 team and works in defining technical strategy and development of IBM Cloud security. He is an open group certified distinguished architect, IBM master inventor, certified ethical hacker and member of the IBM Academy of Technology. Shrikanth also serves as a member of the open group architect certification group. Shrikanth, over to you. Good morning sir. I say let me thank the open group for providing me this opportunity to be at the stage to actually follow and act like Dr. Pulsandrai who has given us a lot of insight into the threat landscape in the country and what are the challenges ahead of us. So, without much ado, the topics that I have to discuss was mainly this digital transformation that is happening in the industry within the government, within the enterprises. And we had certain good discussions yesterday about what are the difference architectures, how enterprises are transforming to that digital world. So, I wouldn't spend more time on some of that, but as architects we are always passionate about patterns, the ways we try to abstract how multiple people are building these digital enterprises, the patterns there and how we can actually address security paid into those patterns. So, lastly, what will touch upon the, you know, how do we address those scenarios in that sense. So, again, particularly of the changing business landscape, we all know how Dr. Pulsandrai talked about it, each and every industry is going through these changes or, you know, the way we know each industry is changing, right. We can see it in banking, you know, the new kids on the blocks are like not the banking folks, but people like, you know, KGM or. So, many of these enterprises, like whether you take the retail, whether you take the credit card, whether you take the bank, all of these industries are changing so fast that the traditional enterprises are trying to do continuously, trying to do in a way and make that value given to the N customers. So, it's all about, you know, whether it's about enterprise architecture or about business trees, the ultimate aim is about how do I present or give more value to that N customer. And in this process, again, all of us have certain legacy with us. All of us have to run in the two-speed stuff that we talked about, right. You know, the earlier presentation on, I think it was Eugene and Guru Dhaka about it around the two-speed IT, right. So, there is this traditional IT that is going at a speed but it's mostly the systems of records. So, there you have your enterprise data sitting there and then you want to serve your customer personalizing. So, the personalized experience are giving each of these, each of the customer, creating them as special and giving them special experience is a key to differentiate and you can do that without using technology. And we talked about almost all of this in the previous presentations like when they talk about, you know, doing, giving a cool mobile application which is personalized for that individual or whether it is analyzing tons of data, you know, the social data whether it is a Facebook, Twitter or the other data and giving that personalized experience. Or we talked about some of the things that how cloud becomes ubiquitous, right, to do that, you know, the systems of engagement part. So, you have a traditional thing which is the systems of records and then the new systems which needs to run at a faster pace to give you that personalized experience that is the, you know, the new applications that are born in the cloud or these are, you know, the hybrid applications that are becoming the new normal. So, we have talked about most of this. I want to touch up on one of the other things that has been, that has not been discussed so far is one of the things has this cognitive capability. So, you see that, that has soon becoming one of the additions to this digital transformation. So, most enterprises are trying to build applications that are, you know, intelligent that help you in the decision making. So, these are the cognitive capabilities that are getting built into the applications. Now, we all know this is happening and this is happening right now that this transformation is happening. There is also the marketing material, also the analyst material which says that so many persons, so many billion dollars to be invested to be done in the next few years of the digital enterprise. But the key messages here is that API economy is getting real. So, each of these enterprises are becoming what you call a source and a consumer both from an ecosystem standpoint and then all of us are striving to give it that unique experience. And like I said, cognitive will be one of the key changes or one of the new additions that we will see when we discuss digital transformation. Government simply put, there is a lot of push to move to the digital economy. The simple in a picture that I am representing here is nothing but the jam trinity, the gender, other and the mobile. So, the different way to look at this is gender is nothing but your asset, your money, your asset. Now, you are having a new way to access, transact and do stuff with your assets online and other like it was discussed multiple times that's the identity system. And Dr. Rai also spoke about this that the identity is actually becoming a new period. So, when I say that it's all based on the identity whether you decide whether to give access to this person to this person or asset or not. And then the mobile becomes a friend of the user experience which has to be backed up with a lot of analytics, a lot of compute in the back end with a plug. So, government is doing this, the enterprises are moving towards this. So, in all these cases to summarize there are these things that we talked about yesterday like digital speed ID where the businesses are becoming social, they want to engage with you. So, there is this ecosystem that you might be consuming a set of