In recent years, cloud has emerged as a vulnerability for businesses when it comes to cyber security. According to a report by US-based cloud security company, Palo Alto Networks, over just four months in mid-2018, there were multiple high-profile breaches involving public cloud environments, due to negligence on the part of the cloud service providers. In an interview with Business Today, on the sidelines of Cloud Security Summit in Mumbai, Simon Green, senior vice president, APAC of Palo Alto Networks and Anil Bhasin, regional vice president, India & SAARC at Palo Alto Networks, shared their thoughts on cloud security trends and the way ahead.
Business Today: What are some major challenges that companies are facing when it comes to cloud security?
Simon Green: Before we talk about cloud security let's talk about cloud, generally. The cloud market, depending on who you are talking to, is estimated to be $500 billion in the next 5 years. Many organisations are trying to get out of the data centre business and focussing on core competencies of running their business and outsourcing the data centre and IT capabilities. They are also trying to get the data and applications and customer delivered services closer to the customer. And those data centres tend to be cloud oriented infrastructure. So companies are trying to find better ways of doing things, doing them more rapidly and getting closer to their customers and cloud is one solution to do that.
When it comes to security, you have less control, when your data is residing out in cloud. We have less knowledge on exactly where that information is sitting as opposed to you and I if we had physical infrastructure we can see it, feel it, touch it and we feel more secure. So companies are trying to deliver consistent security outcome no matter where that data resides. The challenge for those organisations today is consistency, visibility (ensure that I can see everything that is going on the cloud), control of how my IT people are putting information in the cloud. What are the compliance parameters in that programme? So these are the challenges that they are facing.
This going ahead can become more pervasive and not less. The cloud market today is about $140 billion so if it grows to $500 billion, then it is significant.
BT: Different types of cloud, do they come with their own set of vulnerabilities?
Anil Bhasin: Cloud has three nuances--infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). In software as a service there is nothing I own, not even my applications; in infrastructure as a service, I still own my applications. So there are different nuances. What we are trying to do is address all of these three different nuances with consistency. So for us it doesn't matter if you are using IaaS, PaaS or SaaS. This is where we are trying to simplify.
In cloud the first basic thing is visibility; let's say I am an employee, I open an account with AWS, I just need to swipe it through my credit card, how does anybody in the organisation know what I have done, as I have not taken any permission. Through me I could have just pushed my password and I just forgot about it. And I have created vulnerability for the organisation without it knowing.
Customers will always try and look at a hybrid model. There are cloud native companies, they have an advantage, where they have developed nothing on premise, so cloud security is embedded as part of their architecture, they are always ahead. But most organisations have a hybrid model; you have something available on premise and a lot of work load on the cloud. The question is, how we secure data regardless of where data can be addressed, data can be motioned? So our narrative of prevention has resonated very well with cloud security customers and because we have a platform approach and not a product approach to cloud security.
BT: Which sectors have already moved to ensure cloud security?
Bhasin: First of all, it is a myth that people think they are not on cloud. You would be quite surprised that many organisations are not aware that they are on the cloud. We just had a customer in the morning, where he thought there were just two accounts sanctioned and they ended up with 147. I have another customer who is trying to find out how many people have opened accounts. Most organisations are using cloud in some shape and form. How many customers use Office 365? Office 365 is on cloud. How many customers use Salesforce? How many customers use Dropbox? So in some shape and form they are already using the cloud. You would think banks don't use cloud. We have to nuance whether it is private cloud, public cloud.
Green: There are a lot of start-up organisations and it is not industry specific; they are people with great ideas, they want speed, and they don't want the infrastructure cost so they are leveraging the cloud. They won't need data centres, they issue people laptops, and they provide an Internet connection and consume all of their applications from the cloud. I don't know that all companies get to that point but that is the direction they are going because traditional companies are competing with start-ups, who have the speed and rapid development capabilities and they are all doing it with cloud.
BT: What is the ideal solution when many verticals in the company are employing cloud and there are many accounts?
Bhasin: Our solution is Redlock. It can scan the clouds and provide the visibility to all things cloud. Can tell you what is secure, what is not secure, what is compliant and what is not compliant.
BT: How important is team synergy for cloud security?
Green: Think it is an organisational statement; it should not be department by department, CISOs today are trying to raise visibility and education around navigating the digital age. The obligations and thought processes within an organisation are not as pervasive probably as they should be. So it is a CIO and a CISO challenge. How do they ensure that security is at the heart of IT deployment in the organisation?
Bhasin: In any organisation there are clear roles and responsibilities. You have a network team that is responsible for the firewalls, an info-sec team that is responsible for policy making and compliance, an endpoint team that takes care of all the end points, an operations team that makes sure everything works, a business dev-ops team that is responsible for developing applications, and then they report into different functions. Sometimes CIO reports directly to the board, sometimes CISO reports directly to the board but if you see across all of these functions security is pervasive. This is about creating awareness. We at Palo Alto Networks are talking across all these functions and making sure they are on the same page but there has to be an aggregation point. Whether it is at the board level or sometimes collaboration between the CIO and the CISO. It is something that is work in progress; you will need not just education but technology where you can allow them the control.