Edit
Vol 2. No. 1. April, 2019
ENTERPRISE SECURITY: A JOURNEY IN THE DIGITAL WORLD
The threat landscape is evolving at an unprecedented rate, and with every breach a company’s survival may be put on the line. It is imperative for business leaders and security professionals to better understand the threat environment and make informed decisions that protect business-critical data. Both CISOs and business stakeholders have the responsibility to address these emerging challenges. The business impact of security incidents and an evolving regulatory landscape have taken Board-level cognizance, which is evident from the fact that a CISO now gets ample support from the Board, not only for the IT security budget but also for the related manpower. The visibility of the CISO and the information security department is increasing in the Board, and as a result budgets are generally available when backed by adequate reasoning. This is where we are seeing continued end-user spending on security products and services. In such a scenario, enterprises are keen to adopt solutions and technologies that help them forecast and avert cyber security breaches in real time, a demand that ensures the industry will see numerous cyber security products claiming ML capabilities. Moreover, emerging technologies such as blockchain, IoT and quantum computing are disrupting the security technology landscape and offering unique use cases for innovation. Ashutosh Jain, CISO, Axis Bank suggests that the plethora of emerging technologies are now so advanced that the real challenge lies in understanding and dealing with their complexity and the risks germinating from them. According to Sameer Ratolikar, enterprises should develop a cyber security framework revolving around four pillars – Protect, Detect, Respond and Recovery. Each pillar would have a list of controls. This framework would break down siloed controls and give good visibility over the cyber kill chain. It has to be backed by an adequate organisation structure and strong governance and measurement around it.
Nivedan Prakash nivedan.prakash@expressindia.com
IMPORTANT Whilst care is taken prior to acceptance of advertising copy, it is not possible to verify its contents. The Indian Express (P) Ltd. cannot be held responsible for such contents, nor for any loss or damages incurred as a result of transactions with companies, associations or individuals advertising in its newspapers or publications. We therefore recommend that readers make necessary inquiries before sending any monies or entering into any agreements with advertisers or otherwise acting on an advertisement in any manner whatsoever. Computer Reseller News® REGD. WITH RNI UNDER NO. MAHENG/75607/2018. Printed and Published by Vaidehi Thakar on behalf of The Indian Express (P) Limited and Printed at Indigo Press (India) Pvt.Ltd., Plot No.1C/716, Off. Dadoji Konddeo Cross Road, Byculla (East), Mumbai 400027 and Published at 1st floor, Express Towers, Nariman Point, Mumbai 400021. Editor: Srikanth RP * * Responsible for selection of news under the PRB Act. (Editorial & Administrative Offices: Express Towers, 1st floor, Nariman Point, Mumbai 400021) Copyright © 2017. The Indian Express (P) Ltd. All rights reserved throughout the world. Reproduction in any manner, electronic or otherwise, in whole or in part, without prior written permission is prohibited.
COMPUTER RESELLER NEWS I APRIL, 2019 I crn.in I 3
Contents
5 | Cover Story
6 | Cybersecurity is the fundamental enabler of the digital economy – Sanjay Bahl, Director General, CERT-In
8 | CISO’s role has become more of a Chief Cyber Risk Manager – Sameer Ratolikar, EVP & CISO, HDFC Bank
9 | The ecosystem has to come together to protect each other – Ashutosh Jain, CISO, Axis Bank
10 | Security related visibility tools will be game changers – Rajesh Thapar, CISO, Yes Bank
12 | CISOs should think strategically and align business priorities with security – Uday Deshpande, Group CISO, Larsen and Toubro
14 | ‘A CISO should act as a critical business partner’ – Prashant Dhanodkar, CISO, SBI General Insurance Company
15 | How a CISO can play it smart – Jagmohan Singh, CISO, Canara Bank
16 | CISOs are going beyond traditional responsibilities – Bithal Bhardwaj, Group CISO Global Regions, GE India
17 | ‘We have a well-defined information security governance framework’ – V Swaminathan, Head - Corp Audit & Assurance, Godrej Industries
18 | Ensuring powerful and multi-layered safeguards – Barry Cook, Privacy and Group Data Protection Officer, VFS Global
26 | Email Security is one of the key areas for 2019 – Naga Mallikarjuna Rao Junnuri, CISO, Syndicate Bank
28 | ‘Financial services are highly targeted for security hacks and breaches’ – Mani Kant Singh, Head IT & CISO, Orbis Financial Corporation
29 | ‘Basic security hygiene is not enough to safeguard digital transformation’ – Amit Ghodekar, VP Cyber Security, Motilal Oswal Financial Services
CXO Speak
20 | Security is a key enabler for digitisation – Ramchandra Hegde, VP, Global Information Security and IT Compliance, Genpact
21 | ‘Information security is a journey and not a destination’ – Satyanandan Atyam, VP, CRO, Max Bupa Health Insurance
22 | Crafting the security roadmap for Indiabulls Group – Rohit Kachroo, CISO, Indiabulls Group
24 | Mobile and portable devices increase the risk of casual data loss – Jitendra Mishra, VP-Chief Information Officer, Wanbury
25 | ‘Operational technology is now converging with IT in the manufacturing sector’ – Saurabh Kaushik, Head-IT Security, Lupin
34 | Visibility into the edge of enterprises is key to generating actionable insights – Deep Agarwal, Regional Director India, Zebra Technologies
36 | ‘We are reducing frauds and abuse with Data Analytics’ – Vikas Arora, IBM Cloud and Cognitive Software Leader, IBM India/South Asia
Thought Leader
30 | Artificial Intelligence reshaping risk management in the BFSI sector – Rajesh Jogi, Head – Risk Hub India & APAC Risk at Royal Bank of Scotland
Case Study
32 | Why Kerala’s Cyberdome project is an idea which must be replicated at the national level – Manoj Abraham IPS, Inspector General of Police & Nodal Officer, Cyberdome Range Office, Thiruvananthapuram
38 | AI can help alleviate the current skills gap facing security teams – Indu Bhushan, CEO of Ayushman Bharat
Digital businesses are constantly maturing, hence IT leaders must evolve their thinking to be in tune with this new era of rapid growth and scale up their digital businesses. Disruptive technologies are playing a major role in revamping business strategies as they change the economics of business models. The strong focus on cyber security shows the necessity of creating a secure base for a digital business that shields the organisation and its clients. To strengthen security against cyber threats, the security torchbearers, CISOs, are combining measures to harden information-processing assets, securing the modern enterprise in a digital world. Team CRN spoke to security leaders from across the industry about their security approach and their evolving roles as CISOs.
Cover Story
CYBERSECURITY IS THE FUNDAMENTAL ENABLER OF THE DIGITAL ECONOMY
CERT-In has launched Cyber Swachhta Kendra, the Botnet Cleaning and Malware Analysis Centre. It is based on a public-private partnership model and works along with industry, ISPs and academia
By Salvi Mittal
The world has moved towards a cyber-physical-biological space which is globalised, and in this globalised era international trade, investments and technology are connected inseparably within global supply chains. Globalisation of trade and investments means that no state can manage its economy independently. Internationalisation of culture and communication using technology is encouraging the development of mass disruption and commodification. In the 80s and 90s, the global economy and cyberspace were separate; they later started to merge. “Today, the cyberspace is overlapping the social, technological, psychological and economic domains. The intersection of these four domains demands availability and accessibility and at the same time, safety and security,” Sanjay Bahl, Director General, CERT-In asserted at the recently held Express Technology Sabha in Kochi.

Today, the majority of data resides with private organisations. Bahl defined the ecosystem as volatile, uncertain and ambiguous, and explained what that means from a security perspective. “It is volatile, because there is a large attack surface, there is an emergence of vulnerabilities with no patches available. It is uncertain as the users have no idea – where do the assets and data reside. Implementation of new technologies in the existing infrastructure is creating complexities. The capacity building, the skills required in building this new digital era – will we be able to provide those skill sets or create new digital divides,” remarked Bahl.

By 2020, the value of personalised data will be 1 trillion Euros, he quoted from research by the European Commission. As this trend grows, there will be an increasingly growing conflict between the value of data and individual privacy. Cybersecurity is the fundamental enabler of the digital economy and hence there is a need to have trust and confidence in the digital infrastructure and devices. Bahl points out that India is transforming itself into a digital economy built on three key areas – digital infrastructure as a utility for every citizen, governance and services on demand, and digital empowerment of citizens. The country is dependent on digital infrastructure and devices, which are under sophisticated attack every day. These cyber attacks have evolved from disruption to destruction. The attacks erode users’ trust, and the cost of attacks has increased by 50 per cent in the last few years. “Considering the last quarter of 2018, victims paid an average of over US$ 6,700 as ransom, and it is assumed that these ransomware attacks will happen every 14 seconds in 2019. The global damage that is caused by cyber attacks is estimated at three trillion dollars annually. Whereas, the aggregate damages caused by natural disasters like hurricanes, floods, etc., all put together are estimated at US$ 306 million,” he said. Bahl further highlighted statistics from a recent report: 34 per cent of business executives perceive information security as a key driver of competitive advantage, and 32 per cent of businesses perceive it as an enabler of business efficiency.

CERT-In responds to cyber incidents rapidly; it also monitors organisations, issues vulnerability alerts, and so on. “We provide cyber assurance, which is the fundamental process required to manage the operational risk and technical safeguards. We are offering cyber intelligence at a macro level,” he said. In a world with diminishing geographies, the industry needs collaboration and co-operation to move forward in this cyber journey. He went on to discuss the challenges that CERT-In faces with high volumes and pressures. In 2015, CERT-In was looking at co-ordination and response activities every 10 minutes; now it is every two-and-a-half minutes, he explained. CERT-In conducts table-top exercises, where it gives hypothetical situations and asks the participants to react as the situation unfolds. The organisations are given a situation where they have to co-ordinate within and outside their ecosystem. It also organises awareness programmes for board members, in order to educate them on cybersecurity and on how they can support their CISOs and the organisation from a security perspective. He further said that CERT-In is also looking at situational awareness, in order to detect and respond to intrusions into digital infrastructure.

CERT-In has launched Cyber Swachhta Kendra, the Botnet Cleaning and Malware Analysis Centre. It runs on a public-private partnership model and works along with industry, ISPs and academia. Under this centre, CERT-In identifies devices that may be affected by botnets and provides free tools to clean up the systems. Since CERT-In is only aware of the IP address and doesn’t know who is sitting behind the infected IP, the ISP alerts the organisation about the infection. Industry provides free tools to clean the system and academia provides research on new cybersecurity trends. Today, over 200 organisations are connected to Cyber Swachhta Kendra. CERT-In has also introduced National Cybersecurity Coordination for situational awareness, which provides a detailed or macro-level view for agencies to work together on the same platform. Thus, the role of the government is to provide a wide spread of e-governance services that can defend against attacks, safeguard the social and cultural fabric of society, incentivise the industry for cyber practices, and understand the risks associated with technologies and improve the services.
Cover Story
HDFC Bank
CISO’S ROLE HAS BECOME MORE OF A CHIEF CYBER RISK MANAGER
With the digital and payment ecosystem coming up, demanding regulatory expectations around cybersecurity and growing awareness about data protection among customers, a CISO’s role has become more of a Chief Cyber Risk Manager, says Sameer Ratolikar, EVP & CISO, HDFC Bank

As enterprise environments get more digitised, how is it changing the security dynamics?
There is clearly an information explosion and revolution in SMACP (social, mobility, analytics, cloud, payments) domains by emerging fintech companies. This has resulted in a change in the security landscape – be it security trends or security threats. Some of the positive security trends include:
◗ Cyber security in banks has become a business aspect and is a part of the board agenda now
◗ With GDPR applicability and obligation, there is a clear focus on customer data protection
◗ Cyber resiliency has gained significant focus because people have realised that apart from protection against cyber attacks, detection and response are equally crucial for effective threat management
◗ Machine Learning and AI have gained a lot of momentum as the focus has moved to reduction in dwell time
◗ New areas like automation in incident response, threat hunting, aggregation of threat intelligence in a platform are becoming essential strategic tools
All these trends and the threat landscape have given a lot of visibility to the CISO's role and the function has become extremely important.
As a result, what is required now? Are enterprises up to the mark?
My view is that enterprises should develop the cyber security framework revolving around four pillars viz, Protect, Detect, Respond and Recovery. Each pillar further would have a list of controls. This framework would break down the siloed controls and give good visibility over the cyber kill chain. This has to be backed by adequate organisation structure and a strong governance and measurement around it. I have seen the focus is clearly on cyber security risks like credit risk, market risk, etc.

Often, it is said that enterprises are failing to follow standard security hygiene. Can this be seen as a consequence of digitisation?
I would not like to generalise the gaps; but these processes are extremely crucial to manage cyber threats effectively. When we recollect the WannaCry and NotPetya incidents, we can see they were mostly successful in organisations where patch management either wasn't designed or executed properly. In addition to these processes, inventory of authorised software and hardware, privilege ID monitoring, vulnerability management, password management are also crucial. Budget is also an issue when the case is not presented in simple language, but contains technical jargon. The information security budget should be proposed in business language to the board and senior management.

Are people still the weakest link?
These days, hackers are targeting employees by sending a spear phishing mail, making them click on a malicious attachment and planting malware on their machines. Once the malware is planted, it carries out lateral movement and captures credentials. When identity has become the perimeter and we are living in a hyper-connected world, social media and other channels can create a data leakage issue if employees ignorantly upload any classified documents pertaining to their organisation. Employee awareness on compliance with the security policies and usage of technologies is crucial to ensure a holistic and effective cyber security programme.
Cover Story
Axis Bank
THE ECOSYSTEM HAS TO COME TOGETHER TO PROTECT EACH OTHER
In case an incident happens in one part of the system, the partners should be willing to share the same with the entire ecosystem. This process needs to happen seamlessly, says Ashutosh Jain, CISO, Axis Bank
By Abhishek Raval
As banks become digitally evolved, it dovetails into organisations getting more interconnected with each other; as a result, data, IP, transactions, etc., get shared using technology tools. In such a scenario, banks have to adopt a wholesome security approach to safeguard the interests of customers. It requires securing not only the organisation’s IT infrastructure but also that of the entire ecosystem. What has changed, after the wave of digitisation that is spreading fast, is the new threats which didn’t exist before. The API web getting created around institutions needs breach protection, as the digital supply chain players are highly connected. There are technical solutions available to neutralise these deficiencies. But the fundamental issue is not with selecting the technologies, but the mindset. “Some supply chain players may be hesitant in sharing any security related information updates, which may be due to various reasons, however, information sharing and collaboration is the key. In case an incident happens in one part of the system, the partners should be willing to share the same with the entire ecosystem. This process needs to happen seamlessly,” says Ashutosh Jain, CISO, Axis Bank.

Communicating with the board: Keep it simple
The Board understands the need for strengthening the security system at all levels. The need for strengthening IT security has never been an issue. “The Board understands the requirements. CISO’s prioritisation and what delivery matters the most. Generally the boards of all financial institutions are concerned about the readiness of their respective companies. Board members are curious about the time frame required to plug any cyber security gaps, as general breaches are made known in the media or otherwise. In such cases, it is better to avoid communicating the technical complexities and keep it simple for Board and top management briefings,” states Jain. “The plethora of emerging technologies are now so advanced that the real challenge lies in understanding and dealing with the complexity of the emerging technologies and the risks germinating from them,” adds Jain.

Changing role of CISO
CISOs should continue to remain technically focused and keep up to speed with the organisation’s business topology. Some of the skillsets that will be in demand in the security industry include security operations, threat modeling, and data scientists who have the knack to extract or decipher threats which are low and slow. Whenever an organisation suffers a security incident, big or small, the leadership and technical preparedness always get tested. Lack of a well-rounded understanding of these technologies may be a big impediment for the security professional in charge of such investigations. The CISO is also responsible for continuous monitoring in organisations. CISOs should move the needle from a basic risk approach to an advanced threat discovery mindset, to look for specific opportunities of data leakage and malware infection, to avoid reputation damage. Different organisations have different teams for conducting audits, which should work hand in hand with IT and the CISO to ensure alignment of priorities and hence results.
Cover Story
SECURITY RELATED VISIBILITY TOOLS WILL BE GAME CHANGERS
The importance of infrastructure protection was always there; however, visibility tools like traffic behaviour analysers, deception technologies and security analytics will be the game changers, says Rajesh Thapar, CISO, Yes Bank
By Abhishek Raval
The wave of digitisation has metamorphosed banking into an operational model that is more interactive and open, with more mediums to exchange information (Internet, mobile, APIs, etc.) than before, when physical branches were more prevalent. In the current scheme of operations, as digitisation picks up pace, identity theft is the most prominent cause of most of the breaches in the recent past, and thus managing identity-related aspects is of paramount importance, be it the identity of the host, server, IP address or even the device.

Rising cases of identity based attacks
Hitherto, the identity of the person was a natural authentication, because the transactions were happening in the branch. “With digitisation, it is very important to authenticate the sender of the traffic first, to establish if the person or the interfacing infrastructure or application component is the same as it claims to be. As organisations continue to find more value in digitisation, several novel ways are being explored to tackle the issue of these impending threats while balancing the ‘openness’ and seamless nature of conducting communication and business. Identity validation and authentication of transactions in addition to having the right authorisation checks in place has become very important. Standards and protocols will become even more important for communicating applications, devices and systems and most importantly, non-repudiable trust among all transacting entities with AAA (Authentication, Authorisation, Auditing) should be of paramount importance,” says Rajesh Thapar, CISO, Yes Bank.

In the banking delivery channels, methods of authentication have been continuously evolving over the years. Fraudsters are organising themselves to align with social engineering techniques. “In this background, it’s very important that dynamic Multi Factor Authentications (MFAs) are put in place; real-time transaction monitoring happens by putting context to every transaction in terms of the customer behaviour and to confirm behavioural trends observed in the past. This also has to be correlated with multiple channels,” states Thapar. In the organisational parlance, it becomes much more challenging. For example, in the API banking scenario, the bank trusts the server, host or IP of the corporate or partner. The authorisation, in this case, has to be calibrated on a need-to-access basis, with clients also given access on a utility-only basis. Banks should exercise limits on what and how often an API can perform, with adequate logging. Authentication, Authorisation and Limit enforcement are the three important characteristics of security enforcement in an API banking scenario.
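The three characteristics Thapar names for API banking (authentication, authorisation and limit enforcement, backed by logging) as one gateway policy check; this is an added example written for this page, not Yes Bank's or any product's code, and the partner registry, API key, address range and operation names are constructed placeholders.

```python
"""Illustrative policy-enforcement point for an API-banking gateway.

Each partner call passes three gates in order: authentication (known
partner credential presented from a trusted source network), authorisation
(operation is on that partner's need-to-access list) and limit enforcement
(per-operation call quota and per-transaction amount cap). Every decision,
allowed or denied, is written to an audit log.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import hmac
import ipaddress

# Constructed partner registry (hypothetical values). Real deployments would
# use mTLS or signed tokens; a shared API key keeps the example self-contained.
PARTNERS = {
    "corp-acme": {
        "api_key": "k-acme-0001",              # placeholder credential
        "source_nets": ["203.0.113.0/24"],      # RFC 5737 documentation range
        "operations": {"balance.read", "payment.create"},
        "calls_per_window": {"balance.read": 60, "payment.create": 5},
        "max_amount": {"payment.create": 50_000},
    },
}
WINDOW_SECONDS = 60  # sliding window for the "how often" limit


@dataclass
class Decision:
    allowed: bool
    stage: str    # "authn", "authz", "limit" or "ok"
    reason: str


@dataclass
class Gateway:
    partners: dict
    audit_log: list = field(default_factory=list)
    # (partner, operation) -> timestamps of calls admitted in the window
    _calls: dict = field(default_factory=lambda: defaultdict(deque))

    def handle(self, partner_id, api_key, source_ip, operation,
               amount=0, now=0.0):
        """Evaluate one call and record the outcome; returns a Decision."""
        decision = self._decide(partner_id, api_key, source_ip, operation,
                                amount, now)
        # Adequate logging: who, from where, what, how much, and the verdict.
        self.audit_log.append({
            "ts": now, "partner": partner_id, "src": source_ip,
            "op": operation, "amount": amount,
            "allowed": decision.allowed, "stage": decision.stage,
            "reason": decision.reason,
        })
        return decision

    def _decide(self, partner_id, api_key, source_ip, operation, amount, now):
        partner = self.partners.get(partner_id)
        # Gate 1: authentication. Constant-time compare avoids leaking the key
        # through timing; unknown partners get the same generic reason.
        if partner is None or not hmac.compare_digest(api_key, partner["api_key"]):
            return Decision(False, "authn", "unknown partner or bad credential")
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in ipaddress.ip_network(net) for net in partner["source_nets"]):
            return Decision(False, "authn", "source address not trusted for partner")
        # Gate 2: authorisation, calibrated on need-to-access per partner.
        if operation not in partner["operations"]:
            return Decision(False, "authz", f"{operation} not granted to partner")
        # Gate 3a: how often. Drop timestamps that fell out of the window.
        window = self._calls[(partner_id, operation)]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= partner["calls_per_window"][operation]:
            return Decision(False, "limit", "call quota exhausted for window")
        # Gate 3b: how much. Only operations with a cap are amount-checked.
        cap = partner["max_amount"].get(operation)
        if cap is not None and amount > cap:
            return Decision(False, "limit", f"amount {amount} exceeds cap {cap}")
        window.append(now)  # admitted calls consume quota; rejected ones do not
        return Decision(True, "ok", "allowed")
```

The audit log records denied calls at every stage as well as admitted ones, which is what makes the "adequate logging" usable for detection rather than just billing.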
Robust authentication mechanisms
While authentication is important, be it through OTP, biometrics, PIN, etc., the fundamental reason why cyber breaches happen is a lack of security awareness and also gaps in primary controls like inadequate user access management, patch management, gaps in asset inventory and lack of visibility of traffic in networks, etc. This is an open invitation for hackers to intrude. “If we don’t know the inventory, where the hosts are, how will the assessment and risk mitigations be complete? For example, Privileged Identity Management (PIM) will not be managed well in the absence of a correct inventory of hosts and identities,” says Thapar. Moreover, financial institutions should map their crown jewels, i.e., the core infrastructure, and periodically review the adequacy of controls. Once the infrastructure is properly documented and designed, appropriate controls have to be put in the right place. Systems have to be under regular patch management, scanned periodically, and user entitlements reviewed so that access is commensurate with business need only. The movement of internal traffic has to be tracked too, to check for any aberrations. For example, a User Entity Behaviour Analytics (UEBA) tool profiles entities and employee access behaviour and helps in protection against insider threats.
Prevention is important, but detection is paramount
From a CISO perspective, prevention is definitely important, but detection is also very important because the sophistication of attacks has now reached a level where it may not be practical to prevent all cyber threats. “The point is, when these controls are breached, what is the visibility layer, in order to track the hacker,” says Thapar, stressing that while prevention is important, detection holds more importance, because the hacker will someday be able to sneak into the system. It’s important to have the right tools to track and trace the traffic. “CISOs are trying to get a handle on the ‘unknown-unknown’ problem, for which prevention controls may not be feasible. This can be done by certain improvements in the technology eco-system or process improvements, which can be as follows: Hitherto, there was talk about network segmentation. Time has come for application segmentation, which allows the app to talk to only certain components, rather than have a flat conversation scenario, where all the servers are talking to each other. This micro segmentation is being enforced, but it may still not mitigate against all threats and detect what is not fully prevented,” says Thapar.

Apart from the Security Information and Event Management (SIEM) tool, usage of big data analytics and big data lakes is also picking up. While SIEM helps to monitor and analyse data traffic in real time and may extend up to a few hours, big data analytical solutions can pick up trends from old data which normally wouldn’t have been observed in traditional SIEMs. Security vendors are now integrating AI and ML into these solutions, which enhances visibility in the IT infrastructure. Additionally, deception technologies can be used to name fake assets as crown jewels, e.g. the fake identities can be named as an Active Directory or a SWIFT server, which might lure the hacker into attempting to access the system. The importance of infrastructure protection was always there; however, visibility-led tools like traffic behaviour analysers, deception technologies and security analytics will be the game changers. Thapar is of the view that the detection leg will have to be beefed up by CISOs, followed by a fitted response and resilience strategy. Orchestration tools will play an important role in responding to an attack in a timely manner, such that the damage is contained and genuine traffic is still allowed to operate wherever feasible. However, this requires the right thresholds underneath to operate in the way it is supposed to under the given circumstances.
Customised training
Owing to rapid digitisation today and the underlying interconnects, following the usual compliance ordinances and securing systems and infrastructure alone is not enough. Adding a ‘human element’ to the equation is very important. The idea that the problem is universal in nature and needs to be addressed with a sense of shared responsibility across functions, teams and individuals is being taken up as a part of change management exercises within organisations and ingrained in their core strategy and organisational culture. Most organisations today have a top-down approach to managing cyber risks, and organisation structures are evolving fast. In addition to making employees ready to tackle future risks, Boards are also being upskilled to respond better, and organisations are open to having at least one specialist Board member. It is also becoming increasingly important for organisations to align the business unit, the technology function and the security team. IT projects are being designed and implemented with security built in from the beginning and not as an afterthought. With most organisations clearly demarcating the roles of CISO and CTO, conflict of interest is contained and consequently risk. Increasing focus from various regulators is also ensuring that organisations evolve to take these threats seriously.

Commenting on this, Thapar says, “Organisations must build their risk frameworks around the three pillars of People, Processes and Technologies (PPT). Awareness within the organisation must be of paramount importance. People should be as much a part of the process as are security systems and formal information security governance mandates. Continuous training to apprise employees regarding organisation, function as well as individual-level threats should be undertaken.” Secondly, businesses need to ramp up processes to counter risks. The risk appetite of the organisation needs to be well documented, in addition to having a robust remediation plan in place. The focus needs to be on primary controls – have good asset management practices, logical access controls, network segregation, anti-APT, malware protection, etc., and make awareness a priority, not just within but also among customers. Back up this process with proper secondary controls in order to supplement the primary controls. Deploying the right tools is essential too; for instance, having multi-factor authentication to prevent breaches and implementing constant context-aware transaction scrutiny for early detection and warnings. The PPT framework implemented needs to ensure that organisations are well-equipped to identify and mitigate cyber risks as proactively as possible.
Cover Story
CISOS SHOULD THINK STRATEGICALLY AND ALIGN BUSINESS PRIORITIES WITH SECURITY
In the light of the changing technology landscape, it’s very important for CISOs to adopt a particular security framework. This will instill a basic information security discipline among the various stakeholders in the enterprise environment, feels Uday Deshpande, Group CISO, Larsen and Toubro
By Abhishek Raval
The barrage of evolutionary concepts like blockchain, AI, etc. is enhancing the efficiency and productivity of the organisation. In parallel, these digitisation initiatives are also bringing along challenges on the security front. It’s becoming challenging for CISOs to protect the content that is getting exposed online, because of the multitude of data streams generated by digitisation. Most organisations are moving towards a perimeterless environment, which is blurring the boundaries between the company’s internal and external environment. The data, both structured and unstructured, is getting exposed online. Information Security (InfoSec) professionals are finding it increasingly challenging to secure this information in the absence of effective discovery and classification machinery. The regulatory environment is also active, and the data protection law, which has many similarities with the GDPR, will also make it challenging in terms of identifying personal data and then giving adequate protection layers to specific information such as sensitive employee and customer data. At this juncture, when there is a shadow IT environment because of the increasing scope of interconnectivity between different digital platforms, it is becoming difficult to get visibility of the data: where it resides, in what format and who is the custodian. The adversaries are also becoming very sophisticated. “The last year belonged to ransomware. This year, many instances of hacking computer systems for coin mining have been reported. Coin mining doesn't cease company operations but hampers overall productivity,” says Uday Deshpande, Group CISO, Larsen and Toubro. So what is becoming important for CISOs? Agility to detect and respond to these incidents. The key is to reduce mean time to detect (MTTD) and mean time to respond (MTTR) to the best extent possible, so as to reduce the impact of the incident.
Importance of a base level security framework
In the light of the changing technology landscape, it is very important for CISOs to adopt a particular security framework like NIST, SCIPC, ISD, Information Security Forum, ISO 27001, etc. This will instill a basic information security discipline among the various stakeholders in the enterprise environment. The discipline should be measured and maintained on a sustained basis. Some of the important domains of information security (end user, network, software, internet) should have stringent controls, and organisations, as a part of the security framework, should have mechanisms to measure the effectiveness of the controls put in place. The need is also to improve upon the existing practices on a regular basis. “The most important aspect is not to have these practices being conducted as a routine task, for the sake of compliance and just to tick mark the doables, but to implement, embrace and measure them in letter and spirit,” says Deshpande. It is found in many organisations that in spite of having acceptable usage policies, many executives ask for exceptions. It is important to have a dedicated arrangement for such cases. It should be clearly communicated to the executives that the exception will be given, but only with the caveat that the data flow on their device will be monitored. Unless these policies are clearly communicated and adhered to, people will continue to make mistakes, whether advertently or inadvertently. Thus the primary role of the CISO in the organisation is to review the effective implementation of information security policies. CISOs should measure, improve and report the findings to the management through risk governance.
Create your own framework
Deshpande also suggests that CISOs create their own framework. One-size-fits-all frameworks might not be possible or give the desired results. “The CISOs should pick only those controls which are really applicable and fit the company’s requirements. The relevant requirements from different frameworks, like NIST, ISF and ISO 27001, etc., should be collected and put together into the customised framework and implemented, in the best possible way in an automated manner, which very well fits the requirements of engineering industries,” he says. The reason is that the sites of engineering industries are at times located in remote areas. There is hardly any technology involved and thus monitoring them becomes challenging. In these scenarios, automation helps. Moreover, it also helps in actively measuring the different parameters of that site over longer durations and with complete accuracy. Otherwise, there are chances of the local officials fudging the data. The key is to measure the effectiveness of the customised framework. “You can only mature what you have measured and acted on for improvements,” states Deshpande.
IT security budget
These frameworks call for technology tools, which have costs involved. CISOs might not always get the required budgets. “A few years back, the budgets were incident driven. An information security breach incident would probably help in getting budgets approved. However, over a period of time, information security has gained mind share because of personal breach incidents like credit card frauds, Facebook related breach incidents, email phishing, etc. There is much more acknowledgement of the potential damage these incidents can have on organisations too,” says Deshpande. This wasn’t the case earlier. The board wasn’t taking information security seriously and nobody was interested in talking about the threat. The CISO is now getting ample support from the board. This applies not only to the IT security budget but also to getting the related manpower. The visibility of the CISO and the InfoSec department is increasing in the board and as a result, budgets are generally available with adequate reasoning. The main challenge for the CISO is to justify the budget asked for. The best way is to measure the cost of the incident and justify the budget. The other considerations for CISOs include the selection of technologies. There are a plethora of options available at the end user, network, periphery and cloud level. The key is to combine the right set of technologies so that they work in synergy. For example, if there is a breach at the laptop level, the information should be shared automatically at the network level and with the required firewalls to block similar traffic.
Inculcating a culture of security
Security is 20 per cent technology and 80 per cent human. Before any new technology implementation, security has to be thought of at every stage of the process: designing, testing, production, etc. Every user in the IT chain is a key stakeholder in security. Without diluting the importance of technology tools, the human aspect of information security is crucial. Without the active and alert participation of employees, customers, etc., organisations will keep on suffering from cyber attacks. Generally, it is found that there are many instances of requests from key employees, and in some cases from senior management, for USB access and access to social media sites and email sites, which may ultimately infect the systems. Similarly, if a developer introduces a cross-site scripting or SQL injection vulnerability because of not following a disciplined approach, it may lead to a site crash or a data exfiltration attack. A discipline has to be strictly followed that code should not go into production without testing. An end-to-end secure SDLC has to be followed and practiced. It is important to mention that security is always top driven and the senior management should act as role models. (The views expressed in the article are personal and should not be considered as representing the views of the company)
SBI General Insurance
‘A CISO SHOULD ACT AS A CRITICAL BUSINESS PARTNER’ Prashant Dhanodkar, CISO, SBI General Insurance Company, gives his views on the evolving role of security professionals in the new digital world By Salvi Mittal How is the new digital era impacting the role of CISOs? In today’s digital environment, corporates are aiming to achieve strategic business goals with extensive use of technology. A CISO can no longer stay in merely a conservative and denial mode; the role demands a CISO to be a critical business partner, an enabler, and to incorporate more responsibilities within the organisation. My part at SBI General is to collaborate with the business, support each initiative with the appropriate cybersecurity controls and be a security mentor for the business verticals. I provide them a clear understanding of security goals and organisational risk management objectives.
How can CISOs stay ahead of cyber risks? A CISO is required to revisit and refresh security policies and ensure they are up-to-date for new technological advancements and regulations like GDPR, the Indian Data Protection Act & DISHA, etc. A CISO may strengthen the incident response plans and ensure compliance with global standards. The organisational security programs are to be aligned with security frameworks like NIST, ISO, SANS, or PCI DSS if they are not yet aligned. In addition, CISOs are required to be fast and furious learners with a huge appetite; this would help in quick understanding of the emerging technologies, followed by a fair assessment of the cyber security risks associated with those technologies. In the longer run, every modern technology will catalyse business growth if the coupled cyber risks are addressed appropriately. For instance, two/three years back, the cloud became the buzz word. Cloud adoptions were initially mired due to security myths. Over a period, organisations and the CISO community learned the cloud models, the security features offered by cloud providers and the segregation of responsibilities between cloud customer and cloud provider. Today, cloud providers offer a very aggressive and robust security foundation, which is much better than traditionally built in-house security capabilities. Had the cloud technology been understood quickly, the initial time could have been well utilised in leveraging the cloud value offerings which come with enhanced security.
How are you mitigating the risks, and linking it back to the business benefits? A threat source is an actor in cyber parlance. A CISO needs to play the role of a resilience officer for the organisation. A resilience officer is required to mitigate the risks by countering those threat sources. CISOs should work with the objective of converting the cyber security department into a profit center. The visual demonstration of revenue saved by successfully defending against an attack would be helpful for a CISO.
How real is the security skills gap? The cybersecurity skills gap is a much debated topic today at every possible forum; however, one must understand at what level it exists. In a country like ours, a vast number of engineering/technology graduates are supplied to the services industry every year. Junior security professionals are full of energy and do have an appetite for learning. Most probably the industry is lacking senior overarching leadership with the right business acumen who can put multiple pieces together to create a robust cyber ecosystem.
Canara Bank
HOW A CISO CAN PLAY IT SMART Jagmohan Singh, CISO, Canara Bank describes how digital transformation is happening at a rapid pace and the various ways for CISOs to smartly navigate through the many tough challenges By Rachana Jha
CISOs today are required to smartly formulate policies and undertake the information security vision, duly keeping in mind the infosec strategy as per the industry risk perspective, global risks at that point of time, business strategy as well as the regulators’ perspective, while tracking the balance between risk optimisation, business realisation and resource utilisation. “Though the challenges are many, I would like to discuss a few top pain points which disturb every CISO in the current environment. Firstly, most of the intelligence feeds come in the form of bad IPs, hashes or URLs; the same are not sufficient and are very deceptive. Hackers are seen to adopt various techniques to manipulate and bypass such feeds and are able to dig deep into the organisations’ network. Over and above, in case of fileless attacks or in-memory execution of malicious code/scripts along with legitimate or whitelisted processes, there is a need to consider some different approach which can provide proactive intelligence for timely detection and quick remediation,” says Jagmohan Singh, CISO, Canara Bank. The second biggest challenge is to establish a connect between SOC teams and Red teams. SOC teams need to holistically consider the results of penetration testing or red teaming for the improvement of IOCs/use cases. However, there is a disconnect between the two, which is the major cause of weaker controls cropping up and subsequent compromises, as is seen across the industries. “I feel a purple team concept should be made mandatory for better exchange of information and well-defined collaboration between the two teams in the interest of matured monitoring, early detection and quick reactions,” states Singh. The third challenge, according to Singh, is the lack of skilled cyber security professionals.
Robust IT security
“Apart from following the best practices, correlation of intelligent information from different sources within the organisation as well as external/commercial intelligence feeds plays a very crucial role in deriving a robust security posture for any organisation. In fact, apart from preventive controls, detection and response is the ‘mantra’ in current times. However, certain best practices of utmost importance include keeping the security patches updated, following a defined SOP for updating patches whether they are OEM or SI (temporary patches), and, when patches are received through mail or remote methods, a system to ensure their authenticity including approval to apply (using checksums etc.),” he informs. Awareness is going to play an important and deciding role in days to come. “We should understand that hackers follow the principle of least resistance. As such, instead of trying time consuming attack vectors, perpetrators are more than happy to use our people for executing what they want. Thus, the spending on creating awareness and trainings on security issues and best practices in infra, coding and development, etc., should be considered as a major strategic investment,” he says.
Trends in digitisation business
While various technologies are making an impact on the way organisations function, Singh feels there are a few technologies which may see larger penetration and amalgamation with the digitisation of businesses. “AI is the one which has already started making its way in productivity. With AI for the future, I mean to say augmented intelligence assisting humans in creating user interfaces, automated decision based intelligent triggering of actions and analytics. Further, we can see a greater merger of AI and IoT,” he remarks.
GE India
CISOS ARE GOING BEYOND TRADITIONAL RESPONSIBILITIES Bithal Bhardwaj, Group CISO - Global Regions, GE India discusses the key aspects that CISOs need to ensure in order to secure an Industrial IoT (IIoT) environment By Salvi Mittal How are emerging digital technologies impacting the role of CISOs? I would like to call the emerging technologies in Digital the A2E suite. These technologies are artificial intelligence, Big Data, Conversational Platforms, Distributed ledger and Edge computing. All these technologies not only hold tremendous potential to disrupt or transform current business models but also operate in the same realm of high volumes of data. In this globally connected data-centric world that is fueled by innovation and agility, both CISOs and regulators have an increasingly challenging job to protect the interests of consumers, businesses and the state itself. It is this ‘data’ that is driving CISOs to continuously calibrate their approach on one side and driving regulators to define data protection legal tools on the other. Continuous media coverage of emerging technologies and cyber incidents has ensured that business leaders are well aware of the impact of cybersecurity on achieving business goals and reputation. That has led to CISOs going beyond their traditional responsibilities, and they are now playing an active role in guiding the decision making process of digital businesses.
What are the key challenges for a CISO today? Data breaches continue to increase across the industry, digital threats now have physical consequences, attack vectors are getting sophisticated and the list goes on. But one key challenge that is standing out today across the industry is the legal and regulatory environment getting complex across most major economies in the world. New cyber laws and guidelines to protect citizens’ PII data and CII data across sectors are at different stages of development or implementation maturity across different countries, with many countries poised to control or restrict cross-border data transfer for certain data types. For global companies falling under multiple jurisdictions, it means increasing data localisation and protection costs and data liability considerations.
How should CISOs design or plan for a secure IoT infrastructure? IoT, simply put, are devices with human-like senses or beyond in many cases, that are connected and may have intelligence to help life or processes become easy and intelligent. IoT generates data that can be deemed sensitive and can be manipulated if not secured, to cause disruption or damage of varying degrees. If such IoT devices are part of critical infrastructure or constitute PII data in any organisation, then they are likely on the radar to protect, both for regulatory compliance and from an organisation security posture perspective.
Can you tell us what are some of the key things that enterprise practitioners need to prepare to roll out a secure Industrial IoT (IIoT) environment? Unlike traditional data breaches, where it is mostly about sourcing and selling stolen information, cyberattacks on industrial and critical infrastructure are often motivated by malicious intent to disrupt operations, which can place people, property, or the environment at risk. Many, however, remain unfamiliar with this intensifying risk landscape and/or lack insight into how to apply cyber security practices, especially within the OT or IIoT that run large factories or critical infrastructure. Some of the hygiene preparatory actions that practitioners must adopt include understanding the differences between enterprise IT and OT environments from an organisational, operational, and architecture standpoint.
Godrej Industries
‘WE HAVE A WELL-DEFINED INFORMATION SECURITY GOVERNANCE FRAMEWORK’ V Swaminathan, Head - Corp Audit & Assurance, Godrej Industries, discusses the security framework in the group, and highlights how India's first Data Protection Law will be impacting them By Salvi Mittal Please provide the information security overview at Godrej Industries At Godrej Industries, we believe that information security can be achieved as a result of collective efforts between business, IT and the information security team. Support from the top management is crucial when it comes to establishing an effective information security framework. We have a well-defined information security governance framework with definite roles and responsibilities across each business unit.
What are the possible challenges in your industry and how are you mitigating the same? In the manufacturing industry, information security is not highly regulated as opposed to that in the financial and banking industry. Accordingly, a lot of effort has to be invested in convincing the business for the implementation of any new security initiative. To tackle this, we periodically present updates on the information security threat landscape and the corresponding solutions, which are followed by constructive discussions pertaining to the value delivered by the solutions, post which such initiatives are taken up for implementation. Also, in the manufacturing industry, implementation of information security controls at a factory setup is challenging. The workforce at the factory setup is more operational in nature and so there is an inherent gap in the requisite information security skill set. To bridge this gap, we conduct periodic information security trainings at the factory sites and also conduct assessments to verify the design and effectiveness of these controls.
How do you fit security within your corporate culture? While an organisation can have all the advanced tools and monitoring mechanisms in place, information security initiatives can be effective only when the people recognise and acknowledge their responsibility towards it. We try to implement measures so as to create an all-inclusive information security organisation. We have a defined code of conduct, which is signed off by employees at the time of onboarding. We conduct regular awareness sessions on the changes in the information security landscape, its impact on organisations and how as employees we can be mindful of risks.
How will the new data protection law affect you? We give high importance to customer data privacy and the upcoming data protection laws will help us instill the same in our culture. We initiated the discussions and comprehensive assessments of our data protection framework. We perceived this not just as a compliance requirement but as best practice, and accordingly we implemented these controls not only for our European customers but for Indian customers as well. So by the time the Indian data protection bill was introduced, we already had some of these internal controls implemented.
ENSURING POWERFUL AND MULTI-LAYERED SAFEGUARDS To comply with GDPR, VFS Global has implemented a 13-point privacy framework that enables the company to operationalise the requirements of the GDPR, and measure compliance with it. Barry Cook, Privacy and Group Data Protection Officer, VFS Global, gives the details By Salvi Mittal
A data protection officer is an independent governance role that manages a company’s compliance with the existing data protection laws of the land in which the company operates. It is not part of the operational teams and has a reporting line directly to the highest level of management. Barry Cook is Privacy and Group Data Protection Officer at VFS Global, who is accountable for ensuring that the company handles the personal data of visa applicants and its employees in a manner that is compliant with the law and also with the company’s own internal data protection policies, to ensure that the privacy of this data is maintained at all times during its life-cycle.
Data privacy overview
As a company, VFS Global operates across over 140 countries and handles large volumes of applicant information (for visas and citizen services). The company is one of just 35 per cent of global companies that are GDPR-compliant (as per a Talend report published in September 2018). This means that they are complying with the demanding standards set by the various aspects of the European data protection regulation, which came into effect in May 2018. Similarly, they are compliant with the data protection regulations of all countries they serve and operate in. Modern data protection laws seek to find a good balance between the rights of the individual and the interests of organisations that process that data. Putting personal data processing in a robust and workable data protection and privacy framework is a high priority at VFS Global. "We have in place complex, robust and multi-layered safeguards at the digital (server infrastructure) and physical (at our Visa Application Centres or VACs) levels so that the high standards set by GDPR form the global baseline for data protection," says Cook. In order to stay updated, they also monitor the development of data protection laws in the countries in which they operate. This way the company can be proactive in ensuring that it stays compliant with new laws, as well as ensuring that the processes are effective and don’t result in an increased administrative burden at the VAC level. Even before GDPR, the company had always had strong information security practices in place, with robust frameworks for handling data and an existing compliance-driven culture, as per the strict requirements laid down by client governments. "To comply with GDPR, we have implemented a 13-point privacy framework that enables us to operationalise the requirements of the GDPR, and measure compliance with it," he adds. Cook further explains by giving an example, “We put in place various processes for receiving consent from applicants for storage of their personal data, online and offline. Extensive training of our staff has also been part of our preparations. Many companies are looking at GDPR compliance as a means to strengthen their data and privacy norms, and naturally so, since this new era of data regulations heralds a data revolution.” In the last few years, the conversations around data protection and data privacy have underscored a better understanding of the core philosophy of management of personal data. It is important to remember that organisations simply ‘borrow’ an individual’s personal data for the purposes of performing a task. No more than that specific task. “The best-case scenario for allowing flexible transfer of data, while also ensuring the security of personal data, is based on the standard of ‘adequacy of transfer’. This means one country or organisation must determine that another country or organisation has sufficient data protection safeguards to ensure that the rights and freedoms of individuals travel with their data. Once the country or organisation is satisfied that the destination country has adequate safeguards in place, data can be transferred easily. Clearly, this must be underpinned by the capability of national data protection agencies to be able to perform checks of compliance and to be able to take corrective or punitive action if required,” mentions Cook.
Mitigating security challenges
As the world’s largest visa service provider that handles sensitive information of millions of applicants in more than 140 countries, for 61 client governments, it has always been incumbent on VFS to put rigorous data security checks in place. "As such, in terms of technical and organisational measures for data security, we were already at an advanced level even before the GDPR – having attained ISO 27001 certification for Information Security Management Systems, our IT teams were well aligned with operating with strict controls. We also utilise sophisticated cyber security and threat detection tools as the nature of our business demands this," he reveals. An important aspect of data privacy controls is ensuring that employees across the global operations are adequately sensitised to the context and necessity of the protocols. So the company had to initiate a global internal awareness campaign to explain the basics of data privacy concepts to employees, and this greatly facilitated the adoption of the data protection processes and procedures that followed. Large organisations that are attempting this for the first time may find this a challenging task, but it is an essential one, believes Cook.
Strategic approach
Data breaches are an expected risk to any organisation that is processing personal data. Therefore, it is vital to have in place both technical and organisational measures that detect, mitigate and recover from a data breach, such that the risk to the personal data involved is minimised. "At VFS Global, we use some very sophisticated detection tools that alert the security team of a potential incident. However, technology can only go so far and we recognise the value of the human element when it comes to data breach prevention. We encourage our employees to be very vigilant about risks which might manifest themselves at any time," he states.
Impact of AI
Artificial Intelligence (AI) is the latest trend in data processing and as such has the potential to greatly change the way in which visa processing is performed. “That said, we have to look at just how AI-based processes will take decisions. One of the fundamental tenets of AI is that the algorithm ‘learns’ from each decision made. A classic example of this is VFS Global’s first digital employee ViVA, the first-ever chatbot in the visa services space. ViVA offers applicants round-the-clock support for visa queries, akin to any highly trained customer support executive. In effect, AI has to go to school to learn how to make decisions that are fair as well as ethically and morally correct. This is where the privacy professional has to ensure that privacy by design is built in from the very start,” he explains.
Genpact
SECURITY IS A KEY ENABLER FOR DIGITISATION Ramchandra Hegde, Vice President, Global Information Security, and IT Compliance, Genpact explains how the CISO's role is multi-dimensional and the type of risks they face What are the challenges faced by CISOs on the InfoSec front? While the specifics will vary by industry and company, the CISO’s role is multi-dimensional, having aspects spanning strategy, operations and execution, risk management and regulatory compliance. CISOs have to understand an organisation’s business objectives and imperatives, its risk appetite and threat and regulatory landscape, and accordingly build and run a program, which involves influencing and orchestrating a number of moving parts across the enterprise – all in an environment of rapidly evolving threats, technological changes and ever increasing digitisation. Additionally, having core internal security capabilities is a requirement for most organisations, and in the current situation with demand far outstripping supply, getting and keeping the right talent is a big challenge.
In the digitisation era, can we say that security is foundational and acts as a key enabler? Security is foundational and is a key enabler for digitisation and for helping organisations build digital trust with their customers. First, core hygiene practices, e.g. vulnerability management and identity and access management, are critical and are baseline measures. Second, security controls specific to cloud hosting (configuration management and visibility) and digital asset security (dynamic and static testing) need to be in place. Finally, newer concepts relevant to cloud and digitisation (containers, DevOps, IoT) need to be understood and appropriate security controls designed and integrated.
Please share some best practices to be followed to maintain a robust IT security posture There is no silver bullet. While the latest advanced technologies and tools get a lot of attention and are required in some cases, there is no shortcut to following the basic principles and getting core hygiene in place across the key pillars of security: people, process, technologies, and partnerships. Also, while there is a lot of focus on acquiring security technologies, deploying them optimally and utilising their capabilities well is essential to realising the benefits. Security is also a risk management function, and it is imperative to have the lens of risk and weave that into security processes.
How important is awareness, as a good number of breaches happen due to insiders not following the security hygiene practices? Again, a foundational element of security is people. There is also a distinction between being aware and a true behaviour or culture change – e.g. one might be aware of good practices yet not follow them if it is too difficult or they have not fully internalised the risk. Thus organisations should look beyond just awareness as in broadcasting good practices. Good design of systems and security controls and the usage of “nudges” (concepts from behavioural economics) are examples of how an organisation can be more effective in this area.
What is your view on IT budgets? Are CISOs getting enough? With the increasing broader awareness of the threat environment, the impact of breaches and destructive attacks, and penalties under laws and regulations, I would think most organisations would understand the criticality of information security and support it with appropriate funding. Getting funding is only one dimension though; if, for example, the technologies procured are not adequately utilised, the desired outcomes will not be met. Also, integrating security into processes and creating a security culture are other critical aspects which must be addressed to get security right, so aside from funding, management needs to ensure there is broader overall support and sponsorship for the program.
Do CISOs have a say in board meetings? Given its criticality to businesses, information security is definitely an area for Board oversight, and while the specifics of which Committee(s), topics covered, frequency, etc., will vary by organisation, the CISO has an important role in ensuring the Board is apprised of the company’s infosec posture and addressing questions they have.
Cover Story
Max Bupa Health Insurance
‘INFORMATION SECURITY IS A JOURNEY AND NOT A DESTINATION’ Satyanandan Atyam, Vice President, CRO, Max Bupa Health Insurance, describes the challenges faced by CISOs, how they are mitigating the same and what are the best practices to be followed to maintain a robust IT security
Challenges faced by CISOs are manifold. To champion the information security agenda in the business organisation, the CISO should be able to bring the future into the present so that he can do something about it now. This ability to give the business visibility of a future-prepared organisation is critical. “The capability to bring the bottom-up risk assessment on the technology controls, which could help to gauge if the organisation is future ready, and convincing the management is needed. The CISOs do not get the mandate to make the organisation future ready. They struggle to get the organisation to operate with security controls as per the risk assessment of existing risks. The challenge around budget approvals for information security initiatives is a pertinent issue because RoIs for such investments cannot be arrived at. Though there have been attempts to create models around the RoI calculation, there has always been a challenge to convince the CFO organisation,” says Satyanandan Atyam, Vice President, CRO, Max Bupa Health Insurance.
Best practices
Atyam believes that information security is a journey and not a destination. There are always new challenges to meet. Executing a security strategic plan is a critical success factor for organisations that truly want to maximise their ability to manage information risk. Committing to this process takes resources and time. The best practice/baseline practices for the organisation to maintain a robust security posture are as below:
◗ Identify your crown jewels
◗ Prioritise the data which needs to be protected
◗ Determine risk appetite based on the risk assessment
◗ Implement IT controls based on the risk assessment
◗ Have review and response processes and strategies
◗ Assess the maturity of the cyber security framework and its testing methods
These should be part of the information security strategy of the organisation. “The process should also determine how each asset impacts your operations and may include financial implications, reputational damage, or loss of business opportunities. This will help in prioritisation of efforts. Firms need to be aware of what policies and procedures they currently have in place, including what solutions and controls can be added by their IT vendor to enhance their security,” avers Atyam.
Insider risk
The breach anatomy will increasingly trend towards either errors committed by insiders or a malicious insider initiating a connection to the external world. A malicious connection created from a trusted source (inside the organisation) to a malicious outsider is always effortless. This change in attack methods has made it increasingly important to build awareness among insiders, and critical to plug the backdoors of any IT footprint against exploits. “The IT organisations are not control savvy and the vulnerabilities are left open for exploits. This poor hygiene in the internal IT environments is a risk which needs to be attended to, not through an audit mechanism but through the IT function driving security as an agenda,” points out Atyam. The CISO’s budget still piggybacks on the IT budget. CISOs are still not being provided separate budgets under the ambit of the risk function. This would continue as long as the larger share of information security initiatives is the implementation of IT security controls.
Cover Story
CRAFTING THE SECURITY ROADMAP FOR INDIABULLS GROUP Businesses today are placing themselves in the firing line as they face the biggest challenge of cyber security. Rohit Kachroo, CISO, Indiabulls Group speaks about how he is gearing-up to meet the security needs for Indiabulls and is strapping information management solutions for data protection and regulatory compliance. By Salvi Mittal
Recent headlines of security breaches on the global horizon have outlined the importance of cyber controls. Cyber attacks pose a silent threat to organisations, with huge financial damage besides killing investor confidence and denting brand image. Rohit Kachroo, CISO, Indiabulls Group highlights the focused efforts to meet the security needs of the company.
As it is said, “Data is the new oil”; how is Indiabulls matching up to the needs of data protection? Today organisations are backboned with data irrespective of their business domain; hence, it is critical for enterprises to take the utmost effort to safeguard their sensitive business and customer information, not only for sustaining their business, but also for predicting future growth while considering changing customer behaviour. Data protection has now become a mandatory element within the information security fabric for the financial sector; the obligation of data protection increases manyfold for us as we process various sensitive business and personally identifiable information. Aiming to achieve a secured business environment and fulfil the statutory and regulatory information security requirements, we have implemented a Security Operations Center and are running a vulnerability management program. We have also implemented the ISO 27001:2013 controls along with ITGC controls to comply with the regulatory requirements.
What is your security strategy overview? Various global information security surveys have discovered that the biggest threat is from employees, with either malicious intent, a casual approach or unawareness. Although we have implemented the best available security solutions, we are still focusing on educating users to lessen the chances of becoming the victim of an intrusion attempt which targets one of the weakest links in the security chain.
◗ Awareness: In this endeavour, the InfoSec team has already started an initiative named “SANKALP”, which means commitment. Under the umbrella of SANKALP, a dedicated team is functioning with the responsibility to increase security awareness across all business locations in various ways. The team has launched a cyber security awareness campaign by the name of “e-Surksha”, aiming to create awareness around cyber hygiene across the organisation. Moreover, every employee has to undergo mandatory InfoSec training through an online TMS module. Additionally, regular newsletters and mailers on important topics are published as a part of this initiative. Users are encouraged to report security incidents through various channels and are rewarded accordingly.
◗ Privacy: The cyber security threats are more potent than ever before, with employees cited as the primary risk. This trend, coupled with the expansion of data privacy laws around the world, has led to the growing realisation that robust information management solutions are must-have tools for data protection and regulatory compliance. It is only through a robust Enterprise Information Management strategy and layered, thoughtful security practices that we can protect our organisation and its data. Data privacy has become an important element within the information security fabric when it comes to fulfilling the need to comply with various regulatory and compliance requirements. Being in the financial sector, we are fulfilling all the regulatory and compliance norms of data protection and aiming to imbibe it at the grass-root level, with meeting regulatory and compliance goals as the core element of our data protection strategy.
◗ Compliance fulfilment: Strengthening the security control measures to support our business objectives, we have implemented a rights management system to gain more control over access to our organisational information.
What kind of bulletproof approach you are adopting to ensure data protection across the organisation and drive the digital strategies? No single security solution is vigorous enough to fully rely upon. To cope with the increasingly sophisticated security threats, solutions should also mature themselves enough to counter the upcoming security challenges. Scrutinising the pre and post solutions implementation scenario, we have observed that remarkable improvement has been achieved pertaining to lowering the security incidents as well as preventing the potential cyber-attacks.
How do you identify and classify the relevant data and churn it out securely? In order to execute an effective information security strategy, data classification is an essential consideration. It allows organisations to identify the business value of unstructured data at the time of creation, separate valuable information that may be targeted from less valuable information, and make informed decisions about resource allocation to secure data from unauthorised access. Successful data classification determines the security measures applied to a specific set of data, and has helped us meet the regulatory requirements for retrieving specific information within a defined timeframe. Ideally, in order to identify and classify relevant data, we take a risk-based approach, data classification and data categorisation. The risk-based approach refers to identifying and understanding the organisation’s regulatory and contractual privacy and confidentiality requirements, and then defining data classification objectives by involving key stakeholders, including compliance, legal and business leaders. Under data classification we have classified our information into four categories which are categorically defined within the policy document, which is formalised and communicated to each stakeholder at the relevant periodicity. Data categorisation depends upon the sensitivity of the business; the data is organised around business processes and driven by process owners. The nature of the customer or vendor data being collected, processed, and transacted is the determining factor for data categorisation. Data location and data flow in and out of our organisation are key considerations. For example, whether data is stored internally or externally, the cloud-based services and the devices being used are determinant factors. Considering the location of data storage, the movement of data and its classification, the protection strategy is planned. The most important aspect is understanding the potential monetary loss associated with the compromise of datasets, the expectations for safeguarding them and the type of classification level the business is willing to set. For secure churning of data, we have adopted various security mechanisms such as physical controls as well as logical controls.
Cover Story
Wanbury
MOBILE AND PORTABLE DEVICES INCREASE THE RISK OF CASUAL DATA LOSS
Jitendra Mishra, VP-Chief Information Officer, Wanbury speaks about the significance of having a proper security policy in place with clearly outlined processes. By Salvi Mittal
Please provide us the information security overview at Wanbury. Wanbury’s information security roadmap is establishing a line of defense, having a robust IT security framework, policies and procedures that begin with a secure development lifecycle. Segregation of environments is managed through policy and technologies such as ACLs and firewalls. Restrictions and safeguards are in place to ensure only those personnel and systems that need access receive the appropriate level of access to complete the task, utilising the principle of ‘Least Privilege’ as per industry best practice. Policies and processes ensure employees are capable of being effective and efficient without increasing the risk of ‘inside threat’, configuration drift, data leakage or instability of Wanbury’s services and business operations. All business operations and the company’s service infrastructure are scanned for vulnerabilities, security patch levels and potential configuration issues via specialised solutions. This incorporates daily changes to the database of new threats and vulnerabilities and allows us to mitigate quickly and reduce the risk of exploitation. We have employed security techniques such as encryption, restricting the list of people authorised to have access, and requiring strong authentication for those individuals to gain access.
What are the possible challenges in the pharma industry and how are you mitigating the same? Typically, a drug costs more than US$ 2.5 billion to develop and takes 10-15 years to bring to market, so there is a need for us to protect drug recipes and research given the richness of the intellectual property (IP). As Wanbury relies more and more on technology to conduct business, our prime focus is to strengthen IT security, particularly where we are vulnerable to cybercrime. There are key challenges like IP and regulated data that come in specialised forms. Mobile and portable devices increase the risk of casual data loss. The process of taking therapies and medicines from research through regulatory approval requires years of sharing sensitive data with physicians, clinics, regulators and partners. Drug trials gather large amounts of patient data that we treat with great care to comply with HIPAA and other privacy regulations. From insider negligence, to the absence of BYOD policy implementations, to unencrypted medical devices, to inadequate security defenses, the risks are high and the implications of cybercrime within the pharmaceutical industry go well beyond the obvious financial damage. It can also impact consumer trust in the business and the company’s reputation and overall stability.
Can you give us some of your best practices adopted for people, policy and protection? Verify, verify, verify. In a pharmaceutical company, there are many people involved in the development and launch of a drug. From the employees working on each phase to the patients participating in drug trials, the amount of confidential information is massive. Being compliant, is unfortunately not enough to ensure that the data is safeguarded. It takes establishing, implementing and following the right processes around people, policy and protection to support an effective security strategy. Employees are likely to use a myriad of endpoint devices in their work, including desktops, laptops, tablets and removable media. Given all of this, the need for setting who has access to what kinds of information and being able to track how and where that information is being used is critical.
Cover Story
Lupin
‘OPERATIONAL TECHNOLOGY IS NOW CONVERGING WITH IT IN THE MANUFACTURING SECTOR’
Saurabh Kaushik, Head-IT Security, Lupin, highlights how the Data Privacy Law is impacting a CISO's role and the pharmaceutical industry. By Salvi Mittal
How is the Data Privacy Law impacting your role? There are conscious efforts by CISOs across the board to ensure that the controls are well put in place and a strong governance mechanism is set up to take care of the security controls’ performance. The security controls required under the Data Privacy Law are essentially not there with most of the companies, and with cloud catching up speed, enterprises would also need to build the controls in the cloud as well. Since the law requires a lot of investment, time and dedicated focus, the regulation can be thought of in two parts - data privacy, and data protection. Legal teams may be accountable to drive privacy, in terms of contracting with vendors and how data has to be processed within the company. This is followed up with the security or infosec teams looking into the technical part and ensuring that data encryption, data leakage prevention solutions, and incident and breach management solutions are in place. The companies must shift focus towards having more governance mechanisms to ensure that these breaches are investigated and reported well in advance. Generally, we view this as the combination of legal, HR and IT teams.
How should organisations prepare themselves for the Data Privacy Law? The initial phase should start with Privacy Impact Assessment (PIA) to identify the data locations, types of data whether structured or unstructured and identify the sensitive data. Further, mapping the business functions which are dealing with these data. Moreover, working alongside the legal teams to ensure that the process part is taken care of in terms of policies and contracts.
How is privacy different this year as opposed to the previous years for the pharma industry? Consider that businesses are going towards big data and AI adoption to get the meaningful information needed to carry on business operations. A lot of these technologies are consumed through mobile applications, social media, OT and IoT, which would mean the data is no longer on our premises and could be lying anywhere. Application security solutions like Cloud Access Security Broker (CASB) play a major role in technical controls, which is new to the manufacturing sector, and the Operational Technology (OT) being used in any manufacturing setup is now converging a lot with IT. OT has always had its own set of problems, with legacy systems that are never security compliant enough, which would further call for more control implementations and collaboration with the different stakeholders. The major problem with OT security has always been that it was never under the direct purview of CISOs; it has always been taken care of by local engineering teams. The industry is exploring ways to protect and govern OT environments. By converging OT with the power of advanced computing, analytics, automation, and connectivity, OT is allowing companies to make significant operational improvements and to better compete in the modern world.
Cover Story
EMAIL SECURITY IS ONE OF THE KEY AREAS FOR 2019
Naga Mallikarjuna Rao Junnuri, CISO, Syndicate Bank, expresses his views on the present state and progress of digitisation in the BFSI sector, top trends for 2019, and how CISOs should develop themselves as influencers.
Please explain some major changes the banking sector has undergone in the last two decades. We may treat the present state and progress of digitisation as a major disruption in the BFSI sector. In a few years from now, brick-and-mortar banking may pave the way for online banking in its totality. As far as the major changes that banking has undergone in the last few decades are concerned, banks first introduced standalone ALPMs for transaction processing and continued with them nearly till 2000. Core banking solutions were launched during 2000 and the process was completed between 2008 and 2010. More ATMs were installed and card transactions increased. Meanwhile, banks offered internet banking as a product. NPCI came into being in 2009, and by 2011, mobile banking took off with the emergence of apps and the ease of use thereof. RuPay cards were launched – thanks to the impetus given by the government. Due to the role played by NPCI, there is a humongous increase in digital transactions. For example, the transactions through the BHIM UPI app have exploded and recorded a whopping transaction amount of over Rs 1 lakh crore in December 2018. The disruption started in 1991 through reforms, and the banking industry witnessed a second disruption during the decade 2000-2010. Now, we are in the third stage of this cycle of process maturity. This will continue, and we will see much more of this in the future.
What are the challenges faced by CISOs on the InfoSec front? The greatest challenge that CISOs face now is ensuring cyber security – security of web-facing systems and processes, and the critical infrastructure of the organisation. Within this, the challenge is imbibing a security culture at all levels, which includes all stakeholders. It is not easy to alter the default behaviour of employees or customers. Unfortunately, basic cyber hygiene is lacking in the industry. CISOs should develop themselves as influencers, so that others will look up to them. Another challenge is the continuous evolution of complexity in technology. Incident response in such cases is challenging due to the increase in the number of security breaches in new ways, where putting up a defence to ward off or mitigate each and every security incident is not possible.
In the wake of recent breaches, do you think there was a lack of accountability; and do you think that automation is possible? Accountability is a specific thing, limited to the incident. Sometimes, accountability can’t be fixed, particularly in the case of systemic breaches. In the wake of the sudden explosion of digital products and services, it is an overwhelming task to come out with security products to mitigate each and every attack. Residual risk is like a remainder after putting in place all the security controls. Automation is possible to a great extent. Going forward, AI and data analytics will play a major role in security operations. However, we will have technology at one end, and people, who are considered the weakest link, at the other end. Complete security is a myth and not possible in the real world.
While the wave of digitisation is shaping the future of businesses, it’s also bringing the challenge to robustly secure the very critical customer facing and the native IT infrastructure; please share your views? The digital world is moving rapidly and is challenging the security domain to keep the pace. When new digital products are launched, they certainly have a deadline for the launch. During this stage, security takes the backseat. Then over a period of time, security solutions are put in place. Even AI takes some time to self-learn and secure; the initial period is unsecured and vulnerable. To address this, security should be part of software development as well as deployment. Further, defence in depth approach should be adopted and managed on continuous basis for critical applications and native IT infrastructure.
What are some of the best practices to be followed to maintain a robust IT security posture? The best practices start from having a direction in the form of robust customised security policies and procedures in place. Even the frameworks prescribed by the regulatory authorities are to be looked at from the relevance point of view of the organisation. Security should be practical and aligned to business objectives. A risk-based approach to security should include well informed and cyber hygienic people, clear and implementable process and manageable technology.
In which areas of the banking industry can technologies like AI be useful? The banking industry is customer centric, where performance is crucial. With the help of an importance-performance matrix created by AI, banks can make intelligent investments where they are required the most. Banks can deliver more with well-deployed investments, which may have a positive impact on their bottom line.
Do you think there is lack of awareness, due to which the insiders are not following the security hygiene practices? Yes, this is one of the major areas of concern. We may call it as an issue of ‘security culture’. In the past decade, the industry has invested in and deployed technology operations for businesses. Their work culture does not include security culture. Now, as breaches are on rise, it is high time to adopt a two-pronged approach. On one side, security practice should be made mandatory for all, having as far as possible centralised security control to minimise insider threats. Whereas on the other side, year-long calendar should be in place for imparting user awareness and security hygiene practices.
Are CISOs getting enough in terms of IT budgets? Since 2016, banks have deployed various technology products for securing business from cyber risks. RBI’s Cyber Security Framework was the guiding force behind these investments. Largely, these investments have helped banks in pulling together various security processes in silos into a cohesive practice for enhanced monitoring and understanding of the overall security posture. The next thing to do is to get the best out of these processes. However, as investment in security is a continuous thing due to the high obsolescence of the technology in use, IT budgets will definitely increase where the implementations are required and mandatory. But getting enough is again confined and specific to the needs and affordability of the organisation.
What would be the top trends for 2019? We may see increased automation on the security front. Banks may upgrade cyber security using ML and AI, and prioritise data security. Breaches may continue due to lack of awareness, cyber hygiene, attribution and accountability. Fileless, self-propagating malware may be on the increase. More and more companies may transfer their risk in the form of cyber liability insurance. Furthermore, email security is one of the key trends for 2019, as phishing will continue to dominate the threat landscape.
Cover Story
Orbis Financial Corporation
‘FINANCIAL SERVICES ARE HIGHLY TARGETED FOR SECURITY HACKS AND BREACHES’ Mani Kant Singh, Head IT & CISO, Orbis Financial Corporation focuses on how his company is proactively taking prompt situational analysis in mitigating cyber threats By Salvi Mittal
Application security is not static anymore; it has to be dynamic besides meeting business requirements. A one-time setup of rules cannot be considered a security strategy. We have to have constantly evolving processes to implement different methods of risk assessment, governance profiles and auditing mechanisms for both internal and external users. Robust application security means having faster, reliable yet flexible governance.
What is your security strategy overview at Orbis? Security and data protection is of primary importance at Orbis. We follow many standards like ISO 27001 and global regulations like GDPR. Besides, we have implemented multilevel data protection mechanisms like DLP and UBA to monitor all data in motion and rest. At Orbis we see security strategy embracing people, processes, and technology. Addition to the security awareness for various levels, we have made it mandatory for the internal employees instead of making it as a ritual.
What are the possible challenges in your industry and how are you mitigating the same? Besides the requirements of compliance with government and industry regulations, there are new technology footprints and unknown security flaws. CISOs confront many challenges like insider threats, mitigating zero-day threats, DDoS attacks, cyber ransomware, DevOps security, and securing the legacy infrastructure. Searching for the right skill sets is another taxing task for CISOs; these challenges are a partial list of a never-ending list.
What are the challenges you face being a CISO for a financial company? Financial services are highly targeted for security hacks and breaches. A few of the challenges include efficiency in operations, the privacy of customer data, non-availability of skilled talent, and so forth. Orbis is proactive and foresees the situation, making a prompt situational analysis in mitigating the challenges through fast and secured end-to-end transactions. There is regular investment in improving cybersecurity controls, internal training, continuous audit tools, and third-party testing and certification. We ensure the flexibility of access to data while ensuring data security and governance through end-to-end workflows, multi-factor authentication, rigid access control systems, proactive monitoring, and automated rules.
What is the next big technology in your roadmap? The use of AI and Machine Learning in managing risks like credit, operations, market, and compliance. Embedding AI in risk management would very soon shift our focus towards analytics and curb losses in a proactive manner. Further, we aspire to implement deep learning. Deep learning is an offshoot of machine learning, and AI will be used to construct predictive models and provide data-driven algorithms that perform better than the traditional model technologies.
Cover Story
Motilal Oswal Financial Services
‘BASIC SECURITY HYGIENE IS NOT ENOUGH TO SAFEGUARD DIGITAL TRANSFORMATION’
Amit Ghodekar, VP Cyber Security, Motilal Oswal Financial Services talks about the company’s initiative around digital security.
Please give us an overview of the digital security roadmap for Motilal Oswal. The evolution of digital platforms and disruption is a key game changer for the business. It is really helping the business to spread its reach and acquire new avenues to generate business. These changes are imperative and we are now evolving ourselves to handle digital risks along with traditional risks. We are focusing on cutting-edge technologies; our digital roadmap is creating the baseline for our business transformation. There are a lot of elements to our digital journey; we are heavily leveraging chatbots, Robotic Process Automation, AI, ML, social media, etc. Since the organisation is aggressive about digital, basic security hygiene is not enough to safeguard our interests. To address this we are working at a granular level on how we can address the digital security risk for people, process and technology to safeguard our interests.
How are cutting-edge cyber security solutions helping you? We are continuously evaluating the new-age technologies available in the cyber security domain, for example against Advanced Persistent Threats (APTs), so we have got together the best-in-class technologies and created a workplace which could help us to mitigate any kind of risk to the organisation. For the threats which are coming from digital assets, we are in the implementation stage of some sophisticated technologies which not only detect but can also prevent attacks in real time. We are evaluating behaviour-based tools and technologies which have the capability to integrate with AI- and ML-based systems. Currently, we are largely automating the systems and building the capabilities to identify threats on a real-time basis.
How are you boosting your defense strategy? We are aggressively working on defense-in-depth, which does not allow any attack to go beyond particular levels. Our entire ecosystem is dependent on multiple perimeter levels and is strong and resilient.
What are the recent security projects that you are driving? We have worked a lot on making our endpoints resilient; for that we are utilising various endpoint solutions which can identify and prevent threats on a real-time basis. This includes having the capability to monitor suspicious malware, content filtering, advanced anti-virus, real-time threat detection and prevention, etc.; endpoint security comprises securing our critical infrastructure as well. We are thinking more of proactive cyber defense as our main strategy to become cyber resilient, which includes investing in cyber security tools and technologies, adopting new processes and nurturing talent in cyber security.
How is AI impacting the security landscape? AI will create scenarios and algorithms offering real-time actionable alerts. The major pain point is the humongous number of alerts and notifications, complicating the situations for the security professional in order to identify the actionable alerts. AI and ML are actually helping in reducing the number of alerts, it identifies the real alerts and further materialises them into a threat which can be mitigated on real-time basis.
COMPUTER RESELLER NEWS I APRIL, 2019 I crn.in I 29
Thought Leader
ARTIFICIAL INTELLIGENCE RESHAPING RISK MANAGEMENT IN THE BFSI SECTOR
Just as AI will evolve from mundane and repetitive tasks to more complex pattern recognition for decision making, the evolution of AI within Risk Management is likely to span across three phases.

A banker wants to induct a new client, Corporate X, for the bank. His colleague in Risk taps a few keys on the Risk Portal…and lo! All the relevant details are immediately flashed…Corporate X’s banking history, credibility, the bank’s funding appetite and recommendations. The portal even calls out red flags such as a likely management shake-up (deciphered from social media); potential litigation and even industry headwinds. Seems like a scene out of a Sci-fi movie? Welcome to the future, for this could be the likely scenario of the BFSI sector, thanks to Artificial Intelligence (AI). AI is the ability of a computer or robot to perform a task that requires human intelligence – assimilating and processing data, making decisions, or challenging choices. Machine Learning (or ML) enables AI to self-learn and respond, using data it is exposed to (just like a human brain). Risk management is about using wide ranging perspectives for providing insight, oversight and challenge to bring balance to the efforts of the bank in driving towards its strategic goals. Banks and Financial Institutions are driving transformation initiatives to strengthen Risk Management performance whilst achieving efficiency; and AI may well prove a game-changer here.
In a financial institution, everyone has a responsibility for the management of risk in their day-to-day activities. Business functions (typically designated the first line of defence – FLoD) own and manage their risks through processes and controls, with insights, oversight and challenge from Risk Management (typically designated the second line of defence – SLoD). AI could be deployed across the lines of defence covering various risk management activities.

Just as AI will evolve from mundane and repetitive tasks to more complex pattern recognition for decision making, the evolution of AI within Risk Management is likely to span three phases. Initially, AI may be used to gather valuable insights for a deeper understanding of Risk to enable better decisions. This could be followed by the use of AI in Risk Oversight: providing frameworks, standards and controls within which risk activities can be executed, inspecting specific aspects of risk taking to ensure they comply with specified frameworks and standards, and highlighting exceptions for scrutiny, including those in AI installations in the Business. Once AI acquires stability and maturity, it could be used to provide an independent point of view on key risk decisions and challenge the FLoD independently. In short, AI could provide insights to aid Risk Managers, gradually evolving to low-end decision making and later to performing independent checks of processes, including of AI deployed in the Business.

For instance, AI may be utilized to process patterns in data to identify new risks, and alert Risk Managers in diverse areas such as transaction screening for financial crime, client due diligence or shaping credit appetite in real time based on information processed from commodity prices and currency fluctuations.

Of course, Risk managers too will need to evolve. Risk managers will be required mainly for high-end application of judgement, such as assessing the sources of data fed to AI, reviewing the evolution of the AI algorithms as well as their results, and devising and maintaining the frameworks for the management of risk. Whilst this reality is still somewhat distant, AI will supplant some low-end roles sooner.

The advantages of applying AI in the Risk domain are many. Speed of delivery, integrating multiple systems to gather and analyse data, and providing consistent insights with reduced human bias to Risk Managers through real-time dashboards are obvious ones, albeit aided by the need to streamline data plumbing just to be able to implement AI.

The BFSI sector has already started moving in this direction, but it will be years before AI would be in a position to comprehensively help manage risks for a Bank/FI unsupervised. Second, it would take some time for AI to achieve the expertise of human experience. An experienced Risk professional would flexibly factor in diverse elements like politics, economics and corporate dynamics to make decisions, while it may be challenging to bring such flexibility within AI’s purview. Therefore, patience would be vital to achieve that level of sophistication. The pace of adoption of technology suggests that this evolution will likely be exponential rather than linear beyond an initial inflexion point.

It would be somewhat naïve to assume that AI would eliminate risks for the BFSI sector; rather, it would likely transform risk. For one, the success of AI would depend on the relevance and quality of the data sources fed into it. Bad data is as much a risk for AI as a defectively evolving algorithm. In addition, technology, no matter how robust, does have an element of vulnerability to cyber threats. Films have shown myriad doomsday scenarios of machines going rogue (take your pick!). But immediate concerns centre around the unintended consequences of computer programs reaching bizarre conclusions through defectively re-writing their own algorithms, exposing the institution and its clients to unplanned risk.

If we get it right, AI can transform Risk Management with incisive analytics and cognitive computing beyond the realm of human capacity. If AI is founded on defective data or programs, it could result in perverse results, potentially triggering serious consequences yet to be seen. What does the future hold? Maybe only AI can tell…

Authored by Rajesh Jogi, Head – Risk Hub India & APAC Risk at Royal Bank of Scotland
Case Study
WHY KERALA’S CYBERDOME PROJECT IS AN IDEA WHICH MUST BE REPLICATED AT THE NATIONAL LEVEL
Project Head: Manoj Abraham IPS, Inspector General of Police & Nodal Officer, Cyberdome Range Office, Thiruvananthapuram
In the rapidly growing and changing digital world, the investigation of cyber crimes and ensuring cyber security for citizens is one of the most challenging areas for Law Enforcement Agencies (LEAs). Since today’s cyber crimes involve the use of the most modern and sophisticated technologies, as well as anonymity over the internet, it becomes extremely difficult for the police to investigate these kinds of crimes. Cyber criminals now work in a border-less environment, with legal systems of multiple jurisdictions. To make things worse, cyber crime has been evolving at an astonishing rate. Unfortunately, the police system is not equipped to take a pivotal role in cyber crime investigations and prevention of cyber crimes.

Taking into account the broader impact of cyber crimes and challenges in the cyber space, Kerala Police initiated this Project for the establishment of a Hi-tech Centre for Cyber Security and Innovations at the Technopark Campus, Trivandrum, Kerala. Cyberdome is a technological research and development centre of the Kerala Police Department, conceived as a cyber centre of excellence in cyber security, as well as technology augmentation for effective policing. It is envisaged as a high tech public-private partnership centre of collaboration for different stakeholders in the domain of cyber security and handling of cyber crimes in a proactive manner.

One of the main objectives of the Cyberdome is to prevent cyber crimes through developing a cyber threat resilient ecosystem in the state to defend against the growing threat of cyber attacks by synergizing with other departments and nodal agencies of the state. Cyberdome makes a collective coordination among the Government departments and agencies, academia, research groups, non-profit organizations, individual experts from the community, ethical hackers, private organizations, and other law enforcement agencies in the country with the aim of providing a safe and secure cyber world for each and every citizen in the state. The primary objective of Cyberdome is to prevent cyber crimes and ensure that our cyber resources are secured.
The importance of collaboration
To effectively tackle cybercrime, adequate cross-border provisions are required, and international cooperation and mutual assistance within law enforcement, and between the other agencies, needs to be enhanced. Governments cannot contain these cyber threats single-handedly through domestic measures alone. Neither should governments be left to grapple with this danger on their own any longer, as the expertise and skill to combat these cyber threats are largely dispersed across the globe. Hence the solution is to create collaboration with the private sector and academia to keep pace with the rapidly changing technology world. The National cyber security policy also affirms the development of effective public–private partnership models. Active partnership with the private sector is essential, not only to share intelligence and evidence, but also in the development of technical tools and measures for law enforcement to prevent online criminality. The academic community also has an important part to play in the research and development of such measures.

Cyberdome is a pioneering project as it brings together Government Departments, Law Enforcement Agencies, Industry, Academia, International Organizations and experts from the public domain for collaborating on cyber security to enhance the capabilities of the state in dealing with cyber threats as well as to provide security to the Digital Assets of the state. Law enforcement agencies can provide real case based scenarios and requirements for research, and implement new products as well as services, that will benefit all stakeholders in making their infrastructure secure. An online cyber crime reporting system will be hosted to report online crimes as well as to report vulnerabilities of websites, Apps and Services as a responsible informer.

Cyberdome collaborates with around 10 national and international organisations, more than 500 IT professionals working around the globe, Nodal Officers from all major banks, around 3 Universities, more than 750 odd students and 250 Mobile Technicians within its fold. All these individuals are working on an online platform, free of cost, for preventing cyber crimes, spreading awareness on cyber security, creating digital solutions for better service delivery and creating awareness among the public as well as government departments about ransomware and its precautionary steps. Some other effective steps include busting of child pornography groups, awareness campaigns for school children and for the general public, awareness campaigns through mass media and social media, social media surveillance etc.
Tackling threats proactively
Analysis is the cornerstone of all modern intelligence-led law enforcement activities and critical to all cyber intelligence purposes. Cyberdome’s analytical capabilities are based on advanced technology adjusted to the needs of law enforcement. As law enforcement agencies, the police are facing ‘‘real case based scenarios’’ and gaps in research and development. The inadequacy of expertise to deal with the darker side of the exponentially expanding Information Technology is a major roadblock for the Police in India. Acquiring such expertise by recruiting manpower is not a viable option either. Cyberdome envisages taking proactive measures against the evolving cyber threats. In this regard Cyberdome regularly conducts VAPT in the Government as well as the private domains, reports the findings and also gives mitigation steps. The secure coding workshops conducted by Cyberdome equip the developers and IT admins of organisations to develop hack proof and secure websites to a large extent. Cyberdome, in collaboration with the RBI, Banks, payment gateways and other wallet groups, has taken measures to tackle financial fraud, which have been a great success. Cyberdome has also started a ransomware school to understand, analyse and mitigate ransomware infections, create standard operating procedures to deal with ransomware,

Major achievements in general for creating a safe cyber world:
● Performed VAPT (Vulnerability Assessment and Penetration Testing) on more than 100+ sites and reported their vulnerabilities
● Developed an advanced Social Media lab for analytics, Cyber intelligence & monitoring Darknets
● A software called Privacy Tracker has been developed in a partnership model for preventing piracy of films
● Defaced or removed around 250+ child porn pages/porn sites and initiated action against the culprits
● Ransomware School started to understand, analyse and mitigate ransomware infections
● Developed a malware analysis lab to analyse the behaviour of malware & its preventive measures
● Developed a SOC System (Security Operations Centre) for protecting Government digital infrastructure
● Child Safety awareness program for students, parents & Teachers, named KID GLOVE, implemented throughout the state
● Conducted around 18 workshops and 22 hackathons for police cyber training
● Conducted 80 awareness events/workshops throughout the state, for the public
● Intensive project to prevent child pornography over social media platforms
● Developed a geospatial application to pin point the location based on mobile cell data
● Prevention of Online Financial Fraud in association with RBI through a 24X7 OTP fraud Monitoring system
● 21 MoUs signed with International and National cyber security agencies
CXO Speak
VISIBILITY INTO EDGE OF ENTERPRISES IS KEY TO GENERATE ACTIONABLE INSIGHTS
Deep Agarwal, Regional Director - India, Zebra Technologies talks about the impact of digital technologies on different industries and the company’s data services platform, Savanna.
By Mohd Ujaley

Zebra Technologies expects 2019 to be the year when the edge of enterprises will become increasingly important as that is where real-time data is captured for enhanced visibility and analytics to generate actionable insights. “There will be a shift towards a more connected, collaborative system where physical and digital entities will converge across multiple channels and models,” said Deep Agarwal, Regional Director – India, Zebra Technologies, adding that “with further development of new technologies people will be increasingly dependent on the immersive experience offered by the smart edge devices that surround them.”
Dominating technologies
Augmented Reality and Virtual Reality – Augmented Reality (AR) is an interactive experience where the real, physical world is augmented by computer-generated information. Virtual Reality (VR) is a computer-generated scenario that simulates real-world experiences. While most people think about AR or VR as consumer-centric technologies, both technologies will see increased usage in the enterprise space.

Advanced automation driven by AI – Artificial intelligence (AI) is permeating into virtually everything in a data-rich environment, to deliver more adaptable, flexible, and autonomous systems. Enterprises are seeking to enhance their AI-powered capabilities to deliver a performance edge in a data-rich environment. This will bring more actionable intelligence to workers within their respective workflows and drive higher engagement and better experiences with customers.

5th generation wireless systems (5G) – 5G is a new wireless network technology that has immense potential to be maximized soon. 5G will be mission critical as more devices are connected and more data is being created, and will help with mitigating latency challenges as the requirement for more compute power to process data in real-time at the edge continues to grow.

Blockchain – Think of blockchain as a secure digital ledger. Digital information is loaded onto the ledger by trusted sources, to only then be used by trusted sources. Some early areas enterprises are focusing on to leverage blockchain are solving problems around food safety, the fight against counterfeit goods and fraud, and smart contracts across the supply chain continuum.
Impact of AI and blockchain on the retail, transport and logistics sector
While adoption of AI and automation technologies is steadily increasing globally, we are seeing an increase in adoption by the retail and T&L industry. For instance, supply chain fulfilment transactions are growing exponentially for both B2B and B2C engagements. This exponential growth is driving customers to seek advanced automation. When combined with machine learning (ML) and AI-driven solutions, it’s augmenting the human workforce for enhanced productivity. Inventory management is another area that is leveraging automation and AI to improve worker productivity and accuracy, identify stock outs and order products. Drones are being utilized to complete cycle counts in warehouses. Moving the process of data capture into the air provides on-demand checks and avoids the additional time and expense spent on having employees access difficult to reach locations within the warehouse. In terms of product delivery as well, delivery drones and robots are used to cross difficult terrain and carry larger objects. Amazon and UPS are using delivery drones to reach customers in remote locations. An integrated solution with autonomous vehicles and robots or drones demonstrates a more collaborative way of leveraging automation.
Advanced data capabilities
As the world becomes more complex and data-driven, businesses want better ways to navigate and automate these complexities without the expense of human capital. Successful enterprises of the future will rely on real-time data and insights into that data to run their businesses efficiently with a competitive edge. Enterprises have sought for years to obtain insights from “Big Data” – large amounts and volumes of data that businesses collect and store on a daily, sometimes instantaneous, basis. But in 2019, priority will shift towards “small actionable data” accessible naturally within a workflow, where it is specific to a use case to solve a problem and achieve desired outcomes.

In terms of data capture, two-dimensional (2D) bar code scanning continues to gain acceptance and outpace the global market as the preferred track and trace method. In the bar code scanning handheld space, the transition from 1D to 2D imaging comprises more than 70% of total handheld scanner sales today. UHF RFID will continue to expand beyond the item-level inventory use case in retail back into the supply chain and manufacturing spaces. Over 10 billion UHF RFID tags will be used throughout the retail, manufacturing and transportation industries in 2018. Healthcare use cases have also started to emerge and show promise in clinical and hospital settings for track and trace use cases.

In the future, machine vision holds great promise once some of the constraints (cost, size, speed) are more optimized for historical use case scenarios. It will provide additional value to business applications including pattern recognition, colour recognition, etc. In addition, advanced image recognition software will augment the capabilities to serve many additional applications, such as recognizing produce directly on a grocery scanner, measuring the size of a box or providing quality checks on printed circuit boards in an electronics manufacturing operation.

Businesses are looking to expand the capabilities of data capture and the way it is employed to track and trace assets and critical data in an automated fashion. They demand integrated data solutions that not only take data capture to the next level but are also integrated with analytics that offer real-time guidance – generating directional and actionable insights for real-time decision making. In today’s on-demand economy, advanced analytics capabilities enhanced by AI and ML are critical as businesses need the predictive (providing anticipation of what will happen) and prescriptive (providing recommendations on what to do to achieve the desired outcome) insights to turn dark data into actionable data.
General AI is applied to identify things when you don’t know what you are looking for. ML is utilized when you know what you are looking for, and you can utilize ML to sharpen your knowledge around known areas and build in rules and logic to create a best next action. With enhanced analytics, businesses are moving from forecasting to intelligently anticipating and predicting both operational and customer needs.
Savanna in India
To address the customer need for advanced data capabilities, Zebra introduced Savanna – a data services platform that collects and analyses data to develop and create intelligent insights at the edge for businesses. The response has been positive, and we are currently working with select partners on an early adopter program using Savanna to solve many of the challenges that customers are facing today by jointly developing applications powered by Savanna Data Services and leveraging technologies such as AI, ML, third-party data services and blockchain. Savanna helps enterprise applications to collect and crunch data from Zebra mobile devices, scanners, printers and third-party devices, and analyses it in real-time by delivering quick analytics that businesses can translate into actionable insights. We plan to make this new data services platform more widely available in the very near future.
CXO Speak
AI CAN HELP ALLEVIATE CURRENT SKILLS GAP FACING SECURITY TEAMS
Enterprise security has always been a cat and mouse game, with cyber adversaries constantly evolving their attack systems to get past defenses. Can AI based systems help in warding off new age threats and zero day attacks? To get a perspective, CRN India spoke with Vikas Arora, IBM Cloud and Cognitive Software Leader, IBM India/South Asia, who shares his view on how AI can impact enterprise security.

What are your views on the cyber security landscape in India? Which sectors do you think are the most vulnerable today?
Cybercrime is 21st century organized crime. 80% of cyberattacks are driven by highly organized crime rings in which data, tools and expertise are widely shared. It is estimated that cybercrime will cost the global economy more than $2 trillion by 2021 and represents what could be the greatest threat to every company in the world. As per a 2018 IBM Ponemon study, the average mean time to identify a data breach in India increased from 170 days in the previous year to 188 days. ‘Malicious or criminal attacks’ took 219 days on average to be identified. The report further highlighted that the average mean time to contain a data breach in India increased from 72 days in the previous year to 78 days. The average time to contain ‘Malicious or criminal attacks’ was 99 days. Today, the implications of a breach span the C-Suite, impacting financials, brand, client loyalty, employee privacy, legal/regulatory issues, etc. Security is now an active board level issue and discussion. CISOs’ roles are increasingly becoming more complex and the need for them to work closely with the C-Suite team and board is on the rise. CISOs need to think in new ways about the problem and equip the organization with the necessary security tools which can predict, control and respond to threats in real-time. From Security Intelligence to Application Security, we see the relevance of Security across verticals. Owing to the nature of their business, we are seeing increased adoption across Financial Services, Telecom, Information & Communications Technology, Retail, and Professional Services, who are looking at infusing AI in their core security solutions.

Your perspective on the usage of AI in security?
Cybersecurity is among the most important and pressing challenges of our times. The inadequacy of perimeter-based security controls in protecting enterprises is demonstrated in the increased scale, scope, and frequency of cyber-attacks confronting enterprises today. This problem is further exacerbated by the proliferation and adoption of technologies involving cloud, mobile, and social platforms (often offered as third-party services), which further erode the visibility and control that enterprises have on their security posture. At IBM we strongly believe that safety, security, and trust in AI systems are critical for driving widespread use of this technology for real business applications. AI is the necessary evolution of the cybersecurity industry to keep up with increasingly sophisticated threats and demands on security analysts. Machines and AI excel at different types of tasks that humans are not well suited for; AI will not replace human reasoning and decision making, however it can augment the skills of human security analysts, allowing them to do their jobs faster, more accurately and more efficiently. IBM advocates for several approaches to help deal with these challenges, including:
◗ Collaborate: As hackers are collaborating on the dark web, the good guys (security professionals spanning both private and public sector) must also improve our methods for collaborating and sharing information on threats (and how to stop them) before they become widely spread.
◗ Utilize Cognitive Security Tools: “Cognitive” security tools which incorporate next-gen, intelligent technologies can help resource strapped security workers stay ahead of threats. For example, Watson for Security has been trained on the language of security. Watson has “read” 2 million cybersecurity documents and can help security analysts parse thousands of natural (human) language research reports that have never before been accessible to modern security tools.
◗ Focus on Response: A slow response to security events has a huge impact on the cost and severity of breaches. The industry should begin to place additional focus on “incident response” – having the right team and plans in place to act quickly after being hit by an attack.
Further, we believe AI can help alleviate some of the effects of the current skills gap facing security teams by making junior analysts more effective. Developing both AI and cybersecurity skillsets will be important for the next generation security workforce. IBM’s Institute for Business Value recently conducted a survey which found that adoption of cognitive security solutions is currently at 7% but is expected to grow three-fold (to 21%) within the next 2-3 years.
Can you give us some examples which showcase how AI will be useful in the ever-changing cyber security space?
As cyberattacks grow in volume and complexity, artificial intelligence (AI) is helping under-resourced security operations analysts stay ahead of threats. Curating threat intelligence from millions of research papers, blogs and news stories, AI provides instant insights to help organizations fight through the noise of thousands of daily alerts, drastically reducing response times. Cognitive security tools like Watson are the logical and necessary evolution of the cybersecurity industry to truly take advantage of the massive amount of intelligence that exists and use it to gain an edge in the increasingly challenging battle against cybercrime. Watson is not designed to simply provide analysts with more intelligence – instead, Watson will guide them to take the correct next steps and actions based on the system’s collective (and contextual) learned body of knowledge. This is all about augmenting the security analyst’s intelligence, enabling them to act with speed, scale and accuracy when researching and responding to threats. For example, Bombay Stock Exchange (India), the oldest stock exchange in Asia and now the fastest exchange in the world, has selected IBM Security to design, build and manage a cyber Security Operations Center to safeguard the company’s assets and protect stakeholder data. Under the five-year managed security services agreement, the center enables around-the-clock security event monitoring, event handling, security analysis, incident management and response along with synchronized management of devices, networks and applications.
What’s your view on IBM’s opportunity in India, specifically in the cyber security sector?
We are leading the journey towards AI and Intelligent Automation in Cybersecurity. We foresee both being a key priority for CISOs in 2019. Enterprises are looking at driving service agility and resilience in their digital business along with data driven security intelligence which can help them be prepared for any unforeseen threats. We are gaining momentum as the world’s fastest growing enterprise security business due to our differentiation in helping clients apply security intelligence across their infrastructure, applications, cloud, mobile devices, etc.

Can you give some examples or statistics that showcase that IBM is on a strong growth trajectory in the cyber security space in India?
IBM Security is the fastest growing vendor in the global security software market based on Gartner’s most recent security market analysis. Gartner also calls IBM the 3rd largest security software vendor in the world. In India, we grew our Security business – both Software and Services – in strong double digits in 2018 with clients spanning across BFSI, Manufacturing, Healthcare to name a few. We have simplified our portfolio to help clients in three strategic areas, “Strategy & Risk”, “Threat Management” and “Digital Trust”. Further, we are focused on the top security needs we hear from our customers around advanced threats, cloud security, Mobile and IoT, Compliance Mandates and addressing the skills shortage in the security space. We are already the largest Security provider to the Enterprises in India, and we aim to strengthen this position as we drive our security strategy in 2019.
COMPUTER RESELLER NEWS I APRIL, 2019 I crn.in I 37
Case Study
Ayushman Bharat
‘WE ARE REDUCING FRAUDS AND ABUSE WITH DATA ANALYTICS’
Indu Bhushan, CEO of Ayushman Bharat, talks about how IT is helping in overcoming the challenges before the health insurance scheme and how it can be a disruptor in the healthcare space
By Sandhya Michu
Pradhan Mantri Jan Arogya Yojana (PMJAY) under Ayushman Bharat, a national health protection scheme covering over 10 crore poor and vulnerable families (approximately 50 crore beneficiaries) with coverage of up to Rs 5 lakh per family per year for secondary and tertiary care hospitalisation, is banking heavily on IT for monitoring, maintaining health records and reducing fraud and abuse of the scheme. Built on open source technology, this massive scheme currently uses data analytics and is exploring emerging technologies like blockchain and chatbots to make it simpler and friendlier for the masses.

Indu Bhushan, CEO, Ayushman Bharat says, “The year 2018 was tremendous for us as we could roll out Ayushman Bharat in such a short time. The initial momentum has also been really good, without any glitches in terms of IT outage or in any basic design of the scheme.”

“IT is a mainstay of our scheme as it helps in identification, verification, e-cards, recording health data, tracking persons from admission to discharge and making the payment. Fraud and abuse have been reduced with the help of IT. Last, but not least, IT also helps in seeking feedback and grievances from patients and in national portability, as many people are coming from one state to another state confirming their identity,” he informs.

Currently, the main challenge is to have a sufficient number of quality hospitals to provide the required service and to design the scheme in a way that checks fraud and abuse. “We want to ensure that we can minimise the incidence of fraud and abuse. To ensure that the IT system remains stable and robust, we have been working on establishing the schemes, putting the guidelines together, putting the IT platform together, negotiating with different states, identifying the Mitras and their onboarding and training. A large amount of work was done in the last 7-8 months. Now, we are trying to see how we can improve the quality of services, reduce the incidence of fraud and deepen the reach of the scheme. These three things are on top of our mind,” he comments.

The scheme strictly monitors fraud detection. It has appointed five data analytics providers: LexisNexis, Optum, SAS Institute, MFX and Greenojo. “We are working with the five different data analytics teams in-house currently and providing data to states. We have detected some potential frauds. Recently, we did an audit in Jharkhand and found potential fraud in two of the hospitals, as the number of patients was larger than their bed capacities. We have suspended the hospitals until the enquiry is complete,” Bhushan explains.

For beneficiary identification, it is working with CDAC and NIC. For transaction management systems and hospital empanelment, TCS has been appointed as the service provider. The scheme is linked to Aadhaar.

On privacy and data security, Bhushan reiterates, “Our programme is the first in the healthcare space which has data security and privacy policies. It is similar to Aadhaar; however, we don’t store the data, we use a token instead. All the information which will not be used in the future is destroyed and the rest of the data is encrypted, so it can’t be misused. We are following ISO/IEC 27000. We have 99 controls at various levels of privacy and security.”
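The audit heuristic described above (a hospital claiming more concurrent inpatients than it has beds) is simple to state but needs care to compute: occupancy must be derived from overlapping admission and discharge dates, not from a raw count of claims. The following is an added example, not code from the PMJAY programme or any of its analytics providers; the hospital ids, bed counts and patient tokens are constructed sample data, and the patient-token field reflects the tokenised (rather than raw identity) records the interview describes. It also goes one step beyond the text by flagging a second signal analytics teams commonly look for in the same data: one patient token admitted at two hospitals at the same time.

```python
"""Claims-data checks: peak occupancy vs declared beds, and overlapping stays.

Added example for illustration only (hypothetical data; not the scheme's own
analytics). A claim is (claim_id, hospital_id, patient_token, admit, discharge).
"""
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed: declared bed capacity per empanelled hospital (hypothetical ids).
BED_CAPACITY = {"H-001": 5, "H-002": 2, "H-003": 2}

# Constructed claims. Patients are referenced by a token, not identity data.
CLAIMS = [
    ("C01", "H-001", "T-a", date(2019, 1, 1), date(2019, 1, 4)),
    ("C02", "H-001", "T-b", date(2019, 1, 2), date(2019, 1, 5)),
    ("C03", "H-001", "T-c", date(2019, 1, 3), date(2019, 1, 6)),
    ("C04", "H-002", "T-d", date(2019, 1, 10), date(2019, 1, 12)),
    ("C05", "H-002", "T-e", date(2019, 1, 12), date(2019, 1, 14)),  # same-day bed turnover
    ("C06", "H-002", "T-f", date(2019, 1, 12), date(2019, 1, 13)),
    ("C07", "H-003", "T-g", date(2019, 2, 1), date(2019, 2, 10)),
    ("C08", "H-003", "T-h", date(2019, 2, 2), date(2019, 2, 10)),
    ("C09", "H-003", "T-i", date(2019, 2, 3), date(2019, 2, 10)),
    ("C10", "H-003", "T-b", date(2019, 1, 3), date(2019, 1, 6)),   # T-b also at H-001 then
    ("C11", "H-999", "T-z", date(2019, 3, 1), date(2019, 3, 2)),   # hospital not on the list
]


def peak_occupancy(claims):
    """Return {hospital_id: (peak_inpatients, date_of_peak)} via a sweep over events.

    A discharge and an admission on the same day are ordered discharge first
    (delta -1 sorts before +1), so a bed freed in the morning can be reused
    that day without counting as an extra patient.
    """
    events = defaultdict(list)
    for claim_id, hosp, _token, admit, discharge in claims:
        if discharge < admit:
            raise ValueError(f"{claim_id}: discharge {discharge} precedes admission {admit}")
        events[hosp].append((admit, 1))
        events[hosp].append((discharge, -1))
    result = {}
    for hosp, evs in events.items():
        evs.sort()
        current = peak = 0
        peak_day = None
        for day, delta in evs:
            current += delta
            if current > peak:
                peak, peak_day = current, day
        result[hosp] = (peak, peak_day)
    return result


def flag_over_capacity(claims, capacity):
    """Return [(hospital, peak, declared_beds, day)] for hospitals needing review.

    A hospital with no declared capacity is also returned (beds=None): claims
    from an unlisted provider are worth a look in their own right.
    """
    flags = []
    for hosp, (peak, day) in peak_occupancy(claims).items():
        beds = capacity.get(hosp)
        if beds is None or peak > beds:
            flags.append((hosp, peak, beds, day))
    return sorted(flags, key=lambda f: f[0])


def overlapping_stays(claims):
    """Return [(patient_token, claim_a, claim_b)] where one token has two stays
    that overlap in time (same-day discharge and readmission is not an overlap)."""
    by_token = defaultdict(list)
    for claim_id, hosp, token, admit, discharge in claims:
        by_token[token].append((claim_id, hosp, admit, discharge))
    hits = []
    for token, stays in by_token.items():
        for (id_a, _, adm_a, dis_a), (id_b, _, adm_b, dis_b) in combinations(sorted(stays), 2):
            if adm_a < dis_b and adm_b < dis_a:
                hits.append((token, id_a, id_b))
    return sorted(hits)


if __name__ == "__main__":
    for hosp, peak, beds, day in flag_over_capacity(CLAIMS, BED_CAPACITY):
        print(f"review {hosp}: peak {peak} inpatients on {day}, declared beds {beds}")
    for token, a, b in overlapping_stays(CLAIMS):
        print(f"review token {token}: claims {a} and {b} overlap in time")
```

On the constructed data H-002 is deliberately not flagged: three claims touch 12 January, but one is a discharge, so only two beds were ever occupied at once, which is exactly its declared capacity. A naive count of claims per day would have raised a false positive there.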
Organizations are embracing SD-WAN in unprecedented numbers for all of its advantages. However, embracing SD-WAN without a clear understanding of its security implications reduces those advantages to empty promises. Fortinet’s Secure SD-WAN solution delivers on all of the advantages that SD-WAN has to offer but with the added benefit of being part of the Fortinet Security Fabric. Because it is integrated into FortiOS, existing FortiGate customers can easily migrate to Secure SD-WAN. New customers looking to upgrade their WAN infrastructure can leverage FortiGate’s rich mix of networking and security features. Help your customers get the best of both worlds with Fortinet’s Secure SD-WAN.
For details contact:
North: Nitin Gupta, E-mail: nitingupta@fortinet.com, M: +91 93103 62598
South: Binu Ninan, E-mail: bninan@fortinet.com, M: +91 98400 36767
West, East, Central: Navin Mehra, E-mail: nmehra@fortinet.com, M: +91 98925 60700
FORTINET SECURITY FABRIC A Security Architecture that’s Broad, Integrated and Automated
www.fortinet.com/whyfortinet