Cloud security is more advanced than ever, says McAfee’s Sekhar Sarukkai

Enterprise trust in the cloud is increasing — but what else can be gained from a cloud-native security approach? McAfee is a leader in this field and VP Sekhar Sarukkai tells Digital Bulletin why security should be an enabler for cloud adoption

Cloud computing is a cornerstone of the transformation era. Adoption rates continue to soar as companies discover the gains to be made with a cloud-aligned strategy; through 2022, Gartner estimates that growth in enterprise IT spending on cloud-based solutions will exceed more traditional offerings.

But one factor that’s held cloud back from even faster growth has been a lingering concern over security. While the major public cloud providers have invested heavily in security development and products, businesses managing more diverse environments have harboured worries around the security of data and the safety of applications in the cloud.

The rising prominence of edge computing and ‘micro data centres’ may extend these concerns, but evidence is also emerging that enterprise is moving from a position of doubt to a position of trust when it comes to cloud security.

McAfee is one company that’s mission is to deliver comprehensive security, in its own words ‘from device-to-cloud’. In June, it released a special edition of its Cloud Risk and Adoption report and one finding stood out: for the first time, more than half of surveyed organisations (52%) said they experience better security in the cloud than in on-premise IT environments. For Sekhai Sarukkai, VP in cloud security at McAfee, this represents a significant milestone.

“I’ve never seen that before, and it’s a tipping point in some sense,” he tells Digital Bulletin. “CIOs, CISOs, boards of directors; they are feeling more comfortable that cloud is secure.”

The report — which combined the feedback of 1,000 global companies with billions of anonymised cloud events from McAfee’s products — also highlighted the business potential offered by cloud security services. Eighty-seven percent of respondents revealed that they’ve enjoyed some form of business acceleration because of such services.

This will be music to the ears of Sarukkai, who has been a key individual in McAfee’s transition from an antivirus software developer to a specialist in end-to-end enterprise security. The new-look McAfee was formed in January last year when it acquired Skyhigh Networks, a recognised leader in cloud security — and a startup co-founded by Sarukkai and his business partners, Kaushik Narayan and Rajiv Gupta.

Sarukkai, a former computer scientist for NASA, has an impeccable record when it comes to startups. The successful merger with McAfee was the third instance where one of his companies had been scooped up by an industry big-hitter; Confluent Software, a web services firm, was bought by Oblix (now owned by Oracle) in 2004 and policy management software startup Securent caught the attention of Cisco, who paid $100 million for control in 2007.

Skyhigh Networks went to market in 2012 after Sarukkai and his co-founders spotted the need for a reliable security solution on high-potential cloud technology.

“CIOs, CISOs, boards of directors; they are feeling more comfortable that cloud is secure”

“We knew CIOs were saying that this cloud thing was going to be real but the biggest problem they were facing was that they had no idea what cloud services would be used by businesses and employees — or what risk they were exposing the enterprise to,” explains Sarukkai.

“Our point at the time was that, because applications and data were going outside of the enterprise perimeter, it would be possible for employees or partners to get access to these applications and data, completely bypassing your enterprise edge. The result was a lack of visibility and understanding of who was using what applications, what kind of data was being stored there and what kind of control was held.

“Traditional security investments had been around protecting your enterprise edge and your data centre edge. We thought you needed something like a virtual cloud edge; an edge around all the cloud services that your enterprise is using. That was the genesis of our thinking around cloud security; to provide that visibility and control to cloud-deployed applications. The notion that we talked about is the great blueprint for enterprises today.”

Skyhigh Networks went on to build a product that guaranteed cloud visibility and risk assessment, usage and threat analytics and seamless access policy enforcement and data security for its customers. It boasted a client roster that included BMC Software, Cisco, CAA, Equinix and Diebold among many others.

On the face of it, its combination with McAfee seemed an unlikely one. Two companies operating very successfully in different areas of the security space, Skyhigh Networks was thriving on the back of investments from Greylock Partners and Sequoia while McAfee had a well-established brand and business model for endpoint security. As it happened, it was a case of opposites attracting to meet the enterprise security challenge.

Sarukkai admits that Skyhigh Networks wasn’t actively looking for a buyer when approached by Chris Young, CEO at McAfee.

