National Security Mindset for Building Defense Apps in the Cloud

Nandish Mattikalli, chief engineer in the intelligence solutions business at BAE Systems, explains how his team builds apps for global defense.

By Tom Mangan

By Tom Mangan November 11, 2021

The dire consequences of security breaches are never far from the minds of software developers in the defense sector. While they share the universal desire to build cloud-native apps that take advantage of modern tools and methodologies, they realize the security stakes are much higher.  

“We all know any defense project, if compromised, can have grave, grave consequences for our national security,” said Dr. Nandish Mattikalli, chief engineer in the Intelligence Solutions business at BAE Systems, the U.S. arm of BAE System’s plc, Europe’s largest defense contractor. 

Related

Unifying Software Testing Across Hybrid and Multicloud Systems

In an interview with The Forecast, Dr. Mattikalli talked about a defense contractor’s mindset when developing cloud-native applications. That mindset starts with understanding the threat landscape in modern multicloud environments and adopting security strategies that reduce the risks of damaging breaches.

His thoughts have relevance far beyond the realm of tanks, fighter jets and nuclear submarines. 

Dr. Mattikalli pointed to the May 2021 ransomware attack on Colonial Pipeline, which dried up gasoline supplies along the Eastern Seaboard for several days. 

“A lot of our infrastructure is vulnerable,” he said.

Understanding the Infrastructure Threat Landscape

Dr. Mattikalli has seen the threat landscape expand over the course of a career that took him from the India Institute of Technology (IIT) in Mumbai to Trinity College at Cambridge University in the UK, where he earned his doctorate.

Today, he’s based in McLean, Virginia, working primarily with US defense contractors via BAE Systems Inc. While BAE Systems manufactures a broad portfolio of war-fighting hardware, it also works as a system integrator and services provider that helps its customers implement software and harden their defenses against pervasive cyberattacks. 

Related

BAE Systems Moves Government Defense Projects to Hybrid Multicloud

“The United States’ attack surface has significantly increased,” he said. “And, there is an interest from nation-states to disrupt our operations across industries.” 

It's not just outsiders, he noted, pointing to the infamous Edward Snowden data leak from the National Security Agency. 

“Insider threats are much more prevalent and more dangerous,” he said. Insiders don’t have to be malicious or traitorous: They just have to click on the wrong malware link to propagate an attack throughout a network.

Ransomware bots are relentless. Advanced persistent threats (APTs) pose a risk of widespread infiltration of enterprise IT systems. Once adversaries sneak into a network, they soon have the run of the place if the security is weak. 

“You'd be surprised how easy it is to get to know the underlying infrastructure components of an enterprise network,” Dr. Mattikalli said. It takes little effort to identify authorization mechanisms and underlying database structures, he added.

Related

IT Career Opportunities Swirl Around Security

“For a smart hacker, it is not hard to find out how a system is built and configured,” he said.

He explained that security in the cloud is fraught because of the shared-security model. While cloud providers have a strong incentive to harden their infrastructure, their customers must hold up their end of the security bargain. There’s a risk of a breakdown during the handoff of duties from provider to customer.

“With multicloud operations, it’s exponentially harder to make that shared-security responsibility model work,” Dr. Mattikalli said. 

Each cloud provider has slightly different tools, configurations and methodologies that affect the migration and modulation of workloads, applications and data. These and many other variables complicate the prospect of preventing a cyberattack or recovering from one after the fact.

Adopting an Effective Defense Posture When Building Web-Native Apps

Security can be reactive: monitoring systems, identifying threats and deciding how to react. But it also should be proactive: developing software with built-in defenses.

Because public cloud providers’ reputation rides on their ability to secure their infrastructure, developers may assume cloud infrastructure is secure. 

“At the same time, it takes a collaborative effort to communicate the needs of security between various teams” involved in cloud-native development, Dr. Mattikalli said.  App-development teams must work together to ensure that security features are built in at the data and application levels.

Related

How to Find and Fix Real Security Threats in Virtual Desktop Infrastructure Deployments

This philosophy also must extend to the DevSecOps methodologies applied to newer technologies like container-based architectures

“Hardening containers is a significant emphasis,” Mattikalli said.  

Moreover, developers are moving toward a zero-trust philosophy to security. “As system designers and architects, we make sure that we have proper firewalls and security control mechanisms at various levels,” he added. “It is not sufficient to say, ‘I have control access to the network and inside the network, it's a free-for-all.’ That’s a thing of the past,” Mattikalli said.

With zero trust, each network user has access only to the applications or data their duties require. They can’t just wander around on a network whose default setting is to trust them not to misuse their authority. 

Zero-trust security protocols baked into the development of cloud-native apps can do things like block access to an application’s data even if somebody has improperly accessed the application, Dr. Mattikalli said. Database permissions can be protected at the level of individual cells or rows.

Securing Virtualized Cloud Infrastructure

Cloud computing typically happens in a virtual manner: Software emulates the operations of servers, switches and storage via hyperconverged infrastructure (HCI). A well-designed HCI software suite dramatically shrinks the time required to spin up development environments. 

Thanks to HCI’s use of automation, operations that formerly took days or even weeks can be done in minutes in many cases.

This makes HCI software an appealing option for software developers, including those in high-security fields like defense and cybersecurity. HCI uses a hypervisor to manage the components within its environment. Nutanix’s AHV hypervisor, for instance, comes in handy for BAE Systems developers.

“It really provides us a foundation layer to deploy the infrastructure and resources,” Dr. Mattikalli said. A subset of Nutanix’s software suite is Karbon, which manages Kubernetes clusters for cloud-native developers. This allows push-button deployment and operation of IT systems, he added.

Nutanix HCI supplies a unified console for multi-cloud operations. 

“One team without knowing too many details about the multiple clouds can manage, secure and implement the policies of security across the cloud everywhere,” Dr. Mattikalli said.

Combining robust HCI software with a zero-trust philosophy through every stage of software development helps even the most security-minded organizations take advantage of the agility and scale of multicloud environments. 

Thus, Dr. Mattikalli and his colleagues rely on speed, agility and scale to secure their competitive footing. 

“As our adversaries change the game, we are also upping our capabilities and rapidly evolving as well,” he said.

Feature image by BAE Systems.

Tom Mangan is a contributing writer. He is a veteran B2B technology writer and editor, specializing in cloud computing and digital transformation. Contact him on his website or LinkedIn.

© 2021 Nutanix, Inc. All rights reserved. For additional legal information, please go here.