Cloud security is high priority for enterprises: John Watts, Gartner

John Watts
11 Sep, 2019

As enterprises increasingly adopt Infrastructure as a Service (IaaS) and Software as a Service (SaaS) solutions on the cloud, they also take on a range of security risks, such as new points of vulnerability introduced when developers move workloads with a lift-and-shift approach.

Another obvious concern is that the environment becomes increasingly complex if the cloud servers are housed in different data centres around the globe. Added to this are increased chances of misconfiguration and reduced visibility compared with an on-premise data centre.

In an interview with TechCircle, John Watts, senior director and analyst, Gartner Global, decodes the network security landscape in the cloud.

With over two decades of experience in the network security domain, Watts covers the areas of infrastructure protection, web gateways, network access control, network security policies, network traffic analysis and a host of areas related to the network security landscape.

Edited excerpts:

How has network security evolved over the years in hybrid cloud IaaS solutions?

At Gartner, we see that IaaS is not as large as SaaS, but it is growing as a market worldwide. As a result, we see a lot of clients looking to expand network security to the hybrid cloud. Often they will look at hybrid security solutions like micro-segmentation vendors who can provide security both in the public cloud and in the data centre.

What are some of the best practices that enterprises can look at when they are adopting SaaS-based cloud solutions?

For SaaS-based cloud solutions, we see that the primary control for security is cloud access security brokers (CASB). 

CASB can act as a forward proxy and is often integrated with the secure web gateway to control access to sanctioned SaaS applications from inside the network. It can also integrate in the reverse direction through application programming interfaces (APIs).

It can also act as a reverse proxy for SaaS applications: if somebody were to access them from outside the organisation, the request would be redirected to the CASB, which would then enforce the security policy.

Can you briefly describe anomaly detection and the problem of the increase in encrypted traffic? What are some of the strategies that can be utilised to analyse encrypted traffic?

For anomaly detection, we see tools like network traffic analysis, user entity and behaviour analysis, security information and event management. All of these tools use machine learning (ML) through which they baseline normal behaviour across different data points.

After baselining for 2-4 weeks, they can identify anomalies that occur on the network. Clients that we talk to find success in implementing these solutions in finding insider threats and other unforeseen security instances.

For encrypted traffic, with TLS 1.3 (Transport Layer Security 1.3), the encryption standards have been raised for SSL traffic or TLS traffic.

It is becoming more difficult to decrypt, and many vendors have downgraded TLS 1.3 connections to TLS 1.2 and are also working on ways to decrypt TLS 1.3 more natively. There are some vendors who do this today.

For network traffic analysis, vendors who don’t decrypt traffic use things like NetFlow analysis, where they can look at the nodes in the network and the common connections between them, and can detect what is occurring without actually needing to see the packets flowing between the nodes on the network. They can do more imprints of security threats on the network as opposed to a deep inspection of the contents.
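As an added illustration of the two ideas above (baselining normal behaviour per host, then flagging deviations using only flow metadata rather than decrypted payloads), the following Python example is not from the interview or from any vendor product. The flow records are constructed for the example, and the statistical thresholds (a z-score of 3 and a 10% floor on the standard deviation) are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (window, src, dst, dst_port, bytes).
# Only metadata is used, so this works on TLS 1.3 traffic without decryption.
BASELINE = []
for w in range(4):  # four baseline windows of ordinary behaviour
    BASELINE += [
        (w, "10.0.0.5", "10.0.1.20", 443, 12_000 + 500 * w),
        (w, "10.0.0.5", "10.0.1.21", 443, 11_500),
        (w, "10.0.0.7", "10.0.1.20", 443, 3_000),
    ]
# Window 4: host 10.0.0.5 suddenly fans out to new peers and moves far more data.
CURRENT = [
    (4, "10.0.0.5", "10.0.1.20", 443, 12_500),
    (4, "10.0.0.5", "10.0.1.21", 443, 11_400),
    (4, "10.0.0.5", "10.0.1.30", 443, 90_000),
    (4, "10.0.0.5", "10.0.1.31", 443, 85_000),
    (4, "10.0.0.7", "10.0.1.20", 443, 3_100),
]

def per_window_features(flows):
    """Aggregate flows into (bytes sent, distinct destinations) per (window, src)."""
    bytes_out, peers = defaultdict(int), defaultdict(set)
    for win, src, dst, _port, nbytes in flows:
        bytes_out[(win, src)] += nbytes
        peers[(win, src)].add(dst)
    return {k: (bytes_out[k], len(peers[k])) for k in bytes_out}

def build_baseline(flows):
    """Per source host: (mean, std-dev) of bytes and of peer count across windows."""
    series = defaultdict(lambda: ([], []))
    for (_win, src), (b, p) in per_window_features(flows).items():
        series[src][0].append(b)
        series[src][1].append(p)
    return {src: ((mean(b), pstdev(b)), (mean(p), pstdev(p)))
            for src, (b, p) in series.items()}

def detect(baseline, flows, z=3.0, min_peer_delta=1):
    """Flag hosts whose bytes or fan-out in a window exceed their own baseline."""
    alerts = []
    for (win, src), (b, p) in per_window_features(flows).items():
        if src not in baseline:
            alerts.append((win, src, "no baseline for host"))
            continue
        (mb, sb), (mp, sp) = baseline[src]
        if b > mb + z * max(sb, 0.1 * mb):  # floor avoids alerting on tiny jitter
            alerts.append((win, src, f"bytes {b} vs baseline {mb:.0f}"))
        if p > mp + max(z * sp, min_peer_delta):
            alerts.append((win, src, f"{p} peers vs baseline {mp:.0f}"))
    return alerts
```

Running `detect(build_baseline(BASELINE), CURRENT)` flags only 10.0.0.5, once for volume and once for fan-out, while the unchanged host 10.0.0.7 stays quiet.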

Since you mentioned machine learning, how are some of the vendors utilising AI and ML to take network security to the next level?

ML is the technique of artificial intelligence used by many of the vendors, especially in the security field. ML works by taking a large data set and building algorithms to segment the data into different categories based on the property of the data.

The biggest hurdle for a customer who is using an ML-based solution is getting good data for the algorithms. They often have to set up network tests, collect the data and then understand what to get out of the solution.

What are some of the emerging network threats that have evolved over the last couple of years? How can organisations go about mitigating these threats?

The threat vectors haven’t changed much. If we look at the threat vectors, there are probably close to eight that occur commonly but it’s the techniques within the vectors that have changed.

We see more ransomware, and it has evolved by increasing its encryption strength. It is more difficult now to decrypt files that have been encrypted by ransomware.

They have also become advanced and demand payment through bitcoin or cryptocurrencies. It has become a lot more evasive, destructive and difficult to mitigate today.

In terms of geographies, how susceptible is the Indian subcontinent/APAC region to cloud security threats compared to the Americas and Europe?

In India, the cloud market is growing fast and expenditure on cloud security is likely to more than double to $10 million by 2020 from $4 million in 2019. India is adopting cloud security at a faster rate than other areas globally.

The increase in spending on cloud security in India is due to the increase in cloud access security brokers and the implementation of their SaaS solutions in the Indian market.

Within Indian organisations, what are some of the cloud security strategies they are not implementing or are not aware of?

First steps include having a good security posture and good operational hygiene: automated patching of browsers, and software patched on a regular basis.

Then it is a matter of a risk-based approach and how threats can be prevented. We know that 100% prevention of threats is not possible. We also recommend that you put in place network controls such as NTA (network traffic analysis) solutions.

Being able to respond when things don’t go as planned is something we call CARTA (continuous adaptive risk and trust assessment). As we go through the cycle of feedback from different domains, it leads to a better security posture and reduces risks to the environment.