IT NEXT Issue 2 Volume 6 by Manan Mushtaq

IT SecurITy SpecIal

JULY 2011 / ` 75 VoLUme 02 / IssUe 06

Rules: What IT Rules 2011 and its clauses mean to CISOs

Big Q: Strategies to build robust security model

46 Boss talk

stRategy: Security chiefs share tips to address mobility risks

i ation l Salv Visha SG, Inform C Bank F ,I up, HD CISO ro G ty Securi

Getting the basics right Pg 06

la h Jha Ravis s Manager, m Syste Hotels t Triden

n e M w e n e Th k c a l B n i

hal ment, t Panc Bhara isk Manage R , Head l Payments a ia Nation tion of Ind ra Corpo

dekar h Dan Shiris T, Tata I , d a Ltd He rvices Telese

s elve s m e m th mbat r a s hief s to co asingly c y re rit ol Secu new to m an inc ld Pg 14 with ks fro tedwor is onnec the r rc inte

A 9.9 Media Publication

Editorial

Line of Defence The economic downturn had a cascading effect on the spending patterns of almost every business. In order to safeguard their profit margins, companies started rolling back their investments. When such a regime of budgetary cuts was in place, the department of IT security could not hope to escape unscathed. However, now light has started emerging at the end of the tunnel. There is anticipation of renewed economic growth. The IT security spend appears to be bouncing back. IDC’s recent study shows that India’s enterprise security market in 2011 was $255 mn. It has grown by 17 per cent over the last fiscal. With global economies on the uptrend, the Indian companies too have been revising their growth figures. As businesses expand, there is a natural progression towards greater communication, transactions, online interactions and processes. This directly impacts the security systems and framework. Companies simply can’t ignore the risks of losing information or even the prospect of being the victim of a malicious piece of coding. A strict line of control or defence for protecting the infrastructure, data and information is the need of the hour. The ‘New Men in Black’ across industry segments, have pulled up their socks to design a robust security framework to protect their IT infrastructure and networks, and to prevent data leaks from external and internal sources. The current security special issue of IT Next gives an account of the journey that the CISOs (new Men in Black) have embarked upon for securing their business framework and creating a risk-free zone. It is an enriching experience to get insights into the various strategies, similar to the ones adopted by the two men in black who saved NewYork city from the threatening aliens. We have their views on how they managed to convince the cost -conscious management that an increased outlay for security was worth it. In most cases, they have been able to select the appropriate tools and solutions for managing their comprehensive security framework. The single clear mandate that every security head seems to have imbibed goes like this: ‘Information, data, networks and infrastructure should not be compromised’.

“CISOs have not left any stone unturned in creating a zero risk environment” GeeTha NaNdIkoTkur

Blogs To Watch! Cloud to change the traditional security market play: http://blogs.forrester.com/ jonathan_penn/10-10-20-why_ cloud_radically_changes_the_ face_of_the_security_market Consumer PC security (end-point) growing: http://blogs.forrester.com/ jonathan_penn/10-06-11evolving_consumer_security_ market_beyond_pc National cyber security policy to create national level nodal agency: http://vasantv.blogspot. com/2011/04/national-cybersecurity-policy.html India to spend $10 bn on security technology products: http://www.indianexpress. com/news/us-firms-totap-homeland-securitymarket-in/746640/ Your views and opinion matter to us. Send your feedback on stories and the magazine at editor@ itnext..in or SMS us at 567678 (type ITNEXT<space>your feedback)

j u ly 2 0 1 1 | itnext

Content For the l atest technology uPDates go to itnext.in

iT Security Special

Page

j u l y 2 0 1 1 Volume 02 | Issue 06

Facebook: http://www.facebook.com/pages/ItNext/157660007585974 Twitter: http://t witter.com/itnext LinkedIn http://www.linkedin.com/ groups?gid=2261770 &trk=myg_ugrp_ovr

w e n e Th ack

l B n i n e M

h es wit mselv n e h t m ro a arm isks f hiefs r c e y d h t t l i at or Secur comb ted w onnec ols to c o r t e t w ne ly in asing incre

Cover Story

BoSS talk

IntervIew

c ov er des IgN & I magINg: aNIL T c over phoTog raphy: jITeN gaNdhI

22 Security VerticalS

Best security practices and strategies adopted by the chief security officers across the industry segments such as retail, insurance, telecom, banking and government: 1. retail: Securing the retail network 2. Insurance: Insuring by securing 3. telecom: Vouching for data safety 4. Banking: Fear of risking data 5. Government: Tightens security fence

46 Feature Mobility: Security chiefs have been tackling risks emerging from the increased use of mobile devices with the right tools

50 community View Security chiefs speak about emerging security challenges, and the right tools, technologies and techniques to counter them

itnext | j u ly 2 0 1 1

06 Makings of true leaders| Anwer Bagdadi, CIO & Executive Director, Parafora Technologies

68 Cloud is about managing| Scott Chasin, CTO, McAfee: on why security is a constraint in cloud adoption

itnext.in

ManaGeMent

Cover Story

Managing Director: dr pramath raj sinha Printer & Publisher: vikas gupta

Case study | Intelligent security systems deployed by the chief security officers of IT, telecom, insurance and FMCG companies to address the security challenges, besides building a strong security framework 36

BHaRti aiRtEL

eDItorIal Group editor: r giridhar executive editor: geetha Nandikotkur associate editor: shashwat dc Managing editor: sangita Thakur Sub editor: radhika haswani

PEPsiCo

DeSIGn

Sr Creative Director: jayan K Narayanan art Directors: binesh sreedharan & anil vK associate art Director: pc anoop visualiser: prasanth Tr, anil T Sr Designers: joffy jose, anoop verma Nv baiju, chander dange & sristi maurya Designers: suneesh K, shigil N & charu dwivedi Chief Photographer: subhojit paul Photographer: jiten gandhi

Cognizant

BHaRti aXa

InSIGhtS

64 it rules 2011

What kind of security initiatives are the CISOs taking to adhere to the IT Act 2008

the BIG Q 73 Business Case | IT security

off the Shelf 80 toshiba thrive | Toshiba

SaleS & MarketInG

seeks to thrive amongst tablets. An insight into the hot product arrivals in the technology market

Brand Manager: siddhant raizada (09873555231) national Manager-events & Special Projects: mahantesh godi (09880436623) national Manager -Print , online & events: sachin mhashilkar (09920348755) South: b N raghavendra (09845381683)) north: deepak sharma (09811791110) west: hafeez shaikh (09833103611) assistant Brand Manager: swati sharma ad co-ordination/Scheduling: Kishan singh

reGularS

strategies around building a robust security model

Editorial _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 01

CuBe Chat

Industry Update _ _ _ _ _ _ _ _ _ 08

78 I like to be on my toes|

Tech Indulge _ _ _ _ _ _ _ _ _ _ _ _ _82

“Find opportunities in challenges,” says Prajwal Kumar, Sr Mgr, IT, ACG Worldwide

Open Debate _ _ _ _ _ _ _ _ _ _ _ _ _83

Inbox _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 04

ProDuCtIon & loGIStICS Sr. GM operations: shivshankar m hiremath Production executive: vilas mhatre logistics: mp singh, mohamed ansari, shashi shekhar singh

My Log _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 84

offICe aDDreSS nine Dot nine Mediaworx Pvt ltd A-262 Defence Colony, New Delhi-110024, India Certain content in this publication is copyright Ziff Davis Enterprise Inc, and has been reprinted under license. eWEEK, Baseline and CIO Insight are registered trademarks of Ziff Davis Enterprise Holdings, Inc.

