
SAP NS2 Keynote

Video in TIB AV-Portal: SAP NS2 Keynote

Formal Metadata

SAP NS2 Keynote
Title of Series
CC Attribution - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
Release Date

Content Metadata

Subject Area
How cloud computing has changed the way in which we as technology companies have to ingest new companies and how we have to deal with industry and compliance through that process.
Alright, so next up we have a great presenter from one of our customers. How many of you've heard of SAP? So first speaking today, we're here today from a specific part of it called SAP NS2. Now you may be wondering: what does NS2 stand for? What does SAP NS2 do? I have a video that we can show you.
you fill in this thread in need
at the top of the list remains so not only do we live in a dangerous world it's
got more dangerous since we were together last year and we must learn to be able to deal with these
various levels of spread around the world on this is what will still
not aware of it and the nature of the
field of writing about of the voice of and what mental mind will
brought whirlwind and the US as
well and the we so all the
America does have a special place to measure position so responsibilities and and what we think
all the structure of the organization of the book
is in it's no longer the case the government as a result of the data is the province of the hazard of the use of different readers of all of this is young
and that that sort of says that no more than a man like that how do we
think about the labelings of policies that works analytics and
we have a class by reason and that is is a now information technologies resouces they're the most efficient way possible is absolutely necessary the new the
development platform services in some of the
more violent of modern that ability and allows a flat whatever the parameters of the this is the reliance on that issue
it from the mean and and the more of it mn on the lives of the 3rd if we all help in playing a part in through automation that were doing the work that we do is industry industry as a community were helping make the world a safer place they can for that the set up for me I would have thank you for making the world a safer place color to alternate particle a FC theater although the gyrfalcon operations for the other thing that
they did the thing and I have a video and I have a whole of everyone good morning and I'm so pleased to be here and I want to thank you in advance for the opportunity to share our journey with you so what we see here up on the screen or
pacman and we're going to start this discussion around the beginning of our story which is kind of typical to the IT industry but we have a smaller company that's acquired by a medium-size company but then gets acquired by a large company this is really not a discussion about it and then what is a discussion about is how cloud computing has changed the way in which we as technology companies have to ingest new companies and how we have to deal with industry in compliance through that process so this story is about a company called plateau systems that was the small company that had a phenomenal market share in the government and regulated industry the market space and they did a great job of delivering to that to that market in then got acquired by a company called Success factors you've heard them they are a sad speech C Company very effective in the commercial market dominance top right quadrant and then shortly thereafter they get acquired by a company you heard of give you plotted the now you really have no way a industry compliance focused company acquired by a very generic commercially focused company acquired by a company now let's a multinational company every industry every language every country in the world so when transpire amusing organization had decide how are we going to deliver this each CM stats applications and how we get to meet the needs of all these different types of customers so we started with the discussion around don't worry industry don't worry government you can just use the commercial version of this that was a very short conversation unfortunately there's an effort in futility it was rejected but why so a lot of you know this already I'm just gonna spend a few minutes on because we do want touch upon the foundations of what industry what's compliance and how does that converge in the cloud so you see some cards here as you can imagine for cards to operate together they all have to smoothly work so you 1st have in an industry based on 
environment the need for industry capabilities on give you an example that if you are a retail company and industry capability would be your technologies and support of point of sale right or if you're a gaming company more fun and a great example that would be your ability fear technology to support the LCs downloadable content and yes I have a teenage son and that's why I know that the the 2nd called here is deployment models so how do you deliver this industry capability and is it relevant to that industry it's user retail example as a retailer you would expect that you'd be able to deliver on a mobile app the ability to buy something right something very accustomed to 4 that's a deployment model mobility that you should be able to do new technology go back to the gaming industry a great example of the revolution of the gaming industry was the ability to deliver that gaming platform in the cloud like without the now the biggest will send my biggest cog in that in that picture here is compliance yeah so why is compliance important if you cannot consume industry capabilities for deployment models because you don't meet that compliance requirements that all that work he did in developing the best slickest deployment model or the most effective capabilities cannot be consumed by that industry because compliance what over and that it destroys all the fun and so on just like in the public private partnership video we discuss that a bit of critical critical to this and foreshadowing a bit is to deliver this complete set of columns that work smoothly you have to have a public partnership so I know many of you were up late last nite because as I was getting coffee this morning were people coming in but then I thought you and so on so I I I think on a play a little game for those of you who are very sleepy now's the time to take a nap I as I said yesterday presentation compliance induces narcolepsy so you may go to sleep anyway I but for those of you wanna play were going 
to play a game called let's guess the compliance regulations can be a lot of fun and how how would you Iike they didn't give me that I I promised the something in it for you who who can guess what this says anybody OK and that when they hear a government here what is it Nice try
1 more Hightower added white OK so afterwards come see us will get something so
Let me cue that up so everybody can see what that is. And here we go. So what is ITAR? It's really cool: it's called International Traffic in Arms Regulations. Not sexy. So ITAR compliance really talks to and enforces this concept of export control information. What that means is you have a set of data that the government thinks is super special. There's something about it, there's information that they believe is important for national security or for overall national defense. And so this export control data is governed by this law, which basically tells you how you can exchange data and how you can access data. To put it very simplistically, two things: one, you've got to be a US person to access it or to exchange it, and two, you've got to do it on US soil. Seems simple; not really.

