Google Cloud: Data Protection and Regulatory Compliance (Cloud Next ‘19 UK)
Good. Afternoon everybody. Welcome. Thank. You for, coming today. We're, delighted to be here to speak about trust, data. Protection and regulatory, compliance this. Is a very, important, topic for Google cloud a very important, topic for our customers, today, I have, the honor, to. Co-present, with Anton. Catch off, Antoni. Set director. Of cloud security at, PwC. So. PwC. Is one. Of our strongest, partners but, also one, of the, largest Google, cloud customers in. Fact, they. Have conducted, possibly. The most comprehensive. Risk. Assessment. In the, history of a, real cloud so. Thank you for coming ok. Thank you and, today, I'm presenting with Natalie, ray who, is head. Of data protection, and compliance, for amia. In Google. Every. Time I think about you, know if I want to have a conversation about. Technology-enabled. Compliance. At scale, I, call. Natalie so, really, excited to be here with you today. Ok. So our presentation. Has. Three sections today. First, Anton, is going, to talk you to how. To enable. A secure. And compliant cloud. Transformation. Then. I'm gonna, be talking about how. Are, we supporting, your, compliance, journey, to, the cloud and, finally. We're gonna give you some, practical. Tips, and takeaways, with, this Anton, the floor is yours thank. You. Right. So. I'm. A director of security architecture, in Peru see financial services. What. It means that every, time our security. Teams dispatch, to work with clients on a variety of, cloud. Security. Related, engagements. I get, to be involved so I see. What's going on in the market and it gives me a great opportunity to understand, what are the challenges that clients, are facing every day and the challenge is very but. When. I had a conversation with, Nathalie and we thought about what. Could be if, we could change one thing in. A way customers. Tackled, prosecuting. Compliance, in the cloud what, would that thing, be and, and, today I want to talk to you about that but and. Before we jump into. Cloud. And and and, change, and I'd like to talk to you about change in general first like, what it means so if, you think about the, the, model like this I think it's a psychology. Model that was developed to, understand, how people go through, through. Grief but. It. Could be applied to any change. If, you, think about stages. Of denial anger bargaining depression, acceptance. This. Is how, I think about any change I'm, moving an office now well, I was told I'm moving an office so obviously. A bit of denial at the beginning. Then. There was a an, element of anger about you know not being. To go to my favorite coffee shop I think. I'm in a stage of bargaining, now where I'm talking to, the, people and saying why don't I spend a few days here and few days there but at the, end of the day. I'll. Pack up my stuff and, I will accept. The change and I'll move to the new office and. If you think about cloud adoption which. Is also a big change for my organization. People. Go through the same phases, and. If you remember and about maybe. 2010. So. I was working for a large system, integrator, and every. Time I would talk to security folks about cloud, adoption they, would be, in a bit of a denial about it I'm. Sure many of you heard from your security counterpart, back in the days cloud, is not gonna happen, for our, workloads. Are, so sensitive, we're processing. Core. Data it's not gonna move to cloud nobody wanted to hear about public, cloud even cloud, in general nobody, kind, of took really, seriously, but, then and. A situation moved, along the chain. We started, to hear about okay. You're doing something I'm gonna escalate, and, then later on there was some compromises. Made and people started to talk about well, how do we adopt the cloud but not really adopt the cloud and you. Know a. Lot. Of people these days a, lot of security professional, are accepting. Cloud and public cloud and even. Even. Becoming champions, of it if I look at the at the market and kind, of stakeholders, that I deal with when, I talk to my clients. See. So and so, first the, so-called first, line of defense. People. Probably running security, operation centers, they're. Already, way, past the, acceptance, phase they. Are accepting. And embracing clouds. Because it gives them the opportunity to do security analytics and, things, like they wouldn't be able to afford in their, you know traditional, data center model however. Heads. Of compliance, kind, of second line risk are still in a bit, of a like a bargaining, phase I've just, recently a couple of months ago I was talking to a. Achieve. Risk officer in a payment, service provider organization. And. When. We started to discuss the approach, to compliance, and you, know how they adopting, cloud I've heard that the.