Page

advertiser index saP isaCa symantec eMC Cisco iBM dell

iFC 05 07 11 13 iBC BC

pLease r ecycLe ThIs magazINe aNd remove INserTs beFore recycLINg

Published, Printed and Owned by Nine Dot Nine Mediaworx Private Ltd. Published and printed on their behalf by Vikas Gupta. Published at A-262 Defence Colony, New Delhi-110024, India. Printed at Silver Point Press Pvt Ltd., A-403, TTC Ind. Area, Near Anthony Motors, Mahape, Navi Mumbai-400701, District Thane. Editor: Vikas Gupta

j u ly 2 0 1 1 | itnext

INBoX it next

COVER STORY | DATA CENTRE MODELS

JUNe 2011 / ` 75 volUme 02 / issUe 05

VDI: Enterprises have a close watch and set high expectations

BoSS talk How to address organisational crisis

05 BIg Q

Finding the right CRM solution Pg 49

Play your cards right

Play your Cards right

Play Your Cards Right

Strategy: Best practices in cloud marketing

K T Rajan, Director-Operations, IS & Projects, Allergan India

New techNologies aNd services complicate data centre decisions pg 12

volume 02 | issue 05

do you Want to Be neXt!

juNe 2011

BY N GE E T H A

New technologies and services complicate data centre decisions

ITNEXT | J U N E 2 0 1 1

Cover Story.indd 12

C I M AG I NG : JOF F Y JOSE

P H OTOG RAP H Y: RAD H AKRI SH NA

K T Rajan, Director-Operations, IS & Projects, Allergan India

IT NEXT ThaNks ITs ReadeRs for the warm respoNse

hange is inevitable. For years, IT heads and managers have been dealing with the aspects of change management, resilience, performance, response time, resolution time and much more in their endeavour to create best practices and values. They have been leveraging technology and tapping right opportunities to leapfrog the competition. The senior IT managers have been instrumental in creating compelling business differentiation within the organisation by introducing much needed changes and opting for the best technologies. IT Next’s feature on data centre sourcing model is an attempt to provide insights into various models that are in existence. The focus is also on the factors that IT heads consider when they are choosing the best model to match their requirements.

J U N E 2 0 1 1 | ITNEXT

5/27/2011 10:02:13 PM

Cover Story.indd 13

5/27/2011 10:02:37 PM

iT nEXT ValuEs yOur fEEDBaCK

We want to know what you think about the magazine, and how we can make it a better read. your comments will go a long way in making IT NEXT the preferred publication for the community. send your comments, compliments, complaints or questions about the magazine to editor@itnext.in.

The article on various certifications in IT Next is a great reading material. It provides insights into various options available in technical certifications and makes it easier for all to make the right choice. For most of those in full time jobs, it is a tough task to take-up full time management or related courses or equip themselves with degrees. It would be ideal to look at the various certification options available and study while working.

www.linkedin.com/ groups?gid= 2261770&trk= myg_ugrp_ovr 300 members

Read this issue oNlINe http://www.itnext. in/resources/ magazine

KaushiK. Kumar Pre-sales, iT & systems, Orange, Business services

itnext | j u ly 2 0 1 1

K T rajan, Director, Operations & iT, Project management. allergan Technologies

The stories and features that IT Next publishes is quite relevant to the IT managers. I find most of the senior IT managers and IT heads interested in HR related features. The IT managers always find the articles around the new career opportunities more interesting as they aspire to move up the value chain. Since IT Next tries to provide insights on varied subjects which enable readers to rise in their careers, articles around it would absorb the readers’ attention. Features about ways to find careers overseas and the foreign regulatory patterns, legalities involved in migrating to different geographies, etc., would be interesting to read.

Vishal ananD GuPTa

I find IT Next to be unique in its own way as it covers specific issues which are relevant to the community including that of senior level IT profession and IT management group. I appreciate the content which speaks about the trends and happenings in the IT industry and helps readers to update themselves on the IT industry. The interesting element is that there is a conglomeration of articles from across professionals and experts which makes it an interesting read. The section ‘Cube Chat’ is the most sought after, as I get to see my peers sharing their thoughts from their professional and personal experiences. The recent cover story on ‘Data Storage’ has caught my attention and has a recall value. As a reader, I would like to have features or articles around technological innovations, stories about start-ups, features around e-commerce and how IT is used , mentorship programmes, networking and relationship building, etc., management related stories, besides some insights into venture capital markets and trend features around outsourcing and medical tourism in the forthcoming issue would be welcomed. There is some improvement required in the online content management to bring about certain changes in its look and feel.

I must say that the layout of the IT Next facilitates easy reading with appropriate size and format and most relevant content. I think the cloud computing aspect was covered very well in one of the issues which provided a wider perspective in a most comprehensive manner. In my opinion, to make it more interesting, a good medley of technology and management articles pertaining to ICT would add greater value. The human aspect of technology adoption and its relevance in today’s context will generate good interest amongst the readers. IT Next could probably partner with some ‘Gold Standard’ management publications and re-run some of their esoteric articles for the benefit of the large section of IT Next readers.

it next<space> <your feedback> and send it to

567678 *special rates apply

manish sinha, head, iT, On-dot Couriers

(Note: Letters have been edited minimally, for brevity and clarity)

Demonstrate your value without saying a word.

Résumés/CVs may list your experience and knowledge, but an ISACA® certification designation after your name proves it.

www.isaca.org/certification-ITnext

December Exam Date: 10 December 2011 Registration Deadline: 5 October 2011

Boss talk | Anwer BAgdAdi

ManageMenT: Leadership

Makings of True Leaders

re leaders born or made? The debate rages on with both camps pontificating on the issue. But if truth be told, leadership is a learning process in the environment in which one operates. It’s the circumstances, both good and bad, that shape an individual into a leader. The saying, experience is the best teacher, holds true, as it helps in the evolution of a leader and leadership values. Leadership is a constant process of refining oneself and developing skills, which can be emulated by others, or would enable others to follow you.

“Leaders should lead the team to create something extraordinary and be result oriented”

Get the Basics Right

Leveraging technology In the past, technology or IT was looked down upon in most large organisations and considered as a sundry division. The opportunity to prove your leadership skills was minimal here. However, with time, technology has proved itself, and is today, driving the vision of most management teams. As technology heads, you can leverage IT to drive innovations, create performance-oriented work culture, increase operational efficiency, which would result in

itnext | j u ly 2 0 1 1

SuggESTIOn BOX

business growth and thus, prove your leadership qualities. Technology provides the platform to grow, forge new alliances, work out business strategies and exhibit your leadership attributes during any crisis, be it business, finance related or transactional.

Best ingredients

This interesting book talks about reaching that threshold beyond which it would make enormous difference. it is a book about social changes but is equally applicable to almost any facet of life

For people management, the most important leadership quality is absolute honesty. A true leader is transparent in his approach, honest in his dealings and maintains clear communication during any situation, especially when one is struck with a crisis. For the IT managers, specifically, it is imperative to have a great relationship with customers: through appropriate assessment of their problem, display of right skill set and clear communication. People management also involves handling your team, reposing confidence in them and finding ways to assign specific tasks to each member. All the while, the leader must ensure that he or she is in control of the situation.

writer:MAlcolM gl A dwell PuBlisher:little, Brown & co. Price: approx $20

The Author is CIO & Executive Director, Parafora Technologies

Photo grAPhy: ji te n gAnd hi

Leaders are not made in heaven; let’s rest the case. Individuals who aspire to become leaders or develop leadership skills need to get their basics right. To begin with, a leader must have shared vision and ensure that the rub-off effect is felt by his team. S/he must be able to solve any complicated issue, inspire the team and be a mentor to them. Those who exhibit leadership qualities are constantly endeavouring to develop and evolve as better leaders and decision-makers. Ability to articulate your vision with clarity and utmost honesty and provide a larger picture for the benefit of all, is a very critical component of being a leader.

Next-generation reputation-based technology The fastest, most effective endpoint protection anywhere Built for virtual environments

Symantec Endpoint Protection 12

It takes just seconds for today’s polymorphic malware to mutate into millions of threats, but now it has met its match. Introducing Symantec Endpoint Protection 12—simply the fastest, most effective reputation-based protection ever created.* Improve the security of your information, devices, and employees.

