The cyber world is evolving at a fast pace. But alongside the growth, ensuring security is becoming a major challenge for companies offering cyber solutions. Sandip Kumar Panda, CEO, InstaSafe, highlights the key trends in the cybersecurity space while speaking with Jagmeet Singh of OSFY. Edited excerpts…
Q How has cyber security evolved to meet the sudden increase in Web attacks?
Attacks have evolved over the years from being mere pranks to clearly having profit as the key motive. Many attacks earlier were also state-sponsored, targeting the computers and networks of a rival state. The focus of hackers has now shifted to targeting the networks and data of consumers and businesses, with profit as a key aim, which was evident in the recent ransomware attacks. Cyber security research bodies like the Cloud Security Alliance (CSA) are continuously promoting the use of best practices for providing security assurance, while startups are creating innovative solutions and disrupting the market by delivering cyber security as a service to reduce the risks of adopting new technology.
Q What are the major challenges associated with offering enterprise-level security in developing markets like India?
The primary challenge in selling security solutions in developing markets like India is that users are more inclined to buy from traditional, legacy vendors. They are also not easily convinced that newer technologies such as cloud-based security can work more efficiently and cost less than the legacy systems. But that mindset is changing as the market goes through a tectonic shift from desktops to smartphones as the device of choice. Customers are realising that innovative products built in India effectively address their usage requirements.
To address developing markets, we must look at technologies that are clearly innovative, easy to use, require minimal investment in IT infrastructure and technical manpower, are priced cost-effectively and come packaged with extensive knowledge-based support. Businesses are looking to save costs in a competitive environment, which is the reason why we think the InstaSafe model of delivering trust and security on a subscription plan will be attractive to users.
Q How does cloud adoption help InstaSafe to resolve those challenges?
Cloud adoption is increasing but there are a lot of security concerns. Typically, consultants and solutions service providers assemble a patchy set of security point products to address those concerns, which is not necessarily the best way to go on a long-term basis. At InstaSafe, we have made our solution attractive to businesses as it gives organisations the agility to quickly deploy and scale their application infrastructure while closely integrating the security. Further, we have ensured that our solution is easy to deploy, manage and monitor by the IT staff, and that the end users too, find it easy to use.
Unlike a hardware-based product that takes weeks to have the box delivered and then integrated with the existing infrastructure, our Security-as-a-Service offering can be quickly deployed on any existing hardware. Organisations can also right-size their services and scale as they grow, rather than invest in infrastructure that they may never fully use and, therefore, realise faster ROI.
Q Why would an enterprise need to start relying on a Security-as-a-Service (SaaS) model instead of deploying its own team of IT security experts?
The SaaS model clearly stands out because of the agility it offers. It promises quick deployments, and pricing that is subscription-based, and hence does not require upfront capital investments in servers and other infrastructure that quickly depreciate in value. Hiring a large number of security experts and developing, running and debugging IT security software in-house is not feasible any more, because of the acute shortage of top-quality security professionals. Legacy methods also have the management overhead of regularly rolling out patches, in order to make sure that all systems have been correctly configured and upgraded to the new software. Therefore, it makes far more technical and business sense to instead partner with a provider who monitors the threat landscape for you, provides patches quickly and is able to roll them out automatically over the cloud.
Q How does InstaSafe Secure Access enable an advanced security layer on top of a hybrid cloud infrastructure?
The solution offered by InstaSafe provides on-demand, scalable, secure access for all users connecting with their corporate-issued device or a BYOD, to access applications, located anywhere – the public cloud, the private cloud or on-premise. This is based on the ‘need-to-know’ access model used in military networks. Our solution creates an ‘Enterprise Black Cloud’, which is essentially a completely invisible network, and is accessible only after the user and the device that is being used to connect are first verified, and then a level of trust is established. As part of the seven layers of security, InstaSafe Secure Access binds the users to the device(s), ensuring their credentials don’t work on any other device, and it only allows access to specific applications based on the ‘need-to-know’ access model.
Q Is it difficult for hackers to gain backdoor access to a hybrid environment?
All environments, whether hybrid or not, are vulnerable to backdoor attacks, and this is due to the fact that the users and the devices used by them are the weakest links in the enterprise security landscape. Despite the best defences in place, user endpoints can be easily compromised and so the hacker can gain backdoor entry to the enterprise network, including a hybrid one. Once inside, the hacker is able to move laterally with minimum effort. This kind of backdoor entry is feasible due to the trust placed on endpoints once they are inside the network. Google and some other large corporations have started to tackle such attacks. Google’s BeyondCorp project provides a very good case study about the benefits of not trusting user endpoints, and provides context-sensitive access.