I'm giving examples of export control data. If you have schematics to a newly designed weapons system, most probably that's export control data. If you build a part, the CAD drawing of a part that's in or part of a military vehicle, that can be export control data. And finally, my very, very favorite (I'm an old lady): the SR-71 Blackbird. At some point its bill of materials was actually export controlled. So this is an example of data-driven types of regulations. Data-driven.

Who wants to get this one? And nobody from 19 who... very good. OK, come see us afterwards. FedRAMP, that was actually process, right. So FedRAMP is a very different type of regulation. It's a standardized set of compliance requirements, and the interesting part about FedRAMP is it's slightly data-driven, in that an agency has somewhat of some discretion in how we describe the data, but then there's a standard set of compliance regulations you have to meet. And it really manifests itself in this really fun thing called a system security plan, and in that system security plan you write out every manner in which you're going to comply with these things called control families, and in each control family there's controls. It sounds very suffocating, and I'm really doing that on purpose; it is suffocating. And then within those control families you have to describe how you do what, and how you meet those best practices that have been articulated by the standards body.

OK, let me give you an example. How many of you've heard of the concept of access controls? Oh God, please raise your hands, people. So access controls: the concept is the idea of who can access what within your system, and having some limitations associated with that. Kind of an important part of it. So within that you have controls that the government has set as best practices in implementing access controls. So you're required then to write out, for each one of those controls, how you do it, and then this auditor comes in and says, "Did you really do it the way you said?"

