
Panel Discussion: Third-party Integration and their implications on cloud IR

BSides Ahmedabad · 36:34 · 199 views · Published 2024-04
Style: Panel
About this talk
👾 Join us for a crucial discussion on the topic of "Third-party Integration and their implications on cloud IR"! Led by moderator Dhruva Goyal (Co-Founder & CEO BugBase), our panel featuring Vikram Mehta (Founder & CEO at cy5.io), Krishnakumar Govindarajan (CTO at MiQ Digital), and Apurva Dalal (CIO at Adani Green Energy Limited and Adani Solar Manufacturing) will dissect the risks associated with integrating third-party services into cloud Incident Response systems. #cloudsecurity #IR #thirdpartyintegrations #ciso #cio
Transcript [en]

Our next discussion is on third-party integrations and their implications on cloud IR. As organizations increasingly migrate their operations to the cloud, they embrace third-party services and integrations to enhance functionality and efficiency. However, while these integrations offer numerous benefits, they also introduce new challenges to incident response within cloud environments. Let's leverage the expertise of our guests to get some insights on it. Please welcome our panel members: Vikram Mehta, founder and CEO of cy5.io; Krishnakumar Govindarajan, CTO at MiQ; and Apurva Dalal, CIO at Adani Green Energy Limited and Adani Solar Manufacturing. This panel will be moderated by Dhruva Goyal, who is the co-founder and CEO at BugBase.

Okay, thank you so much everyone for joining in today. Today's topic is really interesting, because I think one of the core reasons why the industry on its own has grown is that people are now leaving things up to the experts: whoever is good at what, let them take care of it, and then we'll onboard them as a vendor, we'll onboard them as a contractor, and so on. That is what many companies have done, from startups to enterprise, and it has really grown the overall economy. But as you can imagine, it presents an interesting problem to CISOs as well as CIOs: you are integrating your own data and your own infrastructure with someone else's, and that is always a major risk. That is what today's panel will be about. We'll be trying to understand, from a CISO's perspective as well as from a vendor's perspective, how these third-party integrations work, how a CISO looks at their cloud strategy, how they look at their incident response strategy according to that, and so on. So to kick off, I would like every panelist to briefly introduce themselves first and then answer the age-old question of what do you prefer, cloud or on-prem, so SaaS or on-prem, right? That's always an interesting challenge. Thanks.

So, morning everyone, thanks. My name is Vikram, the founder and CEO of a company called cy5, based out of gal. I've led various leadership roles in security in the past. To sort of answer your question: I think just like there has been an era of cloud adoption or transition, etc., the industry is now going through a shift of a similar nature, but into SaaS. Just like with on-prem infrastructure and deployments there was initially a reluctance about whether to move to the cloud or not, similarly now there are massive amounts of SaaS adoption. Organizations do not really require or want to manage applications and data themselves, but would rather offload that kind of data processing and expertise to SaaS platforms and the product companies out there. But again, that comes with its own challenges. For instance, regulated industries such as banking or telecommunication would have a little bit of apprehension, for the right reasons, and that's where third-party risk management and security players are very, very important to ensure that there's a balance between business operations, technology excellence, and security at the same time. So I think, looking forward to the discussion, it should be super interesting.

Yes, good afternoon folks. My name is Krish and I lead the technology arm of a company called MiQ, which is in the ad tech space. Coming to this question in terms of SaaS and on-prem and whatnot: for a company like ours, we are pretty much 100% on AWS, and now the choice is between going for pure-play SaaS integrations or how much we want to host or manage something within our own infrastructure. Like Vikram mentioned, for me it's more of a trade-off conversation with multiple different levers involved. One aspect of it is definitely the cost, but that cannot be the be-all and end-all, though of course depending on the size of the organization it can play a big factor. At the end of the day it is about: do you have the expertise, how much do you really want to invest, is it really going to be sustainable for you in the long run, and how much does this influence or form part of your core strategy or your core identity as a company? That really translates to where you want to invest, especially in a smaller organization where there is only so much that can be done, so prioritization is really key. Those are all the different factors that go in, but given a choice, the priority or the preference is like what Vikram mentioned: there are experts out there, let them do their job, and I might as well focus on what I'm good at, what I'm supposed to be good at, and when I say "I" I mean the company. Yeah, focus is the key there.

