The Technology landscape in India has grown leaps and bounds when it comes to the adoption of newer technologies. The pandemic precipitated a monumental shift in the way we communicated, did our work, or learned. India’s industries were metamorphosed by digital transformation as almost every business changed its ecosystem to adapt to a digital one.
Trends in India’s Digital Journey – Data, Security, and Transformation
Today, the cloud isn’t just a new-age technology anymore given the rise of hybrid cloud, and edge computing to name a few. The world has moved a step forward to running on the trend of Application Modernization driven by digital transformation. This means traditional applications are moving from traditional architectures to modernized microservices-based architectures across all sectors ranging from healthcare, agriculture, finance, education, or manufacturing.
The other trend that has taken the world by storm is edge computing by shortening the distance between data and enterprise applications benefitting both local edge servers and the Internet of Things. Edge helps reduce travel time for data because data storage and processing are localized, thereby accelerating the speed of processing.
The common link to these trends is ‘handling data’. As these trends gain momentum, security and secure engineering are becoming critical to this humungous exchange of data. As cliché as it may sound, data has become the ‘crown jewel’ or ‘new oil’ to an organization, making data security a linchpin for digital transformation. To understand this in-depth, it is important to understand and divide the application tier into three levels
- End-user: the one who accesses or uses services.
- Application: written to provide services to end-users.
- Infrastructure: one that encompasses storage, network, and servers, forming the infrastructure stack
Irrespective of the deployment model of the cloud, hybrid cloud, on-premise, this infrastructure stack plays the most critical role when it comes to security. The reason why we need to focus on the infrastructure stack is that the entire data or the crown jewel resides in the infrastructure, making it a primary goal to protect & secure this data.
Secure Engineering, a fulcrum for modernization
We have come to realize that data is a critical asset that will fuel innovation, progress, and transformation. Organizations today need to build the ability to keep this data safe and secure especially given the complexity of data environments. To achieve foundationally secure systems, organizations need to strongly consider infrastructure and solutions which follow security and privacy by design in their product/service development life cycle.
Security and privacy by design can be defined as an agile set of focused security and privacy practices that ensure that the software or hardware products and capabilities have been designed to be foundationally secure. It ensures that security and privacy are considered at every layer of the development involving every member role of a development organization (Architects, Developers, Testers, and Security Engineers) coupled with design thinking.
Security and privacy by design call for the development team to have:
- Threat Models of every component and sub-system: This process identifies, communicates, and understands threats and mitigations within the context of protecting something of value.
- Detail privacy assignments: This process helps to evaluate new projects, policies, and practices for privacy, confidentiality, or security risks associated with the collection, processing, or disclosure of personal information.
- Code Scanning: Helps programmers locate potential flaws and determine areas of improvement within the codebase.
- Security testing: Ensures the development process results in a secure code and threats identified as part of the threat model were properly addressed.
- Penetration testing: Includes authorized simulated attacks on a computer system, application, or IT environment to ensure they are tested to be hackproof.
- Vulnerability management: The process of searching for software vulnerabilities in applications by using an automated security program ensures the system is not affected by known vulnerabilities.
- Secure Release Process: A local business unit dedicated to audit and reviewing the readiness of a product release for the above-mentioned points.
Relooking at Cybersecurity
The sudden pace of digital transformation in the industry, the introduction of the hybrid work models, innovation, and development at breakneck speed has exposed several security lapses and loopholes across industries, prompting business leaders to relook at security. The 2021 Annual Threat Monitor from the NCC Group analysed cybersecurity events through the year of the pandemic and reported that enterprise data breaches, ransomware attacks rose by 92.7% in 2021 compared to 2022. This makes cybersecurity critical to an organization and brings us to some key questions – is your organization’s data resilient to cyber threats? In addition to security and privacy by design, does your infrastructure have key capabilities to cater to modern-day cyber threats and prevent a ransomware attack?
To overcome cybersecurity threats, the security model of an organization needs to embrace a data-centric security model in addition to or complimenting the traditional periphery-based or Defense in Depth (DiD) models. For instance, in a financial organization, an external ransomware attack can be prevented through peripheral security. If an attack on the data happens from the inside of the organization, as DiD model in which a series of defensive mechanisms are layered to protect valuable data and information can be used. Either way, the risk of critical data being tampered with remains high. What if the data is protected at its source? Today, industries are cognizant of the importance of data protection and are working towards building infrastructure-centric security, a process of protecting the data via the use of infrastructure designed to be cyber resilient. Such an approach needs the infrastructure to be developed using security & privacy by design and encompass elements such as:
- Zero trust security
- Confidential computing
- Pervasive encryption
- Adaptive authentication
- Detection and forensics of threats with granular security audit logging
- Enable Data Protection with hardware security modules – From physical storage to data-in-use
- Improve isolation and segmentation of workloads using logical partitioning
- Air-Gapped Backups, etc.
In today’s dynamic world of innovation, transformation, modernization, and disruption, the idea of digital and data security aren’t discretionary anymore but a prerequisite for a foundationally secure enterprise. Industries will have to embrace infrastructure-centric security and follow security and privacy by design as a practice to create secure and enterprise-ready IT services and products for their consumers for a truly safe and progressive digital transformation.
The article has been written by Subhathra Srinivasaraghavan, Director, IBM India Systems Development Lab and Sandeep Patil, STSM, Master Inventor, IBM Storage CTO Office