Cloud Is permitted, within the organizational. Information security, policy however. Only infrastructure. As a service and the, condition is that all of the agents that we have in our spaghetti. Data center, also. Moved to the cloud and, that was quite interesting to hear because it's not really about adopting. Cloud it's just moving data centers, to moving. Boxes to somebody else's data center, so, that, was, an interesting approach and I kind of I think. Last. Year about this time I ran a bit of a survey to understand, and what what is the real. By. Second. Line of defense, privacy. And compliance professionals. Still. Going, through that journey and still, not championing, the cloud adoption, and, I've heard different things I've, heard the increased, operating, model, and, people. Are not reporting, to privacy, focuses. On security. There, is a misalignment, of priorities, people are kind of closing, gaps and. Not spending enough time understanding. The key business data flows and mapping out privacy. Legislations. I've. Heard about lack of communications. A lot it's, like people. Thinking, that development, teams. Are running and doing their own thing, but. I don't think it's the the reason somewhat there are all valid reasons but the, real reason I think is. About. The. Lack of translation. So. Security. Objectives. And requirements PCI. DSS nice. Tie so 20000, anything. You think of need to be translated, in a cloud, native, language, I, recently. Had a conversation, with. So. I was doing a global, assessment it's the security assessment we flew around and spoke to a bunch of people in an organization and. It, was time to meet a head of, development. And, he. Said to me look there's no point of you doing like, a detailed assessment I can tell you right now you're. Probably gonna think that you know we have a bunch of issues. Because. I can. Right now show you reports, from internal audit external, audit a bunch of risk assessments, that all scream, the red we have a problem but.
The. Real challenge is nobody, told me what, needs to happen in a cloud world. People. Talk to me about monitoring. Service, but I run server less infrastructures. So there, are no box to put a syslog engine in. We. Run we. Spin up additional, kubernetes, clusters, during. The Christmas, period to, allow for additional workload, and you know catering. For increased, spans, within, the organization. Within the government so. What. Are you gonna do forensically, investigate, in January, because all, of my machines will be spun down. There is no network taps, another. Great example that he gave me. His. Network, teams a network security kind of thinking about how do we apply, network. Security taps, and 90s, into the cloud you, can't really do that because all the networks are software-defined, and, while, you can achieve their objectives, you need to do it in a very different way so. He. He told me that he's. Just he doesn't understand, what needs to happen in his environment, to really ensure compliance, security, trust and privacy, because. Nobody translated, it into the language he understands, and, I kind of tend to agree with that I, think. There is a definitely. A need for. A security, architecture, capability. To, take the requirements. Of NIST, PCI. DSS and, ISO, and translate. It in the world to of kubernetes. Pods, nodes etc. It. Is a big challenge that I see across many clients. Security. Teams, you. Know still, getting. Trained on the cloud, language, many of them are not coming from development, background so. They. Still, need to learn and. There is a lot of aspects, to consider when, building security, architecture, function. I've. Seen a lot of clients putting them in security. Team reporting, to see so some. Of them are hiring an, egg's developers, and putting them right in the middle of development. Organization. On the development, floor and some, are thinking more about strategic. Cloud enabled, kind. Of organization. And they're putting them into enterprise. Technology. Organizations. There. Is a lot of things to consider when, making the, choice and. Obviously. The contractor, market has. A lot of people at the moment working. In the tribe space they would you know there. Are X developers, who really, understand, security and great at writing a secure code they, would be deployed to an. Agile tribe, and really, start implementing, requirements. Day one so, they are extremely effective, they, are expecting. But. In terms of the scope of influence. These. Guys struggle, because they can only influence the developers. Around them they, can't look at broader, organizational. Transformation, if. You want to make sure that your security architecture. Can think strategically you need to find somebody who could fit into your enterprise technology team, but, the challenge with those guys I found, that, it takes the months and months to. Learn. About the organization build. The required relationships. To really start. Enabling. The transformation. Not, just fixing, the project that they look. At you know this week. Finding. These guys obviously is, extremely. Difficult, so. A. Lot. Of my clients are, asking. Us to come up with a career, path almost like for these architects, let's, say we find one how do we make sure that the, effective, day one they. Learn and become. Very, useful addition. To a CSO, team but, also have the link in the business so, they could help. Organization. Adopt the cloud properly, not just move, software. From traditional. Data center into, the cloud. So. I guess the key outcome, for me, when. I looked at the organization's and we're coming up with the operating model is to make sure we find an architect, and we don't just put them into an organization. Tactically, but we plan a five to ten year career. Plan for them to, make sure that they. Deliver value, at the very beginning, but also grow within the organization. And can become the, enterprise, security architect, that everyone in everyone, needs. So. We. Talked about the challenge of lack of translation.
