IoT: Security Must Be Built In
Verizon's Prashant Gupta on Security by Design
With the dramatic changes brought by BYOD and the Internet of Things, organizations need to bring a 'security by design' approach to new initiatives, says Prashant Gupta of Verizon Enterprise Solutions.
"Security should be an integral part of any solution being designed, and organizations need to consider at a foundational level when building up the architecture," Gupta says. With each new iteration of technology, it is back to basics for security, he adds.
Robust and consistent security that is built in by design will go a long way in changing the threat landscape, Gupta says. It's not a challenge, rather an opportunity, he believes. In this exclusive interview with Information Security Media Group, Gupta discusses:
- Balancing compliance with BYOD and IoT;
- Verizon's 2014 enterprise cloud report;
- Top trends for 2015.
At Verizon Enterprise Solutions, Gupta serves as head of solutions for India. In this role, he's responsible for assessing, recommending and customizing the development of advanced networks and IT solutions for Verizon's largest global enterprise customers in India.
Secure IT Design
Varun Haran: Prashant, can you share some insight on how organizations can design secure IT processes in the Indian context?
Prashant Gupta: Indian organizations need to focus on the fundamentals of IT security, which is to have the right policies. It doesn't have to be a 400-page policy - it just needs to be a policy which can be executed, and one which meets the organization's business needs.
Today, data is not confined within the boundaries of the data center, and we are now looking at an environment which is very dynamic in nature. People are demanding more and more information, and organizations want that their employees get access to this information so that timely business decisions can be taken. Furthermore, to do business today, one is not confined to the organization - there is a partner ecosystem that also needs access to this information to support you.
They need to follow a data-centric approach towards information security, rather than a product-based approach, because that is what will help in identifying the right technologies that address the business requirements and instead of making security a show-stopper, help make it an enabler.
Haran: How can an organization strike this balance between all these new technologies coming into its business environment and the regulatory and compliance measures that they need to take into account? What are some of the new challenges?
Gupta: I think the approach should be more business-centric. These new technologies are essentially there to help organizations do business more effectively, and help employees to be more productive. From an Internet of Things perspective, I think it is the basic technologies which will come into play, including cloud and sensors communicating back to enterprise applications over TCP/IP. So the only difference that I see is that IoT adds a massive expansion in scale.
Instead of just from the data center, information is now flowing across devices and people. The basics remain the same, while the scale will change drastically. So your system needs to be robust enough to handle that load. The other thing is when you are approaching any new technology, security should be a consideration right from the start.
So, while you are designing such a system for IoT, for instance, you need to make sure you are receiving data from authenticated devices/sensors and that such information is encrypted. These are things organizations need to consider at a foundational level when building up the architecture. Security should be an integral part of any solution being designed.
On Cloud Security
Haran: Prashant, Verizon just released the enterprise cloud 2014 report that includes a highlight which says that organizations are now seeing the cloud as having a positive impact on security. Can you elaborate on this trend?
Gupta: I believe it's human nature that when you see your data moving out of your premises, you are apprehensive. But now cloud providers are able to address those needs and provide user organizations with controls that are even more secure than those that they might have internally. Security tools and technologies are available today that can be sourced directly from a cloud provider, whereas an organization would have had to present a business case and invest in that technology themselves if they had gone on-premises.
People have understood that the cloud will have to be the way they move forward. Eighty percent of the respondents understood that the same policies that they had in-house can easily be replicated on a cloud provider, because cloud providers today also understand compliance requirements, be it PCI DSS, FISMA or any other compliance for the specific industry that they operate in.
Haran: What about data governance? How can an organization decide between public, private and hybrid cloud?
Gupta: From a data governance perspective, today many cloud providers give you a flexibility to choose which geography the data will reside in to comply with the laws of the land. Another important aspect is the audit trail that a cloud provider can furnish as required by the customer - even access to the virtual server or physical server if required.
Virtual private clouds/hybrid clouds are a prominent trend in the industry right now. Based on your workload and business need, you should have the flexibility to move from a private environment to a public environment, and even from one cloud provider to another - because every cloud provider comes with some unique feature sets which are applicable to a specific piece of your business. Some might have more secure controls, while others offer you availability, etc. Based purely on the business need, an organization should decide what to put where in a flexible manner.
Haran: What are some of the top security concerns that your clients are sharing with you? What are some of the trends to look out for in 2015?
Gupta: Different verticals have different concerns, but the common thread is that every vertical is adopting big data, IoT and BYOD, because these are helping businesses become more efficient. Threats will evolve because you have more assets now which can be compromised. Security is a more important discussion than ever before.
The game is changing in the fight against cybercrime. Device proliferation, machine-to-machine connections and extended computing environments will make network security more complex and more important than ever as well in 2015. What is required is a holistic, integrated, multilayered strategy that will be critical to mitigating these risks and establishing trust between these devices. What will be more important will be the adoption of proactive risk management strategies which will be aimed at detecting crimes in real-time using big data analytics techniques, which will be a make or break proposition for enterprises for safeguarding their data in the coming years. Collaboration and information sharing are going to play a key role in securing technology environments in 2015.