Data Security Bar Must be RaisedDSCI CEO Pushes for a Higher Level of Protection
"What we promoting is, yes, certifications are one part - they are absolutely fine; go ahead with that," Bajaj says. "But look at your infrastructure. Look at the applications which are running. Look at the people and all the kinds of processes that are operational. Focus on those, and you will get to know the threat environment in more detail, and then you can build appropriate controls to protect them."
Bajaj is CEO of DSCI, and his quote describes the organization's philosophy toward data protection. In an exclusive interview about data protection in India, Bajaj is complimentary of banks' efforts.
"Banking and telecom are at the forefront of providing the best security technology," he says. "Technology implementation and security implementation, I would say, are on par with what is being rolled out elsewhere in the world."
But, also like other global organizations, India's banks are challenged to implement effective new authentication methods, as well as to educate their banking customers regarding information security practices.
"Security is very difficult to implement because it is not a one-time solution," Bajaj says. "It calls for vigilance on a 24/7 basis. There is no relenting on this at any time of the year."
Among the topics Baja touches upon in this interview:
- Today's biggest threats to data and privacy;
- The strengths and weaknesses of India's current data/privacy protection standards;
- How banks are responding to the evolution of technology and data threats.
Bajaj has over 30 years of experience in various capacities in the IT industry. Prior to joining NASSCOM, he was the Global Head, Information Risk Management Practice, Global Consulting Practice, TCS. He was the Founder Director of Computer Emergency Response Team (CERT-In), Ministry of Communications and IT, Government of India. He was the co-chair of Indo-US Cyber Security Forum for a year. As the Deputy Controller of Certifying Authorities, he established the techno-legal framework for public key infrastructure in the country. Before that, he served as a Deputy Director General, National Informatics Centre (NIC). He led large projects in Finance and Banking, most notable being the Customs EDI Project that introduced near paperless working, based on workflow, in the custom houses in India.
Dr. Bajaj established a vigorous work plan of DSCI under which best practices for data security and privacy protection and frameworks have been developed. He is engaged in building DSCI into a self-regulatory organization using best practices, acceptance by regulators in other countries, speedier trial of cyber crimes, and dispute resolution by developing an ecosystem around DSCI.
Following is an edited transcript of a recent interview with Dr. Bajaj, as conducted by Tom Field, Editorial Director of Information Security Media Group.
DSCI's RoleTOM FIELD: If you can, why don't you tell us a little bit about the role of DSCI?
KAMLESH BAJAJ: So far as the Data Security Counsel of India is concerned, it's an industry initiative to focus on data protection in India. The primary objective is to tell the clients all over the world who are outsourcing their IT and business operations to India that India is a secure destination. Our mission is to create trustworthiness of Indian companies, to give assurance to clients worldwide that India is a secure destination for outsourcing, that their privacy and protection of customer data are entwined to global best practices, and these are followed by the industry.
Today's Top ThreatsFIELD: To set the stage for us, what would you say are today's biggest threats to data and privacy in India?
BAJAJ: I would say primarily there is no difference in terms of threats which the India companies face from those that you find in the world. Everywhere the threats are both external threats - the attacks from outside that are stealing corporate information or personal information - and the insider threats, which are basically misusing of privileges.
Then I would say that every company is rolling out their applications, and they are being rolled out as business opportunity to make information available from different platforms, mobile technology, or financial transactions for example. This new technology is also making use of the many insecure applications which are there on the common platform. So these are by far, I would say, the totality of threats which the Indian companies see. As I said, much like any other company anywhere in the world.
Data Protection StandardsFIELD: Well let's talk about some of the current data and privacy protection standards in India. What do you see as the strengths of these standards?
BAJAJ: The Indian data protection regime I would say is fairly strong because it mandates that companies in India, which are processing sensitive personal information, must implement reasonable security practices. Now "reasonable" depends on the kind of information, assets that one is protecting ... and then the contractual obligations are exercised as well in the data protection regime that companies must comply with ... as part of the contract.
