How CISOs Are Tackling Challenges Related to COVID-19 CrisisDealing With Zero Trust, Shadow IT and More
As CISOs in India scramble to deal with challenges related to the COVID-19 crisis, they're discovering effective strategies. For example, they're adopting the "zero trust" model for the remote workforce devising ways to deal with the security issues raised by "shadow IT" and "free software."
Several CISOs shared their real-world experiences with me. Here are some examples.
"Security practitioners around the world are struggling to cope with the challenges posed by remote workers heavily relying on virtual private networks that weren't designed for widespread use."
A CISO of a large company in the hospitality sector, who asked not to be identified, tells me: "The pressure is on us to help the business teams perform better by enabling over 500 employees to operate remotely."
As a result, he notes, "I am asked to be part of every strategic discussion, including those of reducing the cost to the company, exploring new business avenues, discussing new technologies to help meet business objectives while maintaining process security.
So the CISO decided to use a "zero trust" architecture for the platform-as-a-service model.
"We were doing a proof of concept with two technology vendors around zero trust and the platform-as-a-service model. We converted these POCs into deployments and enabled employees to access ... critical applications since it helps secure our remote work culture."
Protecting 'Shadow IT'
A CISO of a large trading corporation, who asked not to be identified, tells me he faced the challenge of a business unit that acquired over 300 laptops for employees working from home without first consulting with the IT department or security team.
"I had to intervene upon knowing the scenario and configure these systems with data leak prevention tools to enable them with secure access via VPN," he says.
"Besides, we had to extend artificial intelligence and machine learning for monitoring alerts from the traffic, along with fingerprinting as biometric authentication to enable our 450 employees to log in from remote locations, which was a task by itself."
Security for Free Software
Some manufacturing firms face the challenge of product teams deploying free applications without first addressing security issues, says Ravikiran S. Avvaru, head of IT and security at Apollo Tyres Ltd., a Gurgoan-based manufacturing firm.
"The production teams in the plants do not understand the implications of using the free software without any security tools, which results in a chaotic situation as the production stops when the license expires. They do not understand the difference between free and perpetual licenses," he says.
The only way to fix this problem is to enforce a policy requiring that all hardware and software procurement must be approved by the IT and security departments, he says.
Another important step to consider, he says, is to create a dedicated purchasing department that works closely with the IT department to track all inventory.
Security practitioners around the world are struggling to cope with the challenges posed by remote workers heavily relying on virtual private networks that weren't designed for widespread use.
Sudip Banerjee, director-strategy, digital transformation at Zscaler, a cybersecurity firm, tells me this is creating internet bandwidth issues and challenges with inbound gateways.
Meanwhile, some security experts suggest that implementing a privileged access management system can help improve VPN security.
"Deploying PAM in the current scenario is also going through an overhaul," says Dr. Yask Sharma, CISO at Indian Oil Corp. It now includes, for example, more closely tracking where access is needed and for what purposes.