* Sources: PassMark Software, “Enterprise Endpoint Protection Performance Benchmarks,” February 2011. AV-Test GmbH, “Remediation Testing Report” and “Real World Testing Report,” February 2011. Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and are subject to change. Any future release of the product or planned modifications to product capability, functionality, or feature are subject to ongoing evaluation by Symantec, and may or may not be implemented and should not be considered firm commitments by Symantec and should not be relied upon in making purchasing decisions. Copyright © 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign is a registered trademark of VeriSign, Inc.

update

Apple Plans New iPhone for September Tech Trends | Come September, and you could lay your hands on

the iPhone 5 that is incorporated with things like â&#x20AC;&#x201D; a stronger chip for data processing, an A5 Processor, and a rather advanced 8 megapixel camera. The faster chip will enable a faster loading of programs, which has already become the hallmark of many Android powered devices from the likes of Samsung. According to people familiar with the product, the iPhone 5 will run on the iOS 5 operating system, which Apple had showcased

oP deskt

Telluride, iOS 5 to run on every Apple mobile device and has improved messaging and photosharing capabilities

Consumer PC usage is down by 20% since 2008 Weekly time spent on home Pc hours (numbers in %)

35 30

significant drop in the use of consumer desktops owing to the increased use of smartphones and tablet Pcs

+10%

30%

33%

-20%

communication

Productivity education

Games

Video

Photos

2006

2008

source: Forrester alphawI se, morgan stanley research (FeB 2011)

itnext | j u ly 2 0 1 1

internet

Work

26%

2010

music

trends deals products servIces people

at its developer conference. Codenamed â&#x20AC;&#x153;Tellurideâ&#x20AC;?, the iOS 5 is designed to run on almost every mobile device that Apple produces, and it features, amongst other things, improved messaging and photosharing capabilities. There are also reports suggesting that the visual design of the device could be different from iPhone models. The iOS 5 upgraded with cloud integration, music streaming and voice interface comes with 4G connectivity along with social networking too. A new report from International Data Corporation (IDC) shows that this year Apple is projected to account for 18.2 per cent of the global smartphone market, and this is way below the market share of 38.9 per cent that devices running Android are expected to account for. Apple is also working towards incorporating a few improvements in its third tablet device, the iPad 3. The screen resolution in iPad 3 could be few times higher than what we have in iPad 2, similar to what we currently have in the iPhone 4. There is also strong buzz about Apple finally making an entry into the TV space. Reports indicate that the Apple TV will be integrated with FaceTime and iTunes, and it will have many compelling possibilities for playing video games. Users will be able to pipe their iPad games directly into their Apple TV and enjoy a larger screen experience. Connectivity with the Internet, and availability of large number of apps, will also be a plus point.

I llustratIon: BInes h sree dharan

Update i n d u s t r y

Fully touChsCreen Model

a tough tablet

new ChiPs For ultra-books

sleek and stylish nokia n9 is a 3.9-inch, fully touchscreen model, and has an 8-megapixel camera with carl Zeiss optics. True hd 16:9 video capture and playback is supported.

Panasonic has unveiled a stylish toughbook tablet, which is capable of withstanding few drops and some moisture. The 10.1-inch model runs on Android, and has a highbrightness matter display for readability in sunlight.

intel has launched low-voltage versions of its second-generation core processors that run at lower frequencies and have a power rating of 17 watts. These are for ultraportable laptops.

“White Spaces” to Create Super WiFi in UK Tech Trends | Microsoft is leading the technology consortium that is set to begin trails in Cambridge, UK for the creation of what could turn out to be WiFi networks on steroids. BBC, British Sky Broadcasting and BT are amongst the consortium members. The plan is to use the socalled “White Spaces” spectrum, which are basically the unused bits of spectrum between myriad UHF television channels. This spectrum is no longer needed as advanced nations have abandoned analog television broadcasting and gone all-digital. If the trails conducted under a close scrutiny of regulators in

WiFi networks soon to hit Asian market with India as a focus

Cambridge become successful, it might lead to other European countries allowing WiFi for mobile broadband networks on the “White Spaces” spectrum. Perhaps then other countries in

around the world

Asia region, including India, will also follow suit. With demand for net connected smartphones, tablets and other devices skyrocketing to new levels, there is urgent need for additional radio spectrum to take care of the connectivity related issues. The “White Spaces” spectrum is considered to be a good option as it can lead to WiFi networks that can work for longer distances and are not constrained by concrete walls. Once White Spaces spectrum is put in use for creating super WiFi networks, it will serve the purpose of alleviating pressure on overburdened mobile networks so that smartphone users are not plagued by dropped calls and slow Web connections.

quIck Byte

Apple Might Dump Samsung For TSMC The ongoing legal dispute over patents between Apple and Samsung has now started affecting their business ties. According to sources, Apple is now seriously considering the idea of dropping Samsung as a vendor for the next-generation of A6 processors that will go into iPhone, iPad and many other devices from the company. It is rumoured that Apple will have partnership with Taiwan Semiconductor Manufacturing Company (TSMC) to outsource chip designing for future devices.

warren east, ceo, arm holdIngs talkIng aBout hIs company’s plans For Future growth

“We have a huge share in smartphones and tablets. Now we would like to expand into digital TV. We are trying to build small chips for digital TV”

j u ly 2 0 1 1 | itnext

update

Entire IT Sector will have Impact from Cloud Tech Trends | IDC/IDG con-

interview sATish joshi Global Head, Product Engineering Services, Patni Technologies

badly while making a transition to the cloud during the next three years. Half of the respondents felt that by that time security issues would be addressed convincingly. This would lead to a major acceleration towards cloud space by 2015. The segment of mobile optimised cloud service will also witness phenomenal growth.

Enterprise Software Revenue up by 9.5% in 2011 Poland, India, China and Brazil,less nexT connecT | Worldwide enterprise affected by the latest economic software revenue is on pace to surpass downturn, are expected to heavily $267 bn in 2011, a 9.5% increase from invest in enterprise software revenue of $244 bn in 2010, according initiatives in the next few years to to Gartner, Inc. The enterprise softbuild IT infrastructures necessary on ware market is projected for continued a global scale. growth in 2012, with revenue Enterprise software forecast to reach $288 bn. SoFTWArE rEVENuE spending in North America is â&#x20AC;&#x153;The market for enterprise To bE forecast to reach $121.2 bn in software continues to 2011, up from 2010 revenue of recover well following the $112.9 bn. In Western Europe 2009 downturn,â&#x20AC;? says the spending is forecast to billioN Joanne Correia, Managing by 2012 reach $78.3 bn in 2011, from Vice President at Gartner. source: gartner 2010 revenue of $70.3 bn. Emerging countries like

$288

itnext | j u ly 2 0 1 1

NEXT CONNECT: which are the top security challenges faced by you in the cloud computing space? Joshi: security-focussed design tasks include data leak prevention, data encryption to network/host security, vulnerability, patch management, etc. There is a need for strong identity management, access, policy management, and data sanitisation. which are the key applications you use/or intend to use through the cloud space? We have moved the internal applications to public cloud. our enterprise application portfolio which includes erP, finance, hr, project management and resource management, run in a virtualised environment even now. We have seen huge benefits from server consolidation, reduction on compute power provisioning time and elimination of downtime during physical machine upgrades. how do you rate the effectiveness of going in for virtualisation? We have achieved a server consolidation ratio of 12:1 for its iT infrastructure services and development environments and a ratio of 6:1 for production systems. it further reduced datacenter power consumption by 30 per cent, rack space by 30 per cent, server provisioning time from half a day to 30 minutes. From a services standpoint, we have helped our customers understand and choose the best from a myriad of options. by jitender singh