The choice between SaaS and on-prem depends on the organization's requirements. I would suggest: basically you have to look at your enterprise landscape, look at the applications that you have, what you can take into cloud and what you can keep on-prem. Like Vikram and Krishna both said, for some organizations, yes, definitely, their requirements are satisfied when they go totally on cloud. But if you look at manufacturing industries, when it comes to MES, the manufacturing execution system, you can't take it on cloud. These are all R systems, so it has to be on-prem. So that decision will differ from organization to organization, and the assessment has to be done.

Thank you so much everyone. That's very interesting: everyone is in favor of both. I would like a lot of people to be in favor of SaaS as well, because on-prem deployments are complicated. Just taking on from there, whenever you're onboarding a vendor, and I am a vendor, so whenever an enterprise onboards me, I get a long form that I have to basically fill out that contains all kinds of questions: ISO, where are you storing data, what is your data flow diagram, and ten other things. I look at it as a chore, but of course I understand from a CISO's perspective, from a leader's perspective, that it is very important. So Apurva sir, I think you would be able to provide some insight on this: how do you look at onboarding vendors, how does it change from, say, onboarding a smaller startup to a scaled-up enterprise, and how do you manage that overall process, if you can shed some light on that?

So, like you said, you get a long list of questions, but that is good for both sides, because whatever you fill in, we have to read and we have to verify. The reason behind it is that the organization is putting trust in a partner, and that trust has to be validated, because you can't have blind trust. After all, it is the organization's data, and there is certain data which is IP-based and all that. So onboarding a vendor is very, very critical, and you have to go through a long assessment. Definitely, every organization defines a risk management framework, and one of the important topics in that is how you onboard third-party partners. That's where the organizations will verify what your credentials are on the security side: whether you are ISO compliant, SOC 2 compliant, or, depending on the type of vendor, HIPAA and all that. Secondly, they will also review your system architecture, because when you put trust between the two architectures they need to review how your integration will happen and how you are going to handle the data that you are going to access. So if some data is going to be with you, what is the strategy that your vendor will be adopting, whether there will be encryption standards, what are your coding standards, so regular code reviews and assessments will definitely happen. And because this is a partnership, it is not that once it is done it will not happen again; it has to be regular, because as you mature, the partner also matures and the organization matures, so the strategy has to be reviewed. That is very important, because otherwise what you have done, like three years back, will not be true after three years. So continuous assessment has to be there for the vendor also. Over a period of time trust is there; it is not that trust will not be there, but in today's world it is difficult, because of the cyber attacks that are happening, organizations need to protect themselves. That is how you do it when onboarding: you have to go through the long list of assessment questionnaires. We also have to look at your data residency plan, because if something fails, how do I come back up, how are you taking care of those things. I think this is very important.

Sir, CISOs maintaining this and actually enforcing it in a strong way overall supports the ecosystem as well. It's really important for many startups to actually realize that they have to become ISO compliant, they have to become SOC 2 compliant, and so on. You're very right in the point that the overall credentials of the organization also have to be verified, because it is a long-term partnership after all; it is B2B, not B2C, and there needs to be support and many other things. So thank you so much for that answer, sir. I'll move on to the next question, so this question is

to Krishna. So we spoke about onboarding a vendor; now I would like to understand from your perspective how the presence of a third-party integration impacts your strategy. How do you actually monitor what is going on with that integration, how is it that you're taking care of the alerts, and are there any particular best practices that you recommend when engaging with a third party?