“We were the leader; we were a pioneer in the space and we saw that this problem of cloud security was not going away, plus we had some very strong backing. But what really made us look at being acquired by McAfee were our early conversations with Chris,” says Sarukkai. “We really had a mind merge, if you will, with how Chris was thinking about the evolution of security and where he saw the industry going.”

The evolution was for full ‘device-to-cloud’ security, and that vision has become McAfee’s slogan. Cloud, thanks to Skyhigh Networks, is now as prominent a part of McAfee’s proposition as its endpoint security expertise and Sarukkai, Narayan and Gupta are senior decision-makers within the organisation.

“We were very clear that we were going to be standalone, that we were going to be a critical leg of the stool for McAfee’s strategic direction,” Sarukkai outlines.

“We were cloud-native and cloud-centric, and McAfee was very strong on the endpoint business. We didn’t have any overlap but Chris and McAfee had a commitment to device-to-cloud. That was our first point in the decision-making process.

“The second was that McAfee’s sales team was selling to the same type of customers that we were selling our cloud security product to. For us to extend our lead in the market and take our technology and product to a larger base of customers faster, it made sense to stand on the shoulders of a giant in McAfee.”

“We truly want to use security as an enabler for cloud adoption, rather than an impediment on the road to adopting cloud”

Skyhigh Networks’ cloud security offering has now developed into the flagship McAfee MVISION, which offers data protection, a shield to cyberattacks and full security visibility and control across all IaaS, PaaS and SaaS clouds as well as devices, networks and on-premise environments.

Recognised industry-wide as the leading cloud access security broker (CASB), McAfee’s integrations with the dominant public cloud providers have been crucial to its success.

“When Microsoft announced Teams, which I believe is their fastest-growing cloud-hosted product, we were the only CASB vendor which was part of that announcement and we are still the only CASB vendor to support Microsoft Teams natively,” says Sarukkai.

“If you switch over to AWS, it has a huge ecosystem of vendors, both security vendors and non-security vendors — but if you look at their partner portfolio, we are the only CASB vendor which has the highest level of partnership. They actually reviewed our architecture to ensure that it is appropriate for AWS and we’re on the AWS Security Configuration Checklist, which is really unique for a CASB vendor. Our partnerships with these large IaaS and SaaS companies is an acknowledgement that we are a leader.”

Technology advancements have changed the enterprise security game and automation is now the primary enabler for McAfee’s ‘device-to-cloud’ solution. Without automation, end-to-end providers would simply fail to build the security postures demanded by today’s environments.

The security industry is overflowing with standalone products and new solutions continue to emerge — increasingly, therefore, the desire from users is for a ‘single pane’ view of their postures. The benefits of automation are seen by providers, customers and end users, explains Sarukkai, simplifying a complex yet critical business function.

“It’s been a perennial problem with security and the way we’re addressing that is through consistency, but also through co-opting other participants in the ecosystem,” he adds. “When you go and talk to customers’ CIOs and you try telling them that you have another product, the first question they will have is: is this going to add more work for my team? This is where automation comes in.

“Traditional security investments had been around protecting your enterprise edge and your data centre edge. We thought you needed something like a virtual cloud edge; an edge around all the cloud services that your enterprise is using”

“For example, let’s say I’m an employee and I upload a file into the cloud and McAfee says there’s some account information inside. In the traditional world, what happens is an incident gets created, somebody in the data protection team has to review it manually and then release it. Co-option is about making the end user part of the solution.

“In our case what happens is, when you upload a file, the end user gets a notification, either live or through an email, and it will say ‘You’re uploading a file and it has sensitive data. Did you mean to upload it? If you did, what is the business justification?’ If it’s an error, the user can delete that file and update it without the sensitive information. The security team still gets full visibility — every one of those activities from the end user is still autologged — but it is not the critical part in resolving every single incident.”

Analytics and real-time feedback, alongside automation, will be the other vital components in future security systems, according to Sarukkai. Consequently, it won’t be long before any remaining doubts around cloud security are replaced by excitement about a supply of up-to-the-minute, actionable insights from cloud-native solutions.

“There is increasingly a need for real-time analytics,” finishes Sarukkai. “There are some very interesting technologies that we’re working on which will enable us to reach the promise of breaking security silos, for example. Artificial intelligence and the real-time aspect of that will become critical for the security space.

“We truly want to use security as an enabler for cloud adoption, rather than an impediment on the road to adopting cloud.”