IN PERSON
A key consideration for governments across the globe is the extent to which to rely upon outsourced vs. in-house cyber security talent
Michael Sentonas, McAfee VP and CTO (Asia Pacific) discusses security
50
egov / www.egovonline.net / February 2012
grid name IN PERSON
Michael Sentonas
Vice President and Chief Technology Officer, Asia Pacific, McAfee
“There is an immense opportunity
IN THE e-Governance space”
W
McAfee Vice President and Chief Technology Officer, Asia
hat would be some of the most critical security threats the Indian government faces?
Governments globally face threats to key assets. These threats can range from hacktivism, attacks on critical infrastructure through state-sponsored cyber sabotage and intellectual property theft. Increased penetration of mobile devices means more mobile government workers and increased potential for data leakage and for malware penetrating into the network if security policies and technical mechanisms are insufficient. Second, as the Unique Identity (UID) project rolls out, ensuring utmost protection for the IDs and data associated with each record would be critical. The Indian government is already planning a comprehensive security strategy to protect this project. Third, outsourcing protections will be critical – and this revolves around legislative policy or laws which the government should be instituting – since so much of Indian economy relies upon outsourcing.
What are your views on security of public information in India, particularly with respect to the UID programme?
Pacific, Michael Sentonas is responsible for driving the integrated security architectures and platforms that have propelled McAfee into a leadership position in digital security, with a focus on the Asia Pacific region. With a background in sales and engineering, he has been able to drive innovation and optimise product direction and development in the company. He has over fifteen years experience in the IT industry, focusing on internet
Currently, security adoption across government enterprises is largely restricted to perimeter security and malware protection. However, the UID is one programme which takes stringent steps to preserve and maintain critical citizen data. It has been structured in a way so as to prevent any sort of data leakage, as it deals with confidential individual information. The privacy of the individual is respected and this will be one of the major reasons for the success of the project.
security solutions with past
What is McAfee’s play in the government sector? Could you share with us some your major initiatives in this sector?
major security challenges to
There is an immense opportunity in the e-Governance space for technology and related companies in India. Industry reports estimate it to be in the region of $ 6-10 billion over the next 2-3 years. At McAfee, we are very bullish about the Government vertical globally and this strategy translates into the Indian context as well. We have
government sector
roles including software development, security consulting and management. In an email interview with eGov, he talks about the government business and McAfee involvement in the
February 2012 / www.egovonline.net / egov
51
IN PERSON
increased. Nearly 30 percent believed their company was not prepared for a cyberattack and more than 40 percent expect a major cyberattack within the next year. In a country such as India, much of the critical infrastructure is with Public Sector Undertakings and hence owned by the government. Because of their inherent economic importance, such assets make strong targets for political sabotage, data infiltration and extortion.
• Key network areas – IT, Operations and New Smart Grid Projects – should be overseen by a single security authority responsible for interconnectedness and synergies necessary across all three as compared to a silo-based approach. It is advisable to have a single security authority as to enable holistic protection of the assets. • A strong data governance plan that classifies data as per its value needs
“Compliance never equates to security so an over-focus on
regulation diminishes the importance of
other important security controls a separate team globally as well as in India that has been institutionalised for managing government projects; bearing testimony of our concentrated focus on this sector. The initiation of large projects such as UID project, r-APDRP (restructured-Accelerated Power Development and Reforms Programme) etc., and the international phenomenon of terrorism moving into the cyber domain implies that IT security will continue to grow in importance for the Indian government. We are working together with a number of Indian government agencies and ministries through our channel partners to help develop coordinated strategies to tackle the lacunae in India’s defences.
What is McAfee’s advice to protect critical infrastructure from cyber attacks? In April 2011, McAfee and the Center for Strategic and International Studies (CSIS) came out with findings from the Critical Infrastructures report that reflects the cost and impact of cyberattacks on critical infrastructure such as power grids, oil, gas and water. The survey of 200 IT security executives from critical electricity infrastructure enterprises in 14 countries found that 40 percent of executives believed that their industry’s vulnerability had
52
egov / www.egovonline.net / February 2012
McAfee McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world’s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse and shop the Web more securely. McAfee products empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security
Managing security issues is certainly a challenge for the government in India because there are manpower as well as cost-related challenges to deal with. A key consideration for governments across the globe is the extent to which to rely upon outsourced vs. in-house cyber security talent. There is also a worldwide belief that regulation will somehow solve network security related concerns. Compliance never equates to security so an over-focus on regulation diminishes the importance of other important security controls. Therefore spending budget wisely to ensure the government achieves the right level of security means balancing compliance with security and the right level of in-house talent to do so.
What would be the key components of a comprehensive security plan for protecting the country’s critical infrastructure? A highly sophisticated network security posture is needed to guard critical establishments from premeditated attacks. We recommend adhering to a 5 step risk-based checklist to create a strong network control which will minimize such attacks:
to be developed. Post this, a relevant plan to safeguard vital data (at rest on the network, in transit within/to/ from the network, and in peripherals and mobile devices) can be executed. • Cyber attacks can also be instigated through a weak vendor network, as a result of which hackers can gain direct access to the critical infrastructure. Vendors should be selected carefully and made to validate their security standards. When vendors notify new patches or other urgent actions over a possible threat, the recommended mitigation steps must be assigned high priority. • Daily vulnerability assessment to understand potential weaknesses especially when new devices/applications are added to the network is also needed. It is also important to maintain regular checks when the control system becomes IP-enabled. • There has been an increasing trend in the deployment of ‘whitelisting’, a technology which blocks all unauthorized executables or applications and obviates the need for regular updates which require downtime on the network. It is also suitable for devices which are purpose-built – such as control systems; or those that run only limited applications – such as servers.