AVI from one set of business partners, you build your service and then you become a service provider for somebody else who will add value to that particular set of services. And so, this thing is happening right now. So, you can take multiple examples set of multiple industries, you will find that even just take the example of other itself. There is nothing but a single API. You put in your set of biometrics, it will tell you who are you, this is your identity. But just look at the amount of capabilities and the amount of opportunities that you have to innovate. Just today it is possible when few years back somebody told me that you can send money from one other company to another other company. It is possible because of that good set of AVI that are available to you. Very powerful. So, you can imagine the number of applications that it is an open playing field. So, anybody can innovate using that set of AVI's. And we know how many times today you go walking to a bank for doing anything. The ATMs actually change that industry. You never have to see a banker these days until it is very, very specific to you or something. Otherwise you go to your ATM, you go to your internet banking, and you do the things that you want to pass on. So similarly, you can imagine how this API can change the entire system. For example, your bank account is now portable just like your mobile number. So whichever number you have, whichever other number or whichever bank you have linked to your other number, that becomes your bank account. Now, all of this is good. So, let us try to see this from a security pair of eyes, right? Now, I told that, you know, hybrid cloud is becoming the new dark look. So, can all of us have some assets in-house and there are these new systems that we are taking from the cloud? There is a changing set of line of business that's going and taking, you know, SaaS applications. That's one of the data points that I've shown that, you know, more and more you will see that people or the line of business are tempted to buy things as a service. So what happens? All of this is like, you end up with a hybrid cloud model where what you have is like, you know, you have your traditional enterprise stuff on the right-hand side and then you try to expose them as APIs which can be consumed by applications in the cloud. So you are trying to see how to make my mainframe data or some Oracle database into a certain set of APIs that can be consumed by my applications that are willing to engage with me, engage with the customer, right? Then there are these... So in this case, it all becomes, as a security guy, how can I ensure that by things which are core to me which are existing in-house are secured and how do I make sure that there is secure transmission of data across, like the data in transit is protected and how do I secure that the data in the cloud is secured. Then we have the new general companies which are like the born in the cloud companies. So we heard microservices yesterday that is nothing but a cloud-media programming model where you think of a solution built of multiple services. You have the other company, you have weather data, you have the GPS data, you have the location APIs. Put them together and you build your applications. So the new Uber's of the world, they don't have any IT in their infrastructure. I believe they're enterprise. It's all in the cloud. Now you have to think about what does it happen if I'm having all my data in the cloud? What happens if the cloud provider goes off one day? What is the availability of this? Who is backing up my data? What is the business continuity? So all of these are security threats. Is the data safe in the cloud? Is it encrypted? All of those things, right? Talk about mobile. So these are any reference architecture that leads to these set of things that, you know, as architects we can go and look up these patterns, how, you know, these are the various patterns in which the digital transformation is happening. So mobile, like I said, is that user experience that we deliver on behalf of the end user. But there is a strong backend. The mobile backend is a service that is backing up this particular user experience. From a security standpoint, there was a study that, you know, for almost 100% of the application that you have on the app stores or specifically on Android, there is 100% hacked version of that also available. So you have things like... So within the mobile, again, you know, the attack surface again becomes larger. You're not only required to secure the backend part, but also the device side and the transaction part. So I'll give you the details of the solution elements. So first, I want to make sure that all of us are at the same pace when we talk about the different patterns of digital transformation. I'm sure that all of you in this room would have touched one of these patterns one day or the other in your day-to-day life. Let's talk about e-commerce. So there is... This is one big revolution happening. They could cut the Amazon and snap deal stuff that we are experiencing today. It's very easy for us to... We just need to search for one item and if you haven't cleared your cookie or your cash in the browser, it keeps reminding you that you have to buy that soap or that perfume every day, every site that you visit there will be a site bar coming up. So this is, again, giving you personalized recommendations that the power bank that you wanted to buy it was 1,200 rupees, now it's very stated that you might want to just click and buy that. But again, what you have to realize is that there is your data, whether it is in the form of Facebook or whatever, that is being used to give you back that same, you know, the personalized experience. Again, the way that this is transforming is like you look at building cognitive capabilities into some of these solutions. I could just go and check, okay, I'm visiting Pataram