At the fabric of this 1 deserves the biggest prize of all. Come on, who's going to try? Right, no worries, this is the really on 1, but it's sound this impact levels. So I gave you an example of a data-driven regulation, I'm giving an example of a more standards-driven regulation, and now we're back to a data-driven regulation that almost unilaterally forces you into a certain standards regulation. So the Department of Defense has very strictly defined the types of data in levels 2 through 6. Don't ask me why it's 2, but it's 2 being publicly available information: good US therefore start, or whatever branch of service it is, you see on, you know, something extra, I don't know, but it put up a web page, an Internet web page; it's publicly available information. Level 6 is the super-secret stuff called classified information, and everything in between is everything in between. OK, so if you have a specific data type that induces a certain level, it forces you into more and more of those family controls, and more and more rigid controls within those family controls. So to give you an example: PII. It's not what you do at the break. PII is, sorry, PII is personally-identifiable
information if your system contains so security numbers it contains names of things that can identify you on that this PII if you've got PAI in your system you gotta disyllable for system which means you are going to comply with a whole lot of stuff OK so now we've we finish the game but it sets up now will your journey and I have I appreciate your patience and doing that this is all called the opportunities the so as we received this company success factors we need to figure out how to deliver this each thing and sounds capability to that range of industry and compliance requirements and it hits on each 1 of those compliance examples I gave you so how you do that how you can have a commercial application delivered in a manner that the customers expect without taking all the fun out of that so here is where we begin the lessons learned on and there's a lot of them so all all people will go through some more later on but we can hit the high the high points on this journey is continuing I hope that will have the opportunity to hear from you in your journeys and think it's super important a share this stuff because for all learning were feeling our way through this whole new compliance security agility conversation so let's start with the 1st thing self-actualization seems like an all and lessons learned for an IT system it wasn't the IT system that had to be self actualized it was asked and it was on a process that really began I'll tell you interest with the CEO we can really had a force ourselves to understand what did we have to do what was our core competency to deliver this to our customers in a manner in which they wanted it in a manner that was agile how would we do that and he really looked at us and said hey guys you gotta stop obsessing about controlling every dimension of the delivery of the solution you got a focus on as very that the outcome it's the outcome you want subscription license revenue you want happy customers most importantly which
drives that that's the outcome and so we made a very critical decision after that talking to and we are determined we would move are traditional delivery model of this ASR application which was usually own bare-metal their own data centers to Amazon . com now I know that too many of you that seems like a no-brainer and maybe in retrospect it was but it was a tough decision for me as a business owner because it's never been done before it was an unproven platform for this very large very effective well very well entrenched suffers a service application I really need invest in their battle so there was some forgiveness I had asked in making this move and frankly business case that had to be done in order to justify that move In I was alone and often when you have to make difficult decisions you are alone yeah but what I learnt which a lot of what I've learned you learn how was it really worked on it's part of the next lesson learned In seat in the damn lots culture are cross-functional teams and what we learned we had to do was extend the definition of a cross-functional team to people outside organization wasn't just about a cross-functional team with an assay kinase 2 it was about partnering with Amazon to make the ship pardon the shaft to make this we have third-party experts we have brought in for both security and technology to help us in this we architecture process yeah and I'll tell you the the most important part of that cross-functional team was our customer base so why did we need to extend our cross-functional team 1st of all there was no way we could have every piece of expertise we needed resident in organization wasn't happening we knew we have to reach out and ask for help in this room platforming exercise 2nd we needed ask for special things again I'm foreshadowing here about that but we knew that that not everything we needed to make this happen already existed within each 1 of our technology partners portfolio and frankly at the end of the day in 
this new world of security in compliance we really had to make sure with our customer we understood what did they want their and there's hundreds and hundreds of pages of guidance on what these security controls mean but at the end of the day it's interpreted by each customer differently so if we ran out we employed a control we felt we did it beautifully the customer like get what was a hollow requirement and it was a hollow delivery so all punctuate this point with but the true story so this was several months ago we were at the on and that we were attending a meeting was the final meeting to approve was called a Provisional Authority operate that needed from the government in the form of our system it in 18 months of hard work to do this in finding a lot of people along the way a lot of naysayers as you know we do something transformational and now we're all really nervous sure felt like we were walking into the Coliseum defy alliance so you walk into the sum and by the way for some and into the room about 40 or 50 people on the it's standing room only it's hot and and we we walk in and ready to fight and I realized at that moment when you have these kind of experiences you realize that we were not alone in that room marching down that to the presentation in front of the presentation area was passed which was good are third-party experts right all these experts we brought in for security and ah auditor believe it or not was with us Amazon problems with us a customer so we are marched in together collectively and we could defend the integrity of our system because we had spent 18 months debating discussing designing n In the absence of realizing that at the end the processing very bureaucratic to me this was a great example of a cross-functional team coming together In the delivery something unique and special that public-private partnership so let's talk a little bit about in the video balancing the benefits the cloud of agility speed and flexibility and then 
throwing in security compliance and the mass and that's what it looks like and there is a tremendous amount of tension between the dove agility in compliance and we do as a organ that as a as a as a community we need to start to mitigate that there will always be tension but the question is how how hard is that tension polling so as we receive the gift now were back before 18 months on with this is before we went to attempt to meet with the with the government agency we received our package a Christmas present which was this h c ancestor applications were pulling the wrapping off of it were getting ready to have some fun and that's when we realized award that tension is is is is more than we thought it would be the we already committed to having Dev Ops as part of this whole architectural organizational structure development operations already co-located all we did was the 1st couple a times we made a mistake we deliver something that we thought would be compliant we went through the process being dead that we opted to and then we end up that security and they're like no this isn't gonna work we did it again and this anymore so we really almost in about a 3 week period did a quick spent and really get ourselves a dead setups environment we collocators our security people in and ask with those other 2 we have 90 % of our staff physically located altogether on and that's how we we ran going forward it was a huge improvement in our ability to turn because they were part of the solution at front on and if you don't realize that in some cases security culture can be 1 of the Monday nite for about it really forced a cultural change across the board was not about asking for permission it wasn't about asking for forgiveness anymore was now being a part of a continuum of a solution 2nd 2nd key step we took on was to make sure the automation is at the core of what we did we weren't just going to do automation as an after thought it was embedded in the core of our 
architecture. So this leads us to Chef. We knew we wanted to use Chef; the gentleman that I brought over from the parent company to run DevOps knew that Chef was a good partner for us to deploy this technology, and had worked with it before.

