Rajnish: Anindya welcome to the podcast and thanks for coming over.

Anindya: Thanks Rajnish and greetings to you and your listeners on world Energy Environment Week. I'm delighted to share my thoughts on the subject, but I would like to just place a key caveat that this should not be construed to be the views of Shell. Thank you.

Rajnish: My first question to you Anindya. How do you think a carbon price can help abate emissions?

Anindya: Yeah, that's a great question Rajneesh and there is a short answer and a slightly more evolved answer, so let me attempt both. The short answer is that greenhouse gas emissions carbon emissions have an externality, and the cost is borne by the society, and not necessarily by the emitter. Carbon pricing strives to place a cost on the emitter and thereby putting the sort of cost where the burden is. But if you sort of dig up a little deeper, the whole carbon pricing policy intervention is a clear nudge that Governments can give to various players across the economy on what they need to do. And there's various aspects that we should explore in this context, first is the competitive disadvantage of the first movers. There are companies right now who are contemplating climate action, but they find that such action involves costs which brings in a competitive disadvantage to them vis a vis with their competitors and therefore they do think twice before implementing major programs. A carbon pricing across a sector will ensure that all sector players are having the same level playing field and start taking the same steps and ideally this moves into an economy wide coverage, so I think that's very important to make sure that the early movers don't get disadvantaged. Secondly, there is a policy outlook signalling that this is very important. Companies right now are struggling to see what the pricing, carbon pricing or any compliance framework will look like in the coming years and decades. So, if the government can clearly indicate that this is going to be the carbon pricing methodology that the government will adopt and how it will progressively change over time, companies will be in a position to make the right technology choices back to green technology and make their investments that are well tested against such a carbon pricing regime. On the case on this case, also another aspect we need to talk about is resource mobilization. So carbon pricing of course also yields resources for the government whether it's a carbon tax or a market based mechanism like the ETS and the government, then can direct some of this to supporting new technologies. Green technologies that are not proven, for example, if it wants to support offshore wind or biofuels but also maybe use it to address the needs of just transition, so there are going to be sections of society which will be burdened by higher cost of the energy transition and some of this will be available for that. Another aspect I think we should also consider when talking about carbon pricing is globally various countries are adopting carbon pricing where there's tax or emissions traded systems and to make sure that there are no carbon leakages these countries are likely to impose a border adjustment mechanism as Europe is considering. So, if Indian companies have to operate or export into these markets then they'll have to demonstrate that they have carbon pricing domestically. So that's very important for Indian companies to achieve, I mean India has a huge trade with Europe for example of 36 or $37 billion and the part of that will get impacted by this. And the other advantage of integrating to global markets is that Indian players will have access to much deeper and wider markets for carbon offsets. For example, they are on the buy side or sell side.

Rajnish: So Anindya I agree with you, I think carbon prices are the talk of the day. Now the big question basically, which is there when you look in the case of India is should India go for a carbon tax or should it go for an emission based or a market based trading mechanism? What do you think are the pros and cons to the two and you refer to that while you're answering the earlier question?

Anindya: Yes, indeed, these are the two popular models which various countries have experimented with over the last several years. So, the advantage for India is that India can certainly benefit from the experiences of these countries and get sort of rich learnings out of it. Carbon tax in terms of implementation is perhaps much less complex, though politically less acceptable because it's it will be very transparently seen to be adding to the cost to the customers or taxpayers, as the case may be also, it needs to sit within the existing taxation framework and jurisdictional sensitivities, and I know Ernst & Young has already presented an analysis on how this can be done. As for emissions trading, there is a possibility that the existing market-based mechanisms for energy efficiency, which is the path scheme and the eCerts and the renewable energy, which is the RPO and RECs, could be brought under a carbon framework which could then be expanded to a functional emissions trading scheme. However, the complexities of the market design that address the needs of a progressive decarbonization without causing market failure needs to be carefully considered.

Rajnish: I agree with you Anindya, I think carbon taxes are easier and as you gave there are pros and cons to each of the approach. Now, given that we have a blank piece of paper in India as of this point of time, what would be your advice to our clients as to how they should think about this and go ahead?

