Watch: Capgemini’s Radhika Ramesh on current cloud security requirements

Multiple cloud solutions, abundance of devices and an unmet demand of cybersecurity skillsets have meant that very few organisations have a complete grasp of cloud security needs.

Organisations are struggling to address security challenges around identity and access control, monitoring and responding to threats, data leakage, governance, security skills shortages and shadow IT adoption, according to a Capgemini spokesperson.

TechCircle interviewed Radhika Ramesh, executive vice president and global delivery centre head of the French software services company’s Cloud Infrastructure Services division, to discuss how a lack of centralised control raises concerns about end-to-end security, among other topics.

Watch: Infosys’ Vishal Salvi on cybersecurity practice, current threat landscape

Excerpts:

How has the cloud security landscape shifted over recent months?

Yes, cloud and digital transformation, it will all make business more efficient. But this also brings across a huge challenge to the topic we are talking about and that is the security posture of enterprises. With increased connections across platforms and systems, the attack surface has just increased exponentially. Increasing regulatory compliance also is very, very important. The needs around the compliance and in the complexity of attacks, make cyber security of super, super importance. Again, when you look at the visibility and the balance between the external and the internal threats today, it needs to be weighed cautiously to enable resilient enterprise.

There is a need for a very well-defined cloud security strategy and architecture with business aligned controls. That's the key. A structured approach is required to manage the complexities because you have hybrid environments. And then you need to also ensure secure access uniformly, and provide a streamlined user experience as well. Some cloud strategies fail because security is not built-in. But it is more of an afterthought, it's more of a plug-and-play later. So that makes these kinds of solutions pretty weak. It is also critical that a well administered shared security model is established between the various stakeholders, the business, then you have the cloud providers, then you have the service integrators. It is also important to maximise zero trust architecture.

What is zero trust architecture?

If you look at conventional strategies earlier, they were based on the premises that data residing outside an entity is vulnerable, and hence, we need to protect it. Now when zero trust architecture (ZTA) is a security paradigm that fixes this inherent weakness. This requires the organisation to get into a continual mode of analysing, evaluating, and mitigating the risks involved in internal IT assets and business functions. 

When you look at the ZTA model, it restricts the access by providing it only to those in need at a time when it's required depending on whether they are successful in the authentication for each and every access request. So there is no blanket access, which is given to anybody. This actually eliminates unauthorised access to data and services, and employs a positive agile security enforcement model. So this is something that is strongly advised and being imbibed by many of the security officers.

What are some top cloud security challenges across industries?

When you're looking at cloud challenges, the interconnectivity across the IT landscape. This is the key for us when you're looking at the presence of legacy estate, evolving technologies and more of the open IT systems, increased need for sharing and accessing data, that also poses a huge challenge to the security posture of an enterprise. So organisations today struggle for provision and control access consistently across, you have the Infrastructure-as-a-Service, you have Platform-as-a-Service, you have Software-as-a-Service.

All this due to the lack of a centrally managed identities and access rights. Then data leakage is also a big threat right now. The cost of sensitive data leaking from cloud storage service providers and cloud repositories can be huge in terms of both reputational damage as well as non-compliance penalties.

Then the next point is ownership of strategies and risk is not always very well defined. This leads to a lack of control with little agreements on secure ways of working. When we talk about any service, the key resource is obviously people. Cloud skills are at a premium, cloud security and Dev Sec Ops skills are still in the evolving stages and hence high in demand and low in availability. So that is another challenge. 

There is also the risk of staff bypass central IT to adopt cloud services, exposing you know the organisation to unqualified risks. How do you manage European GDPR compliance if you cannot identify where your personal data stored? I would not envy the job of a security officers, extremely challenging and there is a significant shift in thinking and expectations.

What are top requirements of CISOs in cloud security offerings?

Everyone's going by the philosophy to think like an attacker, to protect the enterprise within as well as from you know, the various engagement partners they have. So it is like you know, how do you actually think like an attacker, that is the key. 

The second one is the security officers are very strongly oriented towards leveraging on service orchestration, artificial intelligence, machine learning, these are becoming a need rather than would-like-to-have, you know, something new which has come up. So, analytics, AI, ML, automation, these are becoming a very important ingredient in this entire exercise. 

There is also a lot of information available around us. You're flooded with threat intelligence information coming from commercial sources, you have national CERTs and security agencies, they just flood us with a lot of information around security and threats.

What is required is for someone to help evaluate these alerts is one, in context to the particular enterprise or his particular organisation and then assist in rolling out the necessary reactions in a structured manner. So, that is what the chief security officers are looking for, when it comes to this particular space.

There is also a need for security labs to test security products and malware analysis, end-to-end cyber security services right from policy defining, strategy consulting to deployment, management and monitoring are also in the key focus. Every security officer would prefer to the extent possible to have security and privacy by design and not as bolt-on at a later stage. This is where the collective intelligence of service providers like us come in to a great help to them.

How have client asks in the cloud infra side changed with the pandemic?

As far as the new deals are concerned, they are carved out the way the requirements are. Of course, there is a lot of focus on the transformation piece, especially tilted a lot towards cloud transformation. Digital transformation is predominantly what I would say. But then what has happened on the existing contracts is that the clients have worked with us very effectively.

Today, clients have understood that you don't need to be physically present for certain kind of services, they are more open towards remote working... I think India has been a great revelation to everybody. Today, we have people working across the length and breadth of India. So, they are spread across. So, rural infrastructure has actually proven itself, fantastic infrastructure, telecom infrastructure has helped us and given us the confidence that we can have people working across India and render services which are seamless and without any disruption.

So, I will say now, the clients have seen that especially in India have been very resilient to all the changes and if you recollect, I think along with a pandemic, we also had a lot of natural disasters which came in, the floods in Kolkata side and of course in Mumbai and other things. And this work-from-home stood up to all those tests well, because if you see till now, our disaster recovery (DR) setups have been more focused on the office premises per se. 

But this was the first time we were testing a full DR from the various respective homes of people and I think that really proved a lot of work and the quality of the infrastructure which we have today in India. I think that's given a lot of confidence to clients and they're very open with the kind of engagements which they have and I think we, from all of us in India have a lot to have contributed to that.