Raj Srinivas, Chief Technology Officer (CTO), SecureKloud Technologies, explains how CXOs can improve their cloud security posture.
With businesses increasingly moving to the cloud for the benefits of cost, resources and productivity, security remains a key element that is often overlooked. While businesses were already scrambling to keep up with the ever-evolving cybersecurity landscape, the COVID-19 pandemic and the resultant shift to remote working have created innumerable challenges for organizations.
According to a newly released Thales report, over 40% of organizations globally have experienced a cloud-based data breach in the past 12 months. The study shows the pandemic further fuelled the adoption of cloud environments, including multicloud and hybrid deployments, resulting in a dramatic increase in cyberattacks in the cloud. Yet, some 83% of organizations still fail to encrypt half of the sensitive data they store in the cloud.
In a recent interaction with CXOToday, Raj Srinivas, Chief Technology Officer (CTO), SecureKloud Technologies Ltd, a cloud security company that caters to a range of industries and verticals, discusses the trends, challenges and innovations in the area of cloud security and the way forward.
With over two decades of experience in the technology industry, Raj has architected and led the implementation of many innovative solutions/services for customers in Healthcare, IT and BFSI verticals. With a keen eye on the current tech, cloud and security trends, he has helped customers to solve cloud security and compliance problems on time, securely and within budget. In this interview, he also advises how CXOs can look to improve their cloud security posture over the next year. Excerpts.
What lessons can be learned from the biggest cloud-related breaches in the last year or so?
In the last year, a couple of important patterns in the cloud breaches came to our notice, primarily related to ransomware and database. These breaches impacted many users with loss of valuable data from within the enterprise to external forces. Inadequacies in internal security mechanisms like access control, identity management and internal security postures undertaken by enterprises have been contributory factors to these breaches.
The second learning is when the ransomware or a similar attack happens, it simply implies that something within the perimeter has been breached. The size of the organization does not matter as even large organizations with better security controls were impacted while some smaller organizations did better to ensure data protection and integrity.
The biggest learning was that in the process of cloud migration it is critical to make sure that the right security policies are in place. Lack of clear definition of cloud security policies can prove to be a costly miss.
Are Indian businesses doing enough to secure their confidential data in the multi-cloud era? What trends do you observe?
Indian businesses are bolstering their cloud infrastructure, and we see a lot of US and European companies doing the same. We have achieved 60-70% immunity against breaches, but still, a lot needs to be done, especially in an environment where we are moving to multi-cloud or hybrid cloud. And this is where it gets a bit interesting, as businesses need to look at security practices of not just one cloud but multiple cloud providers. A requirement of a robust security mechanism in the interoperable point between the on-premises servers and public cloud servers in a hybrid scenario is critical.
In a multi-cloud scenario, the multiple assets in multiple clouds interacting with on-premises servers or private data centers complicate cloud security, even with zero-trust environments. This situation is critical because you cannot even trust your internal employees or users.
Some policies can get dropped or changed frequently. You must have every asset in every cloud monitored independently in a zero-trust environment. In terms of adequacy, we as a cloud-community are there. But in terms of addressing complications, we still are behind. Cloud security must be amplified by a couple of notches. A lot of work needs to be done in this aspect, both in India and globally.
What, according to you, are the most common challenges organizations face when it comes to cloud migration?
Currently, many businesses haphazardly undertake cloud migration. While chasing deadlines, companies tend to overlook important aspects. Before migration, one should have partaken in devising an effective plan, strategy, and design, as migration is a moving target. While implementing the cloud migration, there will be an inclusion of multiple different infrastructures.
In the final stages, departments that were not to be moved will be migrated, and departments that were not critical from a security standpoint become crucial. Some of the critical industry assets will get moved in some stages. Keeping an eye on the different risk factors of every asset that needs migration will be a major challenge, and this increases when high-risk assets are involved.
Prerequisites of the migration need to be addressed and best security practices for the move need to be outlined and followed. Cloud formation templates and programs can be utilized during the cloud/data migration; however, each migration process will be unique and idiosyncratic.
