As organizations transform digitally, so should their approach to cybersecurity.
From a cybersecurity perspective, there are three important areas that digital businesses today need to pay attention to – applications, data, and the edge:
- Applications ― For many businesses, apps sit at the center of their customer engagement and experience. Companies are rolling out and popularizing new apps and features at a furious pace, accelerating the development process by using open-source libraries. Such apps are vulnerable to cyber-attacks.
- Data ― Many organizations have woken up to the fact that they are doing precious little with the reams of customer data that sit with them. They are now putting that data to work for data-driven insights, and moving it to the cloud for better agility, cost efficiency and collaboration. Both actions expose sensitive business and customer information to new risks.
- The edge ― IoT has matured and many use cases of the technology have emerged in recent times. For instance, edge computing enables in-hospital patient monitoring, predictive maintenance in factories, road traffic management, smart homes, and cloud gaming. To consumers and an increasing number of organizations, IoT is becoming foundational to their lives and businesses. Protection of the network edge is therefore paramount.
Cybersecurity provider Imperva takes a unique approach to cyber-defense by integrating application security, data security and edge security, protecting organizations through all stages of their digital transformation journey. To find out more, CybersecAsia posed some questions to George Lee, Regional VP, Asia Pacific & Japan, Imperva:
What do you see as key cybersecurity issues and trends for the Asia Pacific region in 2022 and beyond?
Lee: The two biggest trends we are seeing in APJ that impact cybersecurity are rapid digital transformation, and the tightening of regulations around data privacy and protection.
COVID-19 is driving APJ organizations to accelerate their transformation. Many are intensifying their use of software, applications and application programming interfaces (APIs) to improve customer experience. However, these are often inadequately protected.
APIs, in particular, while they underpin modern innovation, introduce complex risks for organizations that are embracing the cloud native application development model. Abuses of APIs, in particular, are predicted by Gartner to move from an infrequent to a most-frequent attack vector by 2022, resulting in data breaches for enterprise web applications.
We’re also seeing governments in APJ placing greater emphasis on data privacy and protection, and will see them pass more laws in the coming years to give bite to their intentions. Managing this additional regulatory burden will be a challenge for many organizations, but the penalties for non-compliance will be steep for both organizations and their senior executives.
What are some challenges and opportunities for organizations in the region as they strive to meet tightening data privacy regulations?
Lee: Many of these data privacy or protection laws will include the right to be forgotten, the right to know what data they have, the right to rectify errors, and the right to port personal data. Compliance will be a problem for many organizations, as most firms do not have a grasp of where that data is stored, how it’s controlled or who has access to it. Managing Data Subject Access Requests (DSAR) will also be an operational challenge for companies that operate in multiple jurisdictions.
Many enterprises will find it hard to comply with these new laws because most firms don’t accurately know what personal data they have, where it resides, and who has access to it.
Likewise, if a firm meets with a data breach, compliance laws typically require it to assess the severity of the data security incident and report it accordingly. If the organization doesn’t have an accurate data map, it would be near impossible to do this.
To meet upcoming regulations, businesses need to be able to discover and classify personal data (both structured and unstructured), assess rights and risks efficiently, manage data subject requests, and detect risky data access behavior across the entire estate before an incident occurs.
As enterprises look to recover from the COVID-19 pandemic through digital technologies, what are the three important cybersecurity areas to pay attention to?
Lee: Other than API security and data security, which we have pointed out above, software supply chain attacks continue to be a source of concern for APJ enterprises.
Over the last decade we have seen many instances of what happens when the supply chain is tampered with and subsequently tainted. What makes this problem intractable is that every business, whether they acknowledge it or not, relies on a software supply chain for both home-grown and third-party applications.
A company may have the best security controls in the world, but it doesn’t mean their vendors across their software supply chain do. An organization’s security controls cannot rely on trusting anything from the ecosystem, even from partners. Companies also need to think beyond just their immediate set of vendors and account for a vendor’s vendor.
This means organizations have to adopt a threat model that covers all parts of the supply chain, including Nth-party code. Security teams must evolve their application security strategies to focus on the discovery and mitigation of security risks in both first- and third-party applications and services.
How is Imperva innovating its approach to cyber-defense to help organizations integrate application security, data security and edge security, for protection throughout all stages of their digital journey?
Lee: Over the last couple of years, digital transformation has accelerated as businesses grew more reliant on digital transactions and experiences. That is why we’ve focused our growth strategy and innovation on protecting digital experiences, from business logic to APIs, microservices, and the data layer, and from vulnerable, legacy environments to cloud-first organizations.
No other cybersecurity company has taken this integrated approach, combining edge, application security, and data security, across both legacy and modern cloud environments.
Last year, we made some significant headway in our strategy with the acquisition of database security company jSonar and API security leader CloudVector. We also developed a number of innovations including the industry’s first unified security platform Imperva Sonar.
In 2022 we’ll be doubling down on both data security and app security.
We already have the most complete data security solution on the market covering structured, semi-structured and unstructured data across hybrid, cloud and on-prem environments. We’re also helping companies connect data protection with data privacy compliance by streamlining the task of discovering, identifying and protecting personal data. To support this, we are hiring specialist expertise in data security in our priority markets across Asia Pacific.
In the app security space, Imperva is focused on the “shift left” movement, helping organizations adopt DevSecOps. Last year we introduced Imperva Serverless Protection, which helps developers and security teams mitigate the risks in serverless functions. This year we’ll be leveraging our acquisition of CloudVector to strengthen our offering around API security, in recognition of the fact that modern application development has seen a proliferation of APIs and API attacks.
Beyond product innovations, Imperva sees tremendous opportunity in the APJ region and as such is making significant investments here. Our APJ headcount grew 52% last year, and we are continuing to hire this year, making investments across sales, marketing, customer support, professional services and operations to ensure our APJ customers get the localized support they need, when they need it.
At the same time, the company is strengthening its local data center infrastructure in the region with a plan to add three new PoPs in the region in 2022.
Through these investments, Imperva can continue to provide the right level of capacity, speed and protection to its APJ customers while satisfying data sovereignty requirements.