So the problem now: one more acronym, I promise, just maybe one or two more. There is this thing called FIPS 140-2. Anybody heard of that before? Yeah? Kind of surprising, guys. Great, OK. So for those who don't know what it is, it's called Federal... I say this because it's so nonintuitive: Federal Information Processing Standard. What it really means is that it's the standard used to approve cryptographic modules. We needed Chef to be FIPS 140-2 certified; that was part of what we needed in order to make sure we could bring them into the fold. And so cheer up, I'm sitting here in front, and Christian, right, were Chris's around here somewhere, on the settled up and they got it done. They worked together to design and implement a capability that allowed us to deploy it in our environment. And what does that mean? That's an outcome in and of itself. Why? Because now we, as a public/private entity, have delivered something to the public federal government market that really, really needs this FIPS 140-2 validated environment, or certified environment. So very, very important, very to chefs that of.

So let me kind of touch on how we're using Chef, and I'm closing here relatively shortly, but a few areas. We use it to automate the code pipeline, and establish and maintain the baseline, and scale. Pretty generic benefits, it seems like, right? Others outcomes in it's unintelligible, but 1 that goes from: serendipity is a compliance killer. In our world your baseline is sacrosanct. Configuration management is its own control family, by light is at the heart and soul of most of your compliance. If you don't get your configuration management right, it blows up your compliance upstream and downstream. So building in Chef automation was critical for us to be able to maintain that baseline and not require the maximum mass of human intervention to do that. Very important for us.

And I think it was alluded to earlier by Nathan, the importance of the intersection of what Chef is doing today in compliance. Very interesting: the government customers loved it. So we presented to government customers. We'd rip the architecture apart, we'd tell them every piece of software we were using and what the function is, as they have to know, and when we'd step upon Chef we'd say we're using Chef, and germ would explain, because God forbid I do it, and they loved it. They loved that automation and the reduction of human intervention.