I llustratIon: BInes h sree dharan

The Survey reveals major acceleration towards cloud space by 2015

photo graphy: Jayan k narayanan

ducted a survey at the Cloud Leadership Forum, organised at Hyatt Regency, Silicon Valley on June 20-21. It shows that cloud computing will have significant impact on IT organisations, vendors and on the enterprises they support. More than 70 per cent of the respondents were of the view that a third of all IT organisations will be providers of cloud services to customers by 2014. One third of the Fortune 1000 enterprises would deploy at least one business critical system in cloud, according to 80 per cent of the respondents. Almost 80 per cent of those surveyed stated that by 2015, some of the most powerful players in the industry could be those who have strong foothold in the cloud service segment. It is possible for some who are doing well today to stumble

update

Violent Video Games Qualify The law to ban the sale of such games was passed in 2005 by the state of California

Tech Trends | There is no dearth of

video games that are too violent for kids. But can such games be banned for sale to kids in USA? The state of California wanted to have a law banning the sale of such video games, but the US Supreme Court has ruled that any such ban would violate First Amendment free speech rights, and hence was unconstitutional. The court voted 7-2 against the law proposed by the state of California, with justices Clarence Thomas and Stephen Breyer dissenting. The opinion written by Justice Antonin Scalia said, “Video games qualify for First Amendment protection. Like protected books,

bloG

the death of lulzsec lulzsec has reached the end of its lifecycle. The notorious hacker group, whose activities have created havoc on the internet during the last few months, has suddenly announced that it is dissolving itself. The announcement was made on the Twitter account of lulz security. no reasons for the disbandment were given, but according to sources, the move is a result of increasing pressure from law enforcement agencies. The pressure could also be from rival hackers, who seem to have joined the hunt, and have started posting information that could help in identifying the sex member lulzsec group. only few days ago a teenager in britain had been arrested on the charges of being connected with one of the group’s attacks. on its part the lulzsec group has been saying that there is nothing strange about their intention to dissolve the group, as they had always planned this to be a 50-day hacking exercise. during the days of rampage on internet, the lulzsec group was responsible for taking down government sites, compromising Web servers, posting police files and consumer data to the Web, and taunting a host of gaming companies and others.

IBM saved $50 Mn usIng green energy

IBM has already surpassed Its goal of reducIng carBon eMIssIons by 16.7 per cent from 2005 to 2012

In its new corporate social responsibility report, IBM says that it has saved $50 mn in the past two years by taking recourse to thousands of energy efficiency projects. These green initiatives include efficient lighting and better operating schedules for moving to cloud. IBM aims to eliminate 1.1 mn (mwh) of energy use by 2012. It intends to reduce carbon emissions by 12 per cent by 2012. 12

itnext | j u ly 2 0 1 1

IllustratIo n: ano op pc

NEWS @

plays and movies, they communicate ideas through familiar literary devices and features distinctive to the medium.”The decision went on to say, “The State wishes to create a wholly new category of content-based regulation that is permissible only for speech directed at children. That is unprecedented and mistaken.” Joining Scalia’s objection Justice Sonia Sotomayor asked “Could you get rid of rap music?” as the lyrics “talk about killing people.” The law was passed by the state of California in 2005. Since then the law had already been invalidated by a pair of lower federal courts, and now the US Supreme court has also rejected it.

tech trends

photo graphy: Jayan k narayanan

update

j u ly 2 0 1 1 | itnext

from leftBharat Panchal, Head, Risk Management, National Payments Corporation Of India Vishal Salvi, CISO, ISG, Information Security Group, HDFC Bank Ravish Jhala, Systems Manager, Trident Hotels Shirish Dandekar, Head, IT, Tata Teleservices Ltd

itnext | j u ly 2 0 1 1

iT Security Special coverstory | overview

The ne w

Men in

Black

Securit y with ne chiefs arm th em w risks f tools to com selves rom an bat the i n c interco r nnecte easingly d worl d by N g e e t ha P h oto g r a P

h y : J it e N

ga N d h i

im ag iN g : a

N il t

j u ly 2 0 1 1 | itnext

iT Security Special

photography: Jiten ga ndhi maging: shigil n

cover story | overview

he refrain that ‘an organisation’s information or data security can only be as strong as its weakest link— the people’, has now percolated across the entire IT establishment. Only a while ago the idea of IT security used to be taken for granted by most management, but that has now changed. Today, issues related to IT security are hotly debate in corporate boardrooms. The change in attitude towards IT security is also a result of the instances of information leakage or data loss that have caused widespread losses in the past. Lessons learnt from such incidents have led to a redefining of the IT security policy. The evolution of the recent security policy framework prescribed by the Government of India under the IT Rules, 2011, to protect personally identifiable information or PII from being compromised, is a testimony to this effect. This law came into effect from April 11, 2011. IT security landscape is undergoing a metamorphosis in its treatment and understanding. The need for regulatory compliance and the emergence of increasingly sophisticated security threats, both from inside and outside the organisation, make it imperative to have a better security regime in place. IT Next embarked on a study to seek insights into various trends evolving in the security landscape. The aim

was to discover how chief security officers of various organisations are trying to prevent cyber crime: What kind of security practices are being put into place? What new tools and technologies have been deployed as a counter measure? Some of the insights that we have received come in the form of write-ups of security heads by describing their experiences in handling security related matters. We also have case studies on how the industry verticals like banking, government, insurance, telecom and retail have evolved their security methods.

Changing trends The modern hacker is much more sophisticated and he has many more ways of accessing secret data. Ambarish Deshpande, Director-Sales, McAfee India sees Web 2.0 as a relatively open system in which it is easy to expose or lose data. That is why newer security technologies like web application firewalls, intrusion prevention systems and web security technologies are important. “Mobility factors have led to increased data leakage, because of which security heads have started deploying enterprise mobility management tools,” says Deshpande.

“In large enterprises where a number of critical legacy systems and specialised devices are used, integrating logs from the required data sources to SIEM is a challenge” Sunil Varkey, Head, Information Security, Idea Cellular, Aditya Birla Group

itnext | j u ly 2 0 1 1

“Since Biometrics relies on physical characteristics, it is considered to be more secure and is frequently deployed as a single-factor authentication”

According to Ajay Goel, Managing Director, India & Forrester Research finding, based on a survey conducted SAARC, Symantec, consumerisation of IT has been the key amongst IT managers that stated that 75 per cent of the IT driver to evolving newer security concerns, as 70 per cent managers were concerned about the security risks emerging of the Indian enterprises witness growth in smartphones, from mobile devices. Phua goes on to say, “About 40 per connecting to the network, the primary cause of data leakage. cent of the IT managers said that they allowed or supported “Mobility aspect is leading to greater security threats, as Windows mobile, iPhone and iPads. IDC expects Android 10 bn non-PC devices connect to the internet today and that smartphone market share to increase from 16.3 to 24.6 per number is expected to grow to almost 20 bn by 2014. Besides, cent between 2010 and 2014.” collaboration in enterprise too is following the consumer While the threats are increasing exponentially and are route, as enterprises leverage social media for effective escalating the challenges faced by security heads, it is critical communication,” informs Goel. to understand if IT spend is keeping pace. The three major security trends that Kartik Shahani, Country Manager, RSA India & SAARC, observes are: Security Spend security for cloud in a virtualised environment, data loss Gartner opines that the organisational security spend is spiprevention and evolving threats that will drive advanced r a l l i n g , thanks to the proliferation of varied devices and security measures. According to him, methods used in investigating and neutralising invisible authentication, a fine-tuned threats. Matthew Cheung, Principal Research T Indian I technology to provide users with Analyst, Gartner, says that every aspect of the security secure, simple-to-use internet identities infrastructure, be it endpoint, network, email, spend to and adaptive authentication tools, is in other applications, etc., are prone to security reach demand for fraud detection that monitors threats and the traditional tools are unable to and authenticates customer activity based meet the requirements. There is no compreon risk levels, institutional policies and hensive tool available. However, according to customer segmentation. Cheung, the global IT security spend, which y b n As a trend, Clarence Phua, Director, stands at $16.5 bn in 2011 is estimated to reach millio 15 Sales for ASEAN & India, Sophos, finds 0 $26 bn by 2015. This will have a cascading 2 smartphone security to be the leading effect on Indian markets. He estimates the IT er rtn concern among IT managers. He quotes the spending amongst the Indian organisations source: ga

