Standing on the customers’ side

Malaysia was one of the first stops for Fortinet’s Accelerate Asia 2022 roadshow, in early June. The highly anticipated customer panel had an illustrious lineup of well-seasoned cybersecurity professionals and an IDC analyst. The session was moderated by Rashish Pandey, VP of marketing and communications for Fortinet Asia.

Besides sharing comments about cybersecurity spending and looking into the interests of the end user, the panellists added views on other prevalent industry trends such as cloud computing security and zero trust.

Kelvin Chua, Fortinet SEAHK’s system engineering, viewed zero trust as something that involves the device, cybersecurity posture, and also the application. “So, it’s really a package.”

He shared how the pandemic had driven accelerated uptake of VPN (virtual private network) services, which traditionally have been implicit transport.

According to Kelvin, when a user logs in with their user name and password, they can gain access to every part of the network regardless of how the infrastructure is designed.

With zero trust network access, VPN services have taken it a step further by not only authenticating users, but authenticating devices via certificates and even doing what Kelvin called a ‘cybersecurity posture check’ to ensure that the device is really safe.

Is zero trust a technology for everyone?

Rodney Lee, Firmus’ subject matter expert responded to the idea of Zero Trust with, “I always believe in standing on the customer’s side and executing a MacGyver principle, in terms of purchasing.”

He posed the theoretical question that organisations could ask at the start of every purchase decision process: What can I use with what I have first before I talk about the advancement of technology?

“Does it mean that if I don’t have zero trust, I can’t go out to the Internet?”

Shanker, Cybersecurity group head from Averis, also brought up the pertinent point that if zero trust requires authentication multiple times before one can access services, will that not impact the user experience?

Perhaps another way to look at it is: is zero trust a binary choice, or is there a pathway to zero trust?

Ultimately, zero trust is a framework and solution that may not necessarily require the purchase of new technology.

Rodney reminisced about a bank in Malaysia that implemented zero trust ten years ago – this bank disallowed its employees from email communications on their machines. Instead, they would need to send and receive emails from one dedicated computer.

That could be seen as zero trust at work as well.

What is cloud computing from a cybersecurity perspective?

Rashish said, “Everybody is moving to, or planning to, or thinking about moving to the cloud in some shape or form. What does the shift to a hybrid cloud, or private cloud mean? Is it just another workload or is something else to think much more deeply about?”

Dr. Suresh, chief research officer and CISO at Center for Advanced Computing and Telecommunications (CACT), pointed out that cloud makes the security journey much, much more difficult.

A case in point is the 6000 access controls that admins have to learn to be able to configure a single identity on the IAM (identity and access management) portion of Amazon Web Services (AWS).

So, it requires a completely different skillset to master, and this is further compounded in multi-cloud environments – more access controls and configurations to master!

“And the dynamics of how security works on cloud may be similar, may be different. It depends on which provider you use, and what model you use.

“So, that’s a completely new stack of technology that you have to master, and you also have to secure this completely new stack of technology,” Dr. Suresh said.

Rather than having to master another set of requirements and policies, a single pane of glass to view and manage on-premise and off-premise IT environments would be very useful, he also opined. “That would make it much easier for customers to adopt.”

Credentials on GitHub?

Threats are not just attacks from nation state hackers, or sophisticated advanced persistent threats (APTs) from sophisticated attackers with deep pockets.

There are also opportunistic attacks which can happen to the cloud instance due to lack of proper skills at configuring cloud settings, for example.

Another example is when an organisation’s third-party vendor posts source code, along with credentials, on websites like GitHub.

“These are real tangible issues that people face (when using) cloud technology.

“There is a new set of skills that need to be mastered, and I guess Fortinet could step in and help you,” Dr. Suresh said, suggesting that cybersecurity vendors and service providers could ‘learn’ those skills instead, as well as provide a convenient interface and security baselines that would allow organisations to configure settings that enable safe, secure operations.

Rodney emphasised that architectures by cybersecurity vendors need to translate into physical and actual delivery for end users.

Training and jobs

Kelvin said, “As part of supporting this gap, we are continuously ensuring that we develop reference architectures so it is practical for organisations that are moving architecture of their systems to the cloud platform.

“We are also helping customers on their journey to the cloud, and looking at how to reduce cloud misconfigurations because it is quite a major problem.”

Besides providing technology solutions, Kelvin shared Fortinet initiatives like offering security awareness training, training for more cybersecurity professionals in the market so they are able to handle all cybersecurity challenges with NSE (network security expert) certifications, and so on.

“Our aim for the industry is to train a million cybersecurity professionals.”

Skills gap – is formal education delivering enough?

Rashish went on to highlight the next point, the current skills gap. “I can say with confidence, that pretty much everybody in this room wants to hire more, but they are finding it challenging to hire the right set of cybersecurity experts.”

This leads to the larger question of what can be done at policy level, government level, or even intra-government level to help resolve the skills gap and strengthen overall security posture at a national level.

Rodney weighed in with his thoughts that vendor collaboration, like Fortinet has with three universities in the past few years, would help a lot.

“As I am talking now, our company is still hiring, and we have 60 vacancies so it’s crazy. Shanker is hiring, I know many of you are hiring. You can’t get people right now. Many of the cybersecurity people that are coming out of colleges and universities today are not ready.”

Rodney also shared how his previous work with a university in Sarawak gave him the opportunity to link with one government agency. The university could send their graduates to this agency, and it also prepared a three-year programme to ensure the theoretical basics of security were imparted, as well as security operations centre (SOC) experience, with students getting a feel for analyst, threat intel professional, and SOC manager roles.

“When they come out to work, they would immediately know how to run security themselves.

“These are skillsets that need to be learnt together with solution vendors. For every dollar that vendors make, they can maybe send back 25 cents to the community, and work with universities to develop syllabuses that help students be industry-relevant when they graduate.”

Dr. Suresh pointed out an upcoming trend among large organisations whereby, ‘You no longer need a degree to be able to be successful in your career.’

“Perhaps there can be a parallel route for students to get into the industry, instead of setting university degrees as bare minimum to qualify and be successful,” he said.

Dharmaraj opined that the younger generation’s mindset tends to veer towards, ‘What’s the ROI for me as an individual if I take this up?’

“If that can be made very clear through a combination of collaborations with industry experts as well as academia, I think that will help by way of building a more robust talent pipeline as well.”