A leader in the space of CDN (contend delivery network) and cloud services with more than 2 lakh servers in 120 countries, Akamai Technologies’ foray into cybersecurity has been quite successful. With their Intelligent Edge platform, the Massachusetts, US-based company is enabling organisations across the world including in India to migrate their business to cloud and offer digital services in a secure manner. In a telephonic interaction Nick Hawkins, Senior Director, Product Management, Enterprise Security APJ, Akamai Technologies, spells out what makes India a fascinating market, why organisations need to be prepared for a cyberattack and how device posture recognition can help in dealing with exposure at the employee level.
Please tell us a bit about Akamai’s India operations.
India has always been a very important market for us. We have over 250 customers in India. We have a large presence here including a research and development centre in Bangalore with large number of employees (2,000). From a business engagement perspective and certainly from an enterprise security perspective, we have been dealing with a wide range of organisations in financial services, e-commerce, travel, transportation and media. There have also been discussions with some government departments.
What makes India a fascinating and challenging market at the same time?
What I find fascinating about India is the broad spectrum of organisations that exist here. There are organisations moving from the very traditional infrastructure to a more internet-centric infrastructure, which in itself is very much a journey and doesn’t happen overnight. Then there are more internet-centric organisations that are running online applications on the web and on mobile devices. They are already embracing the cloud from a compute platform. They believe in the concept of seeing value in delivering some security services from the cloud, whether it is web application firewalls for their public applications or looking at perimeter security for their internal protection. There are also organisations that are really at the other end of the spectrum, where employees don't have laptops and there is limited to zero external connectivity. The applications are still running in AS/400 Mini computers in basement covered in a layer of dust. If they have any internet connectivity, it's only in one location in headquarters and that too is heavily regulated.
What are the challenges of working in a cost conscious market like India where many companies do not want to spend more on cybersecurity?
When we were introducing our solutions and having conversations around the concept of zero trust and cloud based security couple of years ago, we came across a lot of blank faces. We had to educate customers on why this was important or would become important. In the last couple of years that has definitely changed. The vast majority of customers now understand that the world is shifting, and they want to listen. They may not be in a position to start on that journey yet, particularly if they're a more conservative organisation with a very traditional infrastructure, but at least they want to learn and understand what others are doing, so that they're prepared when the time is appropriate for them to shift.
From a budget perspective, India has always been a very cost conscious market. We have a number of customers that see the value of reducing the dependence and investment in capital intensive hardware and certainly being able to take some of the security capabilities as a service delivered with just a monthly subscription charge. It is something that certainly helps from a financial perspective.
Cyberattacks are continuously evolving, unleashing new threats faster than before. What should be an organisation’s approach to deal with it?
It is a constantly evolving landscape that we're operating in. One of the benefits that Akamai has is the global edge platform and the volume of traffic that we carry on that platform. The threats that we see both targeting our platform and customers on our platform on a daily basis, gives us unique insights into the threat landscape and how that is evolving. We are very aware of the fact that no one security solution can ever claim to be 100% perfect. It's about having multiple layers. A lot of the conversations that we have is about figuring out how the Akamai solutions should fit with some of the other aspects of a customer's security portfolio so that they have as comprehensive solution as possible. So they are ready to react quickly to new threats as they emerge.
Letting employees use smartphone in a work environment can expose an organisation to all sorts of risks. What should be the way to deal with it without curing the flexibility of working on smartphones?
Mobile devices have completely shifted how organisations are opening up their applications. One of the things that we focus on is making sure that our secure access solution also works just as seamlessly with mobile devices as it does for web applications on desktops or laptops. It ensures that users are restricted to only the specific devices that they're entitled to access. Some of the other things that were working on includes
device posture recognition. So effectively an agent on a laptop or on smartphone will understand the posture of the device—whether it has biometric security enabled or has it been jailbroken. So if a device doesn't meet the appropriate security policies of the organisation, user will be restricted from connecting to a company application.
Several reports suggest that employees are responsible for putting organisations at risk of cyberattacks. To what extent can employees be blamed? Shouldn’t organisation do more to secure their business?
A number of IT organisers that I have talked to say that life would be easier if it wasn't for the users they have to deal with. There is clearly more that can be done to educate users on cyber hygiene and the threats that they face in their everyday work. But training and user education are effective to the point of reducing the threats and the potential of attack. I think it's important that organisations build a security posture that works on the assumption that at some point, there will be a user who gets infected and they need to look at security solutions that both minimises the potential of that happening and also recognises and minimise the danger once that has happened.