Cloud Security Made Simple With Swati Anuj Arya

Purusottam: Hi Everyone, Thanks for tuning into our Scale to Zero show. With this podcast, our goal is to get your security questions answered by experts in the security space and build a community.

For Today’s episode, we have Swati Anuj Arya with us. Swati is a Leader at the CISO office at Amazon Pay. Prior to that, Swati was a member of the Financial Services Compliance team at AWS. She has also been associated with ISACA for various security training initiatives.

Swati, Thank you so much for joining with me today.

Swati: Thanks for inviting me!

Purusottam: Let’s get started with the questions. So the first question,

For a fast-growing fin-tech startup, What investments should be made in cyber security?

Swati: I think basics need to be corrected right. Security is not something that you can think about once you have designed everything. So security has to be integrated into the entire process, the entire set-up of the organisation. Generally, we see people think about or organisations think about security once they have sorted out the functionality part and then they realize, there are certain things which were correlated with the functionality.

Even if they have a limited budget, and limited scope, I think the basic controls need to be implemented and when they are designing these controls, they need to assess the risk and based on the risk they need to align the security investment. Most of the time people think that their business is too small for cybersecurity attacks, but stats say that 60% of small and medium-sized organisations have to shut down their shops just because of these cyber security attacks.

So they have to make these investments at the start, they need to consider security at the start and ongoing basis and if they are making an investment, it has to be based on the risk assessment results and basic controls need to be implemented correctly and it need not be always a kind of heavy investment solutions, sometimes opensource/basic security controls can help a lot.

Purusottam: Makes sense, so security and product development should go hand in hand rather than security being an after thought.

Swati: Exactly

Purusottam: Makes sense, so the next question is

For a startup, What’s the right time to invest in improving overall security posture vs getting security certifications like soc2, iso, etc.?

Swati: It depends on the business priorities as well as where they are doing the business right. There are certain geographies, certain markets, and certain industries where the certifications are kind of a must. When you will go to your first customer or when you go to your first investor, they will ask whether you have these controls in place or not. While you are working in an industry where data is less regulated, the sensitivity of the data is on the lower side, I think you may decide to have the certification at a later point in time.

Based on what type of data you are dealing with – if you are dealing with sensitive data like for example financial data or personal identifiable data you are targeting customers in geography is where the regulations and the governance are on a higher side, I think these investments and these efforts have to be done in the initial years and what we have observed in past few years is that even when we are going for investments or they are going for funding,  their investors are looking for these details, they’re asking what is your security posture and they’re making a decision be based on that and the overall valuation of the company can be reduced if you don’t have these security measures and compliance programmes in place

Purusottam: Okay, makes sense, next question-

In case of any ransomware attack, What is the best way to restore data?

Swati: I think once a ransomware attack has happened it’s too late from where you will get the backup and restore the data. This should be decided much prior to that right, it should be a part of your overall BCP plan. You should have a dedicated set up for back up and definitely, you cannot have a backup at the same place where your actual production data is, there has to be segregation where you are keeping your backup data, and if you have done your BCP planning and RDI planning properly, I think these questions can be answered easily because you have planned where your back up data is, restoration would be just like another step right so organisations which have done their BCP planning properly, they have kept their data as recent as possible, which have done there is restoration testings, those organisations have been surviving these kinds of situations better because they have not waited till that attack happened right – they have planned for it in much before and tested those plans right so sometimes you may have planned everything properly, but is it working? have you tested it? have you restored your backup to see if it’s working or not, so, those are critical steps and having a good cloud infrastructure available from different hyper skill cloud providers.

I think backup is not something which is a tedious thing to do, you just have to decide what you want, when you want, and you can get it with minimal cost and minimal effort..

Purusottam: So preparedness with a backup has more value

Swati: And not keeping all the eggs in one basket.

Purusottam: Okay,

How should we prepare for a large-scale event from a security standpoint?

Swati: When you say the large-scale event, I think, organisations may not have considered how to contain those events right so, even if we are saying large-scale event if it is detected properly, the detection has happened timely, there is a proper incident management plan in place, it will do early detection, it will do containment and eradication, and then it will help you in responding in a faster way. The effort should be in the direction of reducing the overall impact and getting this event a large-scale event, and as soon as you identify it, as soon as you take action, it can be, the impact can be reduced and the damage can be on the lower side.

