IBM’s Nataraj Nagaratnam on the cyber challenges facing cloud services


Nataraj Nagaratnam, IBM fellow and cloud security CTO, has been with the provider for almost 25 years. Security has been his forte throughout this time, whether it’s cloud security, hybrid cloud security or technology strategy.

Nataraj’s interest in security began when he was studying for his master’s and PhD. “One good, fine day, my professor walks in and says there will be this new thing, called Java,” he remembers. “He was already working with the core Java engineering team, which created Java at the time. Intrigued, I started to work on the security aspects of Java, and then my PhD was in security in distributed systems.”

Following his research, when Nataraj was looking for new challenges, IBM approached him with an opportunity to help shape the future of security. Just as the web was going to change the world and the way business was done, IBM offered him the chance to develop techniques for how companies could securely operate over the internet.

IBM’s offer to lead enterprise web security for IBM products appealed to the young Nataraj, as the new technologies promised to be both disruptive to markets and enabling to the world. “I jumped right onto the opportunity. And, as they say, the rest is history,” he says. “I was fortunate enough to be part of the way, with WebSphere shaping the industry, and working with industry on standard security specifications, such as web services security.”

The rise of the cloud

Technology, particularly enterprise IT, has expanded massively throughout Nataraj’s career. While this has created opportunities for business solutions, it also carries certain risks. “In the history of computing, there are three major chapters – mainframes, then web, and now there is cloud,” says Nataraj. “This is a defining moment in the entire IT space, and I am fortunate enough to define and lead the work on security from web to cloud.”

Relying on data and services in the cloud can be challenging, as organisations need to ensure that data remains sharable across networks, while having sufficient protections in place to ensure data is confidential and protected. This is particularly the case for heavily regulated industries, such as the defence, healthcare and financial sectors. This has become a defining moment for such industries, which are concerned about risk, security and compliance.

Rather than relying on the subjective term “trust”, which implies that one can place confidence in or rely on someone or something, Nataraj prefers to use “technical assurance”. Technical assurance demonstrates that technological and human processes have been put in place to ensure data is being protected.

Part of this is ensuring that identity and access management (IAM) is uniformly addressed across all of the organisation’s cloud platforms, from their cloud storage capabilities to their on-premise services. Given that no two cloud platforms are ever the same, this can complicate matters, as more than one platform is often used.

Challenges in the cloud

The rapid expansion of the tech sector means there is a growing security skills gap, which needs to be addressed. This has left organisations struggling to fill vitally important roles and relying on external contractors instead. This adds further cost, especially if a large amount of work is required, as contractors are expensive for long-term projects.

To address such concerns, organisations are turning to IAM tools to act as an overlay across their existing cloud infrastructure. “If we standardise the access management and security overlay, and enable them with automation and continuous monitoring, we can solve complex problems,” says Nataraj. “Taking a hybrid multicloud approach with security and compliance automation addresses this with consistency and continuous monitoring.”

Data protection and data interchange

Government policy is also evolving, as regulators become ever more technologically aware, with additional demands on data protection when sharing data between regions. There has, however, been greater collaboration between nations in this regard. For example, the European Union’s (EU’s) General Data Protection Regulation (GDPR) has effectively become a de facto global standard for data protection, as countries realise that trade is reliant on an unimpeded flow of data.


“Laws, regulations and policies are becoming much more technology aware,” says Nataraj. “Lawmakers and regulators are starting to understand the impact of technology, and that policies and standards need to evolve in a way that accommodates those technologies, while also providing a level of risk and regulatory compliance. Standardisation needs to happen, as opposed to every country having its own regulatory requirements, because that will have its own complexity.”

With data interchange between different countries being dependent on data sharing agreements, organisations are looking at approaches that allow them to meet the regulatory and technical requirements.

“A few weeks back, when I was in India, we talked about this notion of data embassies – the fundamental concept is if you run services within these datacentres and service providers, you get immunity from certain laws,” says Nataraj. “A country can have a data embassy in one country, and in reciprocity, they can have a data embassy in their country. There are innovative and creative ideas coming up in different parts of the world. That’s a reflection of a policy and a practical approach to solve this data sharing problem, and that is going to evolve.”

These data embassies are similar to TikTok’s proposed Project Texas, which would see the social media platform storing all data in the US under the watch of American firm Oracle. These data embassies could evolve into independent third-party organisations.

The danger from quantum computing

One of the most significant future concerns facing organisations relying on cloud services will be the danger posed by quantum computing, which could disrupt encryption security. Reliance on current encryption technologies is not an option, as the processing speeds offered by quantum computers would enable them to swiftly break encryption, especially as certain public key algorithms have proven to be vulnerable to quantum computer attacks.

The most common public key infrastructure (PKI) technology used across the world is transport layer security (TLS), which secures data in transit. As such, that should be considered the greatest risk, because if data is captured in transit today, the encryption could be broken in five years’ time, if quantum computing becomes commercially available. As such, we need to rethink the way we approach hybrid cloud, secure connectivity and TLS.

“When it comes to quantum safe, I believe the first thing to fix is connectivity. Two years ago, we introduced support for quantum safe algorithms in IBM cloud,” says Nataraj. “When you do application transactions over the wire, that link can be quantum safe. You prepare for the threat. That has to be one of the first things, when it comes to cloud security, that one needs to work through.”

With the increasing levels of functionality offered by artificial intelligence (AI) and machine learning (ML), automation will become a growing part of an organisation’s security posture. Automated monitoring of security and compliance posture allows for continuous security.

Furthermore, security deployment will become automated, thereby bridging the gap between the CISOs and CIOs and IT teams. This will ensure they are all in line with each other and aligned with the organisation’s global security and compliance requirements.

“There is more to be done in continuous security and compliance infused with automation, and how we change from a reference architecture that may be in a Visio diagram to something prescriptive, deployable and automated,” says Nataraj.

Preparing for the future

Concerns surrounding data sovereignty and data privacy residency are likely to increase, given the regulatory compliance and geopolitical aspects of dealing with data. As such, there will be a need for more demonstrable controls and technologies that can help in protecting data and privacy, which will become infused with confidential computing.

“Applications of confidential computing are still in their infancy and there is more to be done, because it’s not just a technology, but its use cases in confidential AI,” says Nataraj. “IBM has leveraged confidential computing technology to enable unique approach use cases around encryption key management called Keep Your Own Key, where a customer has technical assurance that only they have access to the keys, where keys are protected within hardware as well as within secure enclaves. This is now extended to hybrid multicloud key management through Unified Key.”

The IT sector is undergoing a fundamental shift, as it transforms from a web-based model to one reliant on cloud services. This is being compounded by technological and regulatory issues coming to the fore. A multicloud system can improve adaptability to shifting market trends, but this brings certain challenges. Automating network management policies enables swift and effective sharing of data within networks, regardless of location, while ensuring that compliance with shifting regulatory requirements is maintained.

“We can help industry, governments and others move forward,” concludes Nataraj. “We will collaborate with governments and their policies to make that happen.”


