Cloud and IoT Security: The Makings of McAfee MVISION Cloud
In 2011, Rajiv Gupta, Ph.D., wanted to develop a game-changing idea for the IT field. He was then a vice president and general manager at Cisco; his team had created the Identity Services Engine at the company Securent, which Cisco acquired in 2007. The product later won Cisco’s internal Pioneer Award. Gupta interviewed scores of executives as part of that research and brainstormed with long-term colleagues Sekhar Sarukkai, who, like Gupta, has a Ph.D. in computer science, and Kaushik Narayan, who was then a principal engineer at Cisco.
“We made it very clear that we would not write a single line of code until we figured out what we were going to do because what happens is technologists, as you probably know, very often get enamored by the technology and then try and figure out where they can apply it,” Gupta said. “They ask themselves: ‘What is the solution to which I have the answer?’ And I was determined not to do that.”
So the three sat down to come up with five distinct, potentially disruptive ideas. The work was something like doing a miniature MBA: evaluating the size of the business opportunity, relevant market trends, the competitive landscape and so forth.
One of those ideas related to the cloud. “There, the feedback was: ‘Hey, I’m using the cloud to store and share documents and I’m finding it very useful. My employees are doing the same, but as a [chief information officer], I have no clue what’s going in and out. My corporate data may be flowing out, but I have no idea.’”
In 2011, cloud computing was clearly on the upswing, but it was difficult to evaluate how big the market might be, or to foresee that cloud security would become an important element of IoT security. “We took a bet that cloud was going to be big,” Gupta said. And by extension, they assumed cloud security would be a bigger problem over time.
In 2015, the nonprofit Cloud Security Alliance released security guidance for early IoT adopters. The Open Web Application Security Project, also a nonprofit, has cited insecure cloud interfaces as a vital consideration for IoT security relevant to both device manufacturers and developers.
By 2011, Gupta had been fascinated by the potential of cloud computing for two decades, and by the prospect of cloud security for nearly as long. Although the concept didn’t get its current name until 1996, according to Technology Review, it has a long history. The legendary computer scientist John McCarthy predicted in 1961: “Computing may someday be organized as a public utility just as the telephone system is a public utility.”
Gupta remembers wishing cloud computing existed in 1991 after buying a laptop and thinking it would become obsolete within six months. He didn’t want to worry about obsolescence. All he wanted to do was to use software. “I wondered: ‘Why can’t someone provide [computing] to me as a service and I would pay for as much as I use. And if I want faster performance, I’ll just pay more.’”
So he created a skunkworks project dedicated to the notion of client utility computing. “It really was what you call cloud today, but I called it client utility because my prediction at the time was that this will become a utility just like we tap into water or electricity.”
“But it was only in 2011, 20 years later, that we decided cloud security would be interesting. And then we set off to address that problem statement,” he said.
Shortly thereafter, Gartner coined the term “cloud access security broker,” or CASB for short. Skyhigh CASB was the first product in the category.
In 2012, Gupta and his two co-founders formally founded Skyhigh Networks, dedicated to cloud security, which McAfee eventually acquired in January 2018 for an undisclosed sum.
Earlier this year, the Skyhigh CASB technology, which has been rebranded as McAfee MVISION Cloud, became the first product to win Amazon’s AWS Security Competency status and AWS Well-Architected designation. To make that determination, Amazon “did a rigorous technical evaluation of us, and rightly so,” Gupta said. The evaluation included a comprehensive review of its architecture and implementation support practices, checks of customer references and so forth.
“If I look at what customers need, there’s a lot of AWS adoption. We see that clearly in what MVISION customers are using. And so we work very closely with AWS, Microsoft and others to get technical validation from them.”
In June, McAfee announced updates to MVISION Cloud for AWS, including security scans for AWS CloudFormation templates, preemptive risk avoidance and tools for determining the root cause of security or misconfiguration problems.
“AWS has articulated this shared responsibility model, so there is some level of security responsibility that you delegate to the cloud provider,” Gupta said. “You expect the cloud provider to have the infrastructure secure, their server secure, the application secure, the data center secure, the network secure. They have padlocks and so on so forth. That’s the cloud provider’s responsibility. And then there’s the user’s responsibility.”
If an enterprise employee configures a surveillance camera to stream sensitive live data to the internet, or if an employee creates a shared document and gives it a public link, the enterprise in question bears the responsibility for addressing it.
“The approach we’ve taken is to work in partnership with the cloud providers as opposed to in conflict with them,” Gupta said. “We leverage their APIs, we engage with them early on, we get feedback, and they view us as a strategic partner as a result of that. We help them achieve their goals by helping remove impediments for enterprises to adopt their service,” he added. “We are following the enterprise shared responsibility model, so it really is a win, win, win.”