Of Requirements, and. We. I've. Described, the. Solution, of you, know finding that architecture, capability, and the right person, that can help you and. Translate. All the old requirements. Into the new cloud native language, but, that would only be half, of the coin, let's. Say you find, the right person you, deploy them in the right part of the organization, they design. Security patterns. And really, kind, of help. To explain developers, what needs to be done you. Would. Still need to find a partner that, can help making. Sure the, requirements. For trust privacy. And n compliance, can be met and they. Also can be met in a way that can be easily demonstrated. To your regulators. And. This. Is a segue. Into what, natalie, is going to talk to us about. Thank. You Anton, I really. Enjoyed the stages, of grief. Now. Let's talk about how, we can partner together to, meet your. Regulatory. Compliance, needs how. Many of you know what. Gdpr, stands, for. That's. About. 80%. Ok. Very. Good so. I'd like to start by highlighting, that. Compliance. Is. A shared, responsibility. Building. In word Anton. Just indicated. And. Frameworks. Like GDP. Are helped us understand. This, concept. In. Practice. Let's. See there's. Some. Responsibilities. That, primary, rely, on providers. On us. For example, security. Ask. The custodians, of the data we. Are expected. To, deploy. State-of-the-art. Security to. Protect the confidentiality, the, integrity, and the availability, of the data. We're. Also, expected. To keep customers, in control, when, it comes to subcontracting. The services, this. Is the subprocessors. Obligations. Providers. Are also expected. To offer certain, contractual, commitments. Around things like that I use that. A deletion, the, portability. Incident. Notifications. Assistance. Obligations. And the like. But. There is one fundamental. Responsibility. That, relies on the, customer, and. This. Is the obligation to conduct a risk assessment, to. Determine, whether that processor. That provider offers, appropriate. Technical, and organizational. Measures, so. Today, I'm gonna, equip you. To. Fulfill, that responsibility and. To conduct a risk assessment on Google cloud but. Before, we go there let's, not forget that there's some responsibilities. Regarding the data itself. That. Rely on the customer. Has. The data that you are uploading to the cloud being obtained, in a lawful manner. Do. You have consent, to run their marketing, campaign. If. You need it is. The. Data accurate. Think. About it. So. What. Do we do to support your. Trust, and compliance, journey so, the first thing we do is we, establish, a solid. Foundation of, trust and here. We use the three prong approach the. First prong is protection. We. Recognize. That privacy, is both a fundamental. Human right and a. Critical Enterprise need. But. Privacy. And security are two, sides of the same coin. Data. Cannot, be private, if it's not secure so, security. And privacy come, first in everything we do. The. Second prong is control. We. Live by the premise, that customers. Own their data not. Google, so, we. Equip you with technology. That, puts you on the, driver seat when. It comes to managing, and protecting, your, data. The. Third prong is protection. We. Will world. Class. Compliance. Capabilities to. Facilitate, your compliance, how. By. Making sure that our services. Have by default the. Assurance, the certifications. And the contractual commitments, that your regulators. Are, expecting, you to have and this. Applies in horizontal. Areas, like, privacy, and security and, then in vertical, areas such as financial. Services health care governments. And like. So. Let's, see some, of the examples, of our protection. Approach, first, we. Use technology. For security. At scale. We. Operate, one. Of the largest. Backbone. Networks, in the world in fact we have laid our own cables, under, the Pacific, and now, we're doing the same under, the Atlantic our. Private. Infrastructure, gives the services, high availability, and, resiliency. But, they also, produce. The, attack surface when. The data is not longer transiting. The public internet. Strong. Encryption is inherent, in. The. Way we, run our services. Data. Is encrypted, in.
