In
this
exclusive
interview
cloud
security
architect
and
cyber
security
consultant
Mayank
Sharma,
shares
key
insights
on
cloud
migration
and
how
to
manage
an
Internet
of
Things
(IoT)
cyber
security
strategy.
Cyber
Security
Hub:
What
steps
should
be
considered
when
migrating
critical
infrastructure
to
cloud?
Mayank
Sharma:
Firstly,
look
at
what
you
want
to
achieve
with
cloud,
for
example
more
automation,
intelligent
decision
making
or
introducing
predictive
analytics.
Finding
this
business
need
is
perhaps
the
most
important
step
of
the
process.
During
this
step,
engage
the
business
stakeholders,
IT
managers
and
enterprise
architects.
When
you
know
what
you
want
to
create,
research
the
services
cloud
can
offer
to
support
you
in
achieving
this
goal.
This
‘vision’
is
the
key
document
which
drives
all
the
future
work.
Secondly,
create
a
strategy
for
critical
infrastructure
in
cloud
based
upon
the
business
requirements.
This
should
include
items
such
as
capabilities
that
will
exist
in
the
cloud
for
critical
infrastructure.
Your
strategy
development
should
include:
-
A
regulatory
assessment
(for
example,
privacy
or
any
other
regulation
that
applies).
-
A
security
assessment.
-
A
security
operating
model.
-
A
governance
framework.
While
developing
the
strategies
research
about
if
your
cloud
security
solution
will
have
the
same
security
capabilities
as
your
current
on-prem
environment.
One
should
also
consider
what
new
threats
are
introduced
as
a
part
of
moving
to
the
cloud,
threat
model
them
and
see
if
mitigated
threats
are
within
the
risk
appetite
of
the
business.
If
it
falls
outside
of
risk
appetite,
then
consider
what
extra
efforts
will
be
required
to
bring
it
within
the
risk
appetite.
Thirdly,
create
a
migration
plan.
This
is
a
more
detailed
version
of
various
elements
involved
in
migration
activity.
An
iterative
approach
is
always
better
than
a
‘big
bang’
approach
so
try
not
to
be
overly
ambitious
and
move
all
your
infrastructure
at
once.
A
phased
migration
beginning
with
less
critical
assets
is
always
preferable.
Also
assess
the
overall
security
of
this
migration
plan.
Finally,
continuously
review
the
cloud
landscape
to
ensure
that
it
remains
secure,
reliable
and
cost-effective.
Conduct
regular
security
and
compliance
audits
to
ensure
that
the
infrastructure
meets
regulatory
requirements
and
industry
best
practices.
Cloud
is
much
more
dynamic
than
traditional
on-premises
infrastructure
so
continue
to
assess
new
services
and
develop
a
robust
service
enablement
process
to
onboard
any
new
services
quickly.
“In
short,
IoT
has
rewritten
the
rule
book.”
CSH:
What
challenges
are
cyber
security
professionals
likely
to
face
from
the
Internet
of
Things
(IoT)
4.0?
MS:
In
short,
IoT
has
rewritten
the
rule
book.
The
challenges
are
two
pronged;
first
is
the
amount
of
data
that
is
being
collected.
These
devices
are
in
peoples’
homes
or
being
worn
by
them
and
are
checking
their
movements
and
collecting
sensitive
data
such
as
private
health
data.
This
information
is
often
sent
to
cloud
to
provide
meaningful
analytics
to
the
end
users
or
to
feed
into
critical
business
processes.
This
information
is
extremely
sensitive
in
nature
and
must
be
handled
with
care.
Secondly,
traditionally
the
device
onboarding
in
a
large
organization
is
an
exhaustive
process,
however
with
these
wide-ranging
devices
(from
TV
to
smartphones,
to
sunglasses,
to
smart
watches)
it
is
extremely
challenging
to
create
a
cohesive
strategy
for
all
types
of
IoT
devices.
IoT
has
disrupted
critical
infrastructure
even
more!
Historically,
the
Purdue
model
is
the
go-to
model
for
industrial
control
systems
and
operational
technologies
(OT).
It
segments
the
different
processes
in
different
networks
and
ensures
security
is
maintained
by
firewalling
the
different
segments.
It
also
includes
a
very
rigid
network
separation
between
OT
and
IT
systems.
IoT
4.0
disrupted
this
security
model.
Purdue
cannot
natively
integrate
with
cloud
systems
and
IoT
4.0
–
or
industrial
IoT
–
also
blurs
the
line
between
IT
and
OT.
So,
the
security
controls
by
means
of
network
segmentation
are
no
longer
valid
with
IoT
4.0.
