Harry Wong, CEO & Co-Founder and Zen Leow, CTO & Co-Founder
Harry Wong, the CEO and co-founder of Nebulas Tree, a firm that delivers cybersecurity solutions and services with in-depth domain knowledge and proficiency, says, “In our more than a decade of experience in the cybersecurity space, we saw clients often associate IAM engagement with high risk, integration complexities, and adoption challenges.” He further explains that they often hear horror stories of million-dollar IAM engagements turning into white elephants because of organizational resistance, many integration touchpoints with proprietary and legacy systems, or excessive coupling of processes. Even after clients successfully commission an IAM solution, maintaining it becomes challenging and unsustainable. To address these challenges, Nebulas Tree adopts a unique “simplicity is beauty” approach to IAM. The company considers having an IAM as not a means to an end. Just because IAM can help automate processes does not mean that organizations should fully migrate their processes into the system, fire their entire team of HR and IT support personnel, and let IAM do the work. Such an act not only creates fear and resistance; it also destroys the intimate knowledge of the organization and its processes that the personnel hold. “We always advocate to our clients to have a balance of simplicity, be realistic in their needs and take a phased approach to arrive at their equitable outcome. We probe our clients to go back to their problem statements and ask themselves what was the original intention while utilizing our knowledge and experience in IAM to help them steer clear of risky pitfalls,” says Wong.
From an application security perspective, Nebulas Tree believes that the starting point of a security program is putting security measures in place in three primary areas: systematic control of user identity, securing the application logic itself, and protecting the data holy grail. It is from here that the company derives its three core security services. Nebulas Tree’s “Managing Identities” services cover the fundamentals of user account lifecycle management, password management, entitlements, and access management in an application. Traditionally, these are managed manually in an organization, which results in privileges creeping over time and accounts not being deleted after users leave. “We leverage on a combination of best-in-class Identity and Access Management solutions to automate these processes together with directory consolidation to clean up accounts in the process, thereby helping our clients achieve their desired result,” remarks Wong. In addition, the company’s Single Sign-On and robust authentication services provide clients with a unified authentication and authorization framework that brings multi-factor authentication to their applications.
Nebulas Tree’s “Securing Application” services, in turn, deal with building security measures into the software, such as authentication and authorization, encryption, audit and logging, and reducing security vulnerabilities at the code level. Application teams often develop their applications in silos, and an organization may end up with many inconsistent ways of performing these functions. Furthermore, the teams may introduce various security vulnerabilities into their applications, resulting in costly remediation efforts. “Our solution uses a combination of web application firewall, API gateway, RASP (run-time-application-self-protect) to protect applications against application layer attacks and also incorporates our unified authentication and authorization framework to provide enhanced security and consistent application on-boarding process via the framework,” explains Wong.
Finally, Nebulas Tree’s “Securing Digital Assets” services cater to protecting the organization’s Holy Grail, which is essentially their data.
“We found that clients can have very creative ways to store data and some of these unknowingly bypass their security mechanisms and are susceptible to data breaches. It’s analogous to putting a huge padlock over your house door but leaving your windows open and valuables lying around in your house,” observes Wong. To this end, the company provides consultancy to assist its clients in developing a data classification process and incorporating detective and preventive mechanisms to monitor access and protect their data from unauthorized access.
Organizations that implement IAM know it’s a lengthy project, and the rate at which technology evolves is scary. “If you try connecting these two dots, it essentially boils down to how to execute an IAM project at a rate where you complete and commission the system before the next major improvement or software upgrade comes in,” opines Wong. As a result, Nebulas Tree emphasizes precision, speed, and efficiency in delivering an engagement to avoid putting clients into a never-ending loop of ‘next-major-version’ upgrades. Another issue is the upfront investment for an IAM engagement of a reasonable scale, which is not small to start with. To this end, the company wants to make security as affordable as possible for its clients.
Nebulas Tree follows a unique principle of “empowering businesses with value-driven security” for customer engagement. By understanding its clients’ objectives, the company makes recommendations and crafts security strategies that incorporate identity management, application security, and data protection and that gel with the clients’ digital transformation goals, while guiding clients through the different stages of attaining security maturity. “Typically, organizations see security spending as a cost liability. The key here is to skillfully weave security into their business processes and customer journey experiences to bring about visible business benefits,” says Wong.
In one IAM implementation highlight, a client needed to integrate their Single Sign-On solution (Identity Provider - IdP) with a service virtualization platform solution (Service Provider - SP) using SAML 2.0. However, the integration failed because the SP was unable to accept the SAML Response from the IdP. The client raised support tickets with both solution providers hoping to get a resolution, but both providers insisted the issue was not with their product, resulting in an impasse. In the end, Nebulas Tree built their own IdP and SP module to demonstrate that with the correct SAML 2.0 specification, the IdP and SP would have no issues parsing SAML requests and responses. “We were able to pinpoint the issue to the SP which for some unknown reason strips off control characters from the SAML Content resulting in the failure. The findings were brought up to the SP product support team and they were able to release a patch to address the flaw, bringing a successful close to the project,” explains Wong.
Wong reckons that Nebulas Tree is lucky to be in the right place at the right time. Just this year, the Government of Singapore announced it would pump SG$1 billion into improving its cybersecurity posture over the next three years. This has put the company right in the epicentre to tap into the massive pool of opportunities. “At the moment we don’t see cybersecurity as being ‘dying’; rather, we see a trajectory of demand growing in the next 10 years at least,” says Wong. Likewise, Wong sees pent-up IAM demand in the APAC region, where cybersecurity has matured over the years and there is a high degree of awareness of the need for IAM. In the last two years, Nebulas Tree has started market outreach to some of these countries. “Having said that, as a young company, brand building is our top priority. We wouldn’t want to be overly hasty in our expansion plan overseas. However, we are always on the lookout for suitable partners with similar philosophy to collaborate and enter the market together,” he concludes.