$307

j u ly 2 0 1 1 | itnext

photog raphy: s. ra dhakri shna imag ing: bi nesh s re edharan

Upasna Saluja, operational resiliency manager, product, infrastructure risk management, investment & advisory, thomson reuters

Security e applianc o t t e mark h c u o t

per cent standing at $130 mn in 2011, with to be to the tune of $167 mn, which is foresoftware product market enjoying a 59 per casted to move up to $307 mn by 2015. cent market share. “The security appliance About 40 per cent of this market will be market is growing at a CAGR of 20 per cent, enveloping security services related spend. which would account for $62 mn. This is likely Interestingly, Cheung admits that UTM bags 2011 millioncein to cannibalise the security software market,” a larger share with 22 per cent in the enterprise sour : idC says Singh. The IT spend as per Singh’s security space. Endpoint solutions will stand analyses is around $292 mn and it is more on at a 10 per cent of the market share. The rest of software solutions deployment. He finds identity and access the spending might get spread across various management gaining momentum with 79 per cent market other solutions, which could be network related, application share. “SCTM (security control and threat management) specifics tools, etc. “There is increased deployment of DLP which envelopes ID and access management, vulnerability (data loss prevention) solutions by organisations to address tools and various other applications is gaining ground,” compliance and data privacy concerns,” says Cheung. maintains Singh. He estimates that endpoint solutions are Arun Kumar Singh, Lead Analyst, IDC, vouches that growing at 13 per cent, network security market at 12 per cent IT security is a hot market today as they are driven by growth, UTM growth at over 20 per cent, IPS at around 18 per three factors. “The first factor is that as large enterprises cent and applications security layer such as email and other adopt social media applications, and also provide mobility web-based market is growing at 39 per cent. features, implementing cloud applications, public and Vic Mankotia, Vice President, Solution Sales, CA hosting models, they end up having a system in place that Technologies, explains that consumerisation of IT is leading might facilitate data leak or loss. The second factor is the to many customers opting for security of Identity, Access, increase in threats on a national level, which might result Authentication. Mankotia finds banking and finance to be in financial and human loss. The third is related to the the top spenders in security, while healthcare, telecom and financial sector bound by the compliance and regulatory power sector trail behind. mandates,” informs Singh. According to him, market About 80 per cent of security heads across various industry consolidation in the security space, with mergers and segments, who participated in the IT Next security survey, acquisitions between hardware and software players, is seem to be spending to ensure business continuity and disaster redefining the security roadmap. recovery. Over 60 per cent have inclination towards spending There is traction in web-based tools such as content due to internal policy, compliance and for other reasons. Kamal management applications, anti-spam and compliance. Sharma, Group CIO & Head-operations, Mindlance, finds that Singh finds security market growing at a CAGR of 16

photography: Jiten gandhi maging: anoop pC

$62

“Pay as you use concept is being tried out by most companies as one can focus on the core business and leave technology to the vendors” Suresh Menon Ceo, sme infotech

itnext | j u ly 2 0 1 1

iT Security Special cover story | overview

“The risk assessment checks have helped in identifying the gaps in the current security state as compared to the requirement” Mehriar Patel, CIO, Globus

of transactions in compliance with international standards,” informs Dr K N Ingalagi, Chief Manager, MIS, Bangalore Metropolitan Transport Corporation (BMTC). According to Bhaskar Bhakthavatsalu, Regional Director, India & SAARC, Check Point, 3D security framework, which re-defines security as a three-dimensional business process combining policies, people and enforcement for stronger protection across all layers of security, is now gaining popularity. “To achieve the level of protection needed in the 21st century, security needs to grow from a collection of disparate

his customers might be prone to cyber threats in a big way. Sharma expects government spend on the security tools for its e-governance projects to go up, because there exists room for data leakage. “I see a good jump of 7 per cent in spending by the pharma customers. It is estimated that BFSI stands at 37 per cent market share in terms of spending in security deployments,” says Sharma.

Solutions at Play

Information and Event Management (SIEM) tool being the core of any security incident response centre, helps in identifying the right security solutions for business requirement. “For large enterprises which use critical legacy systems and specialised devices, integrating logs from the required data sources to SIEM is a challenge,” says Varkey. Availability of out-of-the-box connectors to integrate the logs or the flexibility to develop required connectors is important. PSUs such as BMTC are conscious of the safety of their infrastructure and data. BMTC spends almost Rs 1 crore on security deployments, and the procurement is made by following the procedures laid down by the state government. “BMTC is introducing common mobility card to ensure safety

technologies to an effective business process. With 3D Security, corporations can implement a blueprint for security that goes beyond technology to ensure the integrity of all information,” informs Bhakthavatsalu. Another innovation that Bhakthavatsalu points out from a security platform standpoint, is the software blade architecture, which enables organisations to easily and efficiently tailor their network security infrastructure to meet critical and targeted business security needs — all the while maintaining network performance service level agreements (SLAs). Upasna Saluja, Operational Resiliency Manager, Product, Infrastructure Risk Management, Investment & Advisory, Thomson Reuters, recommends the use of biometric

j u ly 2 0 1 1 | itnext

photo graphy: Jite n gand hi magi ng: s hig il n

Most security chiefs intend trying new ways to address their specific security needs. Information security management framework, which centres on information assurance, risk management and information classification, seems to be most popular amongst the CISOs. Besides, risk evaluation tools such as SIEM or other standards have been extensively used. A methodical approach is being taken to address the security concerns with appropriate tools and standards by the security heads. Sunil Varkey, CIO, Idea Cellular, Aditya Birla Group, opines that Security

iT Security Special

photography: s. radhakrishna imaging: binesh s reedharan

cover story | overview

solutions that are the panacea to all access control problems. “Since biometrics relies on physical characteristics, it is considered to be more secure and is frequently deployed as a single-factor authentication. However, the trend is moving towards two-factor authentication scheme, in which a PIN or password is provided for better security,” points Saluja. As per IT Next’s survey, over 90 per cent of the security chiefs have deployed firewalls and anti-virus tools; over 50 per cent of the security officers have deployed tools for policy control and SSL (secure sockets layer) and user access control; over 40 per cent of the CISOs have been using User Access Control (UAC), Data encryption and Network Admission Control (NAC) solutions. The study indicates that there is a huge potential for DLP, disk encryption, GRC (governance, risk and compliance), IDS, IPS solutions, which are all on cards. Abhilash Sonawane, VP, Product Management, Cyberoam, opines that with the emergence of borderless networks, organisations are conscious about confidentiality, integrity and availability (CIA) information. Customers are inclined towards using access controls, authentication and non-repudiating tools to meet compliance standards. “Not surprisingly, all the top software services companies, IT-enabled services companies, and BPO outfits are going in for security certifications like BS 7799 or ISO 17799,” maintains Sonawane. He does not fail to mention RBI’s recent regulatory guidelines to protect customer confidentiality and SEBI’s risk management framework for mutual funds.

