The Guest Lecture Committee (ITBM) organized the 2nd edition of Corporate Charcha on the 19th of February 2022. This year’s panel discussion theme was: Cloud Security and Its Significance in the Present Changing Times.
Dr. Kanchan Patil, the Deputy Director of SCIT, inaugurated the event by welcoming all the esteemed speakers and briefing everyone about Cloud Security, the latest trend. She also emphasized that Cloud Security should be held paramount in today’s industry. After this, the much-awaited panel discussion began.
The panel consisted of eminent industry professionals working across various roles in the Security domain. Mr. Pons Mudivai Arun is currently associated with Citrix as a director of products (Cyber Security) and is a cyber defence evangelist with more than 20 years of experience in cyber security. Mr. Jitendra Guha Neogi is a Senior Manager in Cloud Technology with Accenture in India and has around two decades of work experience in the Information Technology Industry. Ms. Mani Keerthi N is currently associated with Ballard Power Systems as a security lead and is a cyber security expert with a passion for implementing security frameworks and bringing balance between security and operations. Ms. Bishakha Jain, an alumnus of the SCIT 2019 batch, currently serves as a Senior Cyber Security Consultant at IBM; she is also the Director and Indian brand ambassador for Cyber Security Global Alliance.
The panel discussion began with a question regarding the driving forces behind cloud adoption and cloud migration and where we can see the gap.
Mr. Jitendra started by explaining how security is seen nowadays as both a vertical and a horizontal solution. He took a small example of cloud forest adoption to explain this further. He explained how we could reduce our IT cost by reducing the on-premise data centers over a significant period. This would be one of the drivers that could lead organizations towards cloud adoption. Later on, he talked about organizational transformations, technology, ERP systems, and how drivers can’t be the whole adoption story. There are three more steps for cloud migration, the first two being the reduction in IT cost and the increase in business agility. He explained how these two factors could be measurable outcomes with a specific role within a particular time frame. In the third step, after laying out the initial two and prioritizing between them, we balance the portfolio. After going through these steps, we should create a return on investment (ROI) plan, and only if the ROI is strong enough for the cloud adoption journey does the organization embark on cloud adoption. He also mentioned how wrong assumptions while making the business case could lead to a skill gap. He also talked about change management and concluded that people, processes, and technology form change management. If the people are unwilling to take the cloud adoption journey, that would be a considerable blocker or gap in cloud migration.
Mr. Pons talked about how security could be considered a roadblock to cloud adoption. He explained the critical issues in risk management and, as an employee, how we can help our leader understand the risk a business can manage and what could be done to alleviate these apprehensions. He mentioned that the principal reason for cyber breaches is ignorance of the basics.
Additionally, Ms. Mani discussed the importance of awareness concerning cloud services. She explained how the whole process collapses even after having a lot of technologies in place. She pointed out that the user base isn’t aware of the cloud by giving a general idea that the cloud service providers are just the 5% and the cloud user base is the 95%. Suppose 95% aren’t aware of the general cloud security terminologies, such as identity access management. In that case, the whole process disintegrates because they might not know the purpose of the shared security model, the configuration, and what changes they can incorporate as a customer. Thus, the user base must have awareness.
Continuing this question, Mr. Pons highlighted three more critical points about assurance, visibility, and insider threat:
- He emphasized the importance of continued assurance over the access provided to the user on the configuration side, such as the activities performed by the user and the kind of access the cloud platforms grant to a user.
- Have visibility into all your assets, be they APIs or gadgets, because you can get into trouble even if someone can exploit a single unidentified one.
- We need to have a mechanism to ensure we have an assurance in place for insider threats.
Mr. Pons then introduced the audience to the vulnerabilities of shadow APIs and how they can be exploited to get into your infrastructure. Such exploits cannot be detected once the user is inside it. Mr. Jitendra added that these exploits due to shadow APIs happen without the formal knowledge of IT. For example, suppose employees want to share a document with someone outside the organization through SharePoint, but SharePoint does not allow it; an employee then buys a Dropbox account and shares the document without the knowledge of IT. This makes the system vulnerable, because that Dropbox account is not monitored by the IT department and can thus be easily exploited. He gave one more example: in the organization, whenever you are making a presentation, you can’t take just any logo you see on the internet and use it in your production. You have to go through Marcom, i.e., the marketing and communication department, as they hold the licenses and protocols, because a shadow API is a security vulnerability.
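As an added illustration (not from the panel or any of the speakers), the following Python sketch shows one way an IT or security team can regain visibility into the shadow-IT pattern described above: it scans web-proxy log lines for file-sharing services other than the sanctioned one and totals the bytes uploaded per user, which is the kind of signal that would have surfaced the unmonitored Dropbox account in the example. The log format, the domain lists and the policy (SharePoint sanctioned, everything else in the category unsanctioned) are assumptions constructed for the example.

```python
"""Added example: detect unsanctioned file-sharing services in proxy logs.
Not code from the panel report; log format and domain lists are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample proxy log: timestamp, user, method, destination host, bytes sent.
SAMPLE_PROXY_LOG = """\
2022-02-19T10:01:12Z alice PUT  contoso.sharepoint.com 2048000
2022-02-19T10:03:45Z bob   POST content.dropboxapi.com 5120000
2022-02-19T10:04:02Z bob   GET  www.dropbox.com 3100
2022-02-19T10:05:30Z carol POST api.wetransfer.com 9800000
2022-02-19T10:06:11Z alice GET  login.microsoftonline.com 1200
"""

# Assumed policy: SharePoint is the sanctioned file-sharing service; any other
# service in the file-sharing category is shadow IT. A real deployment would
# pull the category list from a URL-categorisation feed instead of hard-coding it.
SANCTIONED_FILE_SHARING = {"sharepoint.com"}
FILE_SHARING_DOMAINS = {"sharepoint.com", "dropbox.com", "dropboxapi.com", "wetransfer.com"}
UPLOAD_METHODS = {"PUT", "POST"}  # methods that carry data out of the organisation

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d+)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    method: str
    host: str
    bytes_out: int


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (naive; use a public-suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> Optional[Finding]:
    """Parse one proxy log line; return None for malformed lines instead of raising."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, host, size = m.groups()
    return Finding(ts, user, method, host, int(size))


def is_shadow_file_sharing(host: str) -> bool:
    """True when the host belongs to a file-sharing service that is not sanctioned."""
    dom = registrable_domain(host)
    return dom in FILE_SHARING_DOMAINS and dom not in SANCTIONED_FILE_SHARING


def find_shadow_file_sharing(log_text: str) -> list[Finding]:
    """Return every access to an unsanctioned file-sharing service in the log."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the whole scan
        if is_shadow_file_sharing(rec.host):
            findings.append(rec)
    return findings


def bytes_uploaded_per_user(findings: list[Finding]) -> dict[str, int]:
    """Sum bytes sent via upload methods to unsanctioned services, per user."""
    totals: dict[str, int] = defaultdict(int)
    for f in findings:
        if f.method in UPLOAD_METHODS:
            totals[f.user] += f.bytes_out
    return dict(totals)


if __name__ == "__main__":
    hits = find_shadow_file_sharing(SAMPLE_PROXY_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.user:<6} {h.method:<4} {h.host} ({h.bytes_out} bytes)")
    print("uploaded to unsanctioned services:", bytes_uploaded_per_user(hits))
```

On the constructed log this flags three accesses (two by bob to Dropbox, one by carol to WeTransfer) and reports 5,120,000 bytes uploaded by bob and 9,800,000 by carol, while alice's SharePoint upload is ignored as sanctioned. The point is visibility, not blocking: once IT can see the unsanctioned account, it can be brought under monitoring or replaced with the sanctioned service.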
Adding to this, Ms. Bishakha reiterated Prof. Angelina Gokhale’s words: “when you stop thinking, the attacker starts thinking, and continuous learning is the only key for an effective security management, so don’t stop thinking.”
Mr. Jitendra then talked about Gartner’s 7R solution for answering the question: if there was an application portfolio and we need to select a few of them, then with regards to security, what parameters should one evaluate before migrating to the cloud?
He started by saying that first, we make a strategy document to select all the available applications. Then we cluster them based on industry and utility to know precisely which functional area they are catering to. After which, we go step by step to think about which application should be migrated to the cloud and which should not.
The 7R solution goes like this:
- The first R is for Rehost: lift and shift, wherein some applications can be lifted and moved to the cloud as they are.
- The second R is for Revise: applications with some mismatch in DBMS or operating system can’t be readily transferred to the cloud, so a two-step process is needed where you first make them cloud-native and then move them to the cloud.
- The third R is for Rebuild: you build something entirely from scratch.
- The fourth R is for Re-architect: you change the business process.
- The fifth R is for Replace: when you no longer need an application, you replace it.
- The sixth R is for Retain: you retain a robust application whether you like it or not, due to some necessary feature it provides.
- The seventh R is for Retire: because of modernization, you may already have built another solution that can replace this one, so you retire it.
Ms. Mani then talked about evaluating the security levels of cloud service providers. She stated that according to industry standards, we would come across two main attributes: ISO 27001 and SOC reports. She also talked about how our assessment process may change with the changing requirements of the industry and that cloud controls have to be tailored to meet the needs of these industries. She also mentioned that we might use legacy control frameworks, but we must first adapt them to the cloud control requirements.
To add to this, Ms. Bishakha quoted, “You can stop only whatever you can spot,” so when assessing risk, you have to consider all sides, because something that looks less risky from your perspective may look like an opportunity to the hacker. Mr. Pons also suggested always looking at the economic value of an attack: the attack is economically worthwhile to the attacker when its cost is less than the value of the target. Mr. Jitendra talked about using total cost of ownership calculators or pricing calculators to understand your investment and the total cost of ownership in moving an on-premise application to the cloud. He also mentioned that he advises his clients to “think of security as trust and resilience,” these two being the essential features.
In conclusion, Ms. Mani told us about the role of SOC principles and how they help in defining security standards, and Mr. Jitendra talked about the need to build trust and resilience. Mr. Pons talked about the prime reason for cyber breaches: ignorance of the basics. Ms. Bishakha spoke about the importance of building confidence to achieve better security and said that security is not a choice; it’s a compulsion.
The discussion ended with an exhilarating Q&A session.
Finally, Prof. Shaji Joseph, the faculty mentor of the Guest Lecture Committee (ITBM), concluded the event and delivered the vote of thanks.