Transit And. Addressed, by, default and, the. Way this happens is pretty unique. That. Is charged, in two different pieces. Then. I'll. Need, help here. Then. Each chunk gets. Encrypted. With. A different, key. Then. The keys, get encrypted, and then. The different chunks and. The. Encrypted kids get stored in different, servers, in different, data centers in different jurisdictions. This. Is a little bit of a computer, science miracle. Thank. You. Thank. You. So. Technology. Also. Helped, us when it comes to fighting threats. We. Do have presence, across. Virtually. Almost, every. Jurisdiction, and, vertical. In the world, and. We also at Google we have around, eight, consumer. Services, with more than a billion users. So. This global, footprint, give us an unprecedent. Intelligence. And visibility, into threats and attacks and, what's, going on there and also. The ability to react, very quickly to. Protect our customers. We. Also rely on some great talent, this. Is the unicorns. That Anton. Was referring to so, Google employs more than a thousand, privacy. And security professionals, this. Include one. Of the best. Information. Security talent, in the world the people that wrote the books on security. So. They together with our compliance, and assurance, and legal policy team they together look, after the protection, of our. Cloud. Now. Let's. Look at some examples. Of control. Of the control prong this. Is again the technology that, puts you on the, driver's seat when it comes to managing, and protecting your, data. Who. Has access, to your data in the cloud is a big question. So. Things like Claude, or it, locks help you answer the question of who did what we do data within. Your organization. But. How. About Google. Access to your data. You. Have a legitimate, expectation to. Control, that, so. Access. Transparency. This, feature gives you near real-time, visibility. Into. The rare cases where, support. Or engineering, personnel, access, your data. You. Get logs that show things like, with. Resource with access, the. Justification, the. Time and even the office location, of the person that made the access. But. Going further. To. Give you more control into, access to your data. You. Can manage, your own encryption and I want to bring up something that was announced yesterday for. GC bigquery. This is two groundbreaking. Features the, first is external, key manager. This. Means that you can have your own keys. Living. Completely. Outside. Of the Google infrastructure, and a separate box so. Google, doesn't. Have access to the keys. Now. The second, feature is key justification. So. Every, time Google, is requesting. A key, to decrypt your data you, will get notice, and a, reason, for. That. And the. Ability to deny. That. Request, so. The combination. Of these two features give, give, you an unprecedent. Amount. Of, control. And oversight.
