One should have a bulletproof change management system: Nadir Bhalwani, CIO & CTO, Care Ratings Ltd

CareEdge Ratings (CARE Ratings Ltd) commenced its operations in April 1993. Since then, it has established itself as a leading credit rating agency of India: it helps corporates raise funds for their requirements and assists investors in making informed investment decisions based on credit risk and their own risk-return expectations. The company also provides a wide range of rating and grading services across sectors. It also has a strategic alliance with the Japan Credit Ratings Agency (JCR) and an MoU with the Russian rating agency ACRA.

Express Computer had a chance to interact with Nadir Bhalwani, CIO & CTO, Care Ratings Ltd., during the Enterprise Data Center & Infrastructure Summit 2023 held at Hotel Sahara Star, Mumbai, on a range of topics related to cloud security, SAAS based applications and Privileged Access Management.

Here are the excerpts:

  • What do you think are the key challenges in securing cloud based applications?

It all depends on which model you go for on the cloud, so if you have a private cloud then your challenges are different, and if you are on the public cloud, your challenges are different. When you are on the private cloud, it’s your complete responsibility to make sure that your applications and infrastructure are secure. And, if you are on the public cloud, then it is a joint responsibility.

Perhaps the major challenge is to understand how much security one actually requires. We all have budgets, we all know what data we have, in what quantity we have it, and what we need to secure. And that doesn’t mean that one has to get the multiple solutions that are available in the market; we don’t have to get all of them for our infrastructure or applications. In my view, the biggest challenge is to choose what you really need based on what your applications are and what kind of consumers you cater to, so that’s point number one.

Secondly, if you go for a public cloud then you need to be very certain about what your SAAS provider has in terms of security. So, you need to ask them the right questions, like: what do they need? How much do they need, and how do you implement it for your solution?

  • Can you brief us on the overall strategy for securing your cloud based applications, including SAAS based applications?

Let me first talk about the SAAS based applications. As I had mentioned before, if you are going for SAAS based applications your responsibility is a little different; there you need to start asking the right questions to the service provider regarding what they are doing to make sure that their applications are secured. So the first question would be: what’s your disaster recovery strategy? If something happens to your production site, how do you move to the DR (Disaster Recovery), and have you tested that regularly? The most important thing in security is availability. So DR is important for everyone to know that if any situation happens, can they seamlessly move to the DR, or is there a longer time that would be taken to move to the DR? The other questions could be: how do they encrypt the data, what kind of authentication do they use; these are the kind of questions which you need to ask a SAAS based service provider. Also, whether it is on-prem or on cloud, you could have a major challenge in terms of unauthorised access. So IAM (Identity and Access Management) becomes very important, which not only gives you an audit trail of what is happening but also gives you alerts on some abnormal behaviours. Also, if it’s your own system then you need to make sure what encryption you are using, so that the data, whether it is at rest or while it is moving, is constantly getting encrypted.

  • Could you give your perspective on reducing the effect of lateral supply chain attacks, like privileged access management?

Before I talk about access management, I just wanted to add one more thing on the issues which happen, maybe through a change in configuration or some access issues, which lead to a possible security breach. According to me, the only solution for that is that one should have a bulletproof change management system; if you don’t have that and you are just making a small configuration change, make sure that there is a maker-checker in place for that. And, if you are making a bigger change that affects the application, then one needs to post the changes during production time to make sure that there is a scan time before you actually expose it to the internet. All of these are small things, but I am sure whenever you do any change, please make sure that you have this process in place. If you do these small things, then your issues with configuration changes and security breaches will definitely get reduced. And, as I always say whenever I talk about security, the most secure system in the world is the one which is shut down, but today that could also be a huge problem as there could be a physical theft.

Nothing can give you a guarantee of being completely secure. What we can do is follow the processes, follow the checklist which we have, and make sure that we implement everything. Coming to the question of access and PAM (Privileged Access Management): PAM, even today, is not considered to be an accepted concept across the board. I am sure very few of the organisations, maybe 50-60%, would have implemented PAM till date. In my earlier organisation, we started the journey for PAM in 2010; some organisations are only now adopting it. If you know exactly what needs to be done, there are now more solutions available. Typically, you implement PAM in the right manner when you make sure that there is a complete workflow for providing normal access as well as privileged access, which again goes through a multiple approval mechanism, and the configuration of PAM becomes very important: what are you tracking? What kind of abnormalities are you tracking? Are you tracking the administrators’ commands? Or are you making sure that some commands are not allowed? So typically you make sure that the database administrator cannot use some commands, as some of those commands, if allowed or used, could compromise your database or shut it down; or, if one needs some approvals to use such commands, things like that should be configured in a PAM. Typically, when one starts off, they know a few things about what they can do in PAM, but as one moves ahead you understand and learn many other aspects of it.
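The two controls described above, a maker-checker on changes and a PAM that blocks or gates specific administrator commands while keeping an audit trail, can be sketched as one small policy gate. This is an added illustration, not code from CARE Ratings or any PAM product; the verb lists, user names and commands are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy for this example: verbs a DBA may run freely, verbs that
# need a second person's approval (maker-checker), and verbs never allowed
# through the privileged session. Anything not listed fails closed.
POLICY = {
    "allow": {"SELECT", "EXPLAIN", "SHOW", "ANALYZE"},
    "approval": {"ALTER", "GRANT", "REVOKE", "TRUNCATE"},
    "deny": {"DROP", "SHUTDOWN"},
}

@dataclass
class Approval:
    command: str        # exact command text that was approved
    requested_by: str   # maker
    approved_by: str    # checker; must differ from the maker

@dataclass
class CommandGate:
    audit: list = field(default_factory=list)   # every decision is recorded

    @staticmethod
    def verb(command: str) -> str:
        m = re.match(r"\s*([A-Za-z]+)", command)
        return m.group(1).upper() if m else ""

    def decide(self, user: str, command: str, approval: Optional[Approval] = None) -> str:
        verb = self.verb(command)
        if verb in POLICY["deny"]:
            decision = "denied"
        elif verb in POLICY["allow"]:
            decision = "allowed"
        elif verb in POLICY["approval"]:
            # Maker-checker: the approval must match this exact command, be for
            # this requester, and come from a different person.
            ok = (approval is not None and approval.command == command
                  and approval.requested_by == user and approval.approved_by != user)
            decision = "allowed" if ok else "approval-required"
        else:
            decision = "denied"  # unknown verb: fail closed
        self.audit.append({"user": user, "verb": verb, "command": command, "decision": decision})
        return decision

    def alerts(self, threshold: int = 3) -> list:
        # Abnormal behaviour: users with repeated blocked attempts
        blocked = [e["user"] for e in self.audit if e["decision"] != "allowed"]
        return sorted({u for u in blocked if blocked.count(u) >= threshold})
```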
