 "Infosource Secures HFDC Bank's Outsourcing Operations")
Have you ever wondered how the much-dreaded tele-marketers get your phone number, pestering you with products and schemes that you may not even be remotely interested in? Well, one of the ways could be through the information that banks send to various associates for purposes such as printing and publishing without appropriate access controls.
Looking at such a scenario from an enterprise perspective, securing confidential customer information and ensuring that it is not misused becomes a priority and the management has to put the necessary technology in place to avoid misuse of data at any stage.
Effective Security Controls
Keeping customer and company data secure is an unspelt commandment when it comes to banking and HDFC Bank has tried to follow it religiously by deploying Infosource, a Seclore security offering. Known for being forward looking and an enthusiastic adopter of technology, let us get behind the scnes to understand what made HDFC Bank choose Infosource.
Vishal Salvi, CISO, HDFC Bank, says, “One of the challenges that we were facing revolved around sending customer data to our business partners for processing, which is later distributed to our customers. We were caught at various points, for instance, how to ensure that it is only the application that is processing at the business provider’s end and how to ensure that the data is not tampered with, extending access to both view and use.”
“In HDFC’s case, there were some unique challenges like the size of the operation. The bank has many outsourcing partners and to figure out what information is going to which outsourcing partner and whether it is information that needs to be protected at all was a challenge,” says Vishal Gupta, director, Seclore.
Implementation Process
According to Salvi, it was a fairly small integration activity and as Infosource wasn’t a core banking application no major change had to be made in the infrastructure. From a vendor application perspective, it can be seen as a medium-level change. “We were in constant touch with our third party business partners, who were working with Seclore, to get the integration in place. The change happened smoothly and successfully. Infosource served our purpose of compatibility and security.”
Why Infosource?
Infosource is a fairly straightforward application, which encrypts information that has to be protected. For this, there are keys that are shared and implemented at the vendor application side and the handshake happens at the application level once the information is released because it is integrated with the application throughout. Salvi says, “Our requirement was that our data should not be seen by anyone and could be opened by the application only. With Infosource, as soon as the application process starts it uses various keys to open the information and processes it and then the future use of the data is determined.”
Gupta explains further, “Infosource is a specialist information security system for outsourcing operations. The way it works is that whenever enterprises are outsourcing and in that process sharing confidential information or customer data with their outsourcing partners, it helps in ensuring that the data is under the control of the enterprise and follows the enterprise’s information security policy and not the vendor’s. The data, which is sent across is encrypted and configured for a specific kind of usage, which could mean restricting the computers or the physical infrastructure on which the information can be used, restricting the number of times that it can be used, the manner of usage of the information etc”.
Benefits
According to Salvi, one of the major benefits accrued from this deployment is the comfort of knowing that the information is safe from end-to-end. “In today’s world, where the boundaries of the organisation’s functionality are disappearing, we are dependent on different business providers to process our customer information. Given that requirement, we still want to control how that information is used and processed by the service providers. Infosource has allowed us to do that.”
“Customers’ confidential information, which would have otherwise left the organisation without any controls, is now getting protected with rights and policies defined by the bank itself and not the vendor,” says Gupta.
HDFC’s Information Security Roadmap
“We have a three-pronged agenda, which includes focusing on policies and governance, and we feel that we have a good foundation there. We have multiple projects including online banking and we continuously ensure that we have the right controls and safeguards in place to protect ourselves from emerging threats. We believe in constant testing and enforcement of policies and processes as well as looking at new risks and vulnerabilities that emanate out of that and having the right programme to drive security implementation,” concludes Salvi.