That. Was not available. In, the cloud industry, so, far. Data. Residency. Is also. An important, aspect of control, so. Data location is not a regulatory, requirement on their major frameworks, like EDP, are and you know that however. We continue, to invest in adding. Cloud regions and zones and features, like these with. Regions. The. Idea is that you have choice, and control. Regarding, the location of your data and you have the ability to store data, in, Europe. Now. Let's. See some examples of, our compliance. Approach, our. Privacy. And security practices. That aim to some of the most, stringent. Frameworks. In the world. An. Example. Of this is gdpr as, you. Know this, is. The. Most significant. Piece of privacy. Legislation introduced. In the last 20 years. Google. Cloud, adopted. Gdpr as the. Privacy. Bar globally, not. Only in Europe. International. Standards. Are also, a pillar, of our. Compliance, approach, how. Will. We, have. A dotted 27001. As, you. Know this, is the golden, standard. For, information. Security. Actually. This is the most successful standard. In the history of ISO that. Is the baseline. We. Have also adopted. 2717, which. Is the cloud, security specific. Standard, and it, captures. Things like our. Nuance. Or particularly, the cloud like data, that, was logical, separation of, data or virtualization. So. You get that component, as well, the, flavor of the cloud on security. We. Have also adopted. 2707, t-80. This. Was the first. Privacy. Standard, for cloud computing and. Actually. If you read it it looks like pretty similar, to you did here and it was approved, before did, it here actually the French Data Protection Authority, was. Heavily, involved in the drafting of this standard, it was the first time that the world the, whole world not only Europe agreed on a common. Global standard for privacy. In the cloud. Last. But not least I'm happy to announce that we will be soon certifying. Against, twenty seven seven, zero one this. Is the first standard. For, privacy management. Not, only controls, but, how you manage, privacy, within, an organization. Regional. Standards. Are also an, important. Portion, of how we support, our, customers compliance. Journey some. Recent, European, examples, include the Germany. The CFI certification. For cloud security. The. Filmer attestation, for, the financial, services community. In Switzerland, the, HDS, certification. In France to. Host, health. Vada governed. By French law and the UK security, principle the list goes on. That. Was the foundation of. Trust. But. What, else are we doing to support your compliance, so, we deliver, full transparency so. That you can conduct a meaningful, risk assessment. On our practices. And the. Idea is number, one that you can. Understand. Where we are with. Respect to, your unique requirements and, I say unique because they will depend on the, country to operate depends. On the type of customers, you have on your vertical or, your internal, policies, but you need to understand, where we are and the. Second is you can determine whether the. Protections, that we offer are. Adequate. Or not. And. At. The end of the day is a, matter of where, you are in security. If. You're here, and your, provider is, here. Then. That move. To the cloud is probably a reasonable, decision. If. You, are here, and your provider is here, then. That's certainly not the right decision, from. The risk and compliance perspective. But. If you're here in security, and your provider is here then, that's probably the right choice, when. It comes to risk. Management. So. First. We offer transparency. Into our contractual. Commitments. In. Fact you can search this online is in our website, these. Are, our data. Privacy. Commitments. To our cloud customers, these. Have been created, with feedback from customers, and, regulators, over, the years the. Intention. Is to make your life easy and to incorporate, things like you're likely looking for and your regulator, is likely, looking for there. Are available globally not only in Europe and then, gate also, regularly. Updated. The. Last, major update, was. GDP, are as, you know GDP air contains, very, specific, provisions.
Then. You put, in the contract and. Also. The most recent for brexit. We're accounting. For the possibility. Of the UK, leaving the EU and saying, things like hey when we say ye dpr we also mean the UK version, of the gdp ah so, you can continue to rely on the commitments, and things. Like the International, Data transfer, mechanism, we, offer, so. These include commitments. Like processing. Restrictions, we. Can only use data, in. Order to provide the services, to protect it period. Not. Forever time C not for anything else. We. Also commit you for, example delete data within, a set, period of time from, both. Life. Systems, and backups there's. Organizations that, don't ever set, retention, periods in their own on-premise. Systems. So. Processors. Google. Conducts, the vast, majority. Of the. Processing, but what. If we use vendors. We. Do use some vendors, and an. Example is technical. Support in many languages, so we, offer a commitment, to notify, you of who. They are what. They do where. They are located, even before we. Board. Them. That. I used in notification. What. If Google suffers, a breach we. Hope, that's, not the case but what if this happens, that's the reason when you're moving to the cloud to have more security but. We offer that contractile commitment, because one you have a right to know and the. Second, you may have an obligation to, notify your customers, or your regulators. And by. The way this is a new obligation, under EDP, our data, breach notifications. But we've been offering these commitments for, many, years. Last. But not least data protection team I'm proud to have members of the data partition, here team, here today so you have a dedicated, channel an assistant. Channel in which you can direct your privacy security and compliance questions, any time and we'll jump on help. We. Also offered, transparency. Into our, operations. We, have a stream of white papers, with details, on, our security. Design. Choices a few, recent examples, include our, overall, infrastructure. Encryption. At rest encryption. In, transit, data, deletion in. Our cloud that, I incident, response process, when. You have this type of detailed. Information you. Can, make the, decisions, and the determinations. Yourself, on whether what we're doing on security, and, security is adequate, or not. We. Also offer transparency. Into our infrastructure. In. That this means that we give you visibility, into the locations, of the, data centers, I, mentioned.
