Cybersecurity professionals play a crucial role in safeguarding organizations in an era of unprecedented digital threat evolution. A key figure leading this charge is Nivathan Athiganoor Somasundharam, a multi-cloud security expert with numerous certifications from AWS, CNCF (Kubernetes), CompTIA, HashiCorp, and Azure.
With deep expertise in DevSecOps, identity security, Zero Trust, and privileged access management (PAM), Nivathan has been instrumental in helping organizations build resilient and secure infrastructures. As a DevSecOps practitioner, he is passionate about embedding security into every phase of the software development lifecycle, enabling seamless and safe operations in the cloud.
Currently a Technical Account Manager at Teleport, Nivathan guides enterprises through complex areas such as infrastructure access management, access auditing, and Zero Trust adoption. His blend of cybersecurity and DevOps expertise enables companies to integrate security seamlessly into their workflows while maintaining agility and efficiency.
Beyond his technical contributions, Nivathan is also an active contributor to the cybersecurity community. He shares knowledge through blogs, whitepapers, articles, conference speeches, webinars, open-source projects, and mentoring. His ability to simplify complex security concepts and drive impactful implementations makes him a sought-after expert in the field.
In an interview conducted by Anish Miller (Deputy Editor, CIOLook), Nivathan shared his insights on the future of cybersecurity, how organizations can accelerate Zero Trust adoption, and how DevSecOps is revolutionizing platform engineering and security team practices.
Can you share your journey in cybersecurity and what led you to specialize in DevSecOps and Zero Trust?
During the early days of my career, I was deeply passionate about distributed systems and cloud computing, which led me to master architecting and building solutions using cloud technologies and containers. As a DevOps practitioner, I recognized that security is always a shared responsibility between DevOps and the security team. This realization prompted me to advocate for DevSecOps practices in every organization I worked with, emphasizing a ‘security first’ mindset when designing solutions.
Over the years, my focus gradually shifted toward identity and access management (IAM) and Zero Trust security, given the importance of securing digital identities. I observed that attackers consistently targeted the identity stack, a noticeable trend. This led me to explore privileged access management (PAM), Just-in-Time (JIT) access controls, and identity security as a whole.
My experience with AWS, GCP, Azure, and Kubernetes security has further solidified my understanding of cloud-based identity challenges, an essential skill for cybersecurity practitioners in today’s cloud-first world. The shift toward passwordless and secret-less authentication, Zero-Trust architecture, DevSecOps, and automation-driven security excites me because it shapes the future of cybersecurity.
Can you provide some key identity security practices that must be part of the zero-trust strategy?
Based on my research and experience, here are the most critical identity security practices:
1. Enforce Multi-Factor Authentication – Ensure all users implement and enforce multi-factor authentication, taking advantage of biometric-based MFA.
2. Implement Just-in-Time Access – Achieving the least privilege is vital, and providing default access to critical resources is a poor practice. Just-in-time access helps organizations avoid granting crucial access by default and provides it only when needed.
3. Continuous Identity Verification – Verifying user access during critical times and identifying anomalous login patterns or behaviors helps organizations prevent attacks and breaches.
4. Centralized Permission Management – Maintaining a single source of truth for all roles and permissions simplifies the process of provisioning and de-provisioning access for individuals. It also facilitates easier audits.
5. Secure Non-Human Identities – Avoid storing secrets on machines or hardcoding them. Instead, leverage machine workload management tools like SPIFFE.
How does one approach implementing just-in-time access and ensure it is adopted?
Just-in-time access gives temporary access to a particular set of resources for a specific time. In today’s world, there are so many resources, and grouping them and giving them access is hard and impossible. So, to tackle this, we can differentiate resources that someone will need access to most of the time, and a few resources will be required only when there is a need, not all the time, and the user can request that resource when needed. By practicing this, we avoid assumptions and have clear roles with the least privileges.
Adoption is completed based on how well the workflow and the roles are designed, and those access requests should be routed to the right person who can act on them. Also, automating the approval for the request makes the system much more intelligent and avoids friction in the long run.
“Is multi-cloud real?” How can multi-cloud environments be managed and governed securely?
Yes, multi-cloud is real. Organizations use multiple cloud providers primarily for these reasons: the first primary reason is to avoid vendor lock-in and leverage different clouds for various workloads or use cases. One common trend I have observed is using AWS for core infrastructure and GCP for AI/ML workloads. Additionally, mergers and acquisitions often result in the use of multi-cloud environments.
Managing a multi-cloud setup can be challenging, but to face this reality, we must learn and adapt to the new normal of a multi-cloud environment and prepare ourselves accordingly. Leveraging a Cloud Native Application Protection Platform (CNAPP) is also crucial. Furthermore, utilizing Infrastructure as Code (IaC) is critical when managing the infrastructure.
What are the key future trends in securing workloads in the cloud and DevSecOps?
Identity security will remain the primary focus, with increasing attention on securing non-human identities by eliminating secrets. This will drive the evolution of Zero Trust adoption. With the advancement of artificial intelligence, we will harness AI’s power in cybersecurity, especially in cloud infrastructure security threat detection and remediation.
DevSecOps will gain widespread adoption, and both product and security teams will share security responsibilities. Overall, AI will save us time by automating many operations and enabling us to identify and remediate discovered threats more quickly than before.