Complexity is the biggest enemy for cybersecurity practitioners: McAfee’s Nielsen
With more organisations moving their business to the cloud, the attack surface has also widened. While many companies prefer a lower level of security and verification for the sake of convenience, some feel that the default security offered by the cloud service provider is sufficient, and then there are those that keep adding security controls by the day, adding to the complexity. In conversation with Mint, Craig Nielsen, vice president-APAC, McAfee, emphasises the importance of unifying security controls, why simplicity of processes matters and what makes India a vital cog in their wheel. Here are the excerpts from the conversation.
Q. Why is securing cloud important?
Nielsen: If you look at the India market today, the focus is more on enterprise security, which is a $1.86 billion market. It is growing at 12.4% annually, while cloud is growing at 22% annually. So an increasing amount of data, applications and workloads is ending up in the cloud. As the cloud footprint grows so will the attack. For that reason protecting and securing cloud is really critical. In addition to that, you’ve got GDPR coming out of Europe and the Privacy Act is also being contemplated in India. So, not only is it in an organization’s interest to protect this data, but the consequences of breaches are now becoming much more significant.
Q. Many organisations have some sort of security system to protect their cloud infrastructure, yet they end up getting targeted. What is missing in their efforts?
Nielsen: If you look at all the breaches, whether they’re on cloud or on premise, you will find that those organizations had the technology, but they didn’t have a synchronized policy. So there has been a gap in the policy deployment because they have been using different tools with different policy engines and configurations, or many features haven’t been turned on because the existence of many tools creates so much complexity, which is the biggest enemy for any cybersecurity practitioner. So, in the same way we look to simplify it on premise, we not only need to simplify it on cloud, but we need to unify cloud and on premise. So for a lot of these areas, we don’t have to think about cloud data or on premise data protection policies separately. So essentially what we are doing is consolidating management, policy and incident response for different cloud scenarios, whether it is SAAS (software as a service), IAAS (Infrastructure as a Service) or PAAS (platform as a service).
Q. A recent report by Palo Alto says that many company heads of Indian companies feel that they don’t need another layer of security and the default security offered by cloud service provider is enough. How effective are these solutions?
Nielsen: If an organisation starts with the shared responsibility model, they will have to understand clearly what their organization is responsible for and then map that into the security controls from a particular cloud service provider. If you were to use a single cloud service it may be possible for you to rely solely on security controls from that. But not all organisations do that. Organisations on an average are using well north of 10 sanctioned services, be that SAAS, IAAS or PAAS, growing at a dramatic rate. Then there are non-sanctioned applications, which fall under shadow IT. When you start thinking about securing the tools and identifying and mitigating the risks for the non-sanctioned applications, using 10 different security controls from 10 different vendors, things can get very complicated. Essentially, you would need to be configuring your encryption and DLP (data loss prevention) policy, and they all do it differently. The other thing that is really critical is that a major threat vector in the cloud is cloud to cloud data transmission.
So that is why we take an API based approach which allows us to put our arms around all the data that is out there and covers not only enterprise to cloud traffic, but also cloud to cloud traffic. And that is why if you’re using just a single point set of security controls from that vendor, you may not get that 360 visibility and control that you need.
Q. How significant is the risk of infection from use of personal devices for work? How do you plug risk from the end point?
Nielsen: Users will interact with corporate data and corporate applications from their PCs and mobile devices.
And some of these will be behind the firewall and some of these will be outside the firewall and some of these will be managed devices and some will be non-managed devices. So when you integrate your DLP engines, and CASB (cloud access security broker) engines on premise and on the cloud, as well as your web gateways, you are able to cater for all of these forms of access, be it mobile, PC, on the corporate network, off the corporate network, managed or non-managed devices. Traditionally we have been doing it with multiple controls, but to make security simpler and more manageable we are going to be unifying those three control areas using our Unified Cloud Edge platform.
Q. How significant is the India market for McAfee and in what way has it contributed to the company’s growth?
Nielsen: India is a special market for us not only because of the revenues we generate out of India but also because of our investment in India. Our largest centre in the world in terms of headcount is based in Bangalore. We have over 2000 employees which include 1500 engineers. More than a hundred patents have come out of the India center over the course of its 15 years of existence. While they’re working for us, they are building skills in global leading cloud technologies. So, we’re really proud of our contribution to raising a really large pool of talent around cyber security and engineering in the country.
Q. Will data localisation change attitude towards cybersecurity?
Nielsen: I think it is going to be very important how data is classified as this unfolds. And I think there are still a few moving pieces on what those classifications will be and what exemptions will be allowed. But you are going to see organizations, as they think of moving applications to the cloud, really thinking about where the data is residing, and how they meet their fiduciary responsibility around controlling that data and their responsibility to individuals who have given them that data.