Introducing November's Cloud Security Champion

Manav Gupta, Head of Europe Cybersecurity Transformation and Transition projects, HCL Technologies, is this month's #CloudSecurityChampion! You can read his interview with techUK below.

Congratulations to Manav Gupta, Head of Europe Cybersecurity Transformation and Transition projects, HCL Technologies, for being selected as techUK’s ‘Cloud Security Champion’ for the month of November.

The purpose of techUK’s Cloud Security Champion campaign is to celebrate the work of UK cloud security specialists in helping build a culture of trust and confidence in cloud computing and showcase how they are supporting organisations to adopt, deploy and use cloud services securely. This is also an opportunity to learn from those working in cloud security about the current threat landscape and examples of the strides being made in enhancing security. 

A new techUK ‘Cloud Security Champion’ will be chosen every month, so if you would like to nominate a friend or colleague to be the next Champion, please drop us a line.

 

1. What are your current responsibilities as Head of Europe Cybersecurity Transformation and Transition projects and what does a typical day involve?

A typical day starts with revisiting the progress of work taking place to augment security in cloud services and create models for cloud security. Then there will be scheduled meetings with customers and internal team catch-ups. Since my responsibility includes improving cloud security for our customers, most of my time is spent working on new cloud security designs and solving customers’ issues pertaining to their respective cloud environment.

In a nutshell, my day-to-day activities include:

  • Planning and designing cloud security architectures for various use cases
  • Validating them against test cases and reviewing progress
  • Cloud security assessment and control validation
  • Cloud security controls, design, and blueprints
  • Cloud native or third-party security control implementation to secure customers’ data
  • Workload/data migration to cloud environments
  • Security incident response for any breach of cloud workloads
  • Further continuous assessments

 

2. What do you most enjoy about your work?

Learning new things is the most enjoyable part for me. There is a lot of diversification in my job, starting from security business development support to escalation management. We usually deal with a lot of challenging and unique requests from our customers to support their businesses. These challenges always keep us alert, and we learn a lot from them.

 

3. Why is cloud important to the UK’s economic growth and what does the future hold for adoption and maturity of cloud in the UK?

Digitisation is the future, especially due to COVID-19; every high street business wants to go online and adopt economies of scale, for which cloud is the perfect candidate.

In my view, it makes perfect economic and futuristic sense for all organisations to embark on their journey to cloud adoption, though for some adoption may be constrained by regulatory requirements or the organisation’s considerations for certain critical data.

Cloud provides numerous possibilities, not only for big organisations but for small start-ups as well. Earlier, setting up information systems for small companies was difficult and investment-heavy, but with the advent of cloud, it becomes very flexible and low cost to set up and use. The number of PaaS and SaaS-based services allows organisations to overcome system-level dependencies, which otherwise would have had to be managed manually. Now, developers just need to focus on core application development tasks.

 

4. Would you agree that the conversation about cloud security has shifted and cloud users increasingly recognise the security benefits of cloud services?

Yes, I am in complete agreement. In early 2006-2007 when cloud providers started with public cloud offerings, organisations were afraid to embrace it due to multiple factors, with security being one of the main concerns. Compliance, data protection, secure configuration and visibility were some of the main concerns for organisations reluctant to transition to the cloud.

Cloud providers accepted these challenges and developed services that brought confidence to the industry. At present, cloud providers offer far better security controls and services, which are otherwise difficult to achieve on a private data centre without incurring a very high cost. Cloud native security controls are increasingly popular because of easy integration and provisioning. Most of the cloud providers and their services maintain minimum security baselines benchmarked with ISO 27K, PCI-DSS, HIPAA, and more.

 

5. What are the key security concerns affecting greater cloud adoption and how can these issues be addressed?

Flexibility and agility are two of the main characteristics of cloud services, but at the same time, these are concerns for the CISO (Chief Information Security Officer). They are always worried that security may be compromised when it comes to agility in consuming IT services in the cloud; for example, an in-cloud virtual machine can be provisioned in less than five minutes. As a result, common concerns are:

  • Has the administrator followed all security processes?
  • Are all the security agents/tools part of the virtual machine?
  • Has secure configuration been used?
  • Are security visibility and audit trails in place?
  • Has all necessary evidence been retained for compliance purposes?
  • Security of data in the cloud

To overcome these challenges, a stringent security policy framework for consumption of all services must be enforced in an automated way, so that security can be enabled in the background from day one without affecting ways of working.

 

6. What steps should organisations take to adapt their cloud security posture to the rapidly changing online environment?

Security must be embedded into the DevOps/online development services in the cloud while based on the “Security by Design” concepts and “Zero Trust” framework. Organisations must establish security policies and governance frameworks, and wherever technically possible, this framework must be automated and integrated with security tools and technology. For example, whenever any new online service is commissioned or a change is being made to an existing service, there should be an automated way to:

  • Determine security vulnerabilities and configuration drifts
  • Remediate such vulnerabilities quickly
  • Report security exceptions and present dashboards to the C-suite

 

7. How can the cloud market equip organisations with the understanding, skills and knowledge to make the right cloud decisions for now and for the future?

Cloud providers need to educate and provide opportunities for organisations to understand cloud services, to give them the confidence that they can overcome their business and security concerns. Some cloud providers are already doing so, but we need to see more sessions being set up with business and IT strategists (CIOs, CISOs and business heads). This will help them to understand their visions and develop suggestions on how cloud adoption may enable them to focus on wider business objectives, rather than worrying about running infrastructure and ensuring security. The education system should also introduce the topic of cloud and security as part of the school and university curriculum, so that future workforces grow up with a solid foundational understanding of cloud technology.

 

8. Building trust and confidence in the security of cloud computing services remains fundamental to the continued use of cloud services by organisations. What would you suggest is the one thing all companies should do to improve their cloud security?

The one thing that companies should do to improve cloud security is to re-examine how they are managing identities. For me, Identity and Access Management (IAM) is the key for securing the cloud, as it has become a new boundary in the cloud environment. The following will also certainly improve security posture in the cloud:

  • Role-based access control having the least privilege principle
  • Authenticating IDs using a password-less method
  • Having visibility into ID usage and alert triggers based on suspicious behaviour
  • Governance and certification processes around IDs

 

9. How can the cloud industry encourage someone considering a career focussed on cloud?

Awareness and education is the only way. In the same way information technology is taught as a separate course in schools/colleges and universities, cloud technology should be part of this curriculum in detail. Cloud providers must work with governments and education systems to offer:

  • Free courses and certification programmes on cloud technology
  • Mentorship programmes
  • Understanding of platform availability
  • Test environments for students to play around with
  • Incentives/rewards programmes to attract top talent