider the risk containment criteria that your customers might have, but also what is the predominant framework for that end customer or for the regulatory environment in which they operate and the legal and policy governance structure within which they deploy their products and services. At the end of this though, what is it? Security is a way of life. We've been talking about that all along. In a large recent study, I think I mentioned this earlier, about 86 percent of CIOs mentioned that it is one of their top concerns. Really, how is this important or how is this delivered, Cloud storage, end point storage, really, the entire network. Everything from every and each surface of every email attachment or every downloaded file or uploaded file up through and including worms, malware, hacks, etc. It's a full surface area approach to how security needs to be managed. Ultimately, of course, when you're looking at applications, for example, Salesforce, you're uploading a file, even there you see security and risk requirements being there. This is very much architectural, systemic level consideration of how security and risk management is deployed and delivered. Where do we have security and risk today? As you can see here, there's many ways to deploy security and risk. This is one of the more comprehensive approach. Apologies for the eye chart, but it gives you a perspective on what a good, comprehensive, and secured system looks like. You can see on the left and right sides, you'll notice the monitoring and responsiveness portion of it. We covered that a bit in this model. Then the prevention portion of it. But at the deployment layers itself, you see the actual data security aspects, the application security aspects. The endpoint security, network security, and physical perimeter security coming through, ultimately, protecting and securing the mission critical data and mission critical assets. Fun fact here, it's very hard to detect the hacker, but you'll notice that there's a masked hacker in the network layer and the perimeter security layer, that has infiltrated our security fan. As you can see here, the security compromises can come from any place. Each of these tranches, whether it's perimeter security, or data security, application security, or endpoint security, data tends to be a dominant thread of that conversation, coupled with whatever that architectural feature you're looking at. It might be the network element, or the monitoring element, or the prevention element. It's always about the data plus whatever this other element is. This is why we consider a data plane problem as much as an infrastructure problem. What are we doing about security today? Firmware, which is the layer right above the hardware itself, which governs how a processor consumes information, what propagates it, we work on building firmware resilience at the lowest level, such that the platforms themselves are secured. Whether it's looking at a DDoS attack, or a disruption of critical infrastructure, this layer of security is considered an extremely important national priority, and virtually almost all federal entities, certainly the United States, but even in Europe, PRC, India, many other large geos, Latin America, you'll find that governments themselves are aware that this is a level of compromise that needs to be followed. We at Intel do a tremendous amount of investing, at that firmware, resilience, and security layer. Let's talk a little bit more about what is SGX and where does it live. For sure, SGX is relevant and useful at the Cloud infrastructure layer, but also, we're seeing it in block-chain applications, and secure networking applications, and trusted multi-party compute application. We're talking about, for instance, health data exchanges or financial exchanges. These are the environments that you're seeing a lot of trusted applications being built through SGX. Obviously, for learning platforms, for key management, and we talked a lot about databases a bit ago, but the securing of databases itself is important. Fun fact, Azure has SQL already, the Azure SQL Instance already is available as a secured database with SGX, and it is consumable as a protected artifact. Then of course, any application that you would host through an SGX type methodology can also be run through SGX as well. We're seeing a tremendous amount of application utility for SGX, and it's incredibly interesting and an important time for it. In summary, security, we just touched very tip of the iceberg, but security and risk containment go hand-in-hand. We talked a little bit about the products and frameworks. Certainly, the NIST framework was introduced as one of the main advisory frameworks. I had a friend recently say that whatever the framework is, pick one and execute to it. That's really the guidance that we like to give customers for their architectures. Security is absolutely important, but it's important to pick a framework and execute to that. Of course, security and risk deployments are multilayered, and platform security matters across the full lifecycle of data, but also the full deployment lifecycle, and the application lifecycle for customers. Because Intel's work portfolio is vast, we look at data security as both a business artifact, but also a computing artifact. We look at the computing substrate from a platform securing, or a data securing standpoint, and we have a tremendous number of assets, and I shared with you a little bit about the latest which is around SGX. But when you're looking at applications for health care or crypto, things like that, security plays a big role. Then finally, we have a tremendous and big pedigree and security. Tremendous amount of research and development. The security field continues to evolve at each and every layer, both from the logic, and the foundation and substrate of computing layer, up through more nuanced artifacts, such as social hacking or crypto applications that you'll see emerging more and more in the Cloud environment. This is how we're seeing the supply chains of tomorrow emerging, the healthcare value chains emerging, the federated learning models emerging. This is how we're seeing security being deployed increasingly with customers, and it's a tremendous conversation to have with CIOs, with end-customers, particularly once you're starting to talk about the data plane and data artifacts. Thank you for joining me for Risk and Security of Data Platform Module, and I hope you stay tuned to join us for other modules.
