Perspectives on securing the cloud

The network perimeter is gone, enterprises are at different ends of the cloud migration spectrum, and IoT, AI, 5G, and other technologies are on the horizon. IT leaders from Singapore share their perspectives on the security challenges in this era.

As enterprises go through the digital transformation process, they have to manage data, comply with regulations, make sure customers receive the perfect experience, and that business activities continue uninterrupted. Meanwhile, at the back end, IT teams have to battle with securing the complex world of the multi-cloud, on-premise and hybrid-cloud models of infrastructure deployment within an organisation.

At a roundtable in Singapore hosted by McAfee and organised by Jicara Media, senior IT executives discussed data governance, IT visibility, and the future of security.

Craig Nielsen, Vice President APAC at McAfee, opened the roundtable by summing up the changes in the security industry over the past decade or so. “As security practitioners, the whole mindset was so different when I got into this industry,” he said. “The perimeter was really the key control point, and as we know, that’s gone away. Today, security needs to be built into our thinking about how we approach what we build in the future.”

He then summarized his observations on the APAC security industry, which sparked off a lively discussion at the start of the roundtable. Said Nielsen, “The conversations we’re having around APAC are really interesting. In many cases, we’re pretty stunned by the different levels of maturity and the thinking around cloud security problems. That being said, our customers are different – some are very early on in the journey, but many have almost nothing on premise anymore.”

Nielsen’s remarks led to an interesting analysis by the participants on the dilemmas faced by enterprises in Singapore, and the obstacles preventing them from realizing full digital transformation.

Changes in regulation

Many of the participants have had to adapt their IT strategies according to changing policies and regulations, and have begun digital transformation only recently as a result.

Said Kia Siang Hock, Head & Chief Information Security Officer at the National Library Board, “Not too long ago, we weren’t supposed to touch the cloud. And suddenly, we’re supposed to move to the cloud. Previously, I had to move one of my cloud services on-premise because of that, but now I’m doing the reverse. So because of that, we don’t have a lot of expertise in cloud. This sudden change in direction means we have to pick it up very quickly, and it’s not easy – for us, at least 80-90% of the systems now have to be moved to the cloud based on the cloud-first policy.”

Singapore’s financial services industry is in a similar position, and now has to deal with legacy systems that have not been updated due to regulatory restrictions.

A senior IT leader from a large bank said,We’re highly regulated, so we bought our infrastructure 15 or so years ago, and it’s still in the production environment today. At that time, we didn’t even know what cloud was. The business applications that are still running on it also don’t know anything about cloud. It is secure by design. I personally think that this industry, in this time of change in IT, is probably the most challenging place to be, because of so many restrictions. Cloud is finally accepted, and now we’ve finally got our regulators to come along with us on the journey, but now, we have the problem of shadow IT.”

Sourabh Chitrachar, Regional Director (Asia & Russia) – IT Transformation and Applications Liberty Insurance Private Limited agreed. “The insurance industry is a regulated industry as well, with a lot of monolithic architecture. Changing it to a micro-services-based organization is very difficult. That’s one of the challenges I’m facing right now. So what we’re looking at is a global security strategy. Because of the changes and the regulations – GDPR, especially – a lot of thought is going into handling topics around how to work around cloud security, perimeter security, and customer data security.”

The problem of data governance: what to protect

According to the participants, one of the biggest security challenges they are facing today is around data governance, and understanding what data they need to protect.

Said William Hewell, Head, Customer Platforms / Engineering & Architecture at Prudential Assurance Company,“In terms of security, there are many fronts where we are facing challenges. We hold sensitive data on premise, but once we move to the cloud, how do we secure it there? Conducting transactions, as well as being able to share that data with our banking partners: how do we safely do that? How can we make it open to co-collaborators and partners, and how to provide more value in our services while being secure?”

Ramesh Munamarty, (former) Senior Executive Vice President, Technology & Innovation at International SOS, argued that part of the problem is that organizations are storing too much irrelevant data, and that internally, there is a lack of understanding of the data.

He said, “I would say that we store all the data that we should not be storing, such as healthcare data, government data, credit card data. All these things are taboo. And then we’re going to the cloud. So the challenge is more around the governance of identifying where the boundaries are, what data is considered confidential, and what’s considered okay to share, and really driving around data governance, which leads to additional security elements on top of that. But primarily, getting an arm around data is one of the key challenges.”

Vishnu Bhan, Director – Digitalization, Head of Center of Digital Excellence at Singtel, suggested that the challenge of data governance might drive efficiency within an organization.

He argued, “The biggest problem today is that data systems haven’t been classified – what is the [data] level? Is it restricted, or is it confidential? Going to the cloud is the second step. But the beauty of that is, it provides a window [into the data]. Because of the movement to the cloud, organizations have to ask, ‘Why are we holding this data?’ It’s solving a lot of different problems today, because companies have started becoming accountable.”