That It will also give our customer, choice and control. But. We also give you visibility, into, the, reasons, of all the considerations. We have when choosing to invest in a particular place, there's. Some very obvious. Considerations. Like bandwidth. Cost. Or. Trade, restrictions. You will never see us building a data center in places, like Cuba, or Sudan. But. There is also some very interesting, policy. Consideration. Here for example the human rights record, of. A country the. Political, stability the. Rule of law. So. We give you transparency. Into these reasons. As well. We. Also give you transparency. Into how we, respond, to government. Requests and here's. Our approach. We. Are after view, that, government. Should approach, enterprises. Directly. Now. Google. But. If despite. This we received, a request we, will review each and everyone against, very high privacy. And due process standards. This. Means applicable, law human, rights our, own internal policies appropriate. Scope. We. Have never provider, and never will provide any backdoor, to any government, we force them using, encryption, technologies, to knock, on the door when, it comes to requesting, data. Third. Is, customer, notification, you, have a right to know when. Government, seeks your data so, we have battled in court, for. This right to notify our customers, when government's approached us and there's two recent cases that have been published in a in a, blog post, where. You can see more details. Last. But not least we promote transparency, we. Publicize. Transparency. Reports with the number, and the. Type of requests we get from governments, around the world and I'm happy to share that early, next year we will start breaking. Down the. Number of requests that we specifically. Receive. For both DCP, and these, we cloud customers. What. Else are we doing to support your. Compliance. When. You work on compliance. You. Know that, sometimes. The most important. Thing is not to, comply. But. To be able to demonstrate that. You. Can play. And. I can recall an example, of a of a customer. In a heavily regulated industry and, financial services, they. Did a a. Decent. Job in terms of. Assessing. Us we have a bunch of conversations on, data protection on, privacy, and security on, pre-owned on technical, capabilities. On. Everything. But. When. Their, financial. Services, regulator, knock, on the door. They. Were. Not able to demonstrate, their, the, job they did they. Didn't have a document. And risk assessment, they, were not able to demonstrate which, were the elements that. They considered, in terms of risk we're, moving to the cloud so. Dad, put, us in a less. Than ideal let's put it this way position, with the regulator, and they. Have to start from scratch so, if. You can, take. One one one practical. Tip is when. You're doing this when you're working, on this make sure that you're able to demonstrate that you've done your work on security, and compliance super. Important they're, just doing it but. Being, able to prove. And that's why we regularly, conduct, independent. Third party audits for, accountability. This. Is the way we demonstrate our compliance, this is the way we demonstrate that what we say is true, in. Our contracts, and our papers. And this, is this is the way in. Which you will be able to demonstrate before. Your auditors, and before, your regulators, and you stakeholders. That. You're supporting, your. Compliance, with. Evidence. So. This, means is that an independent third-party auditor. Comes and reviews our controls, our infrastructure. Our software, everything surrounding the services, and. They. Provide attestation. Certifications. Or declaration. Of compliance, so. To, give you a sense of our. Investment. And commitment in this area, in the, last year, over 2 million of, control. Instances. Were audited, a Google. Think. About that scale, we're. Thinking about all global. Infrastructure, operations. The software, supporting services, and by the way when.
