
“We’ll see more attacks that target cloud misconfiguration issues”

Ravi Ivaturi is Sr. Vice President – Digital Security Architecture at Citi. He is a cybersecurity leader with deep expertise in building cybersecurity programs for emerging technologies. In his current role, Ravi heads the Cloud Security Architecture function for Citi’s Consumer division, providing security leadership for financial products used by millions of individuals across 19 countries. He also serves on Citi’s apex Security Architecture Council, providing oversight to enterprise-wide security architecture. With over 15 years of cybersecurity experience in the Financial sector, Ravi brings together a well-rounded experience and thought leadership in emerging-technology risks, security assessments, compliance, and technology risk management. Ravi holds a master’s degree from New York University in Computer Science.

In an email interview with Brian Pereira, Principal Editor, CISO MAG, Ravi talks about the mistakes that companies are making as they rush to adopt cloud computing during the pandemic months. Why do data breaches happen on the cloud and who should be responsible? How does one get around cybersecurity challenges? These are some of the questions that Ravi addresses in this interview.

Excerpts from the interview:

As organizations rushed out to adopt cloud, they found that there were numerous security challenges due to misconfiguration, etc. How big is the problem and what are the reasons for this? In what way is the cloud security provider responsible? What does the tenant/customer need to do to mitigate these security risks on cloud?

I’d describe the scale as “unheard of.” If we look at the count of records exposed over the past three years, we are looking at billions each year. In the current year, the number already exceeded 27 billion records by Q2, 2020. Research reports indicate that over half of these records were due to misconfigured Internet-based storage services or Cloud-based services.

That said, businesses need to adopt Cloud for staying relevant and competitive. When building use cases on Cloud, organizations will need to evolve and refine all the processes, controls, risk-assessments, and cyber defense capabilities associated with software development.  The evolution must be towards delivering software relying on “as-a-Service” architecture.  Organizations that fall short on this front are likely to have security incidents – like the ones that make headlines.

With regards to the role of service providers – I’d not yet blame the Cloud service providers. The breaches we have seen so far stem from gaps in the use cases – “security-in-the-cloud” bucket as opposed to “security-of-the-cloud.”  That said, I think the major cloud providers can do better when it comes to educating cloud adopters on the major differences with the on-premise equivalent services.

During the pandemic months, new types of attacks on infrastructure changed the security paradigm. How does this compare with the pre-COVID days and even the early days of online security?

From what I gather, COVID times have led to a greater number of attacks on VPN infrastructure and endpoints. That said, organizations that had invested in cloud-based virtual desktop interfaces (VDI), switching from laptops, have fared significantly better.

In general, as the adoption of cloud-based solutions increases, we’ll see a lot more attacks that target cloud misconfiguration issues. We already have crawlers that look for storage repositories like S3 and MongoDB instances exposed on the Internet with default or no passwords. We can expect to see much more sophisticated attacks, and the scary part is that these attacks will quite likely bypass an organization’s existing monitoring tools. For instance, take the Capital One breach of 2019. The attacker downloaded the data from an S3 bucket over the Internet – not via the Capital One network, thus bypassing all their security monitoring tools.

Studies show that cybersecurity skills needed for the cloud are lacking and this is a problem that organizations are grappling with. What are the new skillsets that are in demand? What is the way for organizations to work round the skillset shortage?

Cybersecurity requires a deep understanding of the technologies as well as their pitfalls. Cloud platforms have led to the introduction of several new services, nuances, and design patterns. So, individuals that bring a strong understanding of the cloud platforms are in great demand. This is the case for not just cybersecurity but also for compliance, infrastructure, and development functions. While training is an essential response to skill shortage, it’s not adequately tactical in my view. I’d think organizations can overcome the challenge by hiring “cloud specialist” resources at senior levels and leveraging them as force-multipliers.

The cloud presents numerous advantages, especially for Cloud Security. But organizations have not yet tapped these for advantage. How should they go about it?

That’s a great question. Let me draw your attention to AWS CEO Andy Jassy’s statement at 2019 Re:Invent: “About 97% of the IT is still in corporate data centers.” Over the past two decades organizations have developed or employed tools, processes, systems that are suitable for this footprint. While Cloud is making rapid inroads, an overnight evolution to a similar degree of maturity is not easy. Further, the cloud services themselves are constantly evolving and at a rapid pace. This raises the bar even higher. Organizations will start building out capabilities gradually as they increase their cloud presence. I certainly think there’ll be a major role for cybersecurity vendors in speeding up the capability transformation that’s underway.

What are some myths and misconceptions about challenges on Cloud Security? What is the reality and how should organizations deal with it?

That’s a tricky one … from what I have witnessed, the single biggest challenge for Cloud Security is a general lack of understanding that Cloud services, while they look all familiar to their on-premise equivalents, have underlying architectures and attack surfaces that are significantly different. The simple fact is Cloud adoption requires deliberate analysis and planning. There are no shortcuts to it.

Can you elaborate on this? What are you observing in the industry?

Compliance programs have been reactive; people and process heavy. Usually, management teams are looking at reports for the state of affairs about two to four weeks ago. This often results in conversations that end up being subjective and, often, political. All these factors limit the effectiveness and value addition that compliance programs bring to the business. Cloud offers this very unique opportunity to make compliance pro-active, automated, and even provide telemetry that is current. There are a few vendor products that help build out “compliance-as-code” and seem quite promising. How swiftly the compliance teams, industry standards, and the larger ecosystem adapt themselves is yet to be seen.

About the Interviewer
Brian Pereira is the Principal Editor of CISO MAG. He has been writing on business technology concepts for the past 26 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).


The views expressed in this article are entirely personal. The facts and opinions in the article do not reflect the views of Citi.