'Security is a Demanding Journey'
Security Leader Manish Dave Shares Insight on Public Cloud, Skills Gap
The success of new technologies depends largely upon awareness, budgets and skill sets available. While technologies such as Cloud Access Security Broker, or CASB, promise to address security challenges, market maturity may have its own say in how well adoption goes.
"Companies have their own challenge because most don't have clear strategies to deal with basic items like mobility and others," says Manish Dave, an expert practitioner with a leading conglomerate. "Security concerns are underlined by the lack of a clear strategy in many cases. So expecting CASB now is asking for a bit much."
But he says that technologies, including CASB and Run Time Application Self Protection, or RASP, are going to be the norm in the coming years because they address fundamental security issues.
In this exclusive interview with Information Security Media Group, Dave speaks about his plans for the coming year, the Indian practitioner's challenge and some observations on MSSP trends. He covers:
- The CASB market in India;
- CISO challenges and public cloud security tips;
- The skills gap and the MSSP culture.
Dave has more than 24 years of experience in the IT domain, including 12 years of experience in information and network security; information security audits; policies and procedures; and IT risk management and governance. Before joining his present position, he was the group CISO at the Essar Group.
An edited transcript follows:
VARUN HARAN: What is the level of awareness of CASB as a technology in the Indian Market?
MANISH DAVE: I don't think there is an understanding of technologies like CASB in the Indian market. I believe awareness is a big issue, especially for small and medium enterprises. How do they educate themselves, in the first place? Not enough security practitioners in India today have access to research from the likes of Gartner, Forrester and others. That's where media such as yours need to step in. CISOs are increasingly attending industry forums and conferences to educate themselves on the current trends in the market and what is driving them, but awareness remains low.
I feel small companies may not go for CASB because they don't have a complex, hybrid IT infrastructure. Most of the small companies have limited budgets that won't allow them to pursue CASB technology. They will rely instead on the security provided by the public cloud service provider.
But CASB is the way to go. Two to three years from now, CASB is going to be what anti-virus is today. However, in a country like India, in the current recessionary scenario, CASB is not something that's going to be on the priority list. It is going to happen only once awareness reaches a certain critical mass in this market.
Public Cloud Security
HARAN: How are you approaching the public cloud security challenge? Can you share some recommendations? Don't you think CASB is going to help?
DAVE: I advise creating a matrix to determine public cloud risk, which defines the parameters on which I recommend sorting these risks into yellow, red, and green. Some of these criteria are:
- What workloads are eligible for the public cloud?
- Are these workloads processing business sensitive information?
- What is the level of availability & performance the business requires for these workloads?
- Do these workloads connect to the corporate network?
- Are these workloads accessible by mobile devices?
Using this matrix, an example of a green workload would be development workloads. You can straight away move something like this to the cloud without having to think twice, because there isn't going to be any data. In fact you would control costs as this would be on a pay per use model. This is a kind of matrix that can help in preparing for a move to the public cloud.
However, most companies out there have their own challenges because they don't have a clear strategy to deal with glaring issues like mobile security, cloud security, application security and others. So for instance, while there is pressure from the business to push mobility, security concerns are underlined by the lack of a clear strategy, in many cases. In such a scenario where even the basics might not be in place, expecting CASB is asking for a bit much.
Indian organizations also have contradicting philosophies in place. On the one hand, people are moving to collaborative platforms like Google & Microsoft Office 365 for their email, portals & basic applications, and at the same time refusing to block USBs, etc., because they don't want to be perceived as mistrusting the employees. Now if you have threats emanating from the USB vector, how do you protect IP & safeguard organizational information?
HARAN: What are some of the issues that are top-of-mind for you this year? What areas are you planning on giving attention to?
DAVE: In large multi-national organizations, there is global guidance and best practices that are shared. However these global perspectives are often strategic, and this is where we as practitioners can provide the local, geographic security context.
Some things I feel a practitioner today should focus on include RASP, or run time application self-protection. RASP is important because today, you may have malware sitting on your phone, and if you have an app that is accessing data on your server and storing it locally, there is a good chance that the malware intercepts and exfiltrates the data. Particularly in cases where, for instance, senior management like CEOs are provided BI reports on their cellphones and tablets, it can be a big threat. We tend to focus on security of 'data in transit' when internet is the medium. The big risk lies in the 'data at rest' and integrity of data or application on mobile phones.
Application security, in itself, is a big concern. The security checks that you need to have in applications do not exist in applications that were rolled out a decade back in organizations. Even though some organizations have a process via a VA/PT that is done on applications on roll out, the gap between each testing is in years. In this time, the entire threat landscape changes tremendously.
Keeping these things in mind, for instance, I've gone ahead and implemented a Web application firewall in my geography. My 5 priorities this year would be Runtime Application Self-Protection (RASP), CASB, Secure Software Development Lifecycle (SSDLC), SCADA Security, and intelligence in physical security systems at plants.
HARAN: Let's talk about the skill set problem. How good are the MSSPs in the market today? How are Indian organizations dealing with the skills gap?
DAVE: I think the skill sets available with MSSP today are not up to the mark. In fact, while many organizations pay through their noses, they are getting saddled with freshers and entry level operators for their L1 and L2 kind of job roles - for instance the overnight 24x7 support slots use low-cost, junior level resources during off-peak hours. Many of these MSSPs use the client organizations as a training bed for their operational staff, I feel. Moreover their level of initiative is restricted to the contractual liabilities and there are many gray areas where they fail to take action or are just not bothered because there is no contractual obligation. They are supposed to be 'experts', but I believe that they are neither proactive, nor do they have the proper competencies that they claim. The main question is how well do they understand business risk.
Security is a demanding journey. You cannot implement a piece of technology and then just forget about it. Continuous monitoring and tweaking is necessary. For instance, a firewall with a year-old rule set is going to be of no use. I think I can safely say that today, the majority of the SIEMs being used across all verticals in the industry today might not be properly configured to define what constitutes an incident. An incident needs to be defined, and this definition, unfortunately, is being articulated by junior L1 and L2 operations guys who may not have a complete picture of the business risk.