Voya's Badhwar explains how to prioritize cloud-based security and save a world of headaches by getting a CISO on company boards

After 25 years of analysis, architecture, design, development, and management of technical resources for cybersecurity engineering, operations, and incident response, Voya Financial CISO Raj Badhwar has seen it all and has become a go-to expert in all things cybersecurity.

We were thrilled to join Profile magazine to talk with Raj about his perspective on the CISO’s role in putting security priorities at the forefront. “When the board of directors wants guidance about where investments are being made in a company and they don’t have security people on that board, there is a valuable voice that is not being heard.”

That voice matters especially as companies make significant investments in migrating critical applications and systems to the cloud. The cost-efficient pay-as-you-go models and scalable database capabilities offered by cloud environments make them an irresistible choice. There is a catch, however. A whopping 84% of companies say their current security solutions won’t work in these new environments, and in most cases they are right. Badhwar warns that when companies weigh the pros and cons of moving their entire networks to the cloud, having a CISO on their boards of directors could save them a world of security headaches.

Badhwar remarks, “There may be some short-term gains in moving everything to the cloud, but I think security has been forgotten, and that’s why there are breaches literally every single day in the news.” Juxtaposed with the Gartner data and the conventional wisdom that the future state of application and system hosting for every corporation is in cloud environments, the need for effective, affordable database security going forward is very clear.

Built-in security for cloud-based data sources may not be the answer

But many cloud-based data sources claim their built-in security capabilities are enough to get the job done. Why the disconnect? Badhwar explains the myriad of issues, “Although the cloud compute and service providers have built in native capabilities to enable application, infrastructure, network and perimeter security, these capabilities are not being used appropriately as legacy (on-premise) applications in the industry move to the cloud environments. Specific areas of concern on the radar of corporate CISOs are perimeter, network, data and application security; Logging and Monitoring; Vulnerability Management; and Identity and Access Management (IAM). Many cloud application deployments in the industry lack even the most basic and fundamental capability to provide adequate security logging and monitoring of these cloud-hosted (IaaS or PaaS) applications for the reasons I mentioned.

“Frequently, the on-premise security solutions cannot be migrated to cloud environments along with the app migrations – creating a gap where the apps have to enable cloud native security tooling and capability on-the-fly, oftentimes creating misconfigurations and coverage gaps. The DevSecOps models of many firms in the industry do not have the ‘Sec’ piece fully enabled and integrated into the CI/CD pipelines. This can lead to untested, un-scanned or vulnerable code (or services) making it all the way to production.”

“On-premise code development, testing and deployment paradigms must be re-factored for an agile SDLC model generally used in the cloud. This leads to a learning curve in the industry that often requires new tooling to support the new paradigm – often resulting in non-compliance with cybersecurity and IAM processes, procedures, and best practices. In many cases the on-premise IAM paradigm in use within the industry cannot be replicated to the cloud, leading to a hodge-podge identity and access management paradigm. This opens the door to unauthorized access, enhanced risk from data exfiltration, insider threat, lack of visibility, exposure to regulatory non-compliance, un-optimal access and entitlement reviews and access certifications, etc.”

“The micro services and container centric application design used in cloud environments can lead to a fundamental shift in application security design and introduce implementation complexity – often resulting in potential coverage gaps and un-optimal security solutions.”

Guidelines to follow for effective, affordable database security in the cloud

When an enterprise is evaluating solutions to facilitate its transition to the cloud, there are some specific guidelines to follow. Badhwar suggests looking for solutions that can operate in a hybrid mode (i.e. in addition to being cloud native, they can also work in tandem or inter-operate with existing on-premise solutions). It is also important for enterprises to adopt solutions that are not proprietary, are built on open (industry) standards, and are not overly complex or in need of significant customization. The solution should not impose a cloud lock-in, or should at least work or federate across various cloud environments (e.g. Azure, AWS, GCP, Oracle Cloud, etc.). Finally, the solution needs to be securely designed from the start, rather than requiring different customizations to be bolted on later to ensure security in each cloud environment.

Badhwar says, “Fortunately, partnerships with cloud-based database security companies like jSonar have helped ease this difficulty. jSonar enhances our capability, speed, and agility to provide security monitoring and behavior-based analytics both on-premise and in the cloud.”

Ron Bennatan, chief technology officer at jSonar, echoes Badhwar’s point. “Most organizations struggle with deploying consistent data security policies to the cloud. Legacy on-premise tools don’t carry across to cloud workloads,” he explains. “At jSonar, we abstract the complexity of the underlying data systems and provide a single platform to secure any data workload.

“Our customers, like Voya,” Bennatan adds, “can accelerate innovation in their business and migrate to the cloud while having the confidence that their security controls and more will be consistent across all on-premise and cloud systems through jSonar.”

Practical benefits to bringing a CISO onto a corporate board of directors

Given the opportunity, Badhwar outlines some of the things CISOs could bring to a company board in order to help improve risk prevention and remediation strategies:

  • Appropriately assess cyber risk and help implement security controls that can either remediate or mitigate risk from network breaches and other cyber events in an expedient manner.
  • Help bring the needed awareness, set the appropriate level of urgency, and secure any needed funding to patch known critical and high severity vulnerabilities and exploits on internet-facing high-risk applications and sites.
  • Provide a cybersecurity-focused assessment of any new business or technology acquisitions including but not limited to: M&As, new enterprise systems and software, secure cloud adoption and deployments, third party engagements and other new business relationships, etc.
  • Bring a cyber-security focused point of view for assessment of compliance with existing and new government regulations or client requirements.
  • Make the case for needed proactive investments to upgrade the cybersecurity capabilities, services, and infrastructure for a given firm to protect against APT (advanced persistent threat), sophisticated malware and other internal and external cyber threats.
  • Help ensure that a company has appropriate cyber insurance to provide coverage for cyber risks including but not limited to: cyber events, threats, incidents, breaches and other events that can cause reputational and financial harm.

“The views expressed, and commentary provided in this post are strictly private and do not represent the opinions or work or the state of and/or implementations within the cybersecurity or IT programs of Voya Financial. Any advice provided here must not be construed as legal advice. If you choose to follow any advice provided in this blog, then you must do so at your own risk.”