The critical requirements, the needs, the right security posture treatment will vary from one company to another. Hence, succeeding in applying the best practices of security during migration remains complex.
From the identity controls to the grouping of employees, from VPC (Virtual Private Cloud) cloud resources to private keys, from repositories to internal policies, from interoperable point securities to Privacy Impact Assessment (PIA), each aspect of migration poses a challenge that will be unique with each company.
How can CIO/CISOs ensure a smooth and secure cloud migration?
Without the support and guidance of CIOs and CISOs, cloud migration cannot happen securely. All CIOs and CISOs are serious about the security postures, and they go the extra mile to ensure that everything runs smoothly. Many have an elaborate plan towards streamlining their organization’s data/infra/app migration to the cloud. They keep track of the requirements and constantly address the risks of pre, during and post-migration.
The CIOs and CISOs need to be flawless in executing the cloud migration plan from a technical, business, security, compliance, testing and vulnerability assessment standpoint. Some have clearly defined their policies and goals for all these phases. Once these processes are in place, they will need to allocate the right personnel to address each of them.
How is SecureKloud helping enterprises in their secure cloud migration journey?
Cloud migration has become complex in the last couple of years, owing to multi-cloud and hybrid cloud policies. One of the definite things in such cases is an assessment of the internal infrastructure. SecureKloud is positioned in the cloud business to evaluate requirements, support implementations, and assess infrastructure to make migration to the cloud a smooth and secure journey.
Every enterprise will have its objective to implement the migration, be it a management mandate to be cost efficient, a sales improvement exercise or for addressing security concerns. SecureKloud makes sure to satisfy the objectives during and after the move. Our focus is on moving the critical assets/data/apps in the shortest possible time in a more secure manner.
In the post-move phase, we help in audit control implementation and infrastructure scanning to ascertain a successful move from a compliance (HIPAA etc.) standpoint. Additionally, we help rebuild pipelines in the new infrastructure to set up an extended CICD (Continuous Integration and Continuous Delivery) process so that new applications in post-move can benefit from the extended pipelines.
We are leading in the managed services space. This helps us ensure application security, device security and policy management, governance processes involving data governance, identity governance, thus enabling proper functioning of the entire cloud infrastructure. With this expertise, we help our customers in their cloud migration journey.
What is your advice for organizations looking to improve their cloud security in 2022?
At the present time, the zero-trust model that is gaining prominence is the biggest differentiator. Earlier, organizations trusted their employees and gave them access to resources based on groups and roles they belong to. However, the environment has undergone a change with businesses having a lack of trust internally.
Even the people at the senior level should be authenticated as though they are new users into the environment every time resource access permission is granted. This is going to be a significant change and a need for the future. A key factor of the zero-trust model is the access point, wherein, a user is tracked to the last point in the database.
With work-from-home and increased penetration of mobile devices, the key concern area companies should focus on is the policies towards mobile or device management. It has been estimated that trillions of devices would access applications, databases, and application servers over the next few years. In this scenario, it is important to ensure that device security is implemented correctly.
Another area of concern is key management, as keys are going to become important in the future. Password policies will change and multi factors will be implemented for every access. Additionally, there is also a lot of action happening in cross-enterprise security; many enterprises are communicating in a collaborative manner with each other in the blockchain world and around edge security.
Going forward, businesses should amplify security needs while allowing other users to access their network as per predefined policies or agreements. They should ensure vigilance and enhanced care towards applications that are deployed closer to their customers and make a note to increase security in the cloud location which is far away from the actual geographical location.
What do you think is the future of cloud security?
The future of cloud security is promising and bright. However, I am a proponent of something called ethical hacking. I believe you are as safe as your weakest link. Now, how do you ensure that your infrastructure is secure during the migration or in the post-migration phase? The only way to check it out is through ethical hacking done on your infrastructure by your people. It gives you an idea of where you stand in terms of infrastructure security. I would say that ethical hacking should be encouraged more so that we can identify our faults. Once in every quarter, the hacking should be conducted. It will prevent threats like ransomware, phishing, and cross-site scripting attacks.