“BMTC is introducing common mobility card to ensure safety of transactions in compliance with international standards” Dr K n ingalagi, Chief Manager, MIS, Bangalore Metropolitan Transport Corporation (BMTC)

itnext | j u ly 2 0 1 1

According to Vishak Raman, Regional Director, India and SAARC, Fortinet, customers are deploying standards such as PCI, SOX, ISO 27001, HIPAA, Advanced TCA and GLBA. “The challenge is with regard to commoditisation of products, resulting in price aggression and lower value per deal,” says Raman. Bikash Barai, CEO and Co founder, iViZ Security finds increasing adoption of application penetration testing tools, which assure zero false positives, leads to better performance in business terms. Harvinder S Rajwant, Vice President, Borderless Networks-Securty, Cisco Systems avers that the concept of a perimeter in an enterprise is blurring fast, and this has

iT Security Special cover story | overview

intensified the challenge of ensuring security across multiple access points. “The trend calls for the security heads to build protection with secure usage practices and policies in their risk management strategies,” says Rajwant. “Identity Based Networking Services (IBNS), an integrated solution comprising hardware switches, besides offering authentication, access control, and user policies to secure network connectivity and resources, also enables enterprises to increase user productivity, reduce operating costs, increase visibility and enforce policy compliance,” he informs.

Best Security Practices The CSOs/CISOs have put their best foot forward in adopting the best security management practices with effective standards in place. Various organisations that did not have a standard framework are investing into ISO standards, going all out to convince their top management. It is not just that, the CISOs are also ensuring that their outsourced partner too has such standards in place. For instance, the IT Next survey indicated that over 60 per cent of the security heads have ISO 270001 standard in place, while nearly 20 per cent have opted for TechNet and ISA. The study revealed that a majority of the customers would go in for new standards CSI, ISF, BS2599, etc., in the near future. As per the study, over 80 per cent of the CISOs have gone in for access management and majority have deployed intrusion management, patch management and content management solutions. There is increasing focus in the audit and assessment tools to ensure risk free environment. For instance, the banking segment has gone in for private cloud and is trying out SaaS model around deploying security solutions. Telecom sector is setting up SoC to achieve the return on security investment, besides introducing multi-factor authentication integrated with identity management and SAP-GRC solutions. Cloud and virtualisation are being tried out in a big way across manufacturing, FMCG, telecom and insurance sectors. Suresh Menon, CEO, SME Infotech, maintains that virtualisation and SaaS model is gaining momentum in the security space. “Pay as you use concept is being tried out by most companies, as one can focus on the core business and leave technology to the vendors. It will avoid the hassle of setting up a data-center and business continuity is faster in the event of a disaster,” observes Menon. Organisations are adhering to the National Cyber Security Policy and creating national level nodal agency on cyber security under CERT. The CISOs are putting in place a

key recommendations The Information Security Management Programme must be rolled out to meet compliance audits such as PCI-DSS or ISO 27001. Here are some of the key recommendations: Establish a comprehensive Information Security Management programme covering all aspects including people, processes and technology Establish and implement Security Systems Development lifecycle Policy and procedure to develop secure code for your web applications Regularly assess your internet-facing infrastructure for any vulnerability and fix them Conduct rigorous information security training for the entire staff Establish strong security policies, procedures and technical controls for mobile devices such as laptops, palmtops and other handheld devices use ‘Out of Band’ verification mechanisms to prevent against fraudulent transactions

national cyber alert system for early warning and response. There are local incident response teams at key locations. Interestingly, government is creating CISO post across department. There is a leaning towards deployment of open standards to work out an effective security framework. For instance, Mehriar Patel, CIO of Globus, has introduced a mechanism for risk assessment in order to design a new security framework and invest in user management and education for internal audience. “The risk assessment checks have helped in identifying the gaps in the current security state as compared to the requirement. It then helps in designing and implementing solutions to close those gaps and ensure ongoing conformity,” informs Patel. Felix Mohan, Sr VP & CISO, Bharti Airtel Ltd, has used cloud-based vulnerability scanning services, and is looking at such cloud-based services for securing web traffic and email against malware and attacks. “We are using virtualisation, which has introduced the requirement of security solutions that specifically address hypervisor risks, and virtual machine zoning, malware protection and firewalling, which traditional security solutions either fail to address or do so only partially,” admits Mohan. As a best security practice, Amit Nath, country manager, Trend Micro recommends that organisations ensure to keep their security policies updated with regular reviews to keep it in sync with quarterly performance objectives. “Regular scan for rogue or unknown access points or use of network management systems are critical, with change default management passwords and secure set identifier (SSIDs) on access points.”

j u ly 2 0 1 1 | itnext

g n i R u c e S the Retail k R o w net le festy i l d n he ion a fash lies t , f y o r z t hods ataz ndus e met tail i razzm s e i e r v h e f t d ark o tha who d Behin y N gee nals hallm b o i s e i s r t s tha secu rofe data f IT p l o a k c i r t i wo ep cr to ke

etail, the most glamorous industry, is firmly linked to fashion and lifestyle, but it also encompasses a rather sensitive aspect — data security. There must be a security system in place to enable employees to handle customer data without fear of leakage or misuse. Therefore, it is critical to create awareness amongst users about relevant security threats. To address various security objectives and challenges, retail IT heads have been putting a privacy policy in place. Many a chief information security officer (CISO) said their key priority is to safeguard confidentiality, integrity and availability of the company’s information. CISOs across the retail segment are aiming to build a foolproof security systems with a logical risk-based approach, using finite resources and definite timelines.

Security Priorities & Challenges For Globus’s Mehriar Patel, CTO & Head-IT, the challenge is to have an effective security framework to deal with malware and virus attacks. While for some others, the priority is ensuring good information security and business continuity

iTnexT | j u ly 2 0 1 1

governance through management support and stakeholder involvement. “The biggest challenge for some CISOs is to ensure that every employee joining the organisation is aware of the role s/he plays in keeping information secure. Half the battle is won when there is adequate awareness,” they say. Pertisth Mankotia, Head-IT, Sheelafoam Pvt Ltd, aspires for security against data leakage, data corruption, virus attacks, etc. The challenge, Mankotia feels, is to handle two kinds of security — physical as well as logical. Interestingly, Sheelafoam discovered several security loopholes within the system after a risk assessment by Ernst & Young. “We had to tighten our security measures with stringent policies and tools to prevent potential data leakage,” informs Mankotia.

Security Tools in Action But these threats have not deterred the IT and security heads in retail from investing in vital technologies and solutions. It was essential for them to review the security policies and procedures and bring in relevance with changing threat phenomena. “Some who revamped business continuity plan, implemented security information and event

it Security Special

cover story | verticals: retail other functionalities and checking if it supported the latest OS and all the devices,” informed Patel. Patel’s idea was to limit the access of critical data like finance, operation and marketing, to respective department heads only.

“We deployed UTM boxes, manageable multi-layer switches, CCTV cameras, etc., to make our infrastructure and data secure with appropriate passwords”

management (SIEM) solutions found the ArcSight SIEM evaluation tool has met their requirements in terms of log retention, compliance and threat management.” After the audit assessment, Mankotia’s task grew multi-fold and he went ahead to create separate DM zones for each of the product range, be it LAN, Servers, PPN, MPLS, etc. He created a secure policy framework around them. “We deployed UTM boxes, manageable multi-layer switches, CCTV cameras, etc., to make our infrastructure and data secure with appropriate passwords,” says Mankotia. With over 200 users accessing Business Intelligence application on mobile devices within the company, Mankotia has to deploy the best possible encryption tools. Globus’s Patel upgraded Sonicwall’s UTM tools to incorporate data leakage prevention systems, which give all levels of security on a single framework, and are also very manageable, so that information is easily accessible to different layers of the business. “It called for different phases of implementation process including problem identification, brainstorming with the vendor, deploying it without interrupting

Surprisingly retailers, who work on stringent budgets, have been spending on regular security audit. IT heads have been awarded budgets to deploy best of breed solutions. IDC too sees an increase in retail IT spend to the tune of 20 per cent. The retail companies have witnessed almost over 25 per cent business growth during the current fiscal year. As a best security practice, companies have rolled out ‘Hygiene Control,’ an awareness campaign to test and certify each employee, on where he or she stands in terms of adhering to security policy and procedures. Some companies are spending about 12 per cent of the total IT budget on security deployments. However, some It heads say that the best practices essentially revolve around the fundamental principles of Need to Know, Maker Checker concept, least privilege, sound documentation (do what you write and write what you do), etc. Amidst constraints, Sheelafoam’s Mankotia has invested around Rs 30 lakh on deploying UTM and manageable layer 3 switches to check data leakage and created 12 DM zones to ensure privacy. A risk assessment will be done to design a new security framework and invest in user management and education for internal audience. “These best practices help in identifying the gaps in the current security state and then designing and implementing solutions to plug them and ensure conformity,” informs Patel.

