Dr. Srijith Nair is a cyber security veteran, he received his M.Sc. (CS) from NUS, Singapore in 2002 and a B.Tech (EEE) (First class honours) from NTU, Singapore in 2000, under the SIA/NOL Undergraduate Scholarship Program. He obtained his Ph.D. in CS from Vrije Universiteit, Amsterdam where he worked with Prof. Andrew S. Tanenbaum and Associate Prof. Bruno Crispo on the problem of information flow control and policy enforcement, applied cryptography, and general system security.
Srijith has been a speaker in several industry conferences and summits and has also published several peer-reviewed papers in international journals and conferences and has served on several Program Committee. He has several patents under his name.
Q. Please start by briefing us about yourself
I am Dr. Srijith Nair, Directory of Information Security at Careem. My team and I work with the engineering and business functions within Careem to ensure that the customer, Captain, partner and colleague data is secured and used in a compliant manner.
Q. Cloud computing is a main pillar for digital transformation, how can enterprises ensure that they are not compromising their data while implementing it?
Cloud computing indeed provides a great tool for digital transformation. Security capabilities are one of the key strengths that can be leveraged by customers operating in the cloud if done in the correct manner. However, security in the cloud is not a given and does not come for “free”. Organizations need to be aware of some key aspects of cloud security in order to ensure that their data is safe. Some of them are:
– Understand the shared responsibility model, aspects of security that the cloud service provider takes up on their side, and the aspects that are still your responsibility. These vary based on the type of cloud service (IaaS, PaaS, SaaS) being used.
– Agree and adhere to a standards-based security baseline for all aspects related to security (golden images, default configurations, network segmentation, etc.)
– Shift left in order to manage the complexity and fast pace brought in by the flexibility offered by the cloud environment.
– Have an incident management process in mind that reflects the nature of the cloud environment you are running.
Q. Being a cyber security specialist, can you elaborate on security in the cloud and of the cloud itself?
Simply put, “security of the cloud” refers to the security of the cloud infrastructure itself that powers the offering provided by the Cloud Service Provider. These involve the procedures and technology that Cloud Service Providers use to secure the environment, including all the way from physical security to TPM chips in cloud baser physical servers. “Security in the cloud” typically refers to the technologies and processes that consumers of cloud services need to adopt in order to secure their use of the cloud service. This can be as “simple” as choosing a strong password and turning on MFA and as complex as ensuring your applications running in the cloud are free from bugs that can be exploited.
Q. How can we leverage zero-trust elements with cloud security?
Several elements of Zero Trust can and should be embedded in cloud security. Elements related to network (micro) segmentation and access control, identity management, granular user access management, web application firewall, enhanced data protection, and leveraging threat intelligence from cloud providers need to be considered. Each of these elements can leverage the capabilities provided by the cloud provider that probably is at a higher maturity level than the smaller SMEs can afford to build out.
Q. What are some of the most important compliance controls to implement to be cybersafe?
There are several compliance controls that are in general good security hygiene to implement to be cybersafe. Encryption at rest and in transit, configuration, patch and vulnerability management process, firewalls at the network and/or application level, having data loss prevention capability (in the cloud and otherwise), and keeping a risk register to provide visibility on the risks are some of them.