www.egovonline.net
THE E-GOVERNMENT MAGAZINE FOR ASIA & THE MIDDLE EAST
Creating Trust in Electronic Environment Controller of Certifying Authorities Government of India
ISSN 0973-161X
VOLUME 4 | ISSUE 4 | APRIL 2008
Privacy Laws and Citizens
INDIAN RAILWAYS
INFORMATION MANAGEMENT AND DECISION SUPPORT SYSTEMS IN RAILROADS INTERNET TICKETING PROJECT INDIAN RAILWAYS KEY IT INITIATIVES
INDUSTRY PERSPECTIVE
SECURITY SOLUTIONS FOR THE PUBLIC SECTOR SECURE TRANSACTIONS THROUGH STRINGENT REGULATIONS PROTECTING CRITICAL INFRASTRUCTURE
Shielding Networks for Greater Efficiency
COVER FEATURE
Creating Trust in Electronic Environment
Interview: Dr N Vijayaditya, Controller of Certifying Authorities, Ministry of Communications and Information Technology, Government of India

COMMENTARY
Privacy Laws and Citizens
Thomas B Riley, International Expert on e-Governance and e-Government

INDUSTRY PERSPECTIVE
Protecting Critical Infrastructure
Interview: Jerry Cochran, Senior Security Strategist, Microsoft Corporation
7 Myths About IP Access Control to the Door
Tom Heiser, Vice President, Networked Access Solutions, HID Global; Eli Gorovici, President and CEO, DVTel Inc.
Secure Transactions Through Stringent Regulations
Interview: Hemal Patel, CEO, Elitecore Technologies
Security Solutions for the Public Sector
Interview: Chris Fedde, President and COO, Safenet Inc.

NEGP COMPONENT: CAPACITY BUILDING
Capacity Building for Good Governance
Interview: S R Das, e-Governance Group, Ministry of Communications and Information Technology, Government of India

COUNTRY INITIATIVE
GTZ: Economic Development Through e-Governance
Hannes Karkowski, Senior Advisor, GTZ; Ricarda Elena Joie Wildemann, Technical Advisor, GTZ

MCONNECT
News

INDIAN RAILWAYS
Internet Ticketing Project
Sanjay Aggarwal, General Manager, IRCTC, Ministry of Railways, Government of India
Information Management and Decision Support Systems in Railroads
Manoj Jain, Head, Government, Defence and Utility Business, India and South Asia, Satyam; Ashish Raj, Senior Consultant, Travel and Logistics Unit, Satyam
Key IT Initiatives

PRODUCT PROFILE
Check Point: Securing the Internet
egov is a monthly magazine providing a much needed platform to the voices of various stakeholders in the arena of e-Government, apart from being a repository of valuable information and meaningful discussion on issues of e-Governance in general, and e-Government in particular, both to the specialist and the generalist. Contributions to egov magazine should be in the form of articles, case studies, book reviews, event reports and news related to e-Government projects and initiatives, which are of immense value for practitioners, professionals, corporates and academicians. We would like the contributors to follow these guidelines while submitting their material for publication.

ARTICLES / CASE STUDIES should not exceed 2500 words. For book reviews and event reports, the word limit is 800.
AN ABSTRACT of the article/case study not exceeding 200 words should be submitted along with the article/case study.
ALL ARTICLES / CASE STUDIES should provide proper references. Authors should give in writing stating that the work is new and has not been published in any form so far.
BOOK REVIEWS should include details of the book like the title, name of the author(s), publisher, year of publication, price and number of pages and also send the cover photograph of the book in JPEG/TIFF (resolution 300 dpi). Book reviews of books on e-Governance related themes, published from year 2002 onwards, are preferable. In case of website, provide the URL.
MANUSCRIPTS should be typed in a standard printable font (Times New Roman 12 font size, titles in bold) and submitted either through mail or post.
RELEVANT FIGURES of adequate quality (300 dpi) should be submitted in JPEG/TIFF format.
A BRIEF BIO-DATA and passport size photograph(s) of the author(s) must be enclosed.
ALL CONTRIBUTIONS ARE SUBJECT TO APPROVAL BY THE PUBLISHER.

Please send in your papers/articles/comments to: The Editor, egov, G-4, Sector 39, NOIDA (UP) 201 301, India. tel: +91 120 2502180-85, fax: +91 120 2500060, email: info@egovonline.net
EDITORIAL
Security sans freedom?

Mike Godwin, in his brilliant book “Cyber Rights: Defending Free Speech in the Digital Age”, alludes to the issue of rights and freedom in cyberspace. The issues at stake that he challenges include a wide array of topics like forgeries, copyright abuse, pseudonyms, right to privacy, cryptography, security, hidden agendas, etc. Yet, there is a critical need for e-Governance programmes across the world to consider them as critical factors to ensure smooth operations of the governments when they move from a physical office to cyber-operated services at all levels. These are issues that get debated under the platform of Internet Governance.

Privacy laws and citizens include a fine balance between privacy and security. In a commentary, Thomas B. Riley, with over two decades of international experience, shares the importance of maintaining this balance. Several new technologies and security tools are being developed; these include IP access control to the doors, RFID technology, digital signature encryption and verification systems, identity protection, database security, etc. Central to the implementation of secure services of e-Government to its citizens, clients or intra-departmental processes is the need to build capacities both at the national level and in the state/provincial levels. This is critical to ensure that the transition is smooth and fulfils the mandate of good governance.

Success stories from the Indian Railways in its use of information technology servicing the largest railway network are worth a special mention. There has been both back-end and front-end integration of the nationalised services and it ranges from procurement to efficient tracking and controls to servicing the citizens. The Internet Ticketing Project, IRCTC, is the biggest e-Commerce venture in India, seeing an annual growth of 300%. In this issue we are covering three articles providing a perspective of the Railway industry. Do let us know how you enjoyed this issue!

Ravi Gupta
Ravi.Gupta@csdms.in

PRESIDENT: Dr. M P Narayanan
EDITOR-IN-CHIEF: Ravi Gupta
GROUP DIRECTORS: Maneesh Prasad, Sanjay Kumar
ASSISTANT EDITOR: Prachi Shirur
RESEARCH ASSOCIATE: L. Chaitanya Kishore Reddy
SR. SUB EDITOR: Nilakshi Barooah
RESEARCH ASSISTANT: Neha Sabharwal
MARKETING: Gautam Navin, mobile: +91 9818125257, email: gautam@csdms.in; Debabrata Ray, mobile: +91 9899650692, email: debabrata@csdms.in
SALES EXECUTIVE: Santosh Kumar Gupta, mobile: +91 9891192996, email: santosh@egovonline.net
SR. GRAPHIC DESIGNER: Bishwajeet Kumar Singh
GRAPHIC DESIGNERS: Om Prakash Thakur, Chandrakesh Bihari Lal (James)
WEB MAINTENANCE: Zia Salahuddin, Amit Pal Santosh Kumar Singh
SUBSCRIPTIONS & CIRCULATION: Lipika Dutta (+91 9871481708), Manoj Kumar (+91 9210816901)
EDITORIAL CORRESPONDENCE: eGov, G-4 Sector 39, NOIDA 201301, India. tel: +91 120 2502181-85, fax: +91 120 2500060, email: info@egovonline.net
PRINTED BY: R P Printers, Noida, India

egov does not necessarily subscribe to the views expressed in this publication. All views expressed in the magazine are those of the contributors. egov is not responsible or accountable for any loss incurred, directly or indirectly as a result of the information provided. egov is published & marketed in collaboration with Elets Technomedia Pvt. Ltd. (www.elets.in)
© Centre for Science, Development and Media Studies 2008 www.csdms.in
COVER INTERVIEW
Creating Trust in Electronic Environment
Dr N Vijayaditya, Controller of Certifying Authorities, Ministry of Communications and Information Technology, Government of India
Digital transactions are central to the effective implementation of e-Governance. How does the Controller of Certifying Authorities (CCA) facilitate secure e-Governance?

The Controller of Certifying Authority (CCA) is responsible for issuing the licenses to the Certifying Authority (CA). In other words, the whole procedure is controlled by the CCA. Digital Certificates are issued by the Certifying Authority to the various users as well as the individual user. There are certain procedures that are followed in the issuance of certificates which are stipulated by the CA in the standards issued by them. The CA is regularly audited by the third party on an annual basis. Therefore, there are clearly laid out procedures for the Certifying Authorities. These procedures are regularly noted for various operational as well as technological changes. Most of these certificates are issued in a smart card or a USB mode. The major advantage is that once a person digitally signs, anybody who makes modifications in the card can be noted easily. When we say a certificate is digitally signed, there is content and when you apply your USB token or a smart card, it generates a 40 byte character which is sent along with the document. Therefore, if users want to check the genuineness of a document, they can verify the document. If it comes back with 40 bytes, it implies that it is correct and there is no modification in the content.

In e-Governance, for instance under MCA 21 (Ministry of Company Affairs) Project, Digital Certificates are used for uploading the content. In future, one cannot say that a particular document was not signed by a person or a particular content is not correct because non-repudiation is only possible through digital signatures. There are many other security systems that can be faltered, whereas, in digital signature this cannot be done. DGFT, IFFCO, RBI are some of the departments that are using inter bank transfers through digital signatures. High Courts are using digital signatures for their judgements as they ensure authenticity of transactions over the Internet.
What is the role of the CCA? Under the IT Act 2000, how are the electronic records authenticated?

The Control of Certifying Authorities is under Section 17 of the IT Act 2000. Presently, the CCA is responsible for all the Public Key Infrastructure such as the process of issuing the licenses to various Certifying Authorities, the procedure to be followed, etc. CCA is responsible for the safe custody of the Digital Certificates of the Certifying Authorities and the Certifying Authorities are responsible for the certificates that are issued by them. Thus, the whole operation of the Public Key Infrastructure and its security is stipulated by the rules and regulations issued by the Controller. The Controller ensures that the Public Infrastructure is secured in the country. In addition to this, he also audits all the Certifying Authorities on a regular basis. Stringent procedures are followed as laid down under the IT Act for this process.

Are there any other Government Departments in the pipeline, which are planning to apply security solutions in their services?

Yes, there are many departments in the government that have applied security solutions in their services. The Income Tax Department has initiated the process. The Passport Department is planning to make Passports into e-Passport. However, the procedure will be different from the one followed by others. Nevertheless, they will also be issued Digital Certificates for their operations.

What are the major security concerns in cyberspace? What are the steps taken by CCA to ensure the trust in, and security of, e-Transactions?

There are many security issues in the cyberspace. One is regarding the genuineness and security (from virus, malware, spyware, etc.) of the emails received. For instance, when a person is carrying out a transaction, how does he/she ensure that it is not hijacked in-between the process. The computer may be safe and secure but, the concern is regarding the safety of the network. Thus, there are a lot of issues related to the security in cyberspace. Each of the segments has to be secured. The operations, applications and the systems have to be secured along with the networks. In fact, each and every part has to be secured so that trustworthy transactions are ensured.
Could you tell us more about the Public Key Infrastructure and the services offered by it? What are the major security concerns in this regard?

Out of all the mechanisms, Public Key Infrastructure is given utmost importance. Generally, when we have to encrypt something, we use a code that is known to both the parties involved in a transaction so that we can exchange it. The problem here is with a third person, who needs a separate code. The other security solution that exists is called the Public Key Security. There are two keys, and each person or each entity, will have two keys/codes – one is Public and the other is Private. The technology is such that these two work in conjunction. If you encrypt with one of them you can only decrypt with the other and vice versa. The technology for Public Key Infrastructure is such, that if a person has to sign something digitally, he/she uses their Private Key. It remains with them and they do not give it to anybody. But their Public Key is available to anyone who wants to use it. Once, another person has access to his/her signature and the Public Key, the other person can verify it and see whether he/she has sent it.

Another issue is that how does one know that it is his/her authentic Public Key. The certificate for this purpose is issued by a Certifying Authority. When they have a Public-Private Key pair, they take their Public Key to a Certifying Authority. The Certifying Authority issues a Digital Signature Certificate, which is essentially a certificate containing a Public Key and binding it with a digital signature. That is how the technology works and in this way all the Certifying Authorities with the CCA at the root complies the Public and Private Key Infrastructure. With CCA at the root, we have issued 700,000 certificates which is an estimate of the key infrastructure. Each person has a unique key that cannot be replicated. Thus, when somebody signs with the digital signature of the Private Key, the content differs as the signature varies. Therefore they cannot generate a key using a different mechanism and it varies from certificate to certificate.

This system has been used in banks such as HDFC, ICICI and others for DMAT accounts to certify the statements regularly. A chain of sequence is used to give the authenticity so that it cannot be repudiated. Without knowing the 40 byte character for security, the content cannot be regenerated. Through the reverse mechanism, encrypted information can be sent to a particular person using the Public Key of that person available on the Internet. In any other operation it is easy to copy the fingerprints and it can be used. Whereas, here it cannot be used. This is the highest level of security for transactions on the Internet.
What are some of the e-Transactions carried out within the government agencies and for government services?

As far as technology is concerned, we provide the highest level of security in electronic transactions. When you have to work on the Internet for net banking, DMAT trading, filing income tax returns, etc. digital signature authenticates the person and provides the integrity of the content. The transactions cannot be repudiated and denied. These are the factors required for e-Commerce transactions. We are talking more about products, so we are based on electronics. Suppose, I take a print out of a paper that is digitally signed with 40 bytes, in a printed form, anybody can change it. But in the electronic form, if the content is changed, it automatically alerts you about the modifications. This is because there is a strong relation between the content and privacy.

Do the current Indian regulatory and certifying laws have adequate security related aspects? How often are these laws updated, considering the growing security threats?

The Certifying Authority has created a procedure for issuing secure transactions. It is today, the highest level of security in this context. As the technology is fast changing, we have to regularly deal with it and make appropriate changes. Nevertheless, the procedures used, are quite adequate. In cyber space, what is secure today is not secure tomorrow. Therefore, we make sure that the system we use ensures the highest level of security and for this we follow certain encryption technologies of a very high level. In the future, we have to see what is to be done. There are many people carrying out e-Transactions, for net banking, e-Tendering, etc. When they upload it, they digitally sign it. They use the Public Key, encrypt and transmit it. This way they cannot personally encrypt and change the content until the whole team of 6 – 7 people is present. Yet, if you are just transmitting a file, you have access to it, from any computer. Suppose, two people are responsible for the tendering, and their Public Key is used for encrypting the whole thing, until both of them use their Private Keys, they cannot encrypt it. So, this is the highest level of security that is possible.
COMMENTARY
Privacy Laws and Citizens
In the development of e-Government practices and principles over the years, privacy and security have become key factors to ensure success of online programmes
Thomas B. Riley
Thomas B Riley has been involved in government policies including freedom of information and privacy for the past 38 years in many countries around the world. He has been an international expert on e-Governance and e-Government since 1987
PRIVACY AND MOBILE TECHNOLOGIES: WHAT ARE THE RISKS?
Ever-changing and emerging technologies continue to present challenges to our individual privacy. A world in which mobile technologies make it possible to be online at any given moment and in any place, day or night, can result in privacy breaches. Mobile phones represent a challenge to protecting our individual privacy because they are ubiquitous and now have the capacity to store multiple pieces of data. Security and privacy are primary issues in using mobile phones. Mobile phones are now key technologies in adapting e-Government policies and programmes. Increasingly, public servants and citizens alike walk around with mobiles that contain programmes, addresses, saved text messages and different forms of information, equal to the amount of data that can be found on laptop and desktop computers. Ubiquitous access to the Internet, to one’s own computer and to other functions is now common among public sector officials and people in the private sector.

Carrying around a mobile has its advantages and its risks. For example, there are many stories in newspapers around the world regarding the theft of millions of pieces of data by cyber thieves. Some of this is a result of hacking. Much of the risk comes from people who leave sensitive government data on their laptops, which in turn get stolen. This is why policies are needed to prevent the loss of, and to protect, sensitive or secret government data.
One of the most enduring policy issues is privacy. In the development of e-Government practices and principles over the years, privacy and security have become key factors to ensure success of online programmes. Both of these are important issues due to the changing nature of technologies and the way people react to and use these technologies. From an e-Government perspective, the new technologies are invaluable to government in connecting with citizens. In surveys on e-Government implementation, the issue that came to light was that people want assurance regarding the safety of their personal information. Beyond privacy there are the security issues on a broader scale, where we are seeing the rise in spam, spyware, adware, phishing, identity fraud and a host of other hacker activities (good or bad) that make people uneasy when going online. Governments who have evolved e-Government and digital strategies have put a lot of emphasis on the importance of security and on ensuring that secure networks are viable.

e-Government is growing at a rapid rate around the world. It is now estimated that 94% of countries in the world have some form of online services. The degree of e-Government programmes varies greatly from country to country. However, it is clear that e-Government online services require a whole series of policy measures. As noted above, one of the essential policies for good governance is privacy laws and security measures to protect individuals who go online to take advantage of online government programmes and services. Privacy and security are essential to ensure the growth of e-Government.

Another emerging issue is the importance of technologies that enhance online privacy and ensure that individuals’ personal privacy is protected. Privacy is important in the minds of individuals, and a lack of privacy or security, and the possibility that an individual’s personal information might be used for purposes other than those for which they provided it to the online service, can have deleterious effects on an e-Government programme. In a democracy, technologies that inhibit or potentially erode privacy then become important social and legal issues.
PRIVACY AS A HUMAN VALUE: WHY PRIVACY
Endemic to all privacy laws is a set of fair information practices that set the boundaries for protection of the individual while allowing a certain latitude for organisations to use personal information when necessary and allowed by law. Privacy laws, those who administer them, and a public who value their privacy and speak out when necessary against potential abuses of these laws, are essential. Privacy laws are the walls that protect individuals against a possibly intrusive society. These laws have acted as the barriers against intrusiveness and met, to some degree, the expectations of protection from outside sources using one’s personal information. In our growing surveillance society, the walls between the private and the public are beginning to crumble. More and more organisations, governments included, now know more about individuals than ever before in history.

In the United States, there is a Federal Privacy Act. All fifty states in the Union have some form of a privacy law. It is the same in Canada, with a Privacy Act (1982) in place at the Federal level, and all ten provinces and three territories have some form of privacy legislation. The United Kingdom, Australia and New Zealand follow the same course. There are now numerous National Privacy or Data Protection (the European designation for privacy) laws around the world. These laws are prevalent in North America, Europe, New Zealand and Australia, with other countries following to bring in similar laws.

The European Union Directive on Data Protection requires all twenty-seven member countries to have data protection (privacy) laws as a prerequisite to be a member of the Union. These laws are universal in their coverage, dealing with both the public and the private sectors. The Fair Information Principles set out in the Directive are to be enshrined in all the laws enacted by the member countries. One of the clauses found in the Directive states that a member country might prohibit the flow of personal information to another country if the latter does not have an adequate level of privacy protection. This means that individual countries can prohibit the flow of personal information to another country if it is judged that the country to which the information is being sent does not have some form of privacy protection.

There is also the Council of Europe’s Convention on the Protection of Personal Information (1982) and the OECD (Organisation for Economic Co-operation and Development) Guidelines on the Protection of Data (1980). These instruments were originally developed over the concerns about automated information and the power to harm the individual. However, the European Union Directive mandates that both automated and manual files are protected.
Europeans see privacy as a human rights issue. Many might argue that it is a non-tariff trade barrier as it could restrict trade practices by disallowing the sending of personal information to other countries without laws and policies to adequately protect such information. However, the essence of all data protection and privacy laws is to protect the individual from having his or her information misused or abused. This has in it elements of making organisations accountable for what they do with personal information which they collect, while also endowing certain rights on the individual who provides the information. The European Commission Directive on Data Protection, in its preamble, stresses that this is a human rights initiative.
FAIR INFORMATION PRACTICES
The following are the Fair Information Practices recognised in all data protection and privacy laws around the world. All international conventions, laws, guidelines and policies essentially incorporate three basic principles, that is:

1. The individual has the right to inspect his or her own files kept by an organisation;
2. Specific administrative principles setting out the collection, storage and dissemination of information. These principles lay out:
   a) how the information shall be collected,
   b) how long it shall be stored before being destroyed (usually only seven years),
   c) that the information is kept secure and only accessed by authorised users,
   d) what the limitations shall be on sharing the information with others,
   e) the necessity to use the information only for the purpose for which it was gathered,
   f) that the consent of the individual must be gained if the data is to be used for another purpose,
   g) the right of the individual to have access to the file (in whatever form) containing the information, to determine its contents and veracity,
   h) the right to have false, misleading or erroneous information in the file either deleted or corrected,
   i) the right to make a notification in the file if the information is not corrected or deleted,
   and, under the final principle;
3. The individual shall have the right of appeal to a body independent of government, if the individual believes one of the principles has been violated.

One of the more important functions of privacy officials is informing individuals of their rights under their respective laws and identifying emerging trends and issues in society posing privacy threats.

What is all this concern about privacy? What does this mean to cultures where the concept of privacy is very different? Databases created by public or private sector organisations are usually subject to criticism if the databases in any way contain personal information. Thus, it is important to assess why people are concerned about the possible abuses of their personal information. It is also important to set out how easy it is to collect identifiable information in today’s technological environment.
KEY ISSUES
The main features regarding privacy laws and citizens are:
• All citizens where countries have privacy legislation have equal privacy rights.
• There are now billions of pieces of information in thousands of databases, floating around the Internet.
• The ‘cookie’ technology can track a person’s behaviour and preferences and computers can now be programmed to ‘talk’ to each other.
• Private sector organisations are using personal information to increasingly market products, services and goods but not necessarily getting informed consent from individuals to use their personal information.
• Citizens want the right to be able to consent to the use of their own personal information.
• There is a rising awareness of citizens about the need for deeper protections of their personal information, i.e. taking responsible action to protect one’s own personal information when possible.
• While there are currently many data protection/privacy laws in place, measures are still needed to assure citizens that their personal information is not being abused.
• Educational measures from Offices of Privacy Commissioners and Data Protection Registrars/Commissioners contribute to raising privacy awareness amongst the public.
INDUSTRY PERSPECTIVE
Protecting Critical Infrastructure
“We see India as a key developing area for Critical Infrastructure Protection (CIP). There is a lot of scope for leadership. Some of the work that is done in India is very encouraging from the development perspective”, says Jerry Cochran, Senior Security Strategist, Microsoft Corporation
You lead Microsoft’s efforts for Critical Infrastructure Protection (CIP) and cyber security exercise at various levels. Please elaborate upon the need for protecting the Critical Infrastructure. National security, economic security and public health safety are the major areas which come under the purview of Critical Infrastructure Protection (CIP). The Government typically organises these sectors into silos of activities such as the energy, transportation, banking and finance sector, and all of these undertake activities to protect that Critical Infrastructure. However, it is important to separate Critical Information Infrastructure (CII) and to differentiate it from Critical Infrastructure, as CII encompasses information and communication technology assets, that cut across all sectors. Whether you are in the banking or finance or oil and natural gas sector, you are dependent upon the telecom and IT products to run that infrastructure. So when we are talking about CII, we are talking about protecting those cross-cutting interdependencies. When we talk about cyber security it directly applies to that, because they are pieces of infrastructure that are dependent, they have IT infrastructure that is cross-cutting. It is important to note that IT and communication has a very virtual and logical identity, they are not a set of physical assets. Therefore, they can not be organised into silos and we need to see what each of these are, and approach them from the IT and communication perspective. In India we see that the Critical Infrastructure is gradually moving into the private hands. There are two ways – first of all, the government itself wants the private sector to make more and more investments. Secondly, the government is privatising its own state owned enterprises either partially or fully. Your comments. 
In every country in the world, what we have observed is that there are different drivers of the government and the private sector – operators and owners that impact upon the policy and regulation. There are different regimes in different parts of the world. For example in the United States about 85% of the Critical Infrastructure is owned by the private sector. If you take another country like Australia, most of the Critical Infrastructure is owned by the government. In Norway, almost 99% of the Critical Infrastructure is owned by the government too. Therefore, they do not have to deal much with the private sector. In India, it is seen that there is a combination of the public and the private. The government’s focus is on what are its core competencies and create and provide opportunities for the private sector. The government should invest in what they are best at and create incentives for the private sector. In every country there is a different policy and regulatory landscape on how the decisions are made. One important thing is to acknowledge the fact that what might work for a particular country may or may not work for another. What may work for the US may not work for India or Australia. Whether it is a developed country or a developing country, the governments need to decide what is best suited for them.
Please tell us about the need for a layered approach to CIP.
First of all, the idea is that at a higher level, there is a need to acknowledge the importance of CIP in national and economic security and public health safety. The Government of India has done that in further provisions and amendments in the IT Act or going towards recognising Critical Infrastructure and understanding that there is a dependency on that Critical Infrastructure upon Information and Communication Technologies and it is important to manage risks. It is also important to recognise what you want to accomplish at the village level, at the city level, and at the national level and what you want to acknowledge and achieve in that infrastructure. This can be worked through the joint efforts of the government and the private sector.
What are the different kinds of threats to Critical Infrastructure?
In terms of threats, almost all countries are taking an all-hazards approach and not just against cyber threat. This is because of the fact that the way someone can hack into the control panel or shut down a power grid, someone like a terrorist can also blow something up which does not have a cyber component at all. So in terms of protecting the Critical Infrastructure, there has to be an overall protection from all threats including threats from terrorists and natural disasters. For example, in the US, Hurricane Katrina had a devastating effect on the information and communication systems, telecom systems and power of that region. Similarly, in the twin tower terrorist attack of 9/11, the telecom and communication systems of that region were affected, which directly hit the New York Stock Exchange. Threats are therefore of various kinds, natural and man made, intentional and unintentional.
What are some of the features of Microsoft-based solution for protecting Critical Infrastructure such as rail, roads, ports, power and water supplies?
Protection of Critical Infrastructure requires setting or defining the roles for the public and the private sector in the risk management process. The government sets various goals and functions that are to be performed from their end. There are some critical functions that they want to provide in terms of the economy, national security, etc. Therefore, they can work in Public Private Partnership (PPP) in order to provide the citizens with the Critical Infrastructure such as power and water. The owners and the operators can get together and figure out the risks, prioritise the risks and find solutions to those risks. You can also see how to analyse those risks, you can look for existing mitigations and also look for further mitigations for those risks. The owners and the operators in a case like the US, where almost 85% of the Critical Infrastructure is owned by the private sector would know the best way to protect the Critical Infrastructure. Similarly, in the case of Norway, it is the government who does the same. But it is important to know how these critical functions are put together and to know what are the critical inter-dependencies and intersecting points. The other important key point is building operations or response frameworks. You have a cyber incident or a natural incident, or a terrorist incident, regardless of the origin, there needs to be a way to respond and recover every aspect of the Critical Infrastructure assets. In the operational response framework, the government may have an operational response capability. Even a private sector company like Microsoft can have an instant response capability, however, often what we find is that those are not aligned. For example, in the cyber security arena, CERT India can have a specific way that they respond to India and India’s specific events. There can be an industry consortium that has sectoral Internet response mechanisms. In the US, we call it Internet Sharing and Analysis Centre (ISAC). In Microsoft, we have our own security response for our own product vulnerabilities and yet we do not collaborate or align our operational response framework across those layers of the individual private sector or government. In the US, what we do every two years is a National Cyber Security Exercise under the Department of Home and Security. This exercise really seeks to align those three layers – the government, the sector and the owner – which is the operator. And finally, there is a need to have a continuous set of interactive cycles. You cannot just assess the risks of Critical Infrastructure and provide some control, mitigate risks and then walk away, since the landscape is constantly changing and the infrastructure itself is constantly changing. In India, the infrastructure is continuously moving into private hands and that will change the entire risk equation so it has to be continuously reassessed and redone. The point is that we want to create a culture of regulating security across the public and the private sector. The process has to be supported by legislation. This is one of the reasons why the IT Security Act in India is going to continually evolve and some of the proposals for amendments could be implemented.
What is Microsoft doing about CIP within the overall umbrella framework of Trustworthy Computing? Please tell us about some of your government sector projects in this area.
Trustworthy Computing is an initiative started by Microsoft in 2002 and it really changed the way Microsoft builds its software and the culture in the company. They have four pillars – security, privacy, reliability and business practices. If you see them from a pure Microsoft product point of view, there may be a huge need for change. But if you look at them from a Critical Infrastructure point of view, I may need to worry about security of Critical Infrastructure, data protection and privacy. The business practice is very important especially what the consumers, the government and the industry view about Microsoft as a company. Are we open and transparent? Are we working on multiple products and solutions? Are we following the government’s rules and regulations? These are all the issues that we are trying to work on, in order to build the Trustworthy Computing. In CIP and Trustworthy Computing, we are really working on three to four fronts. One of them is Software Assurance. Software Assurance is a complete way of improving the security of software. It is also about software and security life-cycles and how do we reduce the number of vulnerabilities and improve the life-cycle of our products. For example, how do we know when a developer checks something in the resource stream and how do we know that the developer had an access or that he was authorised with a check-in code? How do you know before our software walks out of the door, that it is free of viruses? How do we know that all the binaries have digital signatures, so that when you get it as a customer you can verify if this is the file that Microsoft wants me to have? So there is integrity mechanism for the integrity of software and also assurance management to reduce the number of vulnerabilities.
The first one is working with the government on software assurance and with the industry and the private sector. The second area is CIP policy dealing and engaging in conversations with different governments from time to time. For example in India, Microsoft, as part of the consortium has provided feedback on the IT Act and made recommendations on amendments. The next area is what I would call operational CIP. Operational CIP is all about how do we bring industry requirements for operational response framework, how do we bring them to align with our own processes. It is also about how we give everything that is needed by the government as each government is different. It is to ensure that Microsoft approaches different governments in a different way. The final one is CIP alignment. This is where we work to make our products better-suited for Critical Infrastructure. Most of the control systems in the world, such as transportation, electricity generation, oil and gas and water supply are all run by control systems and a large number of those operating systems have some aspect of Windows operating systems. Whether it is the database server system running Windows or it is the operator control that controls the Windows running, Windows touches all aspects of the control systems. So what can we do in the control system? How can we collaborate with different vendors of control systems such as Siemens, AVG, etc? There are different vendors of control systems that are making their solutions on Windows. One example is that we are getting them to use the security development life cycle, so when they are developing their own software upon Microsoft, they are following the same security and development practices that we are following.
What are the best practices that are followed in the United States?
One of the things that we see in the United States from a maturity perspective is that we have a very close information sharing relationship with the government and private sector. We share information on vulnerabilities. For example, US CERT will call Microsoft security response centre before they release a bulletin that is related to our software or put up on a blog or published as a best practices white paper. Other examples would include things that we do from a risk management perspective. In the IT sector in US, we have decided to take a different approach, as I said, IT sector assets are not physical, they are difficult to manage. Protecting assets in Washington and New York may be important for Microsoft but from the point of view of IT infrastructure, it probably does not matter. It is more important to know what Microsoft provides in the eco-system and how do we protect that, so that we take a very function based approach. So the provision of products and services or the ability to provide Internet management or the types of software are more important than the physical facilities.
Who are the other market players in CIP and what are the competitive ventures Microsoft has undertaken?
One of the competencies of Microsoft is that we have really improved our security systems. If you look at other vendors in the market such as Oracle or Apple who have recently started and came in the spotlight in order to fix vulnerabilities, Apple in the last two years has started on the security vulnerabilities. Whereas we have been working on that since 2002, and this really gives us an opportunity to differentiate ourselves. Also we have had a long term relationship with the US government and other governments in CIP. In Microsoft, we have a mature practice for Critical Infrastructure. One of the things that we find in Critical Infrastructure is that some of our very top competitors, such as Oracle or Symantec or McAfee, are actually some of our best partners. We may have differences in product competition, but when it comes to protecting infrastructure, we are all in the same boards and committees. We work together with Symantec or IBM to make recommendations to the government.
You said your competitors are your partners, so is there any challenge of interoperability in CIP?
If we look at ways to secure and manage the Critical Infrastructure, we have to do away with interoperability. For example, the US government is working on the information sharing technology, so that different agencies within the US government can share information about vulnerabilities, incidents and attacks. The US government is building a common framework to enable the Critical Infrastructure.
What are your plans to expand your market in the field of CIP in India?
We see India as a key developing area for CIP. There is a lot of scope for leadership. Some of the work that is done in India is very encouraging from the development perspective. Microsoft would really want to continue the engagement in the best practice perspective. We would also like to continue our engagement with associations like CERT India. We would like to help the government in shaping its IT Policy in a holistic manner. We want to continue our engagement and foster and evolve our relationship. There are also a lot of opportunities for partners in India. India is a key IT skill area. Microsoft has a keen interest in investing in India. We have our offices in India and we look for future partnership in India.
As you mentioned in the US, CIP is under the private sector and in Norway it is under the government. India on the other hand is in the middle. Where do you exactly think India to be?
India has taken some key steps towards CIP. Firstly, in terms of its defined government policy perspective. They have recognised the importance of CIP, the importance of Public Private Partnership (PPP), public health and safety dependent upon infrastructure. They have also recognised the difference between infrastructure in general and information infrastructure. In terms of the other aspects of India, like the US has its allies with other countries such as UK and Canada, in the developing world we can locate China and India. India is very promising because of the fact that India has a mixed private and public ownership. What we also see is the policy landscape and the drive for democracy and social responsibility, by the government and business. India is very promising. Therefore we are very interested in furthering that engagement with India.
Which one of the two – control by the industry or control by the government do you think has an edge over the other?
For a country like Norway, which is small in terms of surface area, population and single language, the control by the government works well. For a country like United States, which is so large and so vast, or for a country like India with huge infrastructure, it is hard to imagine the government to work for CIP. So we would prefer a strong Public-Private Partnership (PPP) because we depend heavily on the government for creating a conducive environment.
INDUSTRY PERSPECTIVE
7 Myths about IP Access Control to the Door
Why IP to the door? There are considerable differences between today’s legacy access control and the emerging technology of IP directly to the door. Following are 7 commonly heard myths with respect to IP access control to the door.
MYTH 1: THERE IS NO DIFFERENCE BETWEEN IP ACCESS CONTROL AND TRADITIONAL ACCESS CONTROL.
De-myth: There is a huge difference between IP and traditional or RS485 (multi-drop) in the access control world. Access control, as we have known it to date, can be compared to the video world using digital video recorders. Even though DVRs, as well as access control panels, can sit on a network, all cable to the actual edge device is traditional copper cable, proprietary to that system. Edge IP does for access control what IP cameras did for video. Software can now talk directly to the edge device with nothing but network in between. The control panel concept goes away for access control just as the DVR goes away for IP video. As a result, both video and access control can now be truly scalable in increments of one access point, with predictability of cost. This also results in a significant reduction in infrastructure cost.
IP-based distributed processing allows for modular and economical system expansion. An IP-based system supports integration as a means of migration from legacy systems and provides a cost-effective bridge to the future. The IP-to-the-door system manufacturer ensures a consistent product version and consistent upgrade path. Training and product support also take on a more holistic approach without requiring the end user to act as a middleman between various vendors. What’s more, an IP-based system ensures the latest standards-based software, networking, and hardware technology.
An IP-based system means one user interface. A single user interface simplifies installation and is easier to learn and use. With one common interface, there is no more duplication of system administration and other tasks. For example, a user learns to set up a card reader using the same skills required to set up a camera. In addition, a single user login provides simple and secure access to all security functions. The system’s use of existing IP infrastructure eliminates significant wiring and installation costs. IP network nodes, including cameras and card/biometric readers, can all be managed by a corporate network management tool.
Another difference between IP access control and traditional access control is the issue of Power over Ethernet or PoE, which can be argued as a positive or a negative. On the positive side, most network closets already have emergency power to the network devices and they will continue to operate even when power to the building is lost, while traditional power requires battery back-up. PoE provides the same advantage to the IP access approach. The bigger issue is power to the locking device that may be required to unlock at loss of power to the building in order to meet fire code. It is more likely that installers will use PoE for the reader, but traditional power to the locking device.
MYTH 2: IP ACCESS CONTROL IS UNTESTED AND UNPROVEN WHEN COMPARED TO A TRADITIONAL, HARD-WIRED SOLUTION.
De-myth: Depending on the configuration of the hardware a chief security officer selects, IP access control is as reliable, or even more reliable than the traditional topology of multi-reader controllers. With multi-door controllers, a single point of failure could cause multiple doors to become inoperable. With IP access control, each door is independent of other doors, so a single point of failure will only cause one door to be inoperable. Today’s networks allow for layers of redundancy, so even if a network component fails, there are backup communications paths that can reroute the event transmissions around the problem component.
MYTH 3: IP ACCESS CONTROL IS MORE SUSCEPTIBLE TO FAILURE OR “WHAT HAPPENS WHEN MY NETWORK GOES DOWN?”
De-myth: In today’s corporate environment, the network gets more attention and care than it used to simply because the network is carrying the information that keeps the company in business. As long as IP access still has power, the only impact of network communications failure is that the events will not be transmitted to the host application when the event occurs. The door still works and employees can still enter, with all the events being buffered. Once the network communication path is re-established, all events that took place during failure will be transmitted to the host. Communications loss is a universal problem that affects Ethernet and serially connected devices in the same way. Keep in mind that the network rarely goes down, because it is the backbone of the entire business. One of the beauties of network-based information is the fact that information can be rerouted in less than 100 milliseconds by finding an alternative path. No legacy access control solution has this level of reliability.
MYTH 4: IP ACCESS CONTROL IS MORE VULNERABLE TO SECURITY BREACHES OR HACKERS THAT CAN OPEN DOORS.
De-myth: IP access control is no different than any other device on the network. Network security measures that block unauthorised access to the network (and devices) should be employed, whether it is through a local connection or Virtual Private Network (VPN). With any Ethernet connection, care must be taken not to expose the connection in unprotected environments (like on the outside of a perimeter door). This is just good common sense. With IP access control, you have the option of separating the reader from the controller without losing any functionality, and gaining the ability to keep the network connection within the protected space. IP access control benefits from the $5 billion network security market which provides a powerful, secured environment that is not available to the traditional access control world.
MYTH 5: IP ACCESS CONTROL COSTS MORE AND UPGRADING TO IP ACCESS CONTROL REQUIRES A ‘FORK LIFT’ UPGRADE.
De-myth: In most cases, IP access control costs less than traditional access control topologies. Cost savings occur not only in the cost of the devices themselves, but also in the cost to run and maintain the associated wiring. With traditional topologies, a bundle of cables is run from a closet out to the door. This wiring is run separately from the other communications wiring in a building and is singular in purpose. With IP access control, the wiring to the door is the same wiring used for the computers, phones, and IP cameras. Being able to combine the access control communications cable installation into a larger wiring contract leads to a lower cost per door. In the instances where an existing access control system is in place, IP access control can be layered on top of it for new doors, which means a fork lift upgrade is not always necessary.
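The de-myth for Myth 3 describes store-and-forward behaviour at the door: access decisions continue locally during a network outage and events are buffered until the host is reachable again. The sketch below is an added illustration, not code from HID Global, DVTel or any product; the class names, the buffer limit and the sequence-number gap check are assumptions. It goes one step beyond the article by showing what the host can detect when a finite buffer overflows during a long outage.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int        # per-door sequence number, lets the host spot gaps
    ts: float       # time of the card presentation (constructed values here)
    card_id: str
    granted: bool


class HostLink:
    """Constructed stand-in for the network path to the host application."""

    def __init__(self):
        self.up = True
        self.received = []

    def send(self, door_id, event):
        if not self.up:
            raise ConnectionError("host unreachable")
        self.received.append((door_id, event))


class EdgeDoorController:
    """Hypothetical edge controller: decides locally, reports when it can."""

    def __init__(self, door_id, allowed_cards, link, max_buffer=1000):
        self.door_id = door_id
        self.allowed = set(allowed_cards)  # local copy of the credential list
        self.link = link
        self.buffer = deque()
        self.max_buffer = max_buffer       # assumed limit; real devices differ
        self.dropped = 0                   # events lost to buffer overflow
        self._seq = 0

    def present_card(self, card_id, ts):
        # The access decision never depends on the network being up.
        granted = card_id in self.allowed
        self._seq += 1
        self._enqueue(Event(self._seq, ts, card_id, granted))
        self.flush()
        return granted

    def _enqueue(self, event):
        if len(self.buffer) >= self.max_buffer:
            self.buffer.popleft()          # oldest event is overwritten
            self.dropped += 1
        self.buffer.append(event)

    def flush(self):
        """Send buffered events oldest first; stop at the first failure."""
        sent = 0
        while self.buffer:
            try:
                self.link.send(self.door_id, self.buffer[0])
            except ConnectionError:
                break
            self.buffer.popleft()          # remove only after a successful send
            sent += 1
        return sent


def missing_sequences(received, door_id):
    """Host-side check: which sequence numbers never arrived for this door?"""
    have = {ev.seq for d, ev in received if d == door_id}
    if not have:
        return []
    return [s for s in range(1, max(have) + 1) if s not in have]


def demo():
    link = HostLink()
    door = EdgeDoorController("lobby", {"A100", "B200"}, link, max_buffer=3)
    door.present_card("A100", ts=1.0)      # online: delivered immediately
    link.up = False                        # outage begins
    cards = ["B200", "ZZZZ", "A100", "B200", "A100"]  # constructed badge reads
    results = [door.present_card(c, ts=2.0 + i) for i, c in enumerate(cards)]
    buffered = len(door.buffer)
    link.up = True                         # path re-established
    replayed = door.flush()
    gaps = missing_sequences(link.received, "lobby")
    return results, buffered, replayed, door.dropped, gaps


if __name__ == "__main__":
    print(demo())
```

With the deliberately small buffer of three, two events from the outage are overwritten and the host sees the gap in sequence numbers; sizing the buffer for the longest outage you plan for, and alerting on gaps, is what makes the replay trustworthy as an audit trail.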
MYTH 6: CUSTOMERS SACRIFICE FUNCTIONALITY WHEN THEY MOVE TO AN IP-BASED ACCESS CONTROL SYSTEM.
De-myth: On the contrary, IP access control has more benefits and functionality than traditional access control. Both systems use a server as a host computer and all of your features and functionality will generally be the same. However, while most traditional access control does not allow for bi-directional communications to the door, TCP/IP does allow such communications. Functionality like writing to smart cards and driving LCD displays is not possible with Wiegand wiring. Predictable cost per door is another benefit of IP access control. With traditional access control using multi-door controllers, the first door is always more expensive than the second because the controller is part of the cost of the first door. With IP access control, each door gets the same components so the cost is fixed for each door. Budgeting is a simple matter of math rather than an exercise in determining where there is a spare port in a multi-door controller.
MYTH 7: INTEGRATED SYSTEMS ARE FINE; UNIFIED SYSTEMS (ACCESS CONTROL AND VIDEO SURVEILLANCE) ARE OVERRATED, UNPROVEN.
De-myth: Integration means only that two products work together. ‘Unification’, on the other hand, means a single, multifunctional application with unified security, administration, log-ins, and unified responses to events along with fully coordinated failover capabilities. In this increasingly integrated, converged security world, the next evolutionary step is inevitably greater unification of systems and capabilities – seamless operation back and forth between, for example, access control and video. If both systems are unified into one application the overall benefits to the end-user are even greater and more far-reaching than anything simple integration has provided up until now. Unification solves many shortcomings that exist with integration: Integrated systems require logging into the separate systems to programme coordinated responses to system events. Failure to programme either system properly can result in unpredictable results and neither system can detect the programming inconsistency and warn the user. Technical support teams are often not able to resolve the problems efficiently because they are not aware of the inconsistencies, thus increasing the total cost of ownership and system downtime. As long as these systems are kept separate and joined only by integration, there will always be two different road maps with two different agendas. Only when you start to think about these two applications as unified, do we create true value to the end-user and the installer.
IT’S AN IP-TO-THE-DOOR FUTURE
In the future, unified platforms will grow into powerful solutions when combined with information security, business continuity planning and data/content analysis. When the traditional data from access control becomes highly available, usable information on the network, we will see tremendous opportunity to make employees more efficient while making the business environment safer.
Tom Heiser is vice president of Networked Access Solutions for HID Global, with responsibility for setting the business objectives, strategy development and tactical action plans for VertX and IP devices on a worldwide basis. Prior to joining HID Global, Heiser was with Tyco Safety Products, where he was director of product management for Access Control and Video Systems (ACVS).
Eli Gorovici is president and CEO of DVTel Inc. He has more than 15 years of senior management experience in the digital data communications industry. Previously, Gorovici was vice president, global sales and marketing, for NICE Systems’ Visual Interaction Management Division
Gramin Vikas Rath: Enabling Rural Economy
Speck Systems Ltd. has launched a Mobile System called Gramin Vikas Rath (GVR). It is a unique concept in tapping the potential of rural India by empowering farming communities to become vibrant entities and significant contributors in the country’s progress. The villagers will have easy access to the Rath at their door steps providing them with information on important aspects of land, soil, environment etc. The GVR aims at utilising Geo-spatial information to deliver precise, relevant information to the farming community. The initiative aims at greater market access and price information leading to a collateral effect on Local Market Conditions; linkage with professional skills and consultancy for identifying and developing possible products/services in synergy with local conditions; direct access for rural seller to urban buyer as well as rural buyer which provides larger consumer base; socio economic awareness; multiplier effect in understanding and implementation of rural development schemes and increased community participation; direct feedback from ground to government when needed.
In the initial phase, one Mobile Unit will be provided to a cluster of 50 villages owned and operated by young local entrepreneurs with the technical support of Speck Systems Ltd. The GVR enabled with broadband will also disseminate the information pertaining to different market yards of the state for enabling the farmers to decide where and at what price to sell their produce. The GVR will enable the farming communities by bringing technology to their doorsteps. It will help them in obtaining information and offer them better connectivity with various agencies such as government, buyers, NGOs and support organisations. Eventually, the GVR will mould itself towards delivery mechanisms for private sector services such as education, tele-medicine, agri-business development and disaster management. Overall, the concept is about direct delivery of e-Government services through extensive community participation. The mobile units and kiosks may also be utilised for other information campaigns of the government such as health care, HIV/AIDS, and other government schemes and programmes related to rural development. A screen with LCD projector will be provided to the van for this purpose.
GVR represents the application of geo-spatial expertise at the grassroots level opening the doors for better management of land and resources for the farming community and also facilitates several initiatives of e-Governance, thereby accelerating the wheels of progress for rural India. There is a huge potential that lies hidden in these areas which accounts for 70% of India’s population. Initiatives such as GVR will go a long way in bringing a convergence of awareness and development.
www.specksystems.com
INDUSTRY PERSPECTIVE
Secure Transactions Through Stringent Regulations
“What is different in India is that the government is taking online services to the villages and spending on taking Internet to rural India, unlike the US where the corporates do this”, says Hemal Patel, CEO, Elitecore Technologies
What brings you to India and what are your plans to expand here?
I came to India to do my Internet Service Provider Project in 1998, when the government started e-Regulating ISP policy and I had an ISP in Portorican Islands then. From what I see, most of the IT companies have a revenue dependency on foreign companies. But our government is taking many initiatives, so there has to be a local market. If I make a product, there will be a local market for it. That is when we came up with the billing solutions. There is a huge demand for IT here, and that is what I saw, that if I build a product and try to sell it here, as I do understand this market better than the US, there will be demand here and there is room for a lot of growth.
Please tell our readers about Cyberoam and why you decided to establish it in Ahmadabad (Gujarat) in particular?
I knew that wherever I come out with the product, there will be competition. Either one innovates a new product, with a completely breakthrough technology, which also takes time of adaptability in the market, or work in a competitive market with a product that is price competitive. So, we needed to build more value in less price in order to compete and being in Ahmadabad helped in that respect. We do everything remotely except sales, pre-sales and channel related marketing. Other than these three, everything else can be done remotely like logistics, payments etc., which helps us to maintain our cost structure. It obviously has its challenges, like the mind set of people, as there is no concept of drop shift. I had to face that challenge. I feel work should be done in research and development and designing of the product and it should be sold in a drop shift kind of a model. On the way, Elitecore Technologies came up with two products; Cyberoam Internet security products and telecom billing solutions.
In both we have done significant work, we started with India and spread into the surrounding countries and last year we started work in the United States. In the US, the enforcement of regulation is very strict so whether you are a small company or a large enterprise, the regulatory compliance and law enforcement does not change and you can take advantage of that to position your product. Recently, we were funded by Carliol, which is one of the biggest equity players in the United States, which boosted everybody’s confidence and we could feel that we are on the right track. From the inception of the company till about seven years, we did not raise any funds. And we took it from the initial investment of only half a million dollar, all the way to nine million dollar without any fund raising. However, now for our growth, we needed to raise money and so we do, for expansion.
Since you have experience in various countries, what is your opinion of the global picture in terms of network and security, especially in the United States?
Mostly security solutions are out of need, out of competition and out of regulatory obligations. I feel that the United States tends to be a little bit ahead in implementing them, as compared to other countries. In regard to security compliance, we looked at three things. One of them is HIPPA - Health Insurance Privacy Protection Act in the US. Under this particular act the subset dealing with IT mentions that all IT infrastructure in the health care industry should protect the patient’s information, the data should not only be encrypted but there should also be monitoring as to who is transferring what data. If your security is tied up to a desktop, it is difficult to know who is sending the data as terminals are often shared by many in the health industry, that is where we come in. Another industry where IT security regulations are implemented, is in the financial sector. The cyber SOX compliance Act for financial public companies, states that IT departments must monitor the unencrypted information going in and out of a financial organisation and all the data must be stored for 7 years. So there are information trapped monitors and in our device, the pattern allows us to drive the same performance as a regular network device and it does not impact the performance. This device is especially for the SME (Small and Medium Enterprise) market as big corporations can spend money even for a single threat but small industries cannot spend on all of them and even if they did then they would need people to maintain all of it. The third law which is most prominent, and I feel which is most missing in the rest of the world is CIPA (Child Internet Protection Act). The US government has a CIPA Act which they are not enforcing yet, but the way they triggered it, is that the federal government would give schools up to 100% funding for Internet bandwidth only if they are CIPA compliant, which means that the children are protected from accessing all malicious sites. Also, their activities on the Internet are monitored. We are trying to position for that.
However, CIPA is not seen so much anywhere outside the US in the education industry. How our product works is that we have an engine which is called the categorisation engine defined by the content of a particular website, which works just like a virus. Taking the most popular world sites, we have an auto rule based engine, based on rules, it categorises what kind of site is there. However, there are sites that remain uncategorised, for which the auto engine carries out manual categorisation. So far, we have about 11 million sites categorised.

Where do you think India stands on the matter of security compliance?

The only thing that I do not see coming to India is the patient protection law in the near future. However, what I do see is a lot of forensic and cyber laws. The education industry is similar to health. In a school, Internet is still not a part of the education system. However, we are moving towards it. The health care industry security laws will then follow later. So I feel that in India, the financial sector is growing by implementing new technologies and I would say that the technology growth in financial sector in India would be more than the US. Thus, I personally feel that the government will be looking at the financial sector more than the other two verticals right now, as the financial industry is growing faster and I think all the Indian financial companies are investing heavily on technology and have leapfrogged all the way from not having any to having cutting edge technology.

Coming to the data and conversion billing solutions, BSNL and MTNL are using internet so how are you incorporating the privacy and security element there?

We work with BSNL and provide billing solutions, customer care and sales care. Many vendors are providing billing solutions but the owner of the consumer data is not the solution provider, it is the service provider, so they have to provide the protection. However, I do not think security is a critical element as BSNL and MTNL payments are still not online, so even with very less security implemented, not much can go wrong, unlike the US where my payment information is with the service provider. Whenever they implement that, they have to bring the protection. Right now BSNL and MTNL have password protection for the website which is through SSL (Secure Socket Layer) which is an encrypted format and cannot be read in the middle. In India, the use of credit cards for online payments is yet not widespread, and also people have yet to develop trust in online transactions which will come with more stringent protection laws and they have to be enforced effectively. When the government steps in and allows the entire financial industry to accept credit cards and if they do not protect their customers, they would be penalised for that, only such kind of law enforcement will give confidence to the consumer in online transactions. These are very open areas and I am sure that we and the governments can contribute a lot into this.

What role is Cyberoam playing in the field of security to promote e-Governance? What do you think about the National e-Governance Plan?

US Government now has a lot of initiatives on bringing
everything online and promoting e-Governance activities, they provide everything online. However, they want to protect their systems too, for which they use devices like firewall etc. In my opinion, in the United States, the government has been paying more attention to the protection of the security and privacy of citizens, than other countries. Whereas, in emerging markets like ours, the laws on Internet security in the educational industry are quite open I would say. However, that is changing. NASSCOM is taking big initiatives on security awareness. We are proud that we are one of the security appliance companies here and we are also working with NASSCOM and other companies to raise the awareness levels about the importance of security. Here, I think the media also plays a very important role in making the decision makers aware of the emerging security threats and also about regulatory compliance, especially in verticals like education where the security threat is more eminent. Our contribution would be joining hands with organisations like NASSCOM, regional organisations like GESIA (Gujarat Electronics and Software Industries Association) in Gujarat and go out and make faculties of universities, future decision makers and professionals studying in various institutes, aware of the importance of network security. We do have deployment in various government verticals, for example, ISRO is one where we have deployed security. In India, we have also been involved with the Gujarat state government in the implementation of the GSWAN (Gujarat State Wide Area Network). However, dealing with state governments in US, Cyberoam works with educational institutions that are governed by the state governments and not federal government. Right now we are working with New Jersey, New York and Connecticut.

What I think of the National e-Governance Project is that it is a very good step, that each person has to communicate a faster response, consider your tax payers as your customers and even though all that has now started, the procedure to the end user has not really developed. The application of government services online is yet to become more effective. In the US, the government gives flexibility to the citizens, an option that people who have accessibility can make transactions online but if they do not (in rural America for instance) they can make the payments manually. What is different in India is that the government is taking online services to the villages and spending on taking Internet to rural India, unlike the US where the corporates do this, but they do not go where there is no benefit. So here also we have leapfrogged compared to the US government by setting up CSCs and kiosks in the remote areas and working towards last mile connectivity. The government is doing great work and I am sure that all their approaches are well thought. The end user confidence, however, needs to be increased in online transactions which will come with better regulations and will drive things in a more positive direction. So, one by one all services can be made online. The Indian Railways for example has taken amazing initiatives and that is the way it should be. So if there are more laws on protection and security in transactions for citizens rather than only forensics, it would be really helpful.
INDUSTRY PERSPECTIVE
Security Solutions for the Public Sector
“Governments tend to leave the security decisions to their integrators, our recommendation is that it is a mistake, as governments need direct access to security, even if the security comes through integrators”, says Chris Fedde, President and COO, Safenet Inc.
In your opinion, how important is information security for the public sector?

Information security is much more important now than it ever was. There has been a long history of governments protecting government information. However, they took a long time to learn how to do that - to learn how to build infrastructures and to protect government secrets. But now, what is more challenging to them, is protecting individuals’ identities, and more importantly, information related to individuals. Since information is now electronic and all the areas that hold information are connected, the threats are learning how to access that information. What is becoming more important in the public sector is the ability to protect that. By more important, I mean more challenging. As it is a new area for the governments, it has taken a different set of security equipments, products and procedures to protect individual information than what they are used to, as far as protecting infrastructure is concerned. Our expectation is that we will be able to bring expertise that we have, things we have learned and will be able to be good suppliers to India in this initiative.

What is the vision/goal of Safenet, being the global leader in information security?

Our vision has always been to be one of the largest ‘pure security’ providers. In other words, there is nothing in Safenet that is not security related. That is all we do. Our belief is - if we are going to provide security to the most demanding customers, by demanding customers I mean, financial institutions and governments, and very large global companies, then we are going to have to understand all of those industries, all those verticals from a systems point of view, and then let that understanding dictate our product strategy.
So our belief is that if we are going to be suppliers to those kind of industries, then we are going to have to be a large security supplier with lots of technologies because none of these products, none of these systems, none of these problems get solved with a specific set of technologies. Everything is an accumulation of technologies that are used in different ways. Thus, our vision is to be one of the largest pure security suppliers so that we can continue to be successful at these very high levels. We work with very important verticals, on a global scale. There are not many companies that are bigger than us that are just security providers. So, our mission is to keep expanding the verticals that we can supply. That means that we have to maintain our size and our profitability as it is our profitability that allows us to turn dollars back into engineering for that product development. Like many high tech companies, we have a very large percentage of employees that are engineers, which is almost half of the total employees, that is a lot of engineer horse power that has to be pointed at exactly the right direction for our future products.

What are some of the key security solutions that Safenet offers for government sector and private sector organisations? What are your company’s competitive advantages in light of other such players in the market?

One of our corporate objectives is to be a supplier in areas that we would say were under-served. Areas that do not have adequate security are usually the areas that require high level of security. If we have successfully identified those areas then we will be one of the largest or the largest suppliers, because that is what we look for. We are presently in these general categories so to say. At the outset, I would say, one category is the authentication category, which includes various products and technologies that are needed to generate identities, to protect identities, to distribute identities. Since all these apply to systems or infrastructure that has to be protected, we concentrate on this vertical. Another vertical is securing high speed communication. This includes high speed optical encryptors. Our biggest customers in this area are governments, financial institutions and the like. Here, we are talking about big iron encryptors of very high speed. In the case of government, we apply it to satellite communications. Third vertical is protecting software. People who have the rights to software want to protect it against piracy. They want to license it and want to make sure they get paid for the licenses. We have products that we customise to their software that safeguards their interest. Most of the time, it is a physical token, like a USB token, as they need the highest level of security. The fourth one, which is least known but is very important to us, is taking the technologies from the first three and providing those as embedded technologies to other commercial companies that want to put security in their products. We provide designs to custom integrated circuit vendors, we also provide circuits to telephone industries. A high percentage of phones have Safenet security, even though you would not associate Safenet with the telephone industry. That is the kind of reach that we have into the real commercial industry.

Regarding India, what do you think about the markets here and how aware do you think is the government here regarding information security compared to other countries?

India is doing things that most large countries are doing now, that is, taking steps to protect identities, protect individuals, protect their rights and it is doing it with the intention of employing very modern techniques. Even if you look at smart cards, which is of course not new, there are technologies in new smart cards that are new. If you look at what the Indian Government is specifying for e-Governance for passports, it is not just smart cards, it is smart cards with microprocessor
type of capabilities. So, I think they are doing things that we see most countries doing on that scale and they are also doing it in such a way that they can achieve convenience for people and reduce costs. It has not been until recently that all this has been done - raise security, raise convenience, reduce costs. That is a unique combination, but it is achievable now. I also think that their timing is very interesting as they are doing it at a point of time where they can identify how to get that done and get it done right and not have to spend a lot of time testing pilots and trials. They are going straight to systems integrators, to security providers, to get it right the first time by using very modern, state-of-the-art solutions to do that. Another example of where other countries started in a wrong direction and had to change later was that they used smart cards or any other tokens for identities without realising that they had to use the same infrastructure, the same token, for let’s say physical security too. From what I have been reading, the Indian Government does realise it and it does seem like they are taking advantage of what is going on at a global scale and executing it in a manner that should lead to success.

What are the various areas where Safenet is working in India?

As mentioned, it is an interesting period for India overall. A lot of things are happening, infrastructure is being rolled out. There are two-three specific segments that we look at, one of them is banking and finance, another one is authentication solutions where we provide smart cards and tokens. Another space is in terms of software protection. As IT development in general, that is taking place in India, is an area of interest for us because that forms one third of the total commercial security business. Another important area for us is securing the links. If we talk about the State Wide Area Networks and various defence related projects, we have link encryptors that we believe can add value to the infrastructure out there. So both in terms of providing infrastructure security solution to the end user, as well as enabling our ISPs to develop secure solutions, so that it becomes a distinguishing factor for them when they are competing against others, is what we want to work at.
What are your suggestions to the government officials planning and implementing the e-Government projects and programmes in terms of security risk management?

Governments tend to leave the security decisions to their integrators, our recommendation is that it is a mistake, as governments need direct access to security, even if the security comes through integrators, which it probably will. The governments need to have direct access to the security providers as very often the integrators do not have the security knowledge and therefore are prone to make mistakes. Thus, people, especially people like us, who have experience in the field, want to help the government understand the security implications because it has to be built right from top even if we end up providing it through a third party, which, we usually do. But buffering themselves from the security vendors is a mistake and will lead to less than ideal solutions.

Could you tell us about Safenet’s work with the public sector?

We have always found it to our advantage to be very open with the information flow to government. In other words, most companies seem to build walls, have proprietary issues and try to stay separate from information sharing back with the government. However, we find it to our advantage to be open to the public sector. Because the public sector is such an important part of our business, we are used to spending our money to uniquely address the public sector. That means that we have to be able to tell them where we are going. We have to solicit from them, as to where they see their programmes and know where they are trying to get, so that it affects our product development, so that we can make changes to our products to better meet their requirements. Thus, we have never turned down a chance to share what we are doing with the public sector.

Could you tell our readers about Safenet’s border line security solutions and how it helps the governments?

There was a realisation by us from a security stand point that when you are protecting even a network, you cannot just interpret that in a traditional way and by that we mean that a network, and virtually all networks are global. They are highly comprised of people who are not physically present, who are remotely accessible, who may not be employees, who may be partners. And as it gets more and more wireless, which
obviously it is, then it proliferates to a point where networks have no boundaries and historically, security issues have been solved through boundaries. Security, through the ages has always been brought by building walls, and in the case of electronic security, with electronic equivalent of walls. Thus, the history has always been to isolate and protect. However, our belief was that the whole model was doomed to failure because networks did not look like that, and if they ever did, surely they do not now. What we tried to do, especially with the government (as most governments are traditional thinkers) was to make them understand that you cannot solve security issues by building walls, electronic or physical. You have to look at a network as not having any edges, not having any defined boundaries to protect. And once you look at it that way, the whole method by which you solve network security changes radically. It was our belief, that it is the only way to address security requirements in the future. The governments for a long time said that they understood that it was how the commercial markets were evolving but they were not going to. However, it did not work that way as the government markets, with time, tend to go virtually the same direction as the commercial markets. There are almost no exceptions to that. They may resist it for security reasons, they might take longer for lots of valid reasons but governments almost always eventually follow the same architectural concepts as the commercial sector. If we look at the commercial side, the boundaries have since long lost any meaning. It will eventually be there at the government side too. This has been our philosophy, as we design our security products, to understand that there are no longer any edges that we can guard anymore, that we have to protect networks in a different manner, whether they are commercial or government.

Could you tell us a little more about Safenet’s plans to expand in India?

We are very excited about the opportunities in India. We are very accustomed to investing for large opportunities, putting people power where we need to, spending where we need to, to address these large opportunities. We take the lead from people working here to tell us what we need to do in order to address the larger markets here. Unlike smaller security companies that cannot afford to tailor security to any one customer, we can, if we need to, have security unique to the Indian Government, which again does not automatically mean that we will, but it is an idea that we are certainly comfortable with, if the market’s need be. We expect to use this operation here as the launching point to be able to do larger programmes in India.
India slips on UN e-Government survey

India has fallen from a rank of 87 in 2005 to 113 in 2008 in e-Government readiness. According to the UN e-Government Survey 2008, India has slipped 26 places in the last three years and been overtaken by countries like Maldives (ranked 95), Sri Lanka (101) and even Iran (108). Sweden has surpassed the United States as the leader in the overall e-Readiness index, with Denmark and Norway coming in second and third respectively. The US slipped to fourth place. Pakistan and Bangladesh have both improved and climbed to 131 (from 136) and 142 (from 162) respectively. The fourth edition of the UN survey measures the progress made by various member states in drawing and implementing e-Government policies to improve public services. It uses e-participation and web assessment as two broad categories to rank countries on the basis of e-Information, e-Services and e-Tools provided by their governments to meet the demands of transparency and accountability voiced by citizens. In the e-Participation index, India was ranked 49 globally, whereas in the web measurement assessment, which measures the online presence of national websites, with those of the ministries of health, education, welfare, labour and finance of each country, it was ranked 54.

www.unpan.org
NeGP COMPONENT: CAPACITY BUILDING
Capacity Building for Good Governance
“We want that within the government, the competence and the capacity is built for taking up e-Governance by themselves”, says S R Das, e-Governance Group, Department of Information Technology, Ministry of Communications and Information Technology, Government of India
The National e-Governance Plan (NeGP) started in different states at different levels of readiness and aspirations. How did you address the gaps in capacity and synchronise aspirations?

The conceptualisation of the National e-Governance Plan (NeGP) started some time in 2004. In early 2005, while formulating NeGP, we found that states are at different levels of readiness and e-Governance initiatives and computerisation of government systems were mainly champion driven. Therefore, for all states to assume the ownership and participate in the National Programme, Capacity Building was considered to be vital at various levels within the government across the country. In March 2005, we provided financial assistance to all the states, so that they can hire professional services for preparing e-Governance road map, detailed requirement of Capacity Building and blueprint report of State Specific Programme within the broader framework of NeGP, which was formally approved in May 2006. Broadly, the report includes vision, mission, present scenario, gap analysis and fund requirement etc. This gave us an overall picture of readiness and aspiration levels of various states. Based on these reports, we formulated a Capacity Building Scheme for all states and union territories (UTs) following a uniform approach. More importantly, we suggested an institutional framework for states and UTs. However, depending on the readiness, population, area and a few other parameters, there are some variations in terms of the magnitude of the implementation. We have been interacting with higher level officials who are involved in the policy and decision making process like Chief Secretary, secretaries and ministers of states. The response has been quite encouraging. We were especially happy to note that political will, both at the Centre and at the state level was very positive. The NeGP has been accepted for improving governance and citizen services.
What kind of response did you experience from government employees when the project was initiated? How did you deal with the issues like change of mind sets and attitude in the process of building their capacities?

At the operational and working level, we do agree that there are change management issues which need to be seen more carefully. But, I am sure you have not heard of any resentment anywhere against e-Governance as such. Generally, it has been accepted at all levels. There has been a clear signal that e-Governance will not result in harming existing employees. The workforce will continue with the government and they would be suitably trained and adjusted in the setup. More of interactions, empowerment, training to handle new environment etc. are some of the steps that are useful for their inclusive participation and building confidence in the changed environment.

Please tell us about the recently approved Capacity Building Scheme under NeGP.

We received the government approval for the Capacity Building Scheme in January 2008, which will be implemented in all states and UTs. The scheme suggests establishment of institutional framework for state level strategic decision making, including setting-up of State e-Governance Mission Team. This will provide professional manpower support to the policy and decision making process and will help in overall management of the programme and its effective implementation. The scheme also has provisions for orientation courses and specialised training to key public functionaries and senior government officials involved in the programme. Further, we will be strengthening training institutions in states and UTs, so that operator level training can be given on continuous basis. The scheme has an outlay of INR 313 crores to be implemented over a period of three years. The Government of India will be setting up a central Capacity Building Management Cell for coordination and implementation of the scheme, which will be working under the Empowered Committee for CB, under the chairmanship of the Secretary (IT).

Give us a brief picture of various stages involved and approach followed in the process of capacity building.

For taking up such a programme which has wider implications like transforming the government processes and citizen service delivery system, we believe that vision and policy direction should come from the respective governments at state and UTs. Therefore, the first and foremost task would be to set up e-Governance Programme Steering Council, ideally under the chairmanship of the Chief Minister. For achieving the state policy goals and objectives, an Apex Committee is to be set up to provide strategy direction and oversee the state e-Governance programme and ensure inter departmental coordination. For operationalising the CB Scheme, we suggested that the state governments designate a State Nodal Organisation, which would provide services like selections, contracting for external resources and administrative support to State e-Governance Mission Teams (SeMTs). I was referring to these SeMTs, as the institutional framework is needed for systematic approach to the e-Governance Programme. It is very encouraging to note that most of the states and UTs have already set up the framework. Next major steps include, establishing SeMTs at the state level, initiating various training programmes and knowledge sharing process and strengthening of the training institutions in states.
The most challenging job is to get suitable professionals on board in SeMTs. Sourcing of SeMT is envisaged in the following three ways: First, to look for suitable people from within the government organisations and the rest can be recruited from the open market on contract basis. As a fallback arrangement, we may have to consider hiring the services of reputed organisations as a stopgap arrangement. To attract the right kind of professionals we are prepared to give them the market driven compensation. In the present competitive scenario, attrition rate is quite high. Hence, there should be human resource (HR) policy as well as HR management for these professionals. Mere size of SeMTs does not warrant individual states to have their own policy. Therefore, we are arranging recruitment as well as managing suitable HR policy at the central level. We are also taking similar collective initiatives for arranging specialised training, conferences, workshops, knowledge management etc.

What is the present state of e-Readiness in terms of capacities nationwide?

States which have been aggressive in implementation of e-Governance, even before the formulation of NeGP are the front runners. They have capabilities and capacities within. They often harness external resources efficiently. Some of these states also have organisations like e-Governance societies under their administrative control. Under this Capacity Building Scheme, they would be augmenting themselves. For other states, especially the hilly states, states of North Eastern regions, remotely located Andaman and Nicobar and Lakshadweep etc., capacity gaps do exist. With the implementation of this scheme, I am sure these gaps would be reduced.

NeGP cuts across various departments and therefore the need for coordination of various activities arises. Is capacity building process being oriented for these tasks?

It is true that e-Governance is not a subject of any specific department. It cuts across all the departments. Therefore, we have an apex body headed by the Cabinet Secretary comprising of secretaries from various ministries and departments as the members. This committee is quite active and meets almost every month to discuss the status, problems and coordinate issues related to multiple ministries. Similarly, we have also advised all the states to have a State Apex Committee, under the chairmanship of respective chief secretaries. One of the main tasks of SeMT is to provide technical support to this Apex Committee.

With fast changing technology how is the Change Management effected to upgrade skills?

Change Management is an important aspect for taking NeGP forward. There are two issues of change management that are important: one is human resource (HR) related and the other is technology related, in the implementation process. While the technology part is adequately addressed by implementing agencies, the HR related part would be seen by SeMTs, since every state would have their own way of solving problems. That is why change management is one of the skill sets recommended for SeMT professionals. For this reason, as I have mentioned earlier, State Training Institutes would be upgraded for providing training to the existing staff members. Operation and Maintenance (O&M) is an important aspect of implementation. NeGP has introduced the Public Private Partnership (PPP) concept quite aggressively for O&M support as well as to ensure adequate service level to citizens backed by designing Service Level Agreements (SLAs) and mechanism to monitor SLAs.

How is the issue of language resolved for capacity building?

In the e-Governance implementation local language is used to the maximum extent possible. When you go down to the basic level, you will find that not just the implementation but also all interactions are in the local language. The citizen awareness programmes are run in local languages. Therefore, at the delivery end like Common Service Centres (CSCs) local workforce is being utilised.
Website Quality Certification Scheme in India
Internet acts as an interface between the government and the citizen. The main front-ends of e-Governance are the public websites that provide administrative information and services. The number of users using these sites is increasing day by day. The effectiveness of this direct link to the citizens is highly dependent on the security and quality of the web page. This is true for the public sector in the same way as it is for businesses. Consumers and citizens equally expect easy and secure access to information and services. Globally, a vast number of countries have evolved relevant website quality standards and certification schemes for the benefit of the citizens, website designers and developers. Keeping in view such trends, the Standardisation, Testing and Quality Certification (STQC) Directorate, under the Ministry of Information and Technology, has developed a ‘Website Quality Certification Scheme’ (WQCS) that ensures comprehensive, reliable and easily navigable websites. It is aimed at reducing legal liabilities and security risks as well as helping to increase the accessibility and usability of websites. The sites that participate in the scheme will be benchmarked against the certification scheme requirements. When certified, a website should fulfill broad quality objectives, such as security and data privacy, appropriate accessibility of content and a certain commitment to services and overall performance. Through regular testing, the scheme ensures that quality and security standards are met. Thus, it serves the needs of the citizens and supports the government in fulfilling its social responsibility. Furthermore, it will positively affect the customer orientation of Indian websites in general. The scheme is thereby promoting eBusiness, while supporting the National eGovernance Program (NeGP).
www.stqc.nic.in
COUNTRY INITIATIVE
Economic Development through e-Governance
INFORMATION IS A DRIVER FOR DEVELOPMENT
Nargis Begum, mother of four children, is a crop farmer in Bangladesh. One day she found out that her beans were affected by a disease. She approached the local ICT centre where she received the available information on the treatment for a small amount of money (8 US Cents). Mrs. Begum saved her year’s produce worth BDT 1,500 (US$ 22). This is only one of the many cases in which ‘Katalyst’ facilitated activities that improved the lives of rural people. Implemented by German Technical Cooperation (GTZ) International Services and Swisscontact, Katalyst is replicating the rural information centre model in partnership with Grameen Telecom and Grameen Phone on a much bigger scale in Bangladesh. Similarly, successful projects in the field of international cooperation are being implemented in over 120 countries. In India, GTZ has been actively involved for almost 40 years, partnering with the central government and various state agencies. Based on their world-wide experiences, GTZ has built up a strong expertise in the field of capacity development and dealing with complex reforms and change processes. e-Governance is one important element of the overall portfolio, incorporating more than 30 years of experience in implementing good governance projects all over the world. Given the Indian interest in e-Governance and Germany’s successful experiences with large e-Governance schemes, the Indian and German governments decided to cooperate on that ground. In a jointly signed cooperation agreement, they started a 21 million EURO (about 1211 million INR) project called ‘Economic Development through e-Governance’ in 2007. The project is currently implemented by the Indian Standardisation and Testing Quality Certification (STQC) and GTZ. The cooperation aims at developing an e-Governance Conformity Assessment Framework (CAF), using Germany’s ‘Standards and Architectures for e-Government applications’ as a reference point.
The CAF will improve the quality of e-Governance applications and services and increase the user’s confidence in the use of online solutions.
Moreover, specific trainings will be designed for Small and Medium Sized Enterprises (SMEs), enabling them to access e-Governance services as users, as well as to create business through e-Governance, giving more people access to the most valuable resource of the modern world: information. As Nargis Begum from Bangladesh said: “Information provided by the rural ICT centre not only saved my beans but also saved my family, as my four children and the livelihoods of my paralysed husband depend on me.”
Hannes Karkowski (Hannes.Karkowski@gtz.de) is senior advisor at the German Technical Cooperation (GTZ) in New Delhi, India. Before coming to India, he worked as the GTZ project manager of Metalogo, an award winning local eGovernance project in Chile, Colombia, Honduras and Peru. Hannes’ professional interests include eGovernance, good governance and ICT4Development in general.
Ricarda Elena Joie Wildemann (Ricarda.Wildemann@gtz.de) Dr. MSc, is working as a technical advisor at the German Technical Cooperation (GTZ) in New Delhi. She is involved in an eGovernance project, a cooperation of the Government of India and the Federal Ministry of Economic Relation and Development (BMZ). She studied at the University of Passau (Germany), at the University College London (UK), the Universitat Pompeu Fabra in Barcelona (Spain), the London School of Economics (UK) and wrote her doctorate on IT-Offshoring from Germany to India at the University of Erlangen-Nürnberg.
INDIAN RAILWAYS
Internet Ticketing Project
To make rail ticket booking a hassle free affair for the public, IRCTC started Internet Ticketing Reservation Project. The spirit behind the project was to dissuade customers from going to Railway Reservation Counters and instead to take the Passenger Reservation System to the customers.
Sanjay Aggarwal
INTRODUCTION
Indian Railways has set up a public sector company, Indian Railway Catering and Tourism Corporation Limited (IRCTC), owned by the Ministry of Railways. IRCTC launched its website http://www.irctc.co.in on 3rd August, 2002 for the purpose of railway ticket booking through Internet. Since its inception it has emerged as one of the largest online payment Internet sites in India with annual growth of more than 300 percent. On an average more than 75,000 tickets are sold through IRCTC’s website in a day. IRCTC provides tickets to the public in the comforts of their home/residence instead of visiting the ‘Railway Reservation Centres’ for booking. The delivery of tickets is made either through the courier or a person can himself take the print out for travelling. By doing this, IRCTC is not only saving the time of the public but also saving their cost of travelling to these centres. For Railways it is saving on their infrastructure like buildings, air-conditioning, electricity, furniture, staff etc. The spirit behind the project was that instead of the customers going to Passenger Reservation System (PRS), the PRS should be brought to the customer.
INTERNET TICKETING
Internet ticketing operations of IRCTC were launched in collaboration with the Centre for Railway Information Systems (CRIS). Tickets for train journeys in India, including tatkal tickets, can be booked on the Internet, on the website www.irctc.co.in, by any user after registering at the site.
INITIATIVE TAKEN
To make rail ticket booking a hassle free affair for the public, IRCTC started Internet Ticketing Reservation Project. Under this project, IRCTC started online booking of two types of rail ticket, namely i-Ticket and e-Ticket. Before the initiation of the project of IRCTC, booking of rail tickets all over the country was done at the Railway Reservation Centres. Long queues at reservation centres were a common sight. Public had to face the difficulty of visiting these centres besides wasting their precious time. Indian Railways had to spend huge resources to improve its infrastructure to deal with such long queues at their reservation centres. The entire Internet Ticketing concept was conceived, formulated and implemented by IRCTC within a record time span of less than nine months.
PAYMENT OPTIONS
Payments for tickets can be made either by credit cards or by debit cards of certain banks. For customers who are not credit worthy, IRCTC offers Net Banking. This facility is available to users who have their accounts in more than 27 banks for direct debit payment. This is the largest integration of banks for payment through a website in India. IRCTC has Internet Banking facility with ICICI, HDFC, Citibank, IDBI, Bank of Punjab, UTI Bank, State Bank of India, Centurion Bank, Punjab National Bank, ABN AMRO, Corporation Bank, Oriental Bank of Commerce, Syndicate Bank, etc. Transactions carried out on the site are secure since the site is VeriSign certified and financial data is transferred across the Internet in encrypted mode (128 bit encryption). For customers who do not have credit cards, access to net banking or who do not want to use credit cards or net banking facility due to security or any other reason, IRCTC offers them cash card payment options from ITZ Cash Cards, I-Cash Card and Done Cash Card. By opting for Cash Cards, exposure of the customers while transacting over the net is limited to very small amount. Thus, IRCTC offers varied and secure payment options for its customers.
i-TICKET
i-Ticket is the ticket which is booked by the customer, printed at IRCTC’s operation centre and subsequently delivered to the user’s home or office or any other address of their choice in over 200 cities in India within 48 to 72 hours. The i-Ticket can be cancelled at any computerised reservation counter across the country by submitting a cancellation requisition form along with the ticket. The amount is credited back to the credit card account / bank account of the user. Other facilities like change of name, change of boarding point etc., are also available across the counters.
e-TICKETING
On 12th August, 2005, IRCTC launched the e-Ticketing services on pilot basis. On 24th February, 2006, e-Ticketing services were launched for all trains. The users do not have to carry a physical ticket with them. In fact they can take a printout of the Electronic Reservation Slip (ERS) in the specified proforma and travel. While travelling, the users have to carry the ERS along with the relevant photo identity card issued by the government in original, which together constitute the travel authority. To avail this service, the users can log on to www.irctc.co.in and book their ticket on the Internet just like any normal booking, selecting ‘e-Ticket’ in the Plan My Travel page. The users have to give the photo identity card details of any one of the passengers (who is called the Master Passenger) while booking the ticket. At present only confirmed and RAC (Reservation Against Cancellation) tickets can be booked through e-Reservation. e-Ticketing facility for waitlisted passengers will be launched shortly. To make e-Ticket more user friendly, cancellation of Master Passenger can now be done by the users and any of the remaining Passengers can be converted to a Master Passenger.
Other initiatives taken through the project:
IRCTC AGENTS
e-Ticketing facility was extended to Rail Travellers’ Service Agents (RTSAs) during 2006. The main aim of providing this facility is to provide rail tickets to customers who do not have the online booking or payment facility, mainly in rural areas. This facility was also extended to International Air Transport Association (IATA), Travel Agents Association of India (TAAI) and Travel Agents Federation of India (TAFI) agents. Under the Internet Cafe scheme, major organisations like Sify, Done Card, ITZ Cash Card, Hughes communication etc. are registered for e-Ticketing facility. Likewise, various state governments like Andhra Pradesh (e-Seva), Rajasthan (e-Mitra), UP (e-Suvidha), Kerala (Akshaya Project), Karnataka (Bangalore One) etc. are registered. Until now, more than 20,000 agents are enrolled for this e-Ticketing facility and on an average basis they book more than five lakh tickets per month which constitute 22 percent of entire Internet bookings with IRCTC. Further, some of the agents are working outside India in Nepal, Sharjah, Singapore, Canada, Thailand and Kenya as well.
SCHEME FOR FREQUENT TRAVELLERS (SOFT)
On 20th February, 2006, a Scheme for Frequent Travellers (SOFT) was launched which offers generous reward points to loyal customers and these points can be redeemed for free railway tickets. Apart from SOFT, SBI credit cards in collaboration with IRCTC has launched a Co-branded Rail Credit Card.
Performance of SOFT
The scheme has been able to attract more than 50,000 customers so far.
Mumbai Suburban Season Tickets (MSST)
IRCTC has launched a new service for the convenience of MSST passengers. Registered users of www.irctc.co.in can book their MSST through Internet. Users can purchase a fresh season ticket valid from two days up to ten days from the date of booking. Service charge is not levied upon the customer for this service.
AWARDS
Certifying the unique benefits of this project the following awards have been conferred on the project:
• Awarded the ‘National Award for e-Governance, 2007-08’ jointly by Department of IT, Government of India and Government of Haryana.
• Awarded the ‘Best e-Governed Project G2C - Urban and Rural’ by Computer Society of India in November, 2007.
• Awarded the ‘Genius of the Web Award 2007’ for Best e-Gov Public Sector Undertaking Site by CNBC.
• Awarded the ‘IT Application of the Year 2005’ by PC Quest Magazine.
• Awarded the ‘e-Retailer of the Year’ by ICICI Bank Retail Excellence Award, 2005.
• Awarded the ‘PATH BREAKER OF THE YEAR’ award by Data Quest Magazine in December 2004.
• Awarded the ‘MAXIMUM SOCIAL IMPACT’ by PC Quest magazine in their IT Implementation Award for the year 2004.
The steady growth of IRCTC’s Internet ticketing project emphasises an increasing acceptance of the Internet ticketing system over time. In general, the conclusion is that if e-Governance initiatives fulfill a perceived consumer need, they are acceptable to a wide range and increasing number of customers.
Sanjay Aggarwal, General Manager (Operations) IRCTC, is a career bureaucrat of Indian Railways with more than 20 years of experience in Construction, Logistics and General Administration.
A Tribute to Sir Arthur C. Clarke
Science fiction writer and visionary Sir Arthur C. Clarke, who made exceptional contribution in the field of telecommunication, left for his heavenly abode on 19 March 2008, in Colombo, Sri Lanka, at the age of 90. Born on 16 December, 1917, in Minehead, Somerset in the United Kingdom, he moved to Sri Lanka, then called Ceylon, in 1956. His demise is deeply mourned by the international telecommunication community who will remember Sir Arthur for making popular the concept of using the geostationary orbit for communications. His contributions include papers such as ‘Extra-terrestrial Relays - Can Rocket Stations Give World-wide Radio Coverage?’ published in British Magazine Wireless World. The paper established the feasibility of artificial satellites as relay stations for Earth-based communications. Nearly two decades later, in 1964, Syncom 3 became the first geostationary satellite to finally fulfill Clarke’s prediction. Later that year, Syncom 3 was used to relay television coverage of the Summer Olympic Games in Tokyo to the United States, the first television transmission over the Pacific Ocean. Now, there are hundreds of satellites in orbit providing communications to millions of people around the globe. In 1954, Clarke had also proposed using satellites in meteorology. Today, we cannot imagine predicting the weather without using dedicated meteorological satellites. He has authored more than 80 books involving science, and science fiction. His short story ‘The Sentinel’ served as the basis for Stanley Kubrick’s 1968 film ‘2001: A Space Odyssey’. His other famous works include The Exploration of Space, The Promise of Space, The Fountains of Paradise, his semiautobiographical novel Glide Path, and Childhood’s End. Before his death, Clarke had just reviewed the manuscript of his latest novel, The Last Theorem. People from all walks of life have sent their condolences. Sri Lanka’s President Mahinda Rajapaksa was ‘deeply saddened’ by Clarke’s death and said that, “Sir Arthur made important intellectual, cultural and scientific contributions to Sri Lankan development, while engaged in his scientific research and creative writing that earned him well-deserved praise the world over.” Apart from this, a Book of Condolence for Sir Arthur C. Clarke is open for signature at the ITU headquarters (Tower building) from 26 March to 4 April 2008. His demise is a great loss to the world telecommunication community.
INDIAN RAILWAYS
Information Management and Decision Support Systems in Railroads
Railroads require an integrated business application solution comprising Business Intelligence and DW components to unlock the value of information hidden in enterprise systems
Manoj Jain & Ashish Raj
Indian Railways, for whom Freight Transport accounts for 70% revenues, as a case in point, have the following issues:
• Higher demand for Freight and Passenger transport, with planned economic growth
• Need for capacity enhancement in the Railway network over the next 10-15 years
• Technological upgradation for better maintenance of railway assets
• Greater competition from roadways, with major investments in highway network upgradation
• Increase freight market share through higher availability of services at competitive prices
• Greater attention to passenger services and safety
• Heavily subsidised passenger fares, distorted passenger pricing
• Upgradation of the Railway Production units for improved efficiency and productivity
Through the following diagram, Key Result Areas of a typical railroad company are illustrated:
Railroad organisations are using IT for greater efficiency in the following three key areas:
• Freight revenue enhancement
• Passenger revenue enhancement
• Improved and optimised service
In most railroads the systems in the organisation are geared to run the train services. The same basic operational data about the trains, services, locations and rolling stock is manually keyed into several systems for the purpose of producing Management Information Systems (MIS). These are un-integrated stand-alone systems. The MIS currently is therefore fragmented, inaccurate and time consuming. It gives different answers to the same question depending upon which system has been interrogated.
Few inadequacies in these systems are:
• The same basic information from different systems does not match
• Users have no faith in Management Information System (MIS)
• There is a high level of frustration with the timeliness & quality of data
• Multiple applications are costly, and inaccurate
The systems also have limitations in their ability to provide an integrated framework to manipulate historical data and provide a common platform for complex analytics.
THE NEED OF THE HOUR FOR RAILROADS IS TO HAVE A
• Single point Management Information and Decision Support System (MI & DSS)
• To provide aggregate performance information with drill down facility
• To provide Historical Trend Analysis
• What-if Analysis and simulation
• Customer Behavioral Analysis
• Customer Service Analysis
• Revenue and Profitability Analysis
• Operations Analysis
• Sales Analysis
HUMAN RESOURCE ANALYSIS
The typical evolution of Business Intelligence (BI) maturity is as per the table below. Most railroads are in the “Information Access” stage and aspire to be in the “Performance Management” space. Railroads require an integrated business application solution comprising BI and DW components to unlock the value of information hidden in enterprise systems. Providing users with real-time, easy, and intuitive access to key operational metrics to monitor the health of the business and quickly react to changes in the business environment.
This system would distill operational data and would use predictive analysis to enable Railroads to make better-informed decisions for all aspects of the business—from route profitability and network growth to platform modernisation and equipment utilisation—to best determine areas in which to invest or divest. This would enable analysis and reporting of shipment performance and rolling stock asset utilisation. Railroads need to identify opportunities to increase the productivity of wagons and deliver improved reporting to internal and external stakeholders. This tool will allow multiple groups to view, monitor and address issues from both the shipment performance and asset utilisation perspectives. One way to manage such a diverse organisation is to use continuous feedback to gain visibility of the ‘result’. The feedback allows management to compare the planned result to the actual result and adjust the action accordingly.
Technology applications from Satyam help the rail industry evolve business solutions in enhancing revenue growth, while reducing cost through efficient operations, maintenance, asset utilization and capacity management. Satyam provides end-to-end railroad/transit application management services, including:
• Business Intelligence Solutions
• Track inspection system
• Signal asset tracking system
• Safety audit
• Bridge planner
• Equipment distribution and management
• Car accounting systems
• Rail yard information management
Satyam’s Rail competency covers both the Passenger and Freight segment. It has
• 175 man years of experience in Rail industry
• Tie up with Indian Railways Institute for Signal Engineering and Telecommunications (IRISET) for periodical training
• One of the largest IT consulting practices for Railroad industry in India
• Been rated as “Strongest” for consulting capabilities among Indian IT vendors
Satyam’s partial list of customers includes the largest railroad in North America, Australia’s largest rail operator, Japan Railway Group, Australian Rail Corporation and a leading train company in UK, to name a few.
Mr. Manoj Jain heads Satyam’s Government, Defence & Utility Business in India & South Asia.
Mr. Ashish Raj is a Senior Consultant at Satyam’s Travel & Logistics unit.
INDIAN RAILWAYS
Key IT Initiatives
INTRODUCTION
Indian Railways is one of the largest and busiest rail networks in the world and an important mode of public transportation in India. Since its inception, 155 years ago, the Indian Railways has contributed significantly to India’s transport needs and economic growth. Today, Indian Railways ranks among the top five National Railway Systems in terms of size and scale and is poised to emerge as a world class railway system. The developmental role of the railways is particularly important in India, in both passenger and freight sectors. It has been performing a valuable social role in passenger sector by providing affordable means of relatively safe and efficient transportation for millions of passengers daily. As a carrier of bulk freight such as ores and minerals, grains, fertilisers, mineral oils, iron and steel, container cargo etc., the cost advantages of the railways are well known. In consonance with the increased expectations and present requirements various IT related measures have been taken for making Indian Railways one of the most efficient railway networks in the world.
PASSENGER RESERVATION SYSTEM
Centre for Railway Information Systems (CRIS) software called Countrywide Network of Computerised Enhanced Reservation and Ticketing (CONCERT), based on state-of-the-art client server technology, has been installed at all the Passenger Reservation System (PRS) sites. Complete networking of PRS has proved to be conducive for the passengers who are able to book accommodation on any train from any location. Currently, PRS is running at more than 1,400 locations with more than 5,000 terminals, and is handling more than 3,000 trains, involving more than one million passenger transactions per day, with a peak of 1.8 million passengers on a day in March 2007. CRIS is responsible for maintenance and enhancement to CONCERT Software. System hardware maintenance management is also being done by CRIS.
PRS MIGRATION OF DATABASE FROM FLAT FILES TO RDBMS
CRIS had submitted a proposal for porting of CONCERT to open hardware and software platform called Relational Data Base Management System (RDBMS). CONCERT is a very complex legacy application consisting of 2.5 million lines of code, involving complex business logic. It supports more than 1 million reservation/cancellation/modification transactions and 10 million enquiries in a day. It delivers a response time of less than a second for local transactions and less than three seconds for network transactions. As there were no case studies available to support the premise that an application like CONCERT can be migrated to RDBMS without any performance issues, there was a need to carry out a Proof of Concept (POC) project. This POC included load simulation and response time analysis of important use cases like reservation, availability enquiry, PNR enquiry, charting, summary and Driving Trailer Car (DTC).
PROJECT DESCRIPTION
It is proposed to have a Disaster Management Site in Secunderabad catering to the five PRS sites. A POC for the study of feasibility and performance related issues has been planned. This will be followed up by a pilot project for Disaster Management Site of PRS-Delhi which will identify business processes and implementation issues. Subsequently, All India Disaster Management Site Implementation would be undertaken for all five PRS sites.
CURRENT STATUS
Disaster Recovery (DR) capable SAN Storage boxes have been procured and installed at Delhi, Kolkata, Chennai and Mumbai PRS sites as a part of PRS upgradation. Scope of POC is being worked out with private players for testing the storage data replication software between Delhi and Secunderabad.
TTE’S HAND HELD TERMINALS PROJECT (HHT PROJECT)
The envisaged objective of this project is to computerise the on-board passenger interface operations, performed manually by the Traveling Ticket Examiners (TTEs). Under this project, the TTEs will be provided with a Handheld Computing Terminal (HHT), which will be linked to the Central Reservation Computer through a wireless network (GPRS provided by Bharat Sanchar Nigam Limited). As a pilot project, this is to be implemented on New Delhi - Amritsar Shatabdi, New Delhi - Dehradun Shatabdi, Mumbai - Ahmedabad Shatabdi and Mumbai - Amritsar Golden Temple Mail Express trains in two phases.
CURRENT STATUS
• The application software for the first phase has been developed and internally tested. However, as per latest requirements, modifications in the applications are being carried out.
• On-train testing has been conducted on New Delhi-Lucknow Shatabdi, New Delhi-Amritsar Shatabdi and Kashi-Vishwanath Express on the GPRS connection leased from BSNL for testing the network availability on moving trains.
• TTEs of the Amritsar Shatabdi route were given training and hands-on practice in a workshop organised by CRIS.
UNRESERVED TICKET SYSTEM (UTS)
UTS was started by the Indian Railways on 15th August 2002, at 23 stations of Delhi area over Northern Railways as a pilot project. The UTS was subsequently expanded to other important stations of Northern Railways and thereafter to other Railways starting from East Central Railways. This system is functioning at 2882 counters on 892 locations over Indian Railways as on 2nd October 2007. The comparative position of UTS indicating the number of locations where UTS was functioning is given as under:
| Position as on | No. of Locations |
|---|---|
| 31.03.2003 | 23 |
| 31.03.2005 | 126 |
| 31.03.2006 | 588 |
| 02.10.2007 | 892 |
Around 23,000 UTS are expected by 31st March 2009. Railway Board has sanctioned a proposal for “Capacity Enhancement and Disaster Management System of UTS Servers” over Indian Railways. The comparative position of ticketing being handled by UTS as on August 2006, March 2007 and June 2007 is given as under:
| | August 2006 | March 2007 | June 2007 |
|---|---|---|---|
| No. of tickets issued per day (in millions) | 2.086 | 2.59 | 3.098 |
| No. of passengers handled per day (in millions) | 4.664 | 0.803 | 10.758 |
| Earnings per day (in INR/millions) | 130.3 | 161.1 | 198.1 |
AUTOMATIC TICKET VENDING MACHINES (ATVMS)
Initially, a work for 300 ATVMs was sanctioned for Mumbai area. Subsequently, 450 more ATVMs were sanctioned for other Railways. 117 ATVMs have been made functional on the Western Railways suburban system by 11th October 2007.
COMMERCIAL PORTAL
In his budget speech for 2007-08, the Hon’ble Minister for Railways Shri Lalu Prasad Yadav mentioned that “A Commercial Portal will be developed in the next three years for yield management, especially, to attract traffic for returning empty and filling up vacant seats.” With the above end in view, interactions were held with IT majors like TCS, WIPRO, INFOSYS etc. Specifications with regard to user requirements for three modules of Passenger Business, Parcel Business and Freight Business for the Commercial Portal have been finalised and the same were furnished to CRIS for making out the RFQ. The functions of auction of empty seats/berths and online bidding of rakes in empty flow direction to generate additional revenue will be included only after clarifications on the issue are obtained from a Legal Adviser.
INTEGRATED COACH MANAGEMENT SYSTEM (ICMS)
The ICMS modules are hosted on central servers located in CRIS and accessed by remote locations via the Freight Operations Information System (FOIS) network. There are 338 terminals from 196 locations connected to ICMS. These 196 locations cover zonal headquarters (16, including Konkan Railways, but excluding NCR where the terminal is not operative due to connectivity issues), divisional headquarters, stations and yards.
SOFTWARE MODULES
Coaching Stock Management Module
This module tracks status and utilisation of individual coaches over Indian Railways. It became operational in April 2006 with Nizamuddin Station as the first location. Its usage has gradually increased since then. The module has been extensively field tested and debugged. It meets all functional end use requirements set down for this module.
Punctuality Module
The Punctuality Module was made operational in February 2004 and was migrated to the new system in September 2006. All reports produced manually in the Board were implemented accordingly and made available online. These reports have been tested and vetted by the concerned officials from the Punctuality Cell of Railway Board.
Maintenance Module
Maintenance module has been recently added to the scope of Integrated Coaching Management System (ICMS). The end user requirements were collected from the Zonal Railways and sent by Board in May 2007. These requirements are however, only indicators of differing perceptions of the end users and cannot be taken as user requirements. Therefore, only two major depots and one minor depot shall be covered at this stage. However, solution that is developed would permit fast rollout to all locations as soon as that part is sanctioned.
USER ACCEPTANCE
Both the COIS and Punctuality Modules of ICMS have been accepted by the users and these have been adopted by all the Zonal Railways. However, new functional and usability requirements have emerged as the system began to be adopted. Therefore, a second development cycle to address user requirements in Version 2 of ICMS has been taken up.
FREIGHT OPERATION INFORMATION SYSTEM
FOIS is an online transaction processing based application providing a ‘track and trace’ solution for account of cargo, freight and rolling stock assets of Indian Railways. It is a system assisting managers for monitoring and management of assets for optimum utilisation and providing timely information to the customer for supply chain management. The current phase of FOIS comprises two modules: Rake Management System (RMS) for handling the train operations and Terminal Management System (TMS) for commercial processes of Indian Railway’s core business. The application has a three-tier client server architecture using RDBMS, Middleware and Front-end. The system generates more than 1200 reports either online or through mailbox accessed by web.
TERMINAL MANAGEMENT SYSTEM (TMS)
TMS has already been deployed at around 500 locations and, with the availability of V-sat connectivity, it is expected to cover all major handling terminals (521 locations) to issue online Railway Receipts (RRs) by the end of the financial year. Currently, online RRs are being generated at more than 300 locations. It has now been proposed by the Railways to commission new TMS locations at places where at least five outward and inward rakes are handled in a month. Complete deployment of TMS shall facilitate invoice based consignment tracking, instant RR generation and tracking of instances of unconnected/wrongly delivered wagons. The system also has provision for booking consignments from customer centres. Currently, major customers are being provided the load pipeline with expected date and time of arrival of their consignment at destination point through a daily e-mail.
e-PAYMENT OF FREIGHT
A pilot project for electronic payment of freight for coal booked for Badarpur Thermal Power Station (BTPS) from Katrasgarh started in January 2005 and is now being implemented at all locations on East Central Railways (ECR) from where coal loading is done for BTPS. The originating point electronically intimates the freight charges to the customer’s bank. After receipt of a successful transaction, an RR is printed at the originating point and handed over to the consignor. It is a synchronous transaction and the reply is received within 150 seconds under normal circumstances. After the signing of a tripartite agreement between Railways, Customers and the Bankers, the facility is going to be extended across IR. Currently, three such agreements are under process of finalisation (one each in CR, WR and SWR). With the e-Payment system, it would be possible to adopt a centralised billing system for large customers doing regular loading/unloading across Indian Railways.
RAKE MANAGEMENT SYSTEM (RMS)
About 2200 reporting and monitoring devices have been commissioned at more than 700 locations, out of which around 240 locations are exclusively reporting for the RMS module. These locations and devices have been networked through railway owned digital microwave and OFC, complemented by dedicated lease lines and V-sat hired from BSNL and Hughes Escorts Communications Limited (HECL). RMS provides instant access to load/train pipeline information, status of rakes and rolling stock assets across the Railway network in India for operations planning, control and logistics management. Reports and queries are being customised for specific users.
CONTROL OFFICE APPLICATION
The Control Office Application (COA) was developed as a pilot project and the implementation has been planned in three phases. After gap analysis of the first phase divisions, the customisation of software has been completed. The commissioning of the COA software will be dovetailed with the hardware installation and is expected to be completed by the end of March 2008.
The project would have a specially designed component on eLearning. The project will also identify staff who have not received specific trainings and arrange trainings accordingly. The IT arm of Indian Railways, CRIS, would be implementing the project.
PARCEL MANAGEMENT SYSTEM
The project for computerisation of parcel services at seven stations of the Delhi - Howrah corridor (New Delhi, Delhi, Kanpur, Allahabad, Gaya, Howrah and Sealdah) was sanctioned in September 2005. Software development for the project has been completed by CRIS. Full scale implementation was completed at New Delhi and Delhi stations in June 2007. The PMS developed by CRIS enables end to end tracking of parcels (from booking to delivery) through bar coding and automatic capture of weight from electronic weighing machines.
IT PROJECTS OF IRCTC
Web Based Rail Reservation System
For selling e and i-Tickets of Indian Railways, IRCTC has designed an e-Commerce portal where web based rail reservations are done. It was launched in the year 2002 and the sale of tickets has grown from a few hundred to 45,000 tickets per day. www.irctc.co.in has more than 40 lakh registered users and, in terms of transactions, it is the biggest e-Commerce site of India.
Tourism Portal
IRCTC has also designed a tourism portal, www.railtourismindia.com, which facilitates online booking of tourist trains like the Buddhist train and Fairy Queen, with agents modules and cab booking, train booking and hotel booking facilities.
CREW MANAGEMENT SYSTEM (CMS)
The pilot phase of the CMS project has been completed. Modules such as freight, shunting, coaching, SMS call server and alerts, crew monitoring, caution order, circulars and quiz for evaluation of crew knowledge have been completed as well. Over 150 CMS implementers have been trained through regular training batches since September 2007.
WEB ENABLED CLAIMS PHASE-II (REFUND GOODS, RCT AND SUBSIDIARY CLAIMS)
Sanctioned in June 2005, the project covers implementation at 48 locations. The software development for the three subgroups has been completed and tested by the Railways Claims Tribunal (RCT). The refund goods application has already been implemented with effect from 1st July 2006, at all the Zonal Railways.
ERP FOR HUMAN RESOURCE MANAGEMENT SYSTEM
The Indian Railways is planning to introduce Human Resource Management functions through an IT platform. In this regard, the IR is adopting a new bidding process for interested IT firms. The Railways has decided to implement the project on a Build, Own, Operate and Transfer (BOOT) basis. The adoption of the BOOT model will spare Railways from making heavy upfront investments. From the Railways’ perspective, the cost would be spread over a longer period and subject to satisfactory project implementation. This is the first software project for the Railways to be taken up on a BOOT basis. The project will help the Railways serve its 1.4 million employees and 1 million pensioners in a better manner.
INTEGRATED TRAIN ENQUIRY SYSTEM (ITES)
Implementation of ITES, based on a Public Private Partnership (PPP) model, has been assigned to IRCTC jointly with CRIS. IRCTC has been responsible for the successful development of the PPP model and overall implementation and management of the project, while CRIS has been responsible for formalising the Architecture and Technology and for the back end integration with PRS and National Train Enquiry System (NTES). Operation and Maintenance of the Zonal Hubs and call centres is being done by the Rail Enquiry Franchisee. ITES consists of four centres (North, South, East and West) to handle calls. Each centre consists of a Zonal Hub and a call centre. The Zonal Hubs are located in the PRS centres at Delhi, Mumbai, Chennai and Howrah. The servers and the IVRS (Integrated Voice Response System) equipment are located at these centres. Enquiries are accessible from all telecom service providers, irrespective of the type of telecom service (basic, mobile, WLL services etc.). The subscriber shall be able to access these services by making a local call throughout the country.
FUTURE ACTIVITIES
IRCTC is associating with banks for the issue of e-Tickets from their ATMs. For bookings through ATM kiosks of SBI, UBI, PNB, BOB, Dena Bank, Canara Bank and Indian Bank, the POC has been finalised with SBI and UBI and the remaining integration is in process. In addition to this, initiatives are being taken for booking tickets through call centres.
Courtesy: Indian Railways
NEWS
BROADBAND CONNECTIVITY IN RURAL INDIA
In order to expand broadband connectivity to rural areas under the purview of the Universal Service Obligation Fund (USOF), the Indian Telegraph Rules have been amended. The Indian Telegraph has added stream IV under the title ‘Provision of broadband connectivity to villages in a phased manner’. The USOF is working on a scheme for providing financial assistance by way of subsidy for broadband active infrastructure like the Base Transceiver Station and by utilising the existing passive infrastructure available with the Telecom service providers. The Government has approved a Common Services Centres (CSCs) Scheme for providing support for establishing 100,000 Common Services Centres in 600,000 villages of India. The main objective is to develop a platform that can enable government, private and social sector organisations to align their social and commercial goals for the benefit of the rural population in the remotest corners of the country through a combination of IT-based as well as non-IT-based services. It is also proposed to set up a National Knowledge Network for providing broadband connectivity to knowledge institutions in the country.
KENYA: ICT FIRM TO LINK RURAL POPULATION
The Kenya Data Networks will roll out a Sh210 million initiative geared to expanding its ICT reach. The project, called ‘Digital Village Constituency Cluster’, will target the rural population. With the help of the project, KDN will install VSat base stations in each of the country’s constituencies. The company is aiming to help Kenyans harness the untapped potential in the rural areas while enabling them to acquire relevant ICT skills for the sake of development. KDN will use its butterfly product to broaden distribution of local content. Under the programme, each constituency cluster will consist of a minimum of eight (8) digital units serving commercial, developmental and educational activities within a 15km radius. People will be able to access the Internet through a dedicated wireless infrastructure guaranteeing reliable single hop connectivity. Through a pilot project, KDN will connect 40 constituencies in collaboration with ICTvillage.com and the Youth Enterprise Development Fund amongst other organisations.
INDIA TO BECOME WORLD’S 2nd LARGEST WIRELESS MARKET
India will become the world’s second largest wireless network, pushing the US to the third slot. China tops the global rank with over 540 million wireless customers in February 2008, followed by the US with 260.50 million and India with 250.93 million. According to the Telecom Regulatory Authority of India (TRAI), the US is adding 2 to 3 million subscribers a month, half of China’s 6 to 7 million, both of which are considerably lower than India’s monthly addition of 8 to 9 million. TRAI also hints that in April, India will meet another landmark by hitting 300 million subscribers, both wireless and wireline. TRAI states that 8.49 million telephone connections were added during February 2008 against an addition of 8.74 million connections in January 2008, thereby taking the total number of telephone connections to 290 million at the end of February 2008. Meanwhile, 8.53 million wireless subscribers were added in February, taking the total wireless subscriber base including GSM, CDMA and fixed wireless and local loop to 250 million.
SPECTRUM MANAGEMENT TO BE COMPUTERISED IN INDIA
The spectrum management for mobile phones will be computerised by April 2008. This is a $50 million automation project of the Department of Telecom (DoT) in collaboration with the World Bank. Until now, the spectrum resources have been managed manually. The new project would ensure that radio frequencies are used effectively across various sections of users: telecom operators, Airport Authority of India, defence forces, police and para-military forces, railways, port authorities, broadcasters etc. The project includes establishing a satellite earth station, 22 terrestrial microwave earth stations, 4 HF/VHF/UHF fixed monitoring stations and 40 mobile monitoring systems, and all of these will be networked with the automated National Radio Spectrum Management and Monitoring System (NRSMMS).
BANGLADESHIS SPEND LOWEST ON MOBILE PHONE IN SOUTH ASIA
According to a recent study conducted by LIRNEasia, Bangladeshis spend less on mobile phone use than any other people in South Asia. Bangladesh ranked No 1 in terms of affordability of cost for low, medium and high mobile users in both prepaid and post paid, followed by Pakistan, India and Sri Lanka. According to the study, a low prepaid user means a person who talks 68 minutes per month on an average and a low post paid user means a 207-minute talking time per month. In the case of medium users, the study considers 175-minute and 535-minute talking time per month for prepaid and post paid customers. And high user means 378-minute talking time for prepaid and 1155-minute talking time for post-paid. In purchasing power parity (PPP) terms, reflecting affordability, Pakistan has been adjudged the most affordable, followed by Bangladesh, Sri Lanka and India in the prepaid segment. In the SAARC region, Afghans spend the highest on mobile phone use. Among the eight South Asian countries, for the low user, essentially the poorer user, the average monthly cost of using a mobile in Bangladesh is as low as $2.46 per month in case of prepaid. In the case of low users in the prepaid basket, Pakistan ($3.34), India ($3.72) and Sri Lanka ($3.83) followed Bangladesh. Afghanistan, Nepal, Bangladesh, Pakistan, India, Bhutan, Sri Lanka and the Maldives were brought under the study. The study found that for high prepaid users average monthly expenditure is $12.31, followed by Pakistan’s $16.92, India’s $18.32 and Sri Lanka’s $20.046. Afghanistan tops the list in terms of cost, which ranges from $8.33 for a low user to $43.34 for a higher user. In the case of post paid PPP, Bangladesh holds the lowest position at both the medium and high user level. But it has been adjudged the second ($33.83) at low user level, followed by Pakistan ($33.32).
DOT ANNOUNCED 3G SPECTRUM FOR GLOBAL OPERATORS
The Department of Telecommunications (DoT), Government of India, has announced plans that will allow new players, including foreign operators, to get 3G spectrum in India. DoT stated that the new GSM operators will get a chance to bid for up to 10 MHz of 3G spectrum, or 2 blocks, that will help them to launch 3G spectrum successfully. This decision of the DoT overrules the announcement of the Telecom Regulatory Authority of India (TRAI), which had announced that only the existing GSM operators will be allowed to bid, and for single blocks of 5 MHz spectrum. However, DoT has made provisions for strict licence obligations for operators to meet the 3G bid. If the operators fail to meet the obligations then there could be a cancellation of the spectrum assignment and allocation to a new entrant through auction.
LOW-COST HANDSETS DRIVING MOBILE MARKET: YANKEE GROUP STUDY
Low-cost handsets are driving the growth of the mobile industry in India, according to a recent study conducted by Yankee Group. According to the study, mobile handsets costing less than $50 account for 62 per cent of all imported units. The study points out that low-cost CDMA handsets are more popular than GSM in this category. Very low-cost handsets have also become important to the Indian cellular market’s astonishing growth. Sub-$50 models accounted for 62 per cent of all imported units between January and October 2007. CDMA models from 13 vendors dominate this category, comprising 78 per cent of all sub-$50 imports. Currently, the country’s cellular market is continuously adding new subscribers at a world-leading rate of 7-8 million users per month. The broadening availability of ultra low-cost handsets (defined as sub-$35) is also becoming one of the key drivers of subscriber growth. In terms of average selling price, CDMA handsets were found to be cheaper than GSM low-cost handsets. However, the price gap between CDMA and GSM has narrowed with the introduction of sub-$30 GSM imports from August to October.
GHANA’S COMMUNICATION BACKBONE COMPLETED
The first phase of the national optic fibre communication backbone project has been completed. The project will reduce the cost of communication and other related services in the country. The first phase, which has been dubbed the Southern Loop with an extension to Tamale, is currently on trial. The project will pave the way for ICT programmes to be undertaken nationwide and thereby bridge the digital divide between the rural and urban areas. The ICT backbone project was part of the broadband infrastructure expected to be used to undertake and implement ICT programmes in governance, health, education, commerce and agriculture.
PRODUCT PROFILE
Check Point
Securing the Internet www.checkpoint.com
ABOUT CHECK POINT
Check Point Software Technologies Ltd. is a leader in securing the Internet. The company is a market leader in the worldwide enterprise firewall, personal firewall, data security and VPN markets. Check Point’s pure focus is on IT security with its extensive portfolio of network security, data security and security management solutions.
UTM-1 TOTAL SECURITY
UTM-1 Total Security appliances are all-inclusive, turn-key solutions that include everything needed to secure your network in a simple and cost-effective way. Each appliance includes a comprehensive set of security features along with complete security updates, hardware support, and discounted customer support for up to three years. Based on the same Check Point technologies that secure the Fortune 100, UTM-1 Total Security appliances deliver uncompromising security while streamlining deployment and administration. UTM-1 Total Security appliances offer a complete set of security features including firewall, intrusion prevention, antivirus, anti-spyware, messaging security, web application firewall, VoIP security, instant messaging (IM) and peer-to-peer (P2P) blocking, web filtering, as well as secure site-to-site and remote access connectivity. UTM-1 Total Security is supported by SmartDefence Services, which maintain the most current preemptive security for the Check Point security infrastructure. To help organisations stay ahead of emerging threats and attacks, SmartDefence Services provides real-time updates and configuration advisories for defences and security policies.
GATEWAY ANTIVIRUS, ANTI-SPYWARE
Gateway antivirus and anti-spyware are core components of UTM-1. It uses an up-to-date list of antivirus and anti-spyware signatures and anomaly-based protection to stop viruses and other malware at the gateway. To check for threats hidden inside legitimate content, real-time antivirus scans are performed on POP3, SMTP, FTP, and HTTP services.
WEB FILTERING
UTM-1 Total Security appliances stop inappropriate web surfing with best-of-breed web filtering that covers 20 million-plus URLs, and helps define an online acceptable use policy for an organisation.
SIMPLE SITE-TO-SITE CONNECTIVITY
With UTM-1 Total Security appliances, the setup of site-to-site VPNs and remote access can be simplified. Manual setup of node-to-node VPN tunnels and security for an entire VPN is replaced by a one-step process, where new sites and remote users are added automatically.
SECURE, FLEXIBLE REMOTE ACCESS
UTM-1 Total Security appliances can connect employees and business partners to any organisation’s trusted network through flexible IPSec or SSL-based remote access, working seamlessly with a variety of VPN clients.
INTEGRATED SMARTCENTRE MANAGEMENT
Integrated SmartCentre Management enables central management of multiple UTM-1 appliances, as well as other Check Point security solutions, from a single console.
CENTRALISED, AUTOMATIC UPDATES
SmartDefence Services enable UTM-1 to be configured as a preemptive security solution, capable of ensuring your networks are safe from new attacks via ongoing and automatic defence updates.
MESSAGING SECURITY
Uniquely, UTM-1 offers six dimensions of protection against messaging security threats including attacks against the messaging infrastructure, viruses and malware, and advanced forms of spam. Integrated e-mail IPS protects key e-mail server protocols to stop attacks against the messaging infrastructure. To address spam, UTM-1 uses IP-reputation based blocking and advanced pattern matching to stop advanced threats. In addition to signature-based antivirus, UTM-1 Total Security offers zero-hour protection to stop attacks at their onset, when a signature is not available.
QUICK SETUP
In less than 10 minutes, UTM-1 Total Security appliances can be set up even by nontechnical staff with the first-time configuration wizard.
SYSTEM RESTORATION AND BACKUP
If the UTM-1 Total Security appliance becomes misconfigured or nonresponsive, a USB hardware token is included to assist system restoration. The token will restore your UTM-1 device to its factory default settings.
The First Asian Monthly Print Magazine on e-Governance
Subscribe Now !!
Yes, I would like to receive egov magazine for:
3 years* (36 Issues): Rs. 2000 (INR) / 250 (USD)
2 years (24 Issues): Rs. 1500 (INR) / 150 (USD)
1 year (12 Issues): Rs. 900 (INR) / 100 (USD)
I will pay with: Demand Draft / Cheque (At Par) / Cash
Please draw Demand Draft/Cheque in favour of: CSDMS G-4, Sector-39, Noida-201 301, India www.egovonline.net
Terms & Conditions:
• Allow 3-4 weeks time for the delivery of magazine.
• Please add Rs. 50 for outstation cheque.
• International subscription is inclusive of postal charges.
• Publisher will not be responsible for delays or non delivery of the magazine.
For subscription related queries contact: Tel: +91 120 2502181-85 Fax: +91 120 2500060 Email: info@egovonline.net