You Think about the port audits, and certification. The. Scope is is very important. So. In this case this is all of our services, all the infrastructure. All. The operations, the personnel. You. Need to look when you're looking at in. General whether these scope of the certification. Is that, or, is, just a call center or, an. Office so you. Need to look at the scope. When. The, auditor, comes in it, takes a long time given, the size they. Will look at things like on, in, the ISO, 27001. World. Access. Controls. They. Will look at HR, security. Communication. Security business. Continuity, physical. Security. They. Will check on those things and gather evidence on those things. Moving. To the other standard, which is the. More privacy-related. They will look at. Processor. Scope of processing, whether you're using data for commercial, use or for your own purposes, they. Will look at things like the disclosure, of subcontractors. They will check. All. Of that. But. Now in the ISO world. After. You are examined. Against. This, stringent. Rules which. You can buy an ISO. And read them yourselves. All, you get is a batch. You. Just get a logo. That's. Why we. Produced the soft to report, which. Is the most relevant, to you and the, software report, is a two hundred pages. Report. With. Details into our, operations. Our physical. Security our logical, security our personal. Security. It's. A highly confidential document. But. It's the attestation of everything, that has happened so, on the one hand you can see this. Is the standards, that Google complies with and, you can check the standards but also you, have visibility. Into all those operations. So you can evaluate yourselves. We're. Also promoting. More. Industry. Accountability. In the cloud, ecosystem. Things. Like UDP, are and frameworks like UDP, are required, going, the extra-mile, so. We're. Happy to share that we are partnered with industry peers. Like IBM. Cisco, Microsoft. Workday. And. Oracle. In, creating. The. First cloud. Code. Of conduct. This. Cloud, code of conduct, is now, sitting with a Data Protection Authority. For. Approval. We. Are doing the same exercise, with the Cloud Security Alliance. And. GDP. Are for the first time. Recognizes. Codes. Of conduct, as means to demonstrate, compliance so, this effort is super important, to promote more. Accountability. Within the ecosystem we're. Partnering, heavily. With industry, peers they're. Also. We've, been supporting. Regulated. Companies, of scale. Recently. We. Have facilitated. A collective. Audit, from financial. Services institutions. That. Gave them the assurance. They needed to. Move them most, heavily, regulated, workloads. To our cloud. Ultimately. We, want to, equip you to be able to answer, these, questions. With confidence. To your regulator. What. Are the security capabilities. How. Are you using my data how. Can I control my data what. Is my data store and more. But. The. Most important. Consideration. Is that we are fully committed, to. Continue. To engage with customers and, regulators, around, the world to make sure that, our cloud, is, shaped in a manner that, meets their. Expectation. So. This. Is what we're doing to support your compliance journey and you were just getting started so, with this we'll. Give you some takeaways. Thank. You very much. Fascinating. Stuff, you. Know having, your data encrypted, and then managing, the key and all, the access to the key yourself. Yeah. So. Today we talked about. The. Need to create, an architecture, capability. Enabling. The architect, by putting them into. The right place within the organization. And thinking, about a career path that would make sure this, knowledge stays, within your organization. And help, you on a, transformation. And move into the cloud. Well. I've, highlighted that, you, know having your requirements, very well defined and, documented, and, creating, a patterns is just half of the task you, need to find a provider that can support. Your compliance trust, security, and privacy, requirements and, I think Natalie. Made a very strong case for for. Google as. A partner, that can really support, you, in very transparent. Way so not, only you can make sure that your requirements, are addressed but, you can prove to your stakeholders, board and regulators, that, you can achieve everything you want to achieve.
Yeah. It's, you. Talked about very well about the structure. Of kind, of risk management if, you if, your third party is way, ahead of you in terms of addressing. Regulatory, and compliance requirements, that, by moving to the cloud you, inherently, making, your organization. More, secure. And. I really like the point about, being. Able to demonstrate, compliance using. All the tools and materials Google's. Give, you I've seen a lot. Of you taking, photos of the slides and I'm sure it's all going to be available, so. Yeah, I think that that's the takeaways would you like to add anything else thank. You very much for being here and just, when a housekeeping. We. Loved your feedback so OPS's, make sure that you submit, your. Impressions. Of the session by yes the app thank, you very much thank, you. You.