A lot of organisations are still very skeptical about shifting their core applications to the cloud.
This is largely due to the challenges they face when protecting data.
The question then is: how can organisations overcome these challenges? W.Media's virtual event 'South Asia Cloud Security Market Insights' had a panel discussion titled 'Securing your cloud environment: Outlook for the future'. The panel was moderated by Nanda Mohan Shenoy, Director, Bestfit Solutions Pvt Ltd, and Past President, ISACA Mumbai Chapter. The panellists included Ambarish Singh, CISO, Godrej & Boyce; Thilini Wijewardhana, Head of Security Operations & Technology, Cryptogen; Sapan Talwar, SVP & CISO, Tower Research Capital; Satyanandan Atyam, CRO, Tata AIG General Insurance Co. Ltd; and Vikram Mehta, Ex-CISO, MakeMyTrip/Goibibo.
The basics of data protection remain the same, be it on-premises or in the cloud. If data has gone to the cloud, it is important to do a holistic risk assessment of what kind of data has gone there. Secondly, integration with the cloud service provider, and possibly with third parties, is done via APIs.
"If a third-party integration is done, it is important to see what kind of security measures are in place for that third-party integration, and if it is an API, what kind of security measures are in place for APIs," said Ambarish Singh, CISO, Godrej & Boyce.
"By doing a risk assessment and threat modelling, one comes to know the possible ways in which the data can be leaked. The second important aspect is what kind of security monitoring system is in place, the kind of logging and its monitoring, and most importantly who has access to this data. For example, an e-commerce company has a lot of customer data. What kind of encryption do they use, or if they store credit card data, what kind of masking do they have? There are various regulatory requirements related to the same," added Singh.
A comprehensive data protection strategy is needed at the design stage. Secondly, it is important to have proof that data security is being implemented, and thirdly, data breach control and response planning has to be in place.
"Organisations are realising that it is not the cloud service provider who is completely responsible, but that a lot of obligation comes to the customer itself when putting its data on the cloud. From a design standpoint, if the organisation is ensuring that there is a data breach control and response planning practice or mechanism in place, there will be a mechanism in place to prove that data security has been implemented," said Satyanandan Atyam, CRO, Tata AIG General Insurance Co. Ltd.
He further added that comprehensive data protection means asking whether the organisation has AAA (Authorisation, Authentication and Accounting), and whether it has encryption, data masking, tokenisation, backup and recovery. Together these controls form the data protection principles, and all of them have to be implemented.
The proof-of-data-security principle asks whether the organisation can evidence it, i.e. demonstrate the encryption, authorisation and authentication. Third is the ability to control and respond to a data breach: if there is a data breach, how good are the response mechanisms?
These principles are similar to on-premises data security requirements. The principles and concepts do not change from on-premises to cloud.
"Amongst the many challenges in cloud, the first one is the lack of expertise and skilled people who are responsible for cloud security management. The other aspect is the lack of cloud users, as it is still a new technology, and how will it be possible for them to keep the security measures intact?
Looking at the breaches that happened in the past indicates that they happened due to misconfiguration, design flaws and lack of protection, authentication and access control. Such situations have led to data breaches, which indicates a skill gap, which is one of the challenges in cloud security. Providing relevant training to the employees is one way of overcoming this gap.
The second way of dealing with this is opting for a managed security service provider, who will help to manage the security aspect of the cloud," added Thilini Wijewardhana, Head of Security Operations & Technology, Cryptogen.
"Encryption is the key to your data, no matter where it is stored. Encryption has to be put in place to ensure that the basic element of data protection is taken care of. As we have evolved, I think application-level encryption gives the best benefits over time, and it also secures specific subsets of data, including the database.
The encryption and decryption happen in the application layer, which means that the data can be encrypted before it is transferred and stored. That is a huge benefit and offers the highest level of security against a bad actor, be it internal or external, that is trying to get the credentials and get into the organisation's database," said Sapan Talwar, SVP & CISO, Tower Research Capital.
"There are various solutions for solving various security challenges, for example threat detection or misconfiguration detection. It is not easy to manage unless you have a highly skilled InfoSec and DevOps team that understands cloud-native implementations.
There is a huge talent gap across the industry, and this problem is here to stay for a while. This is why there are integrated solutions that solve multiple of these challenges. Whether it has to do with security configuration or threats, until and unless these point security solutions are simplified and also integrated, it is here to stay," pointed out Mehta.
He further added that, in terms of ROI, security is said to be a little difficult to justify, but there are security services offered by the CSP at a cost.
It is a matter of picking and choosing, depending on the risk factors and the depth of security skills available in the security and DevOps teams, whether to go with a cloud-native security service or a native one.