Cloud Security is big play for MSSPs in India to the likes of Tata Communications as cloud gains acceptance across companies. With network of SOCs, well entrenched customers and an experienced team, Tata Communications aims to be a defacto for securing IT infra of organizations. ComputerWorld India had an interaction with Avinash Prasad, Vice President, Managed Security Services, Tata Communications on the changing role of MSSPs in the era of cloud, big data and cybersecurity.
How do you see the security market in India hinged at the moment and what role does MSSPs like Tata Communications foresee as definite trends?
Our prime approach is tailored as MSSP; but the story does not begin and end with managed services only. Managing the customer environment means that we need to have reasonable understanding of the changes in IT infra and other aspects, and hence we do analytics and consulting activities also. There is fair amount of new technologies like SIEM, signature based and others that are in great demand by organisations. We do the integration and implementation of these solutions if asked by the customers.
Avinash Prasad: Why Tata Communications as MSSP?
· Ability to cross pollinate and transfer information, intelligence and execution.
· 3 dedicated SOCs with a different design philosophy than the competition.
· In-depth capability and a pioneering approach for cloud deployment.
· Secure cloud environment with a holistic view.
· All offerings except one delivered ‘as-a-service’.
· Great appetite to extend footprint globally through upcoming SOCs.
And then the managed services comes in. From that standpoint, our approach is facilitating the longer term relationship with customer. This we do through managed services engagement that’s aligned with assessment, and consulting services backed on the integration and implementation activities.
In the large private sector, the big trend is that companies feel the need to do something new in the infra as they see what’s happening in outside world. And they cannot ignore the security element. Therefore there’s more relevance for us as MSSP to understand threat analysis and interpret the right roadmap for the customers.
The explosion of digital knowledge and marketing activities means that neither we nor our customers can assimilate and interpret the engagement at the start. Our conversation with companies is multi-level, starting from business stakeholders, then CIO seeking credible strategy--whether the solutions will add results to the company and make it secure, and lastly CISO who wants the security provider with adequate solutions and capabilities. The funds for security is not an issue with most companies; but it all boils down to the capability of security or technology provider.
India’s BFSI segment is now facing more pressure from RBI with monthly checks and enforcement policies on banks than before. RBI has also created special cyber security group which has led to lot of action in public and private sector to invest more in new security technologies. The insurance segment (mainly private sector) is also seeing consolidation of their point solutions in the security space.
The third trend lends towards critical infra getting fair attention of mandate as IT leaders want to get deeper into the security technologies that offer adequate visibility too. They also want to know about what their investments in security today will deliver in the next year. That is driving a change in our motion as MSSP with lifecycle model which extends to better business intelligence and assess customer environment over the years beyond standardized SOC and access to systems.
Has the MSSP model matured and become all opex or some part is still capex for companies?
It depends on the approach of customer. Banks don’t blink much as there is fair amount of capex as they are still the big buyers of technologies. Other companies like manufacturing, healthcare there is a shift happening as Opex model is now a significant part.
It’s about how we innovate to the level of the recent announcement of government’s e-marketplace portal (GeM) which is completely cloud-based with no room for any capex. As the opex model goes live, the services move, transactions roll and the commercial risk is also provided by us. This is transaction–based model as we manage the capacity on the cloud and manage cost for the transition to start and the revenue to flow. I see a whole shift from pure capex to zero capex too. Some transformation models like smart cities will favor cloud model. And as the government and citizens benefit from opex based, transaction based model, the revenues trickle in for MSSPs and technology providers.
Security on Cloud is the biggest fear factor for companies. How can MSSP help recede that fear?
Cloud Security is really at a point which is like peeling an onion. It is like coercing IT leaders and CISOs to open and peel the security juggernaut, and then the fear factor erodes a fair bit. Initially, CISOs react instantly, opening a box of concerns on hearing the word ‘cloud security’. But when you talk to them about the need to deliver services around infra transformation and cloud infra being equally critical to business from service, scalability and assurance perspective, then the qualms of security on cloud become relaxed.
Besides non-critical workloads, many companies already have mission critical data — HRMS, sales data, people appraisal data, DSaaS app — on the cloud. And securing the cloud for these companies becomes super important.
“Cloud Security is really at a point which is like peeling an onion. When you coerce IT leaders and CISOs to open the security juggernaut, the fear factor erodes a fair bit.”