Going Forward Security heads look at data loss prevention as the key requirement while strengthening the control around software. Mankotia will opt for a DLP as an immediate need, and put a single signoff policy across functionalities such as ERP, BI and others. Others see DLP system, encrypted USB computing environment solution, as immediate needs. They also talks about tracking emerging trends around converging security platforms, cloud computing and virtualisation. Regulatory framework compliance also needs to be taken into account. Patel will focus on practices that centre on mobile security and virtualisation environment. Inputs from Megha Banduni Rai

j u ly 2 0 1 1 | iTnexT

Photog raPhy: Subho jit Paul | iMagi Ng: SuNeeS h K

Pertisth Mankotia, Head, IT, Sheelafoam Pvt. ltd

Best Practices

it Security Special

cover story | verticals: iNsuraNce

security. We also need to secure mobility, conduct risk and vulnerability assessment of web applications, and keep track of end point security and web server availability.”

he insurance sector has witnessed a sea change in the last two to three years. With Insurance Regulatory and Development authority (IRDA) as the key regulator, the sector has opened up to private players who have forged joint ventures with established financial institutions. New insurance products have become available, and a new model of conducting business has taken root in the online space and other channels. However, the growing competition and the increase in number of products have also resulted in certain information security issues that pose a challenge to the insurance industry. The Chief Information Security Officers (CISOs) in the insurance sector have clearly laid down their priorities for risk management. As insurance sector is privy to sensitive information, it is necessary to have stringent safeguards for protecting customer information. Parag Deodhar, Chief Risk Officer and Vice PresidentProgram Management and Process Excellence, Bharti AXA General Insurance Co. Ltd., identifies data loss prevention as his priority. His is working on strategies for securing data with new technology initiatives around internet, e-commerce applications and mobile computing. Vinayak Khadye, Chief Technology Officer India First Life Insurance company Ltd., agrees with his peer when he says, “Our thrust is on meeting compliance and regulatory requirements, minimise security related incidents, protect company assets and data

Security Challenges & Spending Evolution of Web 2.0 and mobility within the organisation have increased challenges for Bharti’s Deodhar, and this prompted him to go for internal audit and certification of the highest order. However, with the business growing at a very rapid pace and changes in the organisation with regard to people, processes, products and technologies, the vital challenge for Deodhar is to ensure control over confidential information including customer data. Vinayak Khadye of India First Life Insurance company, has to demonstrate the ROI on security solutions, besides training and educating the users on security issues and implement a security framework and policies that do not hinder business growth. “A plethora of challenges exist in data security, mobile device management, risk assessment and web server security and deploying right tools to address these is critical,” admits Khadye. The situation calls for increased investments. Springboard’s latest report shows that in terms of overall spend, industry-specific solutions dominate IT budgets of insurance companies, and include applications for claims management, policy administration, underwriting and sales. According to IT managers, insurance sector’s top IT investment priority is slated to be around deploying CRM solutions, web development of in-house solutions, adoption of SoA and telecom, voice and video over IP solutions. The IT

g n i R u inBYSSecuRing as or h t c e s ith nce ts w sura c n u i d e try o h w pr of t ndus i e p n e u h f ng hat t ew o peni a sl ats t n e i The o r d h etha t lte y N ge rity b u c r resu e e ts unt ndan must co atte

iTnexT | j u ly 2 0 1 1

“We have implemented email archival solutions on cloud: clean email and web filtering. The services will enforce email preservation and legal holds”

Solutions Meeting Security needs While the IT managers deploy the regular end-point solutions as a default, there are certain elements of security, which are focused on bringing in the necessary safeguards. For instance, Khadye made significant investments around deploying internet facing web application scan for malware, service alerts, application vulnerabilities and system vulnerabilities Security as a Service (Saas). Besides, designing and implementing of network and data centre, three-tier architecture such as network zoning, dual firewalls, redundancy, email and web security with McAfee SIG, establishing business continuity policy and a DR environment have been key security investments. Bharti Axa is the first company to go in for ISO27001 across all functions and branches — a significant deployment for its security head. The standard has helped Deodhar to bring in stringent security policy framework. However, the insurance sector is predominantly relying on email archival and cleaning and online security scan on cloud with multilayered security approach with no hardware, software and no operational costs. Some solutions pertaining to this sector, say security heads, include information rights management, virtualisation,

security, mobility security management, risk assessment and vulnerability assessment of web servers. The UID programme could also offer ways for identity confirmation and access management of end customers.

Security Best Practices A start-up such as India First has opted to go the cloud way. Khadye says, “We have implemented email archival solutions on cloud clean email and web filtering. The services will enforce email preservation and legal holds, accelerate legal discovery and HR enquiries, and quick response to audit requests using advanced search functionality.” Web filtering according to Khadye monitors and controls all web content, provides real-time scanning of requested web pages, protects from web-borne malaware, deploys multi-layered defences against new and known malawares. Deodhar has set up a good training and awareness programme, which takes of from the point where an employee gets inducted. “We also have a global security team which interacts regularly with CISOs across group companies through a formal security exchange programme. A global SOC further helps monitor and manage incidents proactively,” he adds.

insuring the Future As a standard, most security heads have set the agenda to go in for ISO 27001 implementation and certification. The priority across companies would be to enhance end-point security management by implementing data loss prevention, IRM, identity and access management, data encryption, load balancing eBusiness and mobile computing security tools. A database activity-monitoring tool is also the need of the hour.

j u ly 2 0 1 1 | iTnexT

Photog raPhy: jiteN gaNd hi | iMag iNg: S uNeeS h K

spends in the BFSI segment is expected to grow to $2.7 bn by 2013, with a CAGR of 14.2 per cent, with the insurance sector being a prominent contributor to the same. The security related budget in the insurance space is at par with the industry standard. Khadye maintains that the total IT security budget for the year at India First, which has a capital base of Rs 455 crore, is about 5-7 per cent of the total IT spend. Bharti Axa, for instance, spends about Rs 8 to 10 lakh on certification and auditing for its teams. According to Deodhar, an approximate amount of Rs 30 lakh is spent on procuring standards to streamline processes and polices and the IT investment is quite high.

Vinayak Khadye, CTO, India life Insurance Co ltd

m o c tele

S e h c u o v ta SafetY da

ing andl h d . To arte s st data a r h e y , IT str nsum aion indu f co m m o r o o e c f h gele lanc le in uttin a b c v a The t f a u o l tual ost is va a vir yah d th o etha r l a g p u g yN e b t de s s safe u tion rts m solu e expe g d e

s the telecom services industry shifts from being a purely voice-oriented sector to a databased revenue model, it has to gear up to face various risks along with the possibility of escalation in fraud cases. The security policy and framework in this industry needs to undergo a seminal change. Given that there are 742.12 mn telecom subscribers in the country, there can be no dearth of challenges that the telecom segment faces. The task of handling the data of so many consumers is, by itself, exceedingly complex. The telecom providers are bound by the IT Amendment Act, which mandates ensuring privacy of customer information, which if breached, entails a penalty of up to Rs 5 crore. In such a scenario, the security challenges for the service providers are immense.