Yeah, absolutely. Just to touch upon that questionnaire that you mentioned: when I or my team has to submit it, it needs to be really short; when I'm expecting it from others, it's never short enough. It needs as much input as possible, so we get to understand what exactly is going on behind the scenes, what these integrations really are, or what we are really getting into. But then when you look at it, this doesn't really take into consideration what best practices and so on you need to have within your ecosystem in the first place. Like a lot of previous panelists also mentioned in terms of mitigation and whatnot, the fact of the matter is these integrations are going to be there, they are going to proliferate, but then what can you do from an architectural aspect? It's not just the application architecture side of things but also the data architecture side of things: understanding what kind of data you have, the sensitivity there, the different tiering of that data, which gets into the zoning of that data as well. And then when you're looking at all these integrations, what kind of data really needs to be exposed through these third parties, what kind of interventions do you need to have in place, what kind of monitoring and alerting needs to be in place. So it's pretty situational as well, but it helps a lot to go back to the drawing board of what the landscape should look like, because essentially this is pretty much what we did in the recent past as well. We wanted to bring in more of these controls, more oversight, more of these certifications, and get everything sorted out, but when you really look at it, just focusing on those things is not going to really help. So we had to take a step back and really go back to the drawing board, which has led to a good amount of checks and balances, bringing in proper governance and so on. Coming to the monitoring thing, there are a lot of tools available, but you can't just rely on that; it needs a holistic approach.

Got it. Taking on from there, Vikram, I think this could be very interesting for you as well, because you have the experience of heading a security team at MakeMyTrip, and now you have your own company, so you've seen both sides of how this data flows in and out. From your perspective, how do you manage all this data, how do you ensure that the right data is going, as Krishna mentioned as well, and how do you monitor any kind of sensitive information maybe flowing to the other party, and so on?

See, I think what Krish mentioned is super critical. Apart from a standard vendor assessment checklist, it's really important to understand, and not just for the security team but also for the larger engineering and product teams, what that integration is all about: what APIs are being called, down to what data is actually leaving your organization into a third party. If left alone to a security team, more often than not security teams might not have the visibility of what parameters are actually being sent out via an API call. So in my opinion it's a larger responsibility of product and engineering functions as well to own third-party risk management, and to own the context. Not every third-party integration is alike: there would be a product integration, there could be T&M engagements where you might have data flowing through endpoints, so it depends on the kind. But how do you own the context? I think that trickles down from the business requirement: what is a third party trying to solve for you? Is it a system integration, is it outsourcing business processes, is it a call center that's working for you? So every third-party integration or outsourcing engagement should, in my opinion, be treated differently and assessed differently, although there would be standards that would be measured against. But I think that context is super critical to ensure that the security team and technology teams are actually going down to the level of detail that's really required. I'll give you a couple of examples. Let's say there is a call center process that needs to be outsourced, and for an organization customer data is super critical and very important. If there is a non-negotiable control, organizations might just want to extend their DLP and ngv systems to the call center, saying, okay, fine, fair enough, we trust you, but we would like our visibility to be there as well. So I think that's the context that I'm talking about. And nowadays the good thing is that there are a lot of technology solutions that also help with this: there are data observability platforms, and they can help you get down to that level of actually looking at what data is being exchanged from one third party to another. So I think it's a mix of two or three aspects that have to go hand in hand, and like I mentioned again, context is really important as far as at least critical third-party integrations are concerned.

With regards to observability, I think that is becoming extremely important, and I'm seeing many companies pop up in the space of observability as well, be it cloud or on-prem, and it's great that you brought that up. Now coming to the next question, which is for

Apurva sir, which is on compliance. Compliance is something everyone kind of groans at, but again, as we discussed earlier, it is important from a CISO's perspective. How do you take care of compliance from a global point of view? Your customers may be somewhere in the US, your customer may be in Europe; in Europe there is GDPR, in the US there will be CCPA, in India there is now the DPDP law that is also coming. How do you take care of these compliance challenges, how do you ensure that everything is compliant, and have you thought of compliance-as-code solutions as well, if you can give a bit of insight on that?