Anindya: Indeed, that's a very important I think question to consider for countries so companies at this point in time as various regulatory changes are likely to happen in the coming future. Well, one can never be certain as to when a compliance framework for carbon will emerge in India, but we have seen a compliance framework in energy efficiency and renewable energy that was successfully implemented. We are also hearing of an RPO type framework for green hydrogen progressive Indian companies are already beginning their decarbonization journeys by implementing internal carbon pricing. CDP's annual report mentions 31 companies already having an internal common price or companies are signing up to the SBTI's or making commitments under RE 100 EP 100 EV 100 type commitments. But to ensure a sustainable future and a social license to operate, companies will need to transparently share their plans to adhere to carbon budgets available so as to achieve the climate action goals agreed by the international community such companies will withstand any shocks that could credibly arise from external carbon pricing, whether through taxes or market-based mechanism.

Back to podcast

Podcast transcript: How businesses can adopt Zero Trust Architecture for cybersecurity

14 min | 12 April 2023

In conversation with:

Shivaprakash Abburu
EY India Technology Consulting Partner

Ashish: Hello, this is Ashish Kuttikal, welcoming you to a new episode of EY Tech Trends podcast series, where we look at the most important issues that India Inc needs to know in its digitization journey. Today, we are discussing cyber security, more specifically, zero trust architecture, or also known as ZTA, a new approach in cyber security that is gaining favor. With more and more enterprises adopting an always online mode and cloud technologies, cyber security is now one of the biggest business risks globally. In India alone, the number of cyber security incidents has grown exponentially post-pandemic with the increased adoption of cloud, work from anywhere and the digital transformation journeys of clients.

ZTA is one of the newest approaches to ensuring security. And to explain how zero trust architecture works, we have Shivaprakash S Abburu, EY India’s Cybersecurity Consulting Partner joining me. Shivaprakash comes with over 26 years of experience in cyber security, cutting across sectors, domains and roles, encompassing technology consulting, architecture consulting, system engineering, sales, presales, global technology ecosystems and business unit management. He has led several large-scale national and global cyber security transformation programs across all domains in cybersecurity, including multiple engagements in MENA, Nordics and Americas.

Ashish: Welcome to the podcast, Shiv, and thanks so much for taking the time to join us.

Shiv: Good morning, Ashish. Great to be here.

Ashish: Shiv, my first question is why the need for ZTA when there are many other cybersecurity measures already in place?

Shiv: Well, Ashish, first of all, ZTA as an architecture principle has been in vogue for almost four decades. But there is a push now to adopt ZTA, primarily because of three aspects. The first is adoption of cloud in most organizations to improve and speed up their adoption of digital transformation. As soon as customers start to move to the cloud, bid for workloads or for any other services, the traditional notion of network being the perimeter of an organization diminishes. The new perimeter of the enterprise IT landscape has become that identity. When I talk about identity, it means identity of the person entities involved, which would be the human users, and also the identities of non-person entities involved.

As soon as the network ceases to be the perimeter of an enterprise IT landscape, the dimension of the threat vectors that an organization must deal with or is exposed to changes completely. The earlier architecture principles or the current security measures in place in most organizations have been built and deployed keeping in mind a threat vector which is outside. This means the threat is emanating from outside the organization and compromising an asset which is inside the organization.

That approach assumes the network to be the perimeter. As soon as the network ceases to be the perimeter, the dimension of threat vectors increases by two more domains. The second domain, which would be apart from the outside-in domain, would be the inside-in domain. We call this lateral movement, which means attacks moving inside the organization or emanating inside and compromising an asset inside the organization.

The third dimension is the inside-out; originating inside the organization and compromising an asset outside the organization’s IT landscape. The third dimension is where the cloud adoption is leading to increased exposure because as soon as I move to the cloud as an organization, my workload compute and services sit outside the perimeter of my organization. They are on a public or a private cloud, which is where the inside and the inside-outside threat vectors have started evolving dramatically.

We are at an inflection point, which is why the ZTA principle is getting a lot of attention because the traditional measures cater only to the first threat vector or the first type of threat manifestation while ZTA helps organizations improve their defenses by bringing in the perspective of the other two threat vectors as well.

Ashish: Can you tell us how ZTA works?

Shiv: The core principle of ZTA is ‘never trust, always verify’. This applies to every access that any person, entity or non-person entity has to an enterprise resource, whether the resource is within the organization or on cloud or with a third-party vendor.

The implicit trust that we have today, or used to have for our own employees in granting access to a particular enterprise resource or for vendors in granting access to a particular resource without the necessary level of verification, has to change. Every access request cannot be implicitly trusted and must be verified before it is approved or denied. Or another option could be that access is granted, but at a lower level of privilege.