Purusottam: Okay makes sense, the last question-

In the event of a data breach, What should the response plan look like?

Swati: When you say the large-scale event, I think, organisations may not have considered how to contain those events right so, even if we are saying large-scale event if it is detected properly, the detection has happened timely, there is a proper incident management plan in place, it will do early detection, it will do containment and eradication, and then it will help you in responding in a faster way. The effort should be in the direction of reducing the overall impact and getting this event a large-scale event, and as soon as you identify it, as soon as you take action, it can be, the impact can be reduced and the damage can be on the lower side.

Purusottam: Okay makes sense, the last question-

In the event of a data breach, What should the response plan look like?

Swati: When we say data breach right there are multiple things that should be considered –

1. what kind of data has been having been impacted and is it a confirmed breach?  if the answer is yes, then if this is a data breach then regulated in nature and there are legal implications of this data being breached, I think the first part is that you need to identify who needs to be informed, and what is the timeline that you have to abide with. Sometimes there can be legal implications of not abiding with the incident reporting, so, I think that is a critical piece where you involve multiple stakeholders and you make sure that you are in that timeline.
2. Second is very critical, which is that again the containment is an important right, so, you are aware that the data breach has happened, have you addressed it, have you contained it or you are facing it, it’s like kind of happening on an ongoing basis so containing that data breach. Then, doing a root cause analysis, like what has gone wrong so that the steps can be taken in short duration and long duration or long-term to make sure that these incidents are not happening. Because even if we are talking about data breaches kind of regulator data or legally protected data those cases regulators or agencies will be very interested to know what you have done to protect your data right and if you need to take more steps like you have to inform your customers, depending on where you are doing your business what kind of data it is, you can take those steps. They want to understand what is the entire RCA, what is the lesson learning and based on that, the action can be taken and those are important.
3. But the immediate thing should be that the damage needs to be reduced. You know that something has been impacted, it should not be a rippling effect or other data sets or other system problems.

Purusottam: Makes sense, so doing both the things at the same time, like, controlling the damage and going out to the stakeholders and keeping them updated

Swati: It should be done in a careful way. You should not create panic at the same time you must be abiding by the policies and the guidelines which are there in the country. Those two things need to be balanced out properly so that you are being transparent you are informing stakeholders with the facts and you should have those facts while you are reporting these events to the agencies, and regulators. At the same time, you should not be creating a panic right, so, the right set of information should be provided.

For example, if there was a data breach and data was increased it probably the damage was much on the lower side only the encrypted data has been exposed and in some geographies that data may not be qualified for a data breach because the actual data has not been breached. Giving the right information, being factual, and assessing what is the impact based on the app on the communication given to all the stakeholders who have impacted and who need to be informed and reported.

Rapid Fire:

Purusottam: Makes sense, okay now let’s move to the rapid-fire section-

What’s your persona animal?

Swati: I think I like tiger, I like them.

Purusottam: okay,  What is one of the myths about cybersecurity?

Swati: I think one thing is that people need to realize is there is nothing called as 100% security, there are two types of organizations, right, one who have been breached and those who need to be informed that they have been breached, so there is nothing called 100 % security. You need to assess where you are and based on that you can secure your organization.

Purusottam: Okay, the next question is –

Assuming you are hiring, in one sentence, What stands out the most in a candidate’s resume for you?

Swati: I think articulation and integrity are important and I mean these two things are important in information security roles. You need to be really good in articulation because you have to communicate with different stakeholders, you need to articulate based on the audience, And second is integrity, I think if I have doubt about someone’s integrity then I think that will not work for me.

Purusottam: Makes sense, ya,

What is the biggest lie you have heard in cybersecurity?

Swati: I have encrypted everything, I have fireball and hence I am secure and compliant.

Purusottam:  Makes sense,

What advice would you give to your 25-year-old self starting in security? and Why?

Swati: I think learn a little bit of developing software, software development side, I started my career in information security and I have been heavily involved in compliance on-site, I think having an experience in product development, I think that sides help a lot and even today I feel like I should go and have learned on those aspects as well.

Purusottam: Okay, so with that we wrap up the rapid-fire round as well. So thank you so much Swati, it was so insightful to speak to you. Looking forward to learning from you in future.

Swati: Thank you so much Purusottam, thanks.