Information Security has been a top concern for CIOs for the last few years, and its importance continues to grow. The key reasons are:
Digitised, globalised and mobile world, and the need to have instant information
Newer channels like mobile further fuelled by low cost smart phones/PDAs
Also as we go along and connectivity becomes ubiquitous, the movement of data from local storage to central storage/cloud
With all the above, hackers are having a field day! The situation is something like this: instead of wealth being stacked away in private lockers inside secure rooms behind a fake wall, it is now stored in ‘full view’ of the public, with multiple glass doors separating the thieves from the wealth. Now who wouldn’t be tempted? And while there are solutions available to address most specific needs, hackers find a new loophole and, in response, another solution pops up. It is a constantly changing threat landscape. The challenge for CIOs is NOT the non-availability of solutions. The key challenges are:
Over a period of time the solutions deployed have become fragmented and heterogeneous, and hence there is a spaghetti architecture of IS-related applications alone
Since you are addressing the ‘fear’ factor rather than a ‘Business Value,’ it is difficult to put a price on it or justify the return on investment
Again, many of the solutions available don’t really address the ‘security’ need but play on the ‘fear,’ making it difficult to separate oil and water
And the challenge is not only from ‘outside’; the threat also resides ‘within’ the organisation
I am touching upon four areas/concepts which are critical to be addressed by anyone wanting ‘comprehensive’ security for their organisations and I am also sharing my personal view on where the industry stands on these. The terminology that I have tried to use is what is universally accepted in the industry, and even if the terminology was coined by a specific vendor – it is by no means an endorsement of the products promoted by that vendor.
Identity and Access Management
The concept has been on the horizon for over a decade. There have been very successful implementations. This is especially the case in large organisations, and more so in banking, where applications are numerous and heterogeneous. Despite the much higher need for security there, implementations have mostly failed for two reasons:
The effort of changing existing applications and integrating them with IAM products has made projects very complex
The TCO of implementations has not been justified by the benefits
Having said that, I think it is very important that organisations invest time, effort and dollars into this, especially in verticals like BFSI where most data is very sensitive with respect to confidentiality.
YES Bank has implemented a very innovative solution in this space – simple, effective and absolutely worth the buck! It involved minimal implementation effort, using an approach diametrically opposite to traditional IAM solutions. Glad to discuss if anyone would like to know more.
Authentication Techniques
From passwords to two-factor to multifactor to token-based, hard or soft, authentication has come a long way. Some key authentication techniques to watch out for include behavioural authentication and biometric authentication, especially voice-recognition-based authentication. I am particularly keen on voice-based authentication because it requires no endpoint device other than a regular phone/cell phone.
End-to-End Encryption (Network Security & End Point Security)
This really covers stored data and data in transit. Data on laptops and PDAs/mobile devices is of significant concern due to the high number of ‘lost’/‘stolen’ cases and the fact that these devices are used outside the enterprise network. Data on PCs can still be ‘largely’ secured thanks to physical security and their being connected to the enterprise network. Needless to say, the underlying assumption is that your network is secure, which brings me to the next sub-point on network security.
Network security is an absolutely critical aspect in this highly connected world. No number of VLANs / router rules / firewalls etc. can provide you enough security. It’s a matter of time! So one needs to really watch out for emerging solutions in this space. But before I forget, on device security: while there are quite a few encryption technologies, the question to ask really is, in this era of ubiquitous network connectivity, do you really need to allow data to be stored on these devices at all? Sounds insane… wait for 6 months to a year!
User Awareness & Physical Controls
Almost everyone, including a lot of senior management, believes Infosec is an IT-related issue! How wrong could one be? The blueprints of new product designs drawn on paper… do they require security? Specifically in banks, the confidential financial information of your clients, does that information need to be protected? Especially when you are talking investment banking, where confidentiality is of utmost importance and one breach can actually make the market ‘lose’ faith and shut down the business altogether!
Most organisations fail to implement physical controls, i.e. controls around information residing on paper etc., while they implement best-of-breed solutions for their IT-related security. Funny as it sounds, user awareness and physical security aspects cost very little but are the most neglected!
The bottom line before I sign off is that IS is a state of mind of the organisation. It also follows the 80/20 principle – with 20% of the investment you can easily cover 80% of your risks. For the remaining 20%, choose wisely based on business needs, not on exciting and cool technologies which promise the moon.