Just to give you an example, say, I am an employee with access to the CRM system. Now, when I am sitting inside my organization in my office, I might be needed to verify my access request based on a certain level of authentication, which could be multi-factor authentication or some other form. As an employee, I have a particular behavior. For example, I travel four days in a week and the systems inside my organization would know a pattern where every Friday I am in the office but traveling Monday to Thursday. Suddenly, there is an access request to a critical resource that starts from a particular airport to which I do not travel often. That is when a differential level of authorization and authentication starts getting applied. You would observe two principles here. One is continuous verification of an access and an access request irrespective of the type of requesting user or entity. The second is being able to apply a contextual and dynamic security policy to every access request based on other parameters that define the criticality and the risk associated with the particular access.

Ashish: That is very interesting. So why are enterprises moving to ZTA?

Shiv: The traditional methods of securing enterprise assets would no longer suffice because they have been built on the premise of an outside-in threat manifestation. The malicious actor is sitting outside the organization and not inside. But as soon as the network ceases to be the perimeter, anybody and every request made to an enterprise resource, which could be a server, a computer workload or a code or even physical facilities, everything needs to be verified before that particular access is granted or denied. In this context, enterprise IT systems are starting to move toward ZTA.

All of this is obviously colored by the digital transformation journeys, by the movement to the (public, private and hybrid) cloud.

Ashish: What does an enterprise need to do and know to implement ZTA?

Shiv: This is the most interesting part of the conversation. If you take a step back to when we start defining what trust could be, irrespective of domain, trust has a direct line to visibility and visibility is built based on transparency.

The more visibility I have in terms of what is happening in my IT environment — which means the assets, how they are communicating with each other, each asset’s level of exposure and the controls that I am putting in place to mitigate their exposure – (the better). And finally, what is the posture of those controls vis-à-vis the assets, their exposure and efficacy and the sufficiency of those controls? That is the core piece or the starting place for enterprises to focus on as they get on to the ZTA journey.

Once the visibility part of the security framework is in place, then an enterprise needs to look at the areas of their IT estate , which are greenfield or brownfield. It is easy to be able to implement ZTA on a greenfield estate because you are starting afresh. You can choose the type of controls you need, the type of policies and the governance you need. If it is a brownfield estate, then an enterprise will need to look at the opportunities they have to improve the level of verification and the particular control put in for every access request. The starting point of a zero trust journey for any enterprise has to be being able to build a cyber visibility framework.

Ashish: That brings me to my last question of this episode. What factors should companies think about before they decide to adopt ZTA?

Shiv: The first and foremost piece is their exposure to environments that are not completely under their control. What part of their estate and what part of their IT services are running in the data center vis-à-vis what part of their services are running on cloud because depending on that factor, the way they would go about building the cyber visibility framework would change. In the cloud environment, building a cyber visibility framework would take a different level of control implementation than possibly it would take in a, say, completely primary data center.

The second aspect they must look out for is the percentage of non-person entities in their identity ecosystem. Nonperson entities could be bots or APIs, for example. In a FinTech kind of environment, there would be a lot of APIs and there will be a huge API economy.

The third and the most important piece that the organization should look for is whether they have a consolidated data fabric and an identity fabric. If they do not have this, possibly the first starting point, apart from building the cyber visibility framework, would be to have a uniform data fabric and a uniform identity fabric across the organization so that once they start implementing ZTA, it is on top of a common identity platform.

Ashish: Thanks a lot for sparing the time, Shiv. I really enjoyed this conversation. It has been very informative and insightful.

Shiv: Thank you, Ashish.

Ashish: With this, we come to the end of this episode. Visit our website www.ey.com/in to learn more about ZTA or zero trust architecture and leave us comments about other technology topics you would like us to explore. This is your host, Ashish, signing off now. Thank you very much for tuning in.

Back to podcast

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

EY | Assurance | Consulting | Strategy and Transactions | Tax

About EY

EY is a global leader in assurance, consulting, strategy and transactions, and tax services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EYG/OC/FEA no.

ED MMYY

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

Topics

General

People

Back to podcast

Podcast transcript: How businesses can adopt Zero Trust Architecture for cybersecurity

14 min | 12 April 2023

Back to podcast

Welcome to EY.com

Topics

General

People

Trending

Back to podcast

Podcast transcript: How businesses can adopt Zero Trust Architecture for cybersecurity

14 min | 12 April 2023

Back to podcast