“Applications that are not visible in a different environment cannot be protected”

Edgar Dias

Edgar Dias is the Managing Director at F5 Networks for India. In his current role, he is responsible for driving business growth and expanding F5’s India operations. Edgar has over 22 years of experience across networking, cloud and SaaS, bringing with him an excellent understanding of the industry to accelerate revenue and profit growth opportunities.

Prior to joining F5 Networks, Dias was Managing Director at ServiceNow India & SAARC. He was also Managing Director at Brocade Communications India & SAARC and has held various senior roles at Juniper Networks, Nortel Networks, Alteon Websystems, and Wipro Infotech Ltd.

In an exclusive interaction with CISO MAG’s Rudra Srinivas, Edgar Dias narrates his journey, the vision of the company, and the challenges he confronts.

As a security leader, what are the challenges you face while executing new security strategies?

Today the world wide web is much wider, but perhaps not secure. Digital transformation has increased the application footprint (consider different and expanding form factors like web, mobile, APIs, microservices, bots, and more). Modern app architectures are diverse and extend across hybrid and multi-cloud environments, with each app service carrying a potential for compromise and increased exposure. Hence the need to protect app services has become increasingly vital as the attacks are more at the app layer.

The biggest challenge is to defend against sophisticated attacks, which the existing standard security tools generally fall short of doing, as some attacks need to be detected automatically.

With a wider sprawl of applications deployed across different environments, visibility is the key. Applications that are not visible in a different environment cannot be protected. Hence, collecting data from multiple endpoints and correlating it to make sense of the threats are both a challenge and an opportunity.

Secondly, security should be dynamic and proactive. The system should be capable of analyzing potential threat scenarios and acting with minimal human intervention, which requires skills above and beyond security alone.

What are the challenges a company encounters during cloud adoption/migration? Why are companies hesitant to move toward a cloud setup? Is (inadequate) cloud security still a hindrance to cloud migration/adoption?

The first challenge is one that may not be identified until it happens: multi-cloud sprawl, where existing applications have been lifted and shifted and born-in-the-cloud applications have been deployed in an unplanned and unmanaged manner. Different IT and DevOps teams, siloed by organizational structure or function, independently design and deploy their applications and select the cloud provider infrastructure services and technologies that best meet their individual needs. It should come as no surprise that siloed teams with varying needs result in architectures that are also siloed and varying.

Several enterprises value both deployment agility and native cloud services to meet their short-term needs. Using native cloud services certainly seems like a simpler, faster, and more cost-efficient approach for small teams or narrowly focused projects. However, this lack of a disciplined methodology leads to the second challenge: the use of disparate cloud platforms, different architectures, varying application services, and multiple toolsets. This results in architectural complexity across the enterprises and makes shifting applications from one environment to another much more difficult, not to mention more expensive.

The result of application sprawl and architectural complexity is limited resiliency against architectural changes and inherited technical debt.

Today more organizations are moving their businesses to cloud, and with new multi-cloud strategies, organizations can work efficiently resulting in better outcomes. However, the top challenge that our customers face when they move on to the cloud is to ensure consistent security across all applications. There is a rising security concern and a huge disparity between public cloud app and on-premises services deployments.

Second, and perhaps less obvious, is that consistency goes beyond the application service. There are many web application firewalls used but their capabilities are not necessarily equal.

To achieve consistent security across all applications in a multi-cloud world requires consistency:

  • Functional Consistency: Deploying application services from different providers can be problematic for users and difficult to manage operations. The key, however, lies in the uniformity of functionality that can create a seamless system for businesses.
  • Operational Consistency: The second, and less mentioned, source of inconsistency is at the platform layer. That’s the application delivery controller (ADC) for a significant number of enterprise organizations. When moving to the public cloud, many organizations opt (intentionally or accidentally) to employ cloud-native options for application services. That immediately introduces operational inconsistency at the platform layer. The way that you provision, onboard, and operate those application services is operational, and introduces operational debt the moment you hook into the first API.
  • Consistency Needs Standardization: With IT under pressure to deliver value to the business, increasing operational staff in order to maintain multiple platforms and a menagerie of application services seems orthogonal to the goal of achieving multi-cloud consistency. Standardization, especially at the operational layer, is a key component to innovation because it alleviates the burden on staff to focus on operating platforms and encourages collaboration on policy and architecture. By ensuring both operational and functional consistency across properties, organizations can achieve the consistency of policy they desire without breaking their budgets.

Could you brief us about F5’s recent acquisition of NGINX? What additional value did it bring to F5’s multi-cloud application services and portfolio?

The F5-NGINX combination enables multi-cloud application services across all environments, providing the ease-of-use and flexibility developers require, while also delivering the scale, security, reliability, and enterprise readiness network operations teams demand. Secondly, it is extremely lightweight and ideal for Kubernetes, considering how applications today are moving towards a containerized environment.

Also, when you want to scale out and scale in applications in real-time, the load balancer sitting in front of the application must be equally lightweight and flexible. NGINX can provide next-generation architectures that application developers are looking for.

Every single company today is interconnected using APIs. You need to have a gateway that can control the API communication. API security has now become the next aspect for security concern and as you expose your applications to a third-party application, vulnerability increases. So, it is crucial that API traffic is inspected thoroughly to ensure that the communication is legitimate. Together with NGINX, we can provide end-to-end application delivery solutions.

With Cloud Security being an increasingly preferred choice for the new security architecture, how can enterprises deploy, manage, and protect themselves from evolving threats?

Organizations are beginning to realize that the cloud does not lend itself to static security controls. Like all other elements within cloud architecture, security must be integrated into a centralized, dynamic control plane. In the cloud, security solutions must have the capability to intercept all data traffic, interpret its context, and then make appropriate decisions about that traffic, including instructing other cloud elements on how to handle it.

These concerns include authentication, authorization, accounting (AAA) services; encryption; storage; and security breaches. Adding to this array of concerns is the potential loss of control over your data.

According to F5 Labs researchers, 86 percent of successful data breaches begin with compromises of the application layer services or user identities, placing responsibility for app security squarely in the hands of the app owners, developers, and enterprises deploying them.

With applications residing on various Clouds, CISOs face the challenge of formulating and administering a consistent policy that can be deployed in real-time. What are your suggestions/solutions to enterprise CISOs on this?

We spoke about the need for CISOs to be aware that the move to a multi-cloud is a conscious decision, driven primarily by the type of application being deployed. Organizations must resist migrating to the cloud just to get around the inefficiencies of legacy IT infrastructure and processes.

We also discussed the need for consistency. Application services aren’t always moving with the applications they protect. The disparity between on-premises and cloud app services deployments leads to security concerns. This means that organizations are deploying apps in the cloud, but they are not matching application services deployments at the same rate.

MSSPs are being targeted these days and that ups the risk factor for enterprises. What should enterprises and MSSPs do to mitigate these risks?

Securing a company’s IT infrastructure and systems requires 24/7 monitoring and expertise as cyberattacks have grown in both volume and sophistication. To protect themselves, mid-market businesses and enterprises often turn to managed security service providers (MSSPs), which are designed to deal with complex and targeted assaults. However, beyond a 24/7 response to threats, a good MSSP should have experienced security engineers well-versed in a range of security threats. They will also be supported by the right security technologies and follow industry-standard incident response methodologies for rapid escalation.

Rudra Srinivas is part of the editorial team at CISO MAG and writes News, Features, and Interviews.