Sami Temple in Trivandrum. What dress should I be wearing? So I can actually tell you these are the, these are the, you know, the attack that is recommended for you for a visit to this temple, right? So these sort of capabilities are very good. It enriches the user experience, but at the same time, the attack service for the bad guy keeps on increasing. Let's talk about IoT. Sir talked about it in his top concerns, right? Fifty million or maybe it's a bigger number that more and more things are getting connected. Talk about connected cars. Talk about smart homes, smart cities. The foundation is nothing but building blocks are here, right? These are building components that you need to deliver the IoT capabilities. So you need to have the capability to identify each and every device, whether it is a smart meter, whether it is any digital device that you take the rate of cut. And in fact, the attack that happened on the, you know, some attack triggered from the North America all the way to the nuclear power plant was through a SCADA line, exploiting at the level three, level four device and then going all up to the control systems, right? I don't know how many of you read this news? This was last week or the week before that. 200-year-old, maybe 100-plus year-old hotel in Austria. You can imagine the time there, right? This is the winter and it is cold. It is snowing all outside. There was a hacker who locked out 200 of its guests out of that hotel. What he did was he hacked into the system which issues this, you know, the digital keys for the doors. So, I mean, the key or the cards that are issued for the doors. So, it was a ransomware attack. The hotel had no option but to pay the ransomware. Pay for that ransom, like the details that they have shared is something like this. It's 1400 euros to get it unlocked and get the guest back into the hotel. But it is more than that when they are asking to transact in Bitcoins and ransom certain bigger amount to their Bitcoin account where nobody can drag this and nobody can, you know, then it becomes how do I know the incident response and all of those things. So, this is, again, the attack services are increasing. We talked about data analytics. This is, again, there are multiple sources of information that ecosystem, like, you know, somebody's end product becomes the input for the next person in that chain. So, you're collecting a lot of these data, analyzing it and then setting it to for analysis. I'll also talk about cognitive in that context, which is nothing but, you know, you have systems today that are aiding people to make certain decisions. Like, it is happening across all the industries. Like, if I talk about the hotel industry itself, like, Hilton has employed, like, a robot to actually lead you and take questions and answers for your frequently asked questions. So, if you have a ground proof that it is trained and then you create a model and then when the actual system, actual questions hits that system, then it knows how to respond based on how this train. So, these are the components that are there in that architecture. But more importantly, you look at how it is changing the industry, whether it is a hotel industry or you take, for example, the lift or the guys who move, the guys who, you know, do elevator business, right? I could just say, like, you know, in my connected car, take me to Lila Palace Point Road, Old Airport Road, it will take me there. They're taking, they're in the lift and say, open group conference, I don't know which floor I should press or anything like that. It will take me to the right place. So, there are things like this happening where cognitive capabilities is being added to each of the capabilities, right? Again, from the attack surface, there are mostly stuff around privacy concerns that comes into play. Like, how much of data you are willing to share to get the benefits that you are looking for. So, this is a different form of the chart, the pie chart that Sir shared, which was all about the different sorts of attacks. And that was a very India-specific chart in terms of the attack vectors there. So, this is a worldwide chart where you see the attacks are growing over the years, whether it is DDOS, whether it is SQL injection, whether it is process scripting. These are all things that we know we can avoid, but other abilities would exist in software and that's why we have our job also. But having said that, you'll see that the attack is getting more and more sophisticated. The attack is more and more targeted. That is what we call the advanced persistent threats where the hacker really knows what he wants to get out of it. So, if one path is failing, he's going to come back and look at a different path and make sure that it takes the data out. At the same time, on the other side, so there was a set of things that were discussed as challenges, or the enterprise or government or anybody, the challenge has been how to bring all of these things together to understand what is happening. It's a difficult task because there are like 85 different tools or 85 different tools from 45 different vendors. What is the network side? Does it know what is the type of attack happening in the application side? So, unless you bring together both of these and know that this is an attack that is coming from Russia or from a particular IP location, which you don't expect such traffic into your application, you wouldn't have the intelligence to tell that, okay, that is a suspect and I should look into that. So, the other key challenge has been embracing cloud or mobile. What are the concerns there? How many of you here working on the security side of things? A few. So, these are very commodity in the market, I guess. So, there is a lot of demand for security professionals. And in fact, there has been a push from the NASCARB side, the National Skills Development side to build security professionals. And