“Security is a critical factor when evaluating enterprise cloud tech, says cloud expert” – Ratan Jyoti
2020 saw the highest number of cyber-attacks recorded in India, with a 37% spike in Q1 alone. Accelerated digitalisation and the overnight shift to a remote organisational setup have widened exposure to potential threats, pushing today’s IT leaders to be the agents of change who ensure their organisation is secured against them.
We recently caught up with two industry experts, the CISO of Ujjivan Small Finance Bank, Mr. Ratan Jyoti and the Co-Founder and Product Head of leading Cloud HR Tech platform Darwinbox, Mr. Chaitanya Peddi, to learn how they went about mitigating the security risk during Ujjivan’s recent 100% remote HR digital transformation initiative.
Oh, and we’ve converted all the learnings here into a handy RFP that you can use while evaluating cloud vendors.
Onboarding Cloud Technology Vendors
Cloud expert Mr. Ratan Jyoti says, “While onboarding new vendors, organisations should gain a comprehensive understanding of their infrastructure and evaluate whether they accommodate continuous monitoring and remediation of any aberrations.”
Further elaborating, Mr. Jyoti shares a checklist every IT head should refer to while evaluating a new vendor:
A. Data Encryption, Restriction, Authentication, and Role-Based Access Control (RBAC)
“Start with classifying the data meticulously and map an exhaustive RBAC framework to govern access. RBAC is not just effective and easy to manage but also helps in ensuring that the security basics are in place,” shares Mr. Jyoti.
The vendor’s Mobile Device Management (MDM) strategy should restrict user actions to only those that are required; controls such as blocking screenshots and restricting the copying of sensitive information should be part of its data leakage prevention policies.
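The checklist item above pairs data classification with RBAC and a copy/export restriction. The following is an added illustration of how those three controls combine in code; it is not Darwinbox’s or Ujjivan’s implementation, and the roles, clearances, resources and export ceiling are constructed for the example. Access is denied by default: a role must grant the (resource, action) pair and be cleared for the record’s classification label, a data subject may always read their own record, and a DLP-style ceiling blocks bulk export of anything above INTERNAL regardless of role.

```python
"""Data classification combined with role-based access control (RBAC).

Added illustration, not Darwinbox's or Ujjivan's code: the roles, clearances,
resources and the export ceiling below are constructed for the example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Ordered sensitivity levels so clearances can be compared with < and >."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Record:
    resource: str                   # e.g. "payroll", "directory"
    classification: Classification  # label assigned during data classification
    owner: str                      # employee id of the data subject


ACTIONS = ("read", "write", "export")

# Role -> (resource, action) pairs it grants. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "employee": {("directory", "read")},
    "hr_admin": {("directory", "read"), ("directory", "write"), ("directory", "export"),
                 ("payroll", "read"), ("payroll", "write"), ("payroll", "export")},
    "auditor":  {("directory", "read"), ("payroll", "read")},
}

# Role -> highest classification the role is cleared to handle.
ROLE_CLEARANCE = {
    "employee": Classification.INTERNAL,
    "hr_admin": Classification.RESTRICTED,
    "auditor":  Classification.CONFIDENTIAL,
}

# DLP-style ceiling: records above this level may never be bulk-exported,
# whatever the role (the "restrict copying of sensitive information" control).
EXPORT_CEILING = Classification.INTERNAL


def is_allowed(user_id: str, roles: set, action: str, record: Record) -> bool:
    """Deny by default; the three rules are evaluated in order."""
    # Rule 1: the export ceiling overrides every role grant.
    if action == "export" and record.classification > EXPORT_CEILING:
        return False
    # Rule 2: a data subject may always read their own record (self-service).
    if action == "read" and record.owner == user_id:
        return True
    # Rule 3: some role must grant (resource, action) AND be cleared for the label.
    for role in roles:
        if (record.resource, action) not in ROLE_PERMISSIONS.get(role, set()):
            continue
        if record.classification > ROLE_CLEARANCE.get(role, Classification.PUBLIC):
            continue
        return True
    return False


def effective_actions(user_id: str, roles: set, record: Record) -> set:
    """What a user can actually do with a record; handy when reviewing an RBAC matrix."""
    return {a for a in ACTIONS if is_allowed(user_id, roles, a, record)}


if __name__ == "__main__":
    payslip = Record("payroll", Classification.CONFIDENTIAL, owner="bob")
    for user, roles in (("bob", {"employee"}), ("alice", {"employee"}), ("hr1", {"hr_admin"})):
        print(user, sorted(effective_actions(user, roles, payslip)))
```

Note the ordering of the rules: the export ceiling is checked before any role grant so that an over-privileged role cannot override the DLP control, and the self-service rule is scoped to `read` only, so ownership never confers write or export rights.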
B. Integrations Planning
Warning against an unplanned integration roadmap for implementation, Mr. Jyoti says, “A detailed scoping exercise is key to understanding how data flows across systems and identifying potential leakages. Data should flow only through secure channels with stable API gateways and network encryption.”
C. Trusted Certifications
“Security is the biggest priority for large enterprises, especially for those in the BFSI sector, such as Ujjivan. The access, storage, and processing of sensitive data is carefully controlled at Darwinbox and is governed under global standards such as ISO/IEC 27001, ISO 9001, SOC 2 Type 1 and SOC 2 Type 2. We comply with international standards of personal data protection (GDPR), making us a highly secure HR platform for organisations across the globe,” shares Mr. Peddi, co-founder, Darwinbox.
D. Penetration Testing and Mitigation of Vulnerabilities
Mr. Jyoti believes that an in-house ethical hacker is a great investment. “Solving for vulnerabilities should not only be limited to standards and frameworks, but should also analyse possible attack vectors for the business and prepare against them.”
E. Secure and Stable Cloud Infrastructure
One of the easiest ways to evaluate a vendor’s security readiness is by their investment in the right cloud infrastructure.
“Darwinbox runs on AWS, and our customers have benefitted from the state-of-the-art security infrastructure it offers from the very beginning. With the backbone of AWS, our application is capable of scaling vertically based on the number of users on the system and has consistently delivered a 99.99% uptime. Darwinbox is also tested against 20,000 connections for every new software release, with a team dedicated to monitoring the health of the system 24/7.” shares Peddi.
F. Monitoring: Audits and Log Trails
If used effectively, audits and log trails can identify problem areas and provide the means to find remedies.
“With over 500+ organisations and 1M+ active users on our platform, we analyse 600+ GB of logs daily and check over 29 TB of data monthly for anomalies. We also leverage SIEM and DLP solutions integrated with log aggregation to provide real-time analysis of security alerts.” shares Peddi.
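The section above describes feeding log trails into SIEM/DLP tooling to surface anomalies. The following is an added example of what such anomaly checks look like over an application audit trail; it is not Darwinbox’s log format or detection rules, and the line format, the sample events and the thresholds are all constructed. It parses key=value audit lines and flags three patterns a reviewer would want surfaced: a burst of denied requests from one user inside a sliding window, an unusual number of successful exports by one user, and successful access outside business hours.

```python
"""Anomaly checks over an application audit trail.

Added illustration, not Darwinbox's logging or SIEM rules: the line format,
the sample events and the thresholds are constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: UTC timestamp followed by key=value fields.
SAMPLE_LOG = """\
2020-06-01T09:02:11Z user=alice action=read resource=payroll result=allow src=10.1.4.20
2020-06-01T09:03:40Z user=alice action=read resource=payroll result=deny src=10.1.4.20
2020-06-01T09:04:02Z user=alice action=read resource=payroll result=deny src=10.1.4.20
2020-06-01T09:04:31Z user=alice action=write resource=payroll result=deny src=10.1.4.20
2020-06-01T09:05:10Z user=alice action=read resource=directory result=deny src=10.1.4.20
2020-06-01T09:06:45Z user=alice action=export resource=payroll result=deny src=10.1.4.20
2020-06-01T10:00:00Z user=bob action=read resource=directory result=allow src=10.1.4.33
2020-06-01T23:12:05Z user=hr1 action=export resource=payroll result=allow src=203.0.113.9
2020-06-01T23:12:30Z user=hr1 action=export resource=payroll result=allow src=203.0.113.9
2020-06-01T23:13:01Z user=hr1 action=export resource=payroll result=allow src=203.0.113.9
2020-06-01T23:13:44Z user=hr1 action=export resource=payroll result=allow src=203.0.113.9
2020-06-02T11:30:00Z user=hr1 action=read resource=payroll result=allow src=10.1.4.8
"""


def parse_log(text):
    """Turn each non-empty line into a dict; the 'ts' field becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_deny_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Users with >= threshold denied requests inside a sliding window
    (probing for access they do not have, or a misconfigured integration)."""
    denies = defaultdict(list)
    for e in events:
        if e["result"] == "deny":
            denies[e["user"]].append(e["ts"])
    alerts = []
    for user, times in denies.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, end - start + 1, times[start]))
                break  # one alert per user per run
    return alerts


def detect_bulk_export(events, threshold=3):
    """Users whose count of successful exports exceeds the threshold."""
    counts = Counter(e["user"] for e in events
                     if e["action"] == "export" and e["result"] == "allow")
    return [(user, n) for user, n in counts.items() if n > threshold]


def detect_off_hours(events, start_hour=7, end_hour=21):
    """Successful access outside business hours, counted per user. Assumes the
    log timestamps are in the same timezone as the business-hours window."""
    counts = Counter(e["user"] for e in events
                     if e["result"] == "allow"
                     and not (start_hour <= e["ts"].hour < end_hour))
    return sorted(counts.items())


def run(text=SAMPLE_LOG):
    """Run every check over a log text and return the alerts grouped by check."""
    events = parse_log(text)
    return {
        "deny_bursts": detect_deny_bursts(events),
        "bulk_export": detect_bulk_export(events),
        "off_hours": detect_off_hours(events),
    }


if __name__ == "__main__":
    for name, alerts in run().items():
        print(f"{name}: {alerts}")
```

Each check returns structured tuples rather than printing, so the same functions can sit behind a scheduled job or be wired to a SIEM alert sink; the thresholds are deliberately parameters, since the right values depend on the baseline volume of the platform being monitored.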
G. InfoSec Awareness & Training
One of the most important challenges for any organisation is evangelising the importance of data security and preparing employees for potential threats. Mr. Jyoti, CISO at Ujjivan, recommends the following:
- Text-based infographics or video-based awareness campaigns on safe practices are very effective. Mr. Jyoti also emphasizes the importance of using regional languages for training.
- Continuous exercises that assess each employee’s level of cybersecurity awareness, through simulations of possible attack scenarios, should also be undertaken.
Summing up the whole conversation, Mr. Chaitanya Peddi shares “Never let a good crisis go to waste. Use this opportunity to proactively invest in technology, effective people management, and the creation of policies that will yield long term gains.”