I am bringing out this quarterly newsletter, summarizing my key article publications done during Q2’22. Thanks for the great responses to my articles on Identity and Access Management (IAM) and wider cybersecurity topics. It has been an exciting journey so far.
I have received multiple requests to publish cybersecurity educational videos, that are easy to understand. I started working on this and published the first video article last week.
Just to summarize Q2’22, here are the key articles published.
Delivering a large scale Cybersecurity transformation involves solving a complex unstructured problem. This blog neither covers nor advocates any specific project management practice. For a successful delivery, disciplined project management practice is a must-have; whether you follow waterfall or agile methodology. This blog post covers mostly problem-solving aspects from the Cybersecurity angle.
This is an article co-authored with Rob Aragao. Cloud Security Alliance published this article: https://cloudsecurityalliance.org/blog/2022/02/17/multi-cloud-security/
Embarking on a cloud journey is exciting. While the cloud model was thought to bring in financial savings in the form of economies of scale, the benefits are many. The sheer pace at which it enables innovation is even more exciting. Multi-cloud models expand this even further. While this is all a good story and nice to hear, all it takes is just a piece of bad code or a misconfiguration to turn this into a horror show, potentially costing an organization millions. While many argue that the cloud platforms have inherent security controls and why bother, we need to remember cloud is all about shared security! Hence, it is time for organizations to take multi-cloud security seriously to protect themselves as they enjoy the benefits of the cloud era!
Multi-cloud approaches come with several benefits; though there are challenges as well. In order to realize the intended benefits, several challenges need to be addressed.
Gartner defines Identity and Access Management (IAM) as s the discipline that enables the right individuals to access the right resources at the right times for the right reasons. As the automation picks up the pace, the manual task performed by the individuals will be performed by the machines. Thus, governing the access is not just about the individuals; now, it is about the machines as well.
Apart from bringing security benefits, the central governance around the machine identity management provides visibility across the estate. It helps enforce standardization and best practices. At some stage, automation of the machine identity life cycle management becomes inevitable operationally. With digitization at its peak, it is time for machine Identity Management!
In layman’s terms- Ransomware is malicious software capable of holding computer devices and data for ransom. Similar to aeroplanes getting hijacked by hijackers, here computer systems get hijacked by the criminal hijackers with the intention of illicit financial gain.
When digitization is at its peak today, the most valuable asset is the “Information”. Unlike the olden days when bank robbers had to physically break into the Bank building, today- all they have to do is to get access to Bank’s IT system. Hence, the true “treasure” that needs to be stolen or to be hijacked to make lots of money “quickly” is “information”. This is what hackers do by leveraging basic human weaknesses. It might be easier said than done when we say that don’t pay hackers. The attacks are so sophisticated that the situations become do or die for the organizations at times. Hence, prudence is in prevention than even thinking about what to do when attacked by Ransomware!
Role Based Access Control (RBAC) is an approach to controlling access to various resources based on a person’s role within the organization. Rather than granting access to ten different systems based on the work profile, a set of access privileges is granted to the distinct “Roles”; depending on the work profile, a person is tagged to one or more “Roles”. Conceptually, RBAC is very much intuitive and easy to understand.
No access model is foolproof. RBAC is one of the most tried and tested access models. The knowledge worker work set-up is slowly moving away from brick and mortar to hybrid set-up; technology changes are no more breaking news, rather a routine; cloud adoption is catching up fast. All these ongoing changes impact access management considerations. Hence, it is time to rethink how well can we make the best of already made investments without ignoring the vulnerabilities getting introduced due to the suboptimal access model. As the thought process is moving to the Zero Trust concept, contextuality becomes extremely important. Hence, RBAC needs refinement.
This is an article co-authored with Satyavathi Divadari. Here is the link to article: https://techbeacon.com/security/privacy-ai-automation-multi-cloud-era
Cloud has become an integral part of enterprise business strategy. Research firm Gartner predicts that 85% of organizations will embrace a cloud-first strategy by 2025. As part of that, multi-cloud adoption is increasing, and so are the risk factors for your data.
Comprehensively handling data encryption or data masking to protect data across clouds or on premises is essential. Leveraging security solutions such as cloud access security brokers, which sit between the cloud and your on-premises gear, can help to enforce your policies around data security .
While many argue that the cloud platforms have inherent native security controls and you needn't bother to implement your own, you need to remember cloud is all about shared security. It is time for organizations to take multi-cloud security seriously to protect themselves as they enjoy the benefits of the multi-cloud era.
Identity Access Management (IAM) is defined by Gartner as “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons”
The definition looks simple, but the implementation is not!
Contrary to the popular belief, IAM is not mere technology implementation, but rather a business-focused enterprise-wide strategic set-up. Hence, like any other Cybersecurity transformation, IAM implementation needs a clear strategy aligned to the Organization’s strategic priorities as well as long term view. It is important to remember that IAM impacts every employee (internal user of IT applications), contractors, and in some cases customers in case they access your IT systems. Hence, the user experience should be the centre of IAM implementation. Million-dollar technology investments will go down the drain if the users are not happy due to usability issues.
IAM implementation is a strategic decision irrespective of the initial scale in scope. Have a big picture view in mind when commencing the implementation. The implementation should not be done hurriedly. The IAM rollout is a multi-year enterprise-wide transformation. It requires disciplined programme/project management for the delivery of the intended benefits.
The technology market has a plethora of Identity and Access Management (IAM) products. The offerings are available both in on-premise as well as in IAM as a Service(IAMaaS) format. The pros of this are that organizations have a good number of choices. At the same time, the cons of this are that it makes the product selection bit confusing. Market research is a good starting point to have an initial shortlist. Before making the final IAM product choice, the organizations need to pay attention to the integration capabilities of the IAM product.
An IAM product investment decision is too important and it has long term implications. Make key data points available to the senior decision-makers so that an informed decision can be made. Once the decision is made, setting up an enterprise-scale IAM is a major transformational effort impacting every business line. Seemingly very simple aspect around integration plays a very important role in a successful IAM transformation!