Yeah, so if you look today, the system integrators are operating globally, so definitely compliance is the key. When you look at compliance, you have to see the local regulatory requirement of where the data should reside, because if you are processing for Europe, the EU has stringent requirements on where that data should reside. Now even India, with DPDP coming in, it will happen the same way. So yes, definitely for compliance you'll have to have multiple certifications as a system integrator; they'll have to have multiple certifications as an organization. When I am partnering with a system integrator I will also look at what compliance they follow, whether it is fitting my requirement, whether it is adhering to the enterprise security policies that we have in place. The second part will be, when you look at compliance for system integrators as well as for enterprises, what is the fallback plan: how do you give me my data back? As an organization, if I am hosting data somewhere, I will always ask, if I want to terminate a contract, how do I get my data back, what will the data policy be, and all that. So there are definitely things where you have to involve your legal and compliance team, because you have to follow the laws of the land, correct? As a CISO we won't be able to understand the nitty-gritty of those laws, so that's where you need legal help also, to understand the nitty-gritty and ensure that when you make a contract, your contract is robust. Otherwise it's very difficult; you land up in a legal battle, which is not good for either party.

Yeah, no, I think it's very interesting. Working with SIs, for a CISO, I would imagine would be complex, because at the back end, where is the SI storing the data, what all ten vendors are they working with, are they following these global laws or not. I think from a legal and compliance perspective, having a strong contract is one of the only ways to properly enforce it, and then again you're dependent on the credentials of the SI that you're working with.

And you do assessment of your partners also; you have the right to do the assessment, so that's how you make your contract, that I can come to your premises and I can do that.

Awesome. So we move on to the next question, and this is a question that I love talking about, and this is for Krishna. So Krishna, API security is one of the core topics right now in the world, because practically everything is connected to each other with APIs, and if you look at the overall web traffic that's going on in the world right now, I think around 60% of all of it is actually API traffic. It's not GET requests, it's not fetching HTML pages anymore, it's just JSON talking to each other and so on. So when many companies are integrating with third parties using only APIs, API security is something that becomes extremely important. What is your opinion on API security, how should startups and enterprises look at API security, and how do you solve the many challenges that arise in this space? You have shadow APIs, which are unused API endpoints that are not documented but are operational. How do you go about that?

Yeah, it is definitely a problem that we are facing, not just in terms of the third party; even within your own organization you have a hell of a lot of these services running and these endpoints exposed, and over a period of time they get lost, they get forgotten. So definitely a good amount of work goes into managing and maintaining these things, and I would spend more time on the internal set of things, because there is also the external set. For example, the way we do it, it's an API-first approach that we take even from the internal development side of things, and that's what we end up exposing to the outside world as well, as a SaaS offering and whatnot. So we really need to be baking those things into how we go about building the right API ecosystem and baking in API security. Someone, I think it was sades earlier, was talking about the whole shift-left strategy: how do you really bring that to the forefront, not as the end thing, but how do you bake that into the API design part. So how are the tokens managed, how are the secrets managed, what is the header policy that you use, so on and so forth. That kind of gets baked into how you end up developing stuff, and I think that also translates into what you need to expect with the integrations that you are looking at, or integrating or working with, and what best practices are being followed. The other aspect of it is again with all the data, as mentioned: what are you really passing on, and what's right? That's where the partnerships also become really key. There is no one-size-fits-all, but a SaaS offering with an API has a set contract interface, and it might not be the exact fit for what you're looking at, but is there a way to tweak it to serve your use case with just enough stuff that is required, that you pass back and forth, to make it work for you? So you take away all the external stuff, trying to reduce that threat surface in that case. So all the best practices involve having that clean ecosystem, and then these days there are really good tools available, API security platforms, which bake it into the whole CI/CD side of things too, and of course all the different testing strategies, penetration assessment and so on and so forth, that you do to make sure that you're on the right side of these things.

