Nataraj Nagaratnam, IBM Fellow and CTO for cloud security, has been with the supplier for almost 25 years. Security has been his forte throughout this time, whether it’s cloud security, hybrid cloud security, or technology strategy.
Nataraj’s interest in security started when he was studying for his master’s and PhD. “One good, beautiful day, my teacher comes in and says there will be this new thing, called Java,” he recalls. “He was already working with the core Java engineering team, which created Java at the time. Intrigued, I started working on the security aspects of Java, then I did my PhD in security in distributed systems.”
After graduation, as Nataraj sought new challenges, IBM approached him with the opportunity to help shape the future of security. Just as the Internet would change the world and the way business was conducted, IBM offered him the opportunity to develop systems that allowed businesses to operate securely over the Internet.
IBM’s offer to lead enterprise web security for IBM products appealed to the young Nataraj, as new technologies promised to be both disruptive to markets and empowering to the world. “I jumped at the chance. And, as they say, the rest is history,” he says. “I was lucky to be part of the journey, with WebSphere, to shape the industry and work with the industry on standard security specifications, such as web services security.”
The rise of the cloud
Technology, especially business computing, has grown tremendously throughout Nataraj’s career. While this has created opportunities for enterprise solutions, it also comes with some risks. “In the history of computing, there are three big chapters: mainframes, then the web, and now there’s the cloud,” says Nataraj. “This is a defining moment in the entire IT space, and I have the chance to define and lead the work on security from web to cloud.”
Relying on data and services in the cloud can be challenging, as organizations must ensure that data remains shareable across networks, while having enough protections in place to ensure privacy and data protection. This is especially the case for heavily regulated industries, such as the defense, healthcare, and financial sectors. It has become a defining moment for these industries, which are concerned with risk, security and compliance.
Rather than relying on the subjective term ‘trust’, which implies that one can trust or rely on someone or something, Nataraj prefers to use ‘technical assurance’. Technical assurance demonstrates that technological and human processes have been put in place to ensure data protection.
Part of that is making sure that identity and access management (IAM) is treated uniformly across all of the organization’s cloud platforms, from their cloud storage capabilities to their on-premises services. Since no two cloud platforms are ever the same, this can complicate things, as multiple platforms are typically used.
The rapid expansion of the technology sector means that there is a growing security skills gap, which needs to be addressed. This has left organizations struggling to fill vitally important roles and relying on external contractors instead. This adds costs, particularly if a significant amount of labor is required, as contractors are expensive for long-term projects.
To address these concerns, organizations are turning to IAM tools to act as an overlay on their existing cloud infrastructure. “If we standardize access management and security overlay, and enable them with automation and continuous monitoring, we can solve complex problems,” says Nataraj. “Adopting a hybrid multicloud approach with security and compliance automation solves this problem with consistency and continuous monitoring.”
Data protection and exchange of information
Government policy is also changing, as regulators become more technology-aware, with additional data protection requirements when sharing data between regions. However, there has been greater collaboration between countries in this regard. For example, the European Union (EU) General Data Protection Regulation (GDPR) has effectively become a de facto global standard for data protection as countries realize that commerce depends on an unimpeded flow of data.
“Laws, regulations and policies are becoming more technology-aware,” says Nataraj. “Legislators and regulators are beginning to understand the impact of technology, and that policies and standards must evolve to accommodate these technologies, while providing a level of risk and regulatory compliance. Standardization must take place, rather than each country having its own regulatory requirements, as this will have its own complexity.”
As the exchange of information between different countries depends on data sharing agreements, organizations are exploring approaches that allow them to meet regulatory and technical requirements.
“A few weeks ago when I was in India, we talked about this notion of data embassies – the fundamental concept is that if you run services within these data centers and service providers, you benefit from immunity from certain laws,” says Nataraj. “A country can have a data embassy in a country, and in reciprocity, they can have a data embassy in their country. Innovative and creative ideas are emerging in different parts of the world. It’s a reflection of a policy and a practical approach to solving this data sharing problem, and it’s going to evolve.”
These data embassies are similar to TikTok’s proposed Project Texas, which would see the social media platform store all data in the United States under the supervision of an American company, Oracle. These data embassies could evolve into independent third-party organizations.
The risk of quantum computing
There is also the risk posed by quantum computing, which could disrupt encryption security. Relying on existing encryption technologies is not an option, as the processing speeds offered by quantum computers would allow them to break encryption quickly, especially since some public-key algorithms have proven susceptible to quantum computer attacks.
The most common public key infrastructure (PKI) used in the world is transport layer security (TLS), which secures data in transit. As such, this should be considered the biggest risk, because if data is captured in transit today, the encryption could be broken five years from now, should quantum computing become commercially available. As such, we need to rethink our approach to hybrid cloud, secure connectivity, and TLS.
“When it comes to quantum security, I think the first thing to fix is connectivity. Two years ago, we introduced support for quantum secure algorithms in the IBM cloud,” says Nataraj. “When you perform application transactions on the wire, this link can be quantum safe. You prepare for the threat. This must be one of the first things, when it comes to cloud security, to work on.”
With the increasing levels of functionality offered by artificial intelligence (AI) and machine learning (ML), automation will become an increasing part of an organization’s security posture. Automated monitoring of security and compliance posture enables continuous security.
Additionally, security deployment will become automated, bridging the gap between CISOs and CIOs and IT teams. This will ensure that they are all consistent with each other and aligned with the organization’s overall security and compliance requirements.
“There’s still a long way to go when it comes to continuous security and compliance infused with automation, and how we move from a reference architecture that can be in a Visio diagram to something prescriptive, deployable, and automated,” says Nataraj.
Preparing for the future
Concerns about data sovereignty and data privacy residency are likely to increase, given regulatory compliance and the geopolitical aspects of data processing. As such, there will be a need for more demonstrable controls and technologies that can help protect data and privacy, which will become infused with confidential computing.
“Applications of confidential computing are still in their infancy and there is still a lot to do, because it is not just a technology, but its use cases in confidential AI,” says Nataraj. “IBM has leveraged confidential computing technology to enable unique approach use cases around encryption key management called Keep Your Own Key, where a customer has technical assurance that only they have access to the keys, where keys are protected in hardware as well as in secure enclaves. This is now extended to hybrid multicloud key management via Unified Key.”
The IT industry is undergoing a fundamental shift as it moves from a web-based model to one based on cloud services. This situation is compounded by emerging technological and regulatory issues. A multicloud system can improve adaptability to changing market trends, but it comes with some challenges. Automating network management policies enables fast and efficient sharing of information across networks, regardless of location, while ensuring compliance is maintained as regulatory requirements change.
“We can help industry, governments and others move forward,” Nataraj concludes. “We will work with governments and their policies to make this happen.”