Achieving visibility of the IT landscape

The participants agreed that the first step in managing both data and the move to the cloud is to attain visibility of an organization’s entire IT landscape.

Said Eric Sim, Head, Technology Office at ST Logistics, “The key problem we have is, there’re always new solutions, new processes, new devices.. I struggle with the visibility of my IT landscape.”

McAfee’s Nielsen agreed that IT visibility, especially of the data, is the most important starting point for an organization undergoing digital transformation. He said,“One of the first steps we advise is visibility into data location. Where is your most important data? Most folks don’t know where that is. You need to know where that data is, and then you can decide what your strategy should be.”

Kia, who is both CISO and Chief Architect, suggested one of the reasons for this is that CISOs are too removed from IT architecture.

He said, “There are many issues where CISOs are a bit too far from the ground. So they do not know exactly what the thousands of applications out there are, and how they work. I have visibility into every single project across the entire enterprise, because everything needs to go through me. I may not have every detail, but at least I have the overall picture, and that helps a lot in trying to see the possible gaps in cybersecurity, and the important aspects that we need to tackle now.”

Keeping up with the pace of IT

One of the things all participants expressed having struggles with is keeping up with the pace of change in the IT application sphere.

For Lim Koh Peng Director, Head of Risk Management at CIMB, keeping up means having to achieve a balance. She said, “We are part of an aggressive 5-year expansion plan leading towards 2023, which will include cloud, replacement of old technology platforms, as well as allowing digital banking and expanding current mobile apps, etc. I’m making sure these things align with regulations, what the bank can afford, and what our customers can accept — it is a triangular relationship we’re managing.”

Arvind Mathur, Chief Information Officer at Prudential Assurance Company, argued that, with the breakneck pace of business, IT audits are now becoming ineffectual.

He explained, “Things are changing so fast in this space that it’s hard for most people to keep up to speed with what’s going on. For instance, one of the challenges we’re facing more and more is, as the landscape changes so rapidly, new applications are being put in place, perimeters are changing, shifting to the cloud etc. The way we used to understand our overall security posture was by doing an annual or bi-annual audit, with one of the big consulting firms. That is pointless now — you literally need an hour-by-hour update on the security posture.”

The multi-cloud is inevitable

The participants agreed that the IT landscape today makes multi-cloud a necessity, and that most organizations do not have the luxury to rely on a single cloud environment. According to Munamarty, one of the reasons for this is a vendor-driven cloud market.

He said, “With so many of these vendors, all of them having their own applications on their own cloud, you are almost forced to be in a multi-cloud environment. By definition, you are already in the multi-cloud if you use multiple cloud vendors. On top of that, you have internal systems that need to go up on the cloud, and those also end up being on multiple cloud platforms. For example, if you have a lot of Microsoft-based applications, naturally, the best thing is to try Azure, where there’s a natural linkage. If you’re using Oracle applications, then Oracle Cloud has a natural inclination towards that data. So I think multi-cloud, and the hybrid cloud, is sort of the destination for any company, regardless of where they are on the journey.”

Bhan, using the example of Singtel, showed that managing multiple cloud environments has become a service in itself.

He illustrated, “We have a cloud business, and we manage it. So instead of people getting on a single cloud and then charting out what their mult-icloud strategy should be, we have features such as plugging in the workloads and then moving those workloads across clouds based on the cost optimization.”

Challenges of the future

The roundtable concluded with a discussion of the potential IT challenges of the near future. Here, a recurring theme was the growth of IoT and securing the billions of IoT devices across the world, brought about by 5G, AI and machine learning.

Robert Chin AVP, IT Governance & Infrastructure Planning Global PSA, anticipated the struggles of running Singapore’s upcoming fully-automated port.

He said, “You can’t really secure an IoT environment like you do an IT environment — things are not quite as firm. As we design the cranes and automation systems, we have to constantly review and decide on what is the best way to secure them.”

Bhan agreed, saying, “What’s really scary in my view is that, next year, 5G will come in. Per square kilometer, you’re suddenly going to have a million devices instead of the 10,000 devices we have right now. The number of endpoints which have to be secured has suddenly gone up by a factor of nearly 100. Even cloud-based security providers might not be able to manage that kind of a load. Because once 5G comes in, the speed at which they’re transmitting data is going to go up astronomically.”

After sharing their concerns, the participants determined that the IT landscape will be transformed dramatically in the coming years, leading to disruptions in the way businesses operate. A participant concluded the event by suggesting that one crucial way to survive is to engage startups and encourage innovation.

“We’ve also started an innovation lab to co-create and invest in startups, where we know we can disrupt ourselves before someone else disrupts us. And I think that is key to our survival — if we don’t change, someone will change us, and we’ll be out of work.”