Correct. I think one of the big problems that arise over here is just discovery of the endpoints, and as an organization scales to such a large

extent, you may have a thousand, a million API endpoints at the end of the day. So what is the strategy to ensure that everything gets documented? Because all developers say "documentation", I think everybody kind of knows that, but from a security perspective you can understand how important documentation is. How do you enforce that everybody documents everything they're building?

Yeah, I mean, one is lack of documentation, and sometimes there is a lot of crappy documentation. So what we are doing currently, the practice that we just started on, is the service chassis based architecture, where we end up creating all those core components, those building blocks, that our engineers, our folks, can leverage to bootstrap an application. Some of these things are actually baked in, in terms of these best practices, the part that you mentioned on the security side, and the same thing applies for the documentation side of things too, where these things become not a task, but there is a base version that is available already. And then there are a good amount of platforms as well that are coming up that provide that whole integration, the platform-as-a-product, I'm not endorsing anything by the way, but products like Backstage and whatnot that really help bring things to the forefront, to get a proper inventory of what is out there, and not just that but going deep down into the behavior, in terms of the usage, in terms of the lineage, in terms of tracing stuff through. So there's a good amount of innovation happening there, and I think investing there, bringing those kinds of tools into the ecosystem, could help reduce the pain.

No, I think reducing the pain is something very important, because with all of cyber security there's no end, no "okay, I've done cyber security for my company, that's it, I'm done". It's always a journey, it's always a process, and just making that process easier is what everyone is kind of striving for. I've seen API security incidents a lot in the wild as well. Recently I was doing a pen test, and I won't name the company: they had a payment gateway basically implemented with one of the larger providers, and the issue that I identified was, you add an iPhone to your cart and you go to pay, you click on pay and then you enter your card details, and then that popup opens for entering your OTP. So instead of entering the OTP you just close that tab and you come back to the previous page, and it says transaction succeeded. So what could be the problem here? The problem here wasn't on the provider side of things; the payment gateway provider was secure, they were tested, but the client-side implementation of the API was messed up. So all kinds of issues arise over here, and that's just how it goes.

Moving on from there, Vikram, I would like to ask you a question: if you can share, without disclosing any secretive or revealing details, any interesting incident that you've seen in integrating with a third-party service provider that you can share with the audience and everyone else?

Yeah, so I think I'll probably talk a little bit about that and then go around a few low-hanging fruits that we've seen work in various companies that we've worked with. One of the instances that I could probably recall is, again, a third party with certain business processes that were outsourced, and those are core business processes, and that third party was connected to the mother network via MPLS etc. The third party got compromised and then there was lateral movement happening back onto the core enterprise network. Now again, third-party risk management, vendor risk assessment, everything was done, but there was still a compromise. Now how was that compromise detected? There were solutions such as network detection and response in place, there were SIEM platforms in place that started flagging off lateral movement, and that's where one understood that it's actually a third party that's been compromised that's trying to make its way into the core network. So I think that's precisely what we're talking about: a lot of the time assessments are definitely good, like that's a must-have, but it's also important to make sure that you either extend your security controls, or if not, at least at a bare minimum have enough observability and monitoring in place so that in case there is a compromise at one of the third parties, you get to know before things go too bad. Another scenario that I could probably recall is there was an API integration, data was going out, but the third party was compromised and the data would make it public. Now again, there as well it's important to leverage technology such as surface and dark web monitoring to understand or get a head start into an incident, just to make sure that you pull the right plugs where required. Fixes for stuff like this are easy; it's not rocket science. I'm a firm believer that humans always make mistakes, it's human nature to falter, so it's very important to have technology controls in place that give you the right visibility at the right time. For example, you talked about APIs being insecure or going live; we've seen instances where APIs go live without the security team getting to know about it. So use a SIEM platform to notify you when an API goes live without consent, and there's your first line of defense.

