The Covid 19 pandemic accelerated the pace of transformation for all business giving way to a ‘new normal’ of people working from homes. With the sudden transformation, the prominent challenges for organizations were cybersecurity and safeguarding any breach or threat that could impact business and their users respectively.
Team NewsBarons connects with Rajendra Vallecha, a digital transformation expert for cybersecurity and compliance systems and a senior business analyst for Atos Syntel Europe Limited. He has, to his credit, designed and modernized the IAM system for the world’s third-largest asset manager. Interview excerpts.
NB: What is a general outlook of digital transformation in cybersecurity space?
Rajendra: The world is a very different place now, in comparison to 2020 as the pandemic has forever changed how organizations look at cybersecurity. Working from home has introduced a new ‘attack gateway’ for hackers. Working from office is more secured as the malware or strange network activity could be monitored. At home, it builds vulnerability to the employer’s ability to protect itself with the increased risk of downloading malware and accidentally sending the same to the company’s network. Hence, remote working has captured greater interest and board attention leading to higher investments in cybersecurity that enables secure remote access.
Cybersecurity giant Microsoft for the first time disclosed revenue from its various security offerings as part of its quarterly earnings of $10 billion over the last 12 months amounting to a 40% year-over-year jump in the growing security business, making up roughly 7% of the company’s total revenue for the previous year.
In nutshell, companies are changing their strategies with surges in cybersecurity investments.
NB: What steps should organizations take to make “Work from home” environment more secure from cyber attacks?
Rajendra: Security can be broken down into four categories: security, compliance, identity and access management. Working from home will require to not only provide security on employer-provided devices, but also on employee’s devices, which might have Apple’s iOS or
macOS or Google’s Android, as well as products running on competing cloud platforms like Amazon Web Services and Google Cloud Platform. Digital transformation will be required at every single point to ensure security. Timely software updating, ensuring endpoint protection, having a strong firewall, backing up the data, a robust access management system, executing phishing simulations are few important aspects of security to be considered by the organizations. Apart from training the staff, organizations should also provide a comfortable and open environment/mechanism for employees to report back any data breaches. Organizations can also rely on the cloud-based service called managed security service provider, which can help to provide the security support that would otherwise be missing in a WFH setup.
NB: As a cybersecurity expert, can you throw some light on upcoming advancements in Identity and access management (IAM) space?
Rajendra: Apart from implementing multifactor authentication, strong password guidelines and digitally transforming ‘Joiner, Leaver & Transfer’ processes and making them foolproof, securing the data by implementing privileged access management and periodic recertifications is extremely important to make the system robust and secured.
One of the key concepts is Zero Trust that requires all users, even those inside the organization’s enterprise network to be authenticated, authorized and continuously validating security configuration and posture before being granted access to applications and data. This approach leverages advanced technologies like multifactor authentication, identity and access management (IAM), and next-generation endpoint security technology to verify the user’s identity and maintain system security.
Due to the stringent password guideline, the passwords have been longer and difficult to remember, making them easier for hackers to guess or steal. Password-less solutions like biometric authentication or Authenticating using the mobile device can minimize or eliminate many identity attack vectors, including those exploited in the most sophisticated cyberattacks. Although going password-less will be non-negotiable for admin-level accounts, however, it will provide employees with a fast, easy sign-in experience saving their time and reduces frustration.
NB: What are the key factors you consider when designing an Identity and access management system (IAM)?
Rajendra: I always consider the MVP (minimum viable product) and the need v/s want comparison of requirements when designing any IT system first. In the case of IAM system, the basic business need is to ensure that right people have right access to just enough data so that they can perform their daily duties.
From a functional point of view, it will be essential to develop robust ‘Joiner, Leaver and Movers’ processes. To ensure advanced security, developing processes like re-certifications and Privilege access management are significant.
From a technical aspect, the IAM system will be connected via a “connector” (a piece of code that enables automated provisioning/de-provisioning of access) to different applications and platforms in the system. A role-based framework will ensure how the access/permissions in the system will be configured. This can be decided based on the size and volume of the applications and platforms. Overall, the time-based approval workflow of the system should consider senior management’s approval to access critical information/data, this will ensure maximum control on data.
NB: What would you suggest the employees should do to prevent cyber-attacks?
Rajendra: With advancing technology, it is not prudent to simply rely on firewalls and antivirus software for protecting the system. History and statistics are evident that time and again breaches are mostly caused by insiders and these are often more costly for an organization than other types of hacks. The role of the employees is of utmost importance in protecting the enterprise. At home or outdoors or at the office, an employee has to be in control of the system. Investment scams grew by 23% in 2020 as criminals used social engineering to exploit innocent users hence it is important that employees should be vigilant of Phishing emails. Other than that, employees should diligently use the identity and access management systems for getting access to applications/platforms or data. In case an employee notes a data breach or policy violation, he/she should always report.
Following simple guidelines like never setting up same passwords for different applications/systems also counts towards securing the data.