CISO Anshu Gupta Presents on Security Best Practices

On September 29, 2021, Dasera had the pleasure of welcoming Anshu Gupta to one of our weekly brown bags, a lunch-and-learn session open to all employees. The topic: a customer- and user-facing security requirements checklist that organizations should build into their products.

Before we dive in, here’s some background on our guest speaker.

About Anshu Gupta

Anshu is a senior-level security executive with over 16 years of hands-on experience building information security programs. With a large array of Fortune 500 companies under his belt, he has helped some of the industry's giants assess and streamline their security processes, including Microsoft, Salesforce, Oracle, Cisco, and Yahoo.

Though these well-established companies had already made a name for themselves in the tech industry, Anshu has also had his fair share of building security programs from the ground up. At Coupa Software and HelloSign (since acquired by Dropbox), he was the first security hire, developed the entire security program from scratch, and laid the foundation for better security processes by building out each company's first information security team.

Anshu holds a Master's degree in Computer Science from the University of Missouri-Kansas City, as well as several widely respected certifications, including CISM, CISA, PCIP and CIPP.

Security Presentation Highlights

According to Anshu, security has many facets, and companies often lack a holistic understanding of how a security program is built end to end. At a high level, the security function can be split into five domains:

  1. Governance, Risk and Compliance (GRC) - the policies and procedures a company must enforce to meet industry-specific regulatory, state and federal mandates
  2. Security Engineering - where most preventive controls are built
    1. Application Security - code-level security within the application
    2. Product Security - customer-facing security features and functionality
    3. Cloud/Infrastructure Security - back-end infrastructure and the processes around it
  3. Security Operations - incident management to detect, contain and recover from an attack, with incident management feeding into problem management
  4. Corporate IT Security - protecting endpoints in a remote, distributed world where many devices and servers talk to each other
  5. Privacy Engineering - translating broad privacy requirements into engineering work, e.g. letting consumers delete, modify or obtain a copy of their data

In particular, Anshu touched on two components that go hand in hand and are often lacking in today's security programs: integration security and logging. Integration security refers to securing the connections that let databases and other software such as Slack or PagerDuty exchange data, so that the business can make better decisions at a reduced time to value. The problem with wiring many tools into a single system is that securing the data becomes much harder when thousands of users, and the integrations acting on their behalf, can easily reach and manipulate the data stored across those systems.

As a result, it is difficult for companies to tell when an integration's access keys have been compromised, especially when there is no log of when the keys are used and, most importantly, by whom.

Retaining and monitoring logs should be an industry gold standard: logs record every interaction a user has with data, which is what lets you determine whether data is being used safely even by those who are authorized to access it. Yet many systems today still fail to close this gap. Worse yet, some companies do not even have query logging turned on, so they cannot detect, let alone prevent, data misuse in the first place.
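As an added illustration of the kind of check that per-key logging makes possible (this is example code written for this write-up, not code from the talk or from Dasera's product): a small Python script reads constructed JSON audit records, one per query issued through an integration key, and compares each against an assumed per-key policy covering who owns the key, where it may connect from, which tables it may touch and whether it may write. The log field names, key IDs, principals, network ranges and the policy itself are all assumptions. It also reports policy keys that never appear in the log window, which is either a key worth revoking or a sign that logging is off for that integration.

```python
"""Flag suspicious use of integration access keys from query audit logs.

Added example for this write-up, not code from the talk or from Dasera.
The log format, key IDs, principals, networks and policy are assumptions.
"""
from __future__ import annotations

import ipaddress
import json
import re
from dataclasses import dataclass

# Constructed sample: one JSON record per query issued through an
# integration key, as a database proxy or API gateway might emit it.
SAMPLE_LOG = """\
{"ts":"2021-09-29T10:00:01Z","key_id":"KEY-SLACK-01","principal":"svc-slack","src":"10.0.5.4","query":"SELECT name, email FROM customers WHERE id = 42"}
{"ts":"2021-09-29T10:00:07Z","key_id":"KEY-PAGERDUTY-01","principal":"svc-pagerduty","src":"10.0.5.9","query":"SELECT id, status FROM incidents WHERE status = 'open'"}
{"ts":"2021-09-29T10:02:13Z","key_id":"KEY-SLACK-01","principal":"svc-slack","src":"203.0.113.77","query":"SELECT * FROM customers"}
{"ts":"2021-09-29T10:03:50Z","key_id":"KEY-PAGERDUTY-01","principal":"jdoe","src":"10.0.5.9","query":"SELECT ssn FROM customers"}
{"ts":"2021-09-29T10:04:02Z","key_id":"KEY-SLACK-01","principal":"svc-slack","src":"10.0.5.4","query":"UPDATE customers SET email = 'x@example.com' WHERE id = 42"}
{"ts":"2021-09-29T10:04:30Z","key_id":"KEY-UNKNOWN-9","principal":"","src":"198.51.100.8","query":"SELECT * FROM customers"}
"""

# Assumed per-key policy: the service account that owns the key, where it
# may connect from, which tables it may touch, and whether it may write.
KEY_POLICY = {
    "KEY-SLACK-01": {"principal": "svc-slack", "network": "10.0.5.0/24",
                     "tables": {"customers"}, "read_only": True},
    "KEY-PAGERDUTY-01": {"principal": "svc-pagerduty", "network": "10.0.5.0/24",
                         "tables": {"incidents"}, "read_only": True},
    "KEY-GITHUB-01": {"principal": "svc-github", "network": "10.0.6.0/24",
                      "tables": {"repos"}, "read_only": True},
}

_TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
_WRITE_RE = re.compile(r"^\s*(?:INSERT|UPDATE|DELETE|DROP|ALTER|TRUNCATE)\b", re.I)


@dataclass(frozen=True)
class Finding:
    ts: str
    key_id: str
    reason: str


def tables_in(query: str) -> set[str]:
    """Crude table extraction; good enough for plain SQL like the sample."""
    return {name.lower() for name in _TABLE_RE.findall(query)}


def check_record(rec: dict) -> list[Finding]:
    """Compare one audit record against the policy for the key it used."""
    ts, key = rec["ts"], rec.get("key_id", "")
    policy = KEY_POLICY.get(key)
    if policy is None:
        return [Finding(ts, key, "unknown key id")]
    out: list[Finding] = []
    principal = rec.get("principal", "")
    if not principal:
        # The gap the talk calls out: the key was used, but by whom is unknown.
        out.append(Finding(ts, key, "no principal recorded for this key use"))
    elif principal != policy["principal"]:
        out.append(Finding(ts, key, f"used by {principal!r}, owner is {policy['principal']!r}"))
    if ipaddress.ip_address(rec["src"]) not in ipaddress.ip_network(policy["network"]):
        out.append(Finding(ts, key, f"source {rec['src']} outside {policy['network']}"))
    extra = tables_in(rec["query"]) - policy["tables"]
    if extra:
        out.append(Finding(ts, key, f"touches tables outside scope: {sorted(extra)}"))
    if policy["read_only"] and _WRITE_RE.match(rec["query"]):
        out.append(Finding(ts, key, "write statement with a read-only key"))
    return out


def scan(log_text: str) -> list[Finding]:
    """Run check_record over every non-empty line of a JSON-lines log."""
    out: list[Finding] = []
    for line in log_text.splitlines():
        if line.strip():
            out.extend(check_record(json.loads(line)))
    return out


def silent_keys(log_text: str) -> set[str]:
    """Policy keys with no record in the window: unused, or not being logged."""
    seen = {json.loads(l)["key_id"] for l in log_text.splitlines() if l.strip()}
    return set(KEY_POLICY) - seen


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.key_id}: {f.reason}")
    print("keys with no logged activity:", sorted(silent_keys(SAMPLE_LOG)))
```

On the sample above the script raises five findings: the Slack key used from an address outside its network, the PagerDuty key used by a human account and against a table outside its scope, a write issued with a read-only key, and a key id that no policy knows about; the GitHub key is reported as silent. None of these checks is possible without the `principal` and `src` fields being logged on every key use, which is the point of the paragraph.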

Q1. What’s the number one gap or deficiency in software development that has led to security issues?

Most companies don’t have a threat modeling practice in place. In fact, there’s a lack of awareness since data compliance standards or industry frameworks don’t require it. Threat modeling can help proactively identify and prioritize all potential threats so that companies can protect their most valuable assets. Combined with user behavior analytics, this can help identify any source of risk down to data use behaviors.

Q2. If you had to solve one problem in data security, what would it be?

One area of concern is that companies lose sight of their data when it gets transferred across third party systems and SaaS applications. There’s no magic wand when it comes to securing data. But what companies can do to resolve this discovery issue is to implement an automated system that can track and identify where sensitive data is stored or moved to at all times. 

Thank you very much, Anshu, for providing your extensive security knowledge and insights to us at Dasera. 

Author

Tu Phan