the estimate is like we've given a target to say, I guess, what million security professionals by 2020? And NASCARB and Skills Development Council has put out certain, you know, the roles and associated skills. So, quickly on the security architecture for this, we have to have the, you know, the following, the eight red boxes. I know it's not readable from there, but it is essentially securing your, you know, managing the identity and access, securing your infrastructure, securing your data. And then, talking about the main part is around the disability part. So, these three things are the core for whether you're doing mobile or whether you're doing cloud. So, if you're, there are the last CCICA conference, there was the chief from the cloud security, we already said, okay, if your workloads are moving to cloud, if your workloads are moving to cloud, better make sure that your security is also moving to cloud. Because we know traditionally security has been delivered as physical boxes, like, you know, boxes which are, which are like optimized to perform or throughput and all of that. Whether you take an intrusion prevention system or an SIEN solution, all of these are delivered as physical devices. Hardware, which is optimized. So, now you need to have the same capabilities as APIs, as SaaS services, as virtual machines available to be deployed in the cloud as well. So, you have, so you have that, you know, your workload deployed in the cloud so you should be able to deploy the security services also around it. Now, talking about mobile, there was a question that, can you mandate, you know, that all the mobiles be passed? So, I can give you, like, you know, some standards on how the enterprise is like for us and the company, there might be like 400,000 laptops and mobile phones that the employees might be using. But they'll be like that one person, two person or eight person guys who have not passed their machine on time. So, the solution is not that, you know, we will have a wonderful world where everything is passed and nothing is more than a month. I don't think that there would be a day like that. There will be at least one or two, there will be jail-driven devices, there will be router devices. So, as a security architect, your attention should be to look at how can I secure even a jail program or a router table. So, when you look at the mobile architecture, you have to secure the device, you have to secure the transaction, you have to secure the end port, the back end as well. So, you have an end-to-end transactional security. So, the ways that we do it today, so, if you're using an iPhone or an Android application, I know that you typically log into my banding system from a band load at these times of the hour. And then in the back end, you see a different signature of your device and it is coming from a different network. I should then step up the authentication. So, I might ask you for your grandmother's name or your school where you studied and all that. So that I can have multi-factor authentication to determine that it is indeed you that is coming to my system with the device that has a hardware network. Right? Of course, I don't have enough time to go through all of these issues, but I want to leave with some of the stuff that is happening today so we are familiar with this exercise where we actually have been, you know, right away with the way that we use to protect our assets, right? We build the force multiple defense in depth so that and then we put our crown jewels inside that. This is changing to what Dr. Wright referred that we need information from all the other sources to compare and study what is happening. So what is happening across infrastructure, application, network and the solutions. You should have data from all of this and then be able to correlate and say, okay, these three events from these three different domains tells me that this is an attack happening to take out this particular data or something like that. Right? So this is where the next generation SIEM or security information and event management systems are going. But I would also want to leave you with what could be the future or what is happening now is actually security itself has become a big data problem. So imagine just a company like Shell, for example, there are like 20 million events produced every day and how do you tell people that out of this 20 million security events which one that I should look at. So throwing people like that is not the answer. You can't have like 200,000 people looking at these 20 million events. So what you have need is like systems which will understand this domain. You train these cognitive systems to understand security domain so that it can tell you that out of this 20 million events these are the 200 that you iterate further to 20 and these are the two important events that you should immediately act on which actually maps to your risk at the enterprise level. So with that, I think I've run out of time. In summary, they can't be a 100% secured system and the digital transformation whether we like it or not will keep happening. But there are few things that we as architects we as responsible citizens can do. So there is a good set of forums and things for the bad guys. So you can go to the dark web and get credit card numbers, you can get the hacked versions but there are no good forums for the good guys. So the good guys should actually come collaborate so that let's say something went wrong in Andhra Pradesh it doesn't cascade to other states. Right? Timely sharing of information and creating a trusted circle becomes one of the key essential things. And as I mentioned, identity becomes the perimeter for everything and giving context-based access and controlling access to each and every resource there and stepping up our differences against this bad world would need some cognitive help also. So this is where I believe that