What
makes
things
trickier,
is
that
typically
industrial
systems
are
designed
for
a
very
long
life,
in
the
order
of
decades,
and
may
incorporate
protocols
can
become
vulnerable
over
this
time.
Connection
with
IT
and
cloud
provides
an
attack
surface
to
a
threat
actor
to
exploit
these
vulnerabilities.
Needless
to
say,
people
can
suffer
physical
harm
from
a
compromised
industrial
system,
so
the
stakes
are
very
high.
CSH:
How
can
cyber
security
professionals
create
and
manage
an
IoT
cyber
security
strategy?
MS:
IoT
is
a
rapidly
growing
field
that
is
disrupting
the
way
organizations
operate
and
interact
with
their
environments.
As
more
devices
become
connected,
it
is
increasingly
important
for
organizations
to
have
a
clear
understanding
of
the
strategic
need
for
IoT
and
to
develop
a
comprehensive
security
strategy
to
protect
against
potential
threats.
First
element
of
strategy
is
creating
a
strategy
about
the
IOT
devices
themselves
–
how
the
devices
will
be
onboarded,
how
they
will
be
deployed
and
maintained
(for
example
firmware
upgrades
and
decommissioning)
should
be
discussed
in
this
step.
Physical
security
of
these
devices
should
be
reviewed
in
this
phase.
Lastly
things
such
as
how
much
data
should
be
collected
should
also
be
discussed
in
detail
while
creating
a
strategy
about
IOT
devices.
Second
element
of
the
strategy
is
analytics.
This
step
primarily
deals
with
the
security
of
analytics
engine
where
meaningful
information
is
derived
from
the
signal
received
from
IOT
devices.
Data
security
and
user
privacy
should
be
reviewed
in
this
step.
Third
element
is
the
integration.
This
element
primarily
deals
with
security
of
integration
between
analytics
engine
and
other
business
systems.
While
developing
security
strategy
of
devices,
analytics
engine
and
integration;
delve
into
security
domains
of
authentication
and
authorization,
e.g.
how
devices
will
authenticate
with
the
organization
and
ensuring
that
only
authorized
devices
can
access
the
network.
All
data
transmitted
should
be
encrypted
using
resilient
encryption
algorithms
to
prevent
unauthorized
access
and
“eavesdropping”.
Data
protection,
data
access
controls
and
data
deletion
policies
should
be
implemented
to
ensure
that
data
is
protected
at
all
times.
As
the
organization
matures,
security
patterns
can
be
developed
to
reuse
in-house
capabilities
and
further
enhance
the
security
of
the
IoT
network.
“Imagine
the
consequences
of
an
out-of-control
AI
model
to
an
organization!”
CSH:
How
can
organizations
create
an
AI
strategy
for
the
cloud?
MS:
The
field
of
artificial
intelligence
is
rapidly
evolving
and
has
the
potential
to
transform
businesses
across
various
industries.
The
introduction
of
AI,
however,
also
poses
significant
risks,
particularly
if
the
AI
model
is
not
properly
managed
or
if
it
malfunctions.
Imagine
the
consequences
of
an
out-of-control
AI
model
to
an
organization!
To
mitigate
these
risks,
business
leaders
must
ensure
that
AI
is
developed
with
adherence
to
secure
development
practices;
using
high
quality
data
when
training
the
AI
model
and
ongoing
governance
will
ensure
that
the
model
remains
trustworthy
and
free
of
bias.
Development
of
a
well-defined
AI
strategy
should
be
based
on
these
three
principles.
To
begin
with,
it
is
important
to
identify:
-
The
context
in
which
AI
will
be
used. -
The
amount
of
risk
the
organization
is
willing
to
take.
-
The
risks
associated
with
the
introduction
of
AI
systems.
These
risks
should
then
be
assessed
and
appropriate
mitigating
control
should
be
introduced.
Lastly
a
matrix
should
be
developed
to
effectively
monitor
key
risk
indicators
(KRIs)
and
key
performance
indicators
(KPIs).
Overall,
a
well-defined
AI
strategy
is
essential
for
businesses
to
maximize
the
potential
of
AI
while
mitigating
risks.
A
good
resource
on
this
matter
is
the
AI
Risk
Management
Framework
by
the
National
Institute
of
Standards
and
Technology
(NIST).
Hear
more
insights
on
cloud,
IoT
and
AI
from
Mayank
Sharma
in
his
session,
How
to
adopt
cloud
and
govern
it
at
Cyber
Security
Hub’s
All
Access:
Cloud
Security
APAC
event.
Watch
now!
About Author