So to kind of tie this together with cyber, by the way, because you heard a video about cyber, was a lot about, you know, on that topic, any problem 1: how does that tie in? It ties in beautifully. First, unauthorized changes are reversed automatically using Chef. Right? Well, is that not a better way to do security, yeah, you awake and alert a master of an incident response teams for a postmortem log review that shows you something that shouldn't have happened happened? This is a great way to address security in a proactive manner. Two, insider threat. Ever heard of insider threats? If you haven't, you've got to get a little fluent with it. In fact, it's becoming more and more of an important area around compliance, addressing insider threat. Again, a super way to mitigate the insider threat, and I'll even say a colored inadvertent or purposeful human intervention in your system baseline is teacher time. And the third benefit, third outcome for us, was our teams spent less time being the guardians of the past, maintaining that baseline, and got to spend more time modifying and really visioning for the future where we needed to take our baseline. That was also very, very important.

So, scale. A software-as-a-service model, sorry, a software-as-a-service model is a volume business, and it's about scale. So we wanted to take advantage of AWS GovCloud's elasticity, because we had now been freed from the shackles of bare metal: ordering the equipment, installing the equipment. We can actually use the elasticity component of it, and so that was a key thing we wanted to do. And second, we wanted them to address various systems, a seasonal system. It's a human capital management system, so think about that: performance reviews, they're done pretty predictably, but often at the same time for most companies or government agencies. Learning has a cycle: if you're going to get your answer to category certification done by a certain period or they turn off your user access, that generally has a cadence to it. And so we saw a lot of peaks and valleys, and we wanted to be able to address those peaks and valleys. And then on the flip side, we could have a customer that would have a mandatory training they have to roll out and have done in 30 days, so we had to be able to also scale with little notice. And so we use Chef to codify our infrastructure on top of AWS, and in this case I will say that a business benefit for us was the ability to deploy in hours and not weeks. And why? Because now I can address scale, both predictable and unpredictable scale, required to address a volume business.

Our goal at the end of the day, for the folks out there will talks on a moment, is to fully automate the system, really close leading taken away but further, and of course to really start to unpack and fully use InSpec, and that's also on our road map as well, because we do believe that's going to be not only a security posture improvement, which I believe is an outcome in and of itself (compliance, without which in our business, an outcome), but also an efficiency and a driver of a true business benefit from that. So I think Nathan will speak some more about this. I cannot tell you how much I appreciate your attentiveness on a topic that often puts everyone to sleep. I really appreciate the opportunity to share our journey, and thank you to the community for your support and for Chef's support.
if you have the problem of graph with them so right here that it didn't and also over here OK how's that but pretty cool so that 1 key phrase the use of the guardians of the past on all
too often in technology we do we feel like we're that we're guardians of the past we have all this text that we have to keep it running a that's really interesting another thing that you touched on earlier is that you brought together this community of people to help drive forward what I think about as if had as to what I think about securing and being driven to defend there is a community of people that I think about and others are veterans and those that are in the military service so are you doing something with them he had a central to our DNA on our company is not just to sort of walk the walk the talk the talk so on our CEO and and 1 of our board members and decided to certify the 1 3 c could be sigh worldwide and that turns on way way 5 0 1 3 C 0 sorry it's a for profit data we'll not a problem of fake for profit for them and so on so that they decided to do was to address come about a scene that existed in the transition for bats from military service to to civilian life many of our veterans are necessarily technology savvy on common ground counters right they're the ones are really on the ground fighting but they may not have they go they may not have had the opportunity to to to learn technology and therefore the often wrecked relegated to low-paying jobs and within the service and they can't find a job because their skill set this and analogize well to civilian life so this we started with a 1st class on and they decided they would make them and the the color the squares and can't they would feed and housing for the period of the actual training and have and be certified as SEP consultants coming out of that and then work diligently and most important part was to get a 100 per cent placement of every class so that so on and after achieved in and it's immediate from thank fewer and and so our health now is to extend that into an ecosystem and and frankly into 1 company in a technology that we believe in witches and working which have been to natural and 
chat and we we're really excited about the opportunity because the thalamus thank you so much have a really wonderful and thank you for all the work that you do it we words a all
in essence the treaty they on their limited events that are is that if you do this for a