VP, Tata Communications
Cloud is undoubtedly about agility and cost amongst other benefits; but the security element has to be baked in at the start. If we associate security to be problematic to cloud, we have another problem. Security has to be incorporated in the ‘plan and build’ stage to secure the cloud and that helps large traction in market for private cloud providers like us and the larger public cloud providers like Azure and AWS. There has been a big ramp up of the number of security tools listed on public cloud providers’ list in the last 12 months. Cloud security is a very big play for us to really make an impact in the market and the customers to benefit out of it.
Have the modern day SLAs become tougher? What’s the new expectation list by CISOs and CIOs of India Inc.?
You can no longer work on operational SLAs in modern world. Cyber risk and Real cyber threat are software elements which are tougher to put into black and white boxes. Operational SLAs were more direct with uptime, downtime etc. Secondly, as the type of user changes and data changes, we have to constantly gather more information as the customer rolls new programs, data type being shared etcetera. We have to understand environment changes in right and timely manner. Customers should have minimum steering committee on monthly basis on new initiatives, programs and further allow us to understand the data ourselves, or their teams can talk to us.
Customers are very clear in terms of whatever technology and services gets implemented on day one, they need to see the roadmap over the next year with the technology provider or MSSP. Secondly there is lot of collaboration happening between tech vendors due to the complexity of the infra at time of requirements. There are organizations that will roll out RFP; maybe not today but in near future. They look to collaborate with technology providers like us to help them deploy the right solutions and services in the fast changing world. They expect right level of partnership upfront whether we are preferred partner or not; but it is about how we can add value to the partnership. Lastly, they want us to be regulation-aware, cloud-aware and aware of all the changes happening in the tech world.
What are the typical pitfalls IT leaders should avoid on their journey of managed security services?
The governance of MSSP hinges on level of trust with the customer based on matrix, performance, and other aspects. It is also based on how they respond when something (breach) hits. CISOs, for many years now, do not look at sheer availability as a parameter to measure MSSP and its strength. The protecting, detecting and responding is the first shift that they expect. They want MSSP to track and report around detection, response and remediation which gives them the confidence for the whole life cycle of cybersecurity.
“MSSP is a dual play with a push from the customers on what they want and how much data/information they can share, and how we create the right engagement model for them.”
In India, many customers put lot of faith in detection and prevention through IT tools. But they are well aware that technology will not work on respond and recover, hence work with MSSPs. The reality is that we can’t let technology operate on its own, and sometimes we do get stuck due to operational reasons, like non-communication between teams (customer and ours). MSSP is really a dual play with a push from the customers on what they want and how much data / information they can share, and how we can create the right emaggement model for them.
CIOs and CSOs always ask us on the share of responsibility – which at times is decided by them or us or both. All customers explicitly tell us that they engage with MSSP due to the lack of technical expertise at their end. Good governance, well architected systems and data management at the customer end needs to be shared with our teams which helps realize the true potential of MSSP model that benefits both sides.
Why should organizations work with Tata Communications than the competition companies in the marketplace?
Tata Communications has the ability to cross pollinate and transfer information, intelligence and execution across the customers through different engagement models. That is the design philosophy of our SOCs. We do have semi dedicated customers too which have hybrid model of on-prem and SaaS. We have built our own tool instead of the standard ITSM. This helps us harvest data from different tools in a multi-tenanted environment to deliver best experience to the customer. At present we have three dedicated SOCs (two in India and one in Singapore) and the plan is to launch three more globally in the next eighteen months.
With our capability depth and pioneering approach in cloud, we are clear that we want to secure cloud environment and tie it back as a holistic view to the customer. Lot of potential is paid to ‘security as a service’ jargon; but we have made it real as today, except one, all our offerings from SIEM to Unified Threat are offered in security-as-a-service mode to the customers.
We have the appetite to extend things globally. Being present in half a dozen different regions, we are well versed with the data change, data rules etc. across the countries. We aim to be a well-entrenched global MSSP through our forthcoming SOCs to address markets of Middle East, Europe and the sixth SOC would extend to US or UK.
Highlight your top priorities for India market. Does security skillsets figure in the list?
We want to evangelize process knowledge out into the market and into the domain. In India, the discipline has not evolved beyond what the tools does ,whereas countries like Israel look at the discipline more than just the tool in cybersecurity. There is enough engineers in India and we want to create entire management of threat as a discipline.
Secondly we want to have partnerships with CERT-in, RBI, and information and sharing analysis groups so that we can create interfaces and play a nodal role in the overall digital economy.
We want to give confidence to Indian customers to use our own platform —service manager platform and service reporting dashboard being two such examples. Our own analytics platform will add value to the huge network and the network data we have over the years. Its built grounds up using open source frameworks, Hadoop, Apache etc. We have the analytics capabilities and the creation of these platforms will deliver more intrincitic value for India market.