But on the standards, I would say the first thing that data protection standards are international, and they are not specific to any country. Most of the countries in the world subscribe to the international standards ordered by ISO. So ISO 27001 is the acknowledged certification in this area, and I am happy to inform you that the highest number of ISO 27001 certified organizations are in India.
So then, we are trying to develop practices which would be beyond the ISO 27001. So that is the initial purpose of the DSCI, which gives them assurance which goes beyond 27001 and some of the practices which focus on information flow across the organization. It focuses on the movement of information from that place in that geography to location in India. And within that also we try to identify where are the threats to data and privacy protection.
Weaknesses in StandardsFIELD: Well, Kamlesh, with the current regulations and standards, where do you see weaknesses or opportunities perhaps, and does DSCI plan to address these, this year and beyond?
BAJAJ: To my mind, if the objective of any company is to only get a certification, then you are stopping with what you would like to ensure to the auditor. That is, you anticipate what the auditor is going to ask, and you try to develop your security program for that direction only. Now if you follow that process, then you will surely get the certification, but then what ends up is that you are not actually addressing the threat environment which is specific to your company, the kind of infrastructure you have, the kind of applications which you are running. Both things require a deeper analysis. They should be focused on securing the organization.
So what we are promoting is that yes, certification is one part - that is absolutely fine, you go ahead with that. But then look at your infrastructure, look at the applications which you are running, look at the people and look at all the kind of processes in your operation. Focus on that, and you will get to know the threat environment in more detail, and then you can build appropriate controls to attack that.
So I think that is weakness in the standard or something which we are addressing through the DSCI security [standard], which compromises 16 specific areas, and each of the areas is regularly best practices of how to implement.
Role of BanksFIELD: Let's talk for a few minutes about the banking industry. Kamlesh, how would you say that Indian's banks have responded to the evolution of technology as it has gone more mobile, as well as the data threats that you outlined earlier?
BAJAJ: If you look at the domestic industry in India, then banking industry I would say - banking and telecom of course - they are the forefront of in finding the best security technology, best IT and as well as the security technology. Banks I would say are at the highest level of uptake of the latest technologies and implementation of security quality.
FIELD: What areas did you find that the banks should address most immediately?
BAJAJ: First of all in the internet banking, which of course has been rolled out for the last three to four years, banks are also looking at two-factor authentication. That is, ensuring that you have more than one token or two different ways of identifying yourself. So that is one area. And the other thing is the key challenge is how to educate the customers. Unlike a company an organization in which you are educating your own employees about security awareness, in case of banking it is the exterior customers who are millions in numbers, they have to be educated about security practices as they connect from their homes, their laptops, their own machines. They should be fully patched up. So this I believe is a big challenge for the banking industry.
FIELD: Now, we find elsewhere in the world that the consumer, the citizen at home, generally doesn't follow much of the awareness that we share with them. Is that any different in India?
BAJAJ: No not at all. It is exactly the same. You started facing that challenge I'd say about 10 years ago, and we started about three years ago. So, we are learning from practices and the matters used by some of the western banks, and they are trying to promote the same here as well.
Tips to Improve Data SecurityFIELD: Well, what advice do you give to organizations then that are looking to improve their own data privacy protection, especially with the understanding that the end user or the consumer generally isn't going to take the advice that you offer to them?
BAJAJ: I think organizations first of all must implement a best practices approach. They should study their own environment very carefully ... and there should be clear visibility. Visibility in terms of how the information flows ... and that privacy and security and what we see as disciple and defend.
See, the problem is that security is very difficult to implement because it is not a one-time solution. It requires vigilance 24/7 basis throughout the year. There is no relenting on any of this at any time of the year. So that is why it is difficult to implement. This is a challenge, a continuous challenge with every organization has to face and then keep doing it.