InstaSafe Secure Access is based on the very same principles defined in SDP (software defined perimeter), which ensure that the enterprise network is a ‘Black Cloud’ and access is granted to the user and device only after a certain trust level is established.
Q What are the big obstacles faced when securing hybrid data centres, and how does your solution save costs for enterprises?
Hybrid data centres require solutions that are flexible, and even better, programmable. Maintaining security across these set-ups (whether a public or private cloud) is different due to the network visibility, access and scalability. Hence, the ideal security solutions to protect hybrid data centres are programmable and scalable, yet easy to deploy, maintain and monitor. InstaSafe Secure Access is a ‘software only’ solution delivered as a service. It can scale and adapt along with the access to the hybrid infrastructure. This ‘software only’ solution that is delivered as a service positively impacts costs by significantly reducing TCO and delivering a faster ROI.
Q What strategies should a company adopt to secure cloud deployments in today’s market?
Corporates need to gain a clear understanding of the shared model of security while doing cloud deployments. Typically, the cloud provider secures the hardware infrastructure, while the company needs to ensure that the network access, the operating system security, and the application security are handled effectively. As such, the cloud providers secure the underlying physical infrastructure, ensuring the logical data isolation between different customers, and so on.
Also, corporates need to invest in the skills improvement of their workforce so that they understand these changes and keep an open mind in terms of looking out for innovative security solutions — be it from startups or established vendors.
Q How does InstaSafe help to educate the market about cyber security?
We have partnered with leading organisations like the Data Security Council of India (DSCI), the Cloud Security Alliance (CSA) and the Cloud Computing Innovation Council of India (CCICI) to promote awareness of security at multiple levels, starting with CIOs.
Q Have the recent partnerships with CSA and CCICI enabled InstaSafe to enhance awareness of cloud-based security solutions in the Indian market?
Along with our partnerships with cloud security organisations, last year we published a pioneering survey on cloud and security adoption in India. We are continuing this study in 2017 and will do so in the years to come, aiming to provide an authoritative benchmark for how the country and local organisations have evolved in cloud deployments and cloud security.
Q How do you view VPNs (virtual private networks) in the security landscape?
VPNs have been around for 20 years with minimum innovation. They have limited utility by themselves, as they do not have much flexibility in deployments for hybrid set-ups. In many cases, they do not even allow for fine-tuned, multiple-level access to resources on the organisation’s network, as they operate on an ‘all-or-nothing’ principle for access to the assigned network. SDP solutions offer the flexibility and functionality required for today’s set-up, vastly improving the security posture of any enterprise, both of which VPNs cannot fulfil.
Q What are your views on India’s national cyber security policy? Do you think such legal developments are vital for the country?
A national cyber security policy is certainly vital for the country. Till date, we do not have a formal, legally enforceable cyber security policy, but there has been some talk of it being under consideration. We clearly need a legal framework that would address, for example, the basic requirement that data should reside within the country. This would make it possible to prosecute the people responsible for data breaches, within India.
Q Where does open source sit in the world of cloud-based security solutions?
The security industry has to look at using open standards and the concept of sharing as key strategies. Going forward, open source will inevitably become a key element of security as people have to turn to a code base that is easily reusable, and more importantly, has been worked on, tweaked and tested for bugs by a large installed base of users.
Q Do you believe in the philosophy of releasing the code to the public?
Certainly. The cloud security industry is moving to open source because of a large number of crowd-tested solutions out there that are open source. Hypervisors and Apache Web servers are open source, while security protocols like SSL are open. They have been time-tested and crowd-tested, so they have become better than closed source software.
Q Is it lucrative to opt for a career around cyber security?
Most certainly. As a growing shortage of security professionals exists in the market today, there is clearly an opportunity.
Q Lastly, where do you see the world of cloud security moving in the next five years?
What we are going to be seeing is that as network speeds improve, IoT devices such as small little sensors located in industrial and consumer infrastructure will proliferate faster than smartphones and other end user devices. All of these IoT and IIoT sensors will be monitored and managed using cloud set-ups. This will create an environment where cyber security will become ubiquitous, since it will then directly impact the safety and well-being of humanity.