Correct. I think these incidents are kind of going global everywhere, and in fact I think a lot of bug bounty hunters who would be here would be noticing this as well: if you want an XSS on an application, you look for places where there is an iframe of a third party, and if you find an XSS on that third party you are able to actually gain cross-site request forgery on the domain you're trying to hack. This is one of the best ways, because the third party may be insecure, but that is leading to the main domain's compromise, and that caused a lot of problems across the world, and big bounties have been given out.

We're running a bit short of time, so I'm going to move on to the final set of questions. So Apurva sir, one question, and something very interesting that's popping in, is AI, and with things like ChatGPT and all coming in,

you're always scared that there's going to be some AI hacker that's going to come in now and ruin all the overall security measures that you have in place. But there's also the hope that AI will supplement the security solutions that are there already, which it is already doing. So what is your opinion on AI helping you out or harming you in the overall infosec space, as a security leader, if you can shed some light on that?

So like you said, it works on both sides, positive and negative. Definitely it is a continuous effort that you have to make: how do you protect your organization? When you look at your strategy you have to see how you can have threat intel fed into your system and have AI/ML running on that, because today, with lots of data and logs coming in, it is humanly impossible to read all the logs and all that, so that is where AI is going to help you. But at the same time, threat actors are going to use the same thing against you. Today if you look at phishing, the phishing emails have become like realistic emails with the use of AI technologies. So definitely there are pros and cons. And see, AI also works on the data that you feed in, so if your data is biased you are not going to get the right answer. So that's where you have to put a strategy in place for how you are going to have your AI tools working with your security system to give you the right intent to protect your environment.

So I think that's very important, and you pointed out very rightly that today itself people are using AI to write phishing emails, and they're very good, and similarly they scale to whatever length. So having good controls in place is becoming very important. Vikram, we'll wrap it off with a question to you. The recent DPDP bill has basically come in in India; you would have heard of it, I think everybody in this audience has. It's one of the first laws that has been implemented for data security, for cyber security at all, in India, and I think the good part of it is that there is a massive fine on it, so people will actually get down to implementing it. So what is your opinion on the DPDP bill and how it's going to impact companies working with other vendors, because that's where I think everyone is really concerned, if you can shed some light on that?

I think the first thing that's probably going to start happening is law firms are going to make a lot of money, right? So I think there's going to be a massive revision of contracts, liability shifts, liability caps probably getting capped at the DPDP fine rather than anything else, and cyber insurance is going to make a lot of money. So these are some aspects that are natural, and we saw the same shift in the European Union with the GDPR coming in. It's definitely a very important step in not just third-party security but the security health of the nation, and I think it's a step in the right direction for sure, because we all know how personal data is treated; we all get numerous spam calls, and I think this has a lot to do with primary as well as third-party data processing. So I think it's definitely a step in the right direction, as long as it's enforced in the right way. One of the biggest reasons why GDPR has been such a massive success is the level of enforcement: whether it was the FAANG companies, whether it was any multi-billion dollar company, when there was a breach it was followed by action. So I think enforcement is going to be key for us to see this actually hit the road.

I think everybody is looking forward to that enforcement. I was speaking to a security leader a couple of weeks back and they were telling me the same thing: whoever cracks implementation of DPDP automatically is going to make a lot of money, because everybody is concerned about it. So I think we'll wrap it up and open up to the audience, if anybody wants to ask any questions to the panelists on any of the topics. Any questions, anyone? Okay, I think people will reach out to you; we've run out of time.

Well, no, I think, yeah, we are done. So yeah, I just wanted to add that a lot of it is the default settings. As you all were mentioning, it is the human error. We have a lot of resources available, whichever cloud we take; we have a lot of security default options, and if people look into them, then also we can prevent a lot of things. But yeah, I just want to thank you all.