Priority Area The CISOs have their security priorities laid around managing risk of third party and outsourcing activities. They must also have comprehensive data security, the ability to manage third party-related vulnerabilities, and be able to meet internal and external compliance requirements, such as UASL license conditions, and all the IT Act and Rules. For Shirish

iTnexT | j u ly 2 0 1 1

Dandekar, Head-IT, Tata Teleservices Ltd (TTL), the increasing risks from outsourcing activities, given that the entire IT is outsourced to a third party, is a major challenge. There is risk of data loss due to vulnerabilities through new routes that might damage the organisationâ&#x20AC;&#x2122;s reputation. While, enhancing organisational security culture and awareness has been the top challenge for Felix Mohan, Sr VP & CISO, Bharti Airtel Ltd. He must grapple with issues related to things like growing consumerisation of IT, increased user-base in the organisation and the risks arising out of virtualisation and cloud computing.

Solutions that Help As Airtel migrates to a data-based revenue model from being a voice-based one, Mohan opted for a host of advanced security solutions. â&#x20AC;&#x153;We operate in 13 circles in the country and have 29 certifications including ISO270001, and we carry out periodic stringent audit by BSI to assess our security framework,â&#x20AC;? says Mohan. The key implementation for Airtel has been the adoption of BS-25999 certification across seven circles. Now it is in the process of extending this certification to other circles, besides implementing enterprise wide LAN zoning. Mohan says that it does not make sense to repose too much trust in a mediocre solution. He has framed strict SLAs with IBM. He also carries out on-site security reviews of part-

it Security Special

ners and makes it compelling for them to obtain Type I and spends about 5 to 10 per cent of the IT budget on security Type 2 SAS 70 certifications. Airtel has ensured end-user deployments. Airtel’s Mohan opines that on an average security through implementation of comprehensive IAM, about Rs 60 lakh is required towards certifications and it is including single sign-on, network access control (NAC), a recurring cost. “For instance, the BSI standard audit cost IPSec, VPN, two factor authentication, endpoint security and per day would be about Rs 20,000, to just look at peripheral DLP at gateway and endpoints. Security awareness and trainapplications and one can assess the total cost of audit or ing is also an on-going initiative here. assessments,” informs Mohan. However, the security heads TTL’s prime task was to set up security operations centres are encouraged by the telecom services growth in the Indian (SoC) to achieve the return on security investment, which market, which IDC has estimated to be around $57 bn by 2012. runs into a few crores. Dandekar has implemented multiTo ensure that the customer data is well protected, factor authentication solution to control fraudulent activities Dandekar has signed up a master agreement with the and segregation of duties within applications by integrating identity management solution with SAP-GRC. He had to deal with increasing complexity of “I could IT infrastructure, multiple threat foresee better vectors and demand for a uniform information security and single view. Besides, concerns around improper implementation incident management of access controls, users granted with zero or less with conflicting and overlapping business disruption” privileges resulting in fraudulent activities causing financial and Shirish Dandekar, reputation loss, prompted him to go Head IT, Tata Teleservices ltd in for risk certain evaluation tools. Another problem area for TTL was diverse user-base comprising employees, business partners and government agencies connected via different networks including PDSN, broadband and intranet. Dandekar zeroed in on deploying SIEM tools from RSA, VPN based multi-factor authentication technology, identity management, governance risk and compliance from SUN and SAP-GRC. To implement them, he had to integrate complex and heterogeneous network with SIEM solution and customise as per TTL’s requirements. Ensuring stability of product was important, besides noncompany’s outsourced partner TCS, with proper background availability of details in applications like role description, verification carried out and regular perimeter assessment user details, etc., and technical challenges of integrating check done at service provider’s onsite facility. non-SAP applications with SAP-GRC solutions could not be ruled out. Despite resistance from business users during What’s in Store initial stages and adhering to deadlines, Dandekar and team For the Rs 67,000-crore TTL, which has just gone in for saw the benefits. “I could foresee better information security ISO27001 certification standard and will be extending it to incident management with zero or less business disruption; other business streams to develop a security policy frameimproved user satisfaction; secured access to IT users; work. Mohan observes a trend of integrating DLP, DRM reduced fraudulent activities and significant costs savings and content management solutions with endpoint security through leveraging of existing IT investment and technology and encryption and says, “Cloud security solutions based with reduced time and resources,” Dandekar says. on robust IAM and encryption technologies are emerging.” CISOs have been making significant investments into Airtel plans to deploy DRM, mobile security, data base IPS, new technology deployments and standards to streamline enterprise encryption and data masking tools in future to the policy framework. According to Dandekar, the company bridge the security gaps.

j u ly 2 0 1 1 | iTnexT

Photo graPhy: ji te N ga Ndhi | iMagiNg: SuNe eSh K

cover story | verticals: telecom

it Security Special

cover story | verticals: baNkiNg

here is an ongoing debate on whether IT related services should be delivered or managed within the bank, or should it be outsourced. Banks are expecting the outsourced service organisations to understand their business and bring in the relevant changes. The RBI mandate to appoint CIOs and steering committees on information security at the board level is, thus ,a welcome move. Analysts such as KPMG point out that the unique aspect about information security in banking industry is that the security posture of a bank does not depend solely on the safeguards and practices implemented by the bank. It is equally dependent on the awareness level of users and quality of end-user terminals. When it comes to computing on the cloud in the Indian banking sector, CIOs restrain themselves from embracing

ulatory compliance also poses a challenge. RBI has issued guidelines on the issues of information security and IT governance. It has dwelt upon the controls that a bank should have in place before putting data on the cloud. The idea of third party managing entire regulatory procedures, audits and certifications, is deterring banks from moving to the cloud. Prasad C V G, CIO of ING Vysya Bank puts security as their topmost priority, adding that the bankâ&#x20AC;&#x2122;s focus is on compliance with new RBI Information Security Guidelines. However, there is a gradual migration towards third party players when it comes to managing and monitoring of security services and this might pave the way for adoption of cloud security. For instance, ING Vysya has a 24x7 security monitoring service by third party vendor. Yusuf Lanewala, IT consultant to various banks such

R a e f S Bank ta a d k S i to R as s, sa e c i v ser data r of loud c a e e f t a the loud priv , as lic c s for b t t u s p p o so n to ave c bank i rai atio to s r a g i NduN o a m s b s a d er an m eg h hind s by e c i v loss ser

this new technology, as they intend to keep their sensitive data secure. Questions like where is my data, who can access my data and whose responsibility is security when data is in transit between the cloud provider and the end user, etc., are some of their concerns. Other challenges revolve around regulation, location of the cloud, liability and recoverability in the cloud.

Challenges & Recommendations The biggest challenge in front of IT managers in the banking sector is addressing the risk of sensitive data being leaked, misused, or even misplaced when placed in the cloud. Reg-

iTnexT | j u ly 2 0 1 1

as Saraswat Bank, Abhyudaya Bank and Punjab National Bank, identifies three key challenges facing IT heads: first is the cyber laws, which he feels are weak and difficult to enforce; second is the ineffective data privacy laws and the third is the poor data secrecy laws. He also says that many banks, especially the smaller ones, do not have effective IT security policies and practices in place. Vishal Salvi, CISO, ISG, Information Security Group, HDFC Bank, says, â&#x20AC;&#x153;The key challenge is to build security designs around the cloud. Understanding migration from one environment to the cloud is another area which should be considered.â&#x20AC;? Rakesh Sinha, Director of Banking & Capital

Markets, Microsoft, says that it is not only necessary for banks to go in for the highest security controls, but also have their systems audited by external agencies. Sinha favours imposing monetary penalties on cloud service providers in case of a breach of information, while Salvi believes that banking sector would be the last one to opt for public cloud computing. However, Sinha says, “Indian banking IT heads are showing great interest in cloud computing.”

“SaaS has gained acceptance amongst Indian banks, as it allows full control over the data unlike the cloud” Prasad C V G CIO, ING Vysya Bank

Private Cloud Takes the Lead bills, etc. Managing data centres also requires large teams. These are the factors that are forcing banks to look at the cloud.” He adds that public cloud offers obvious benefits such as pay per use model, data backup, economies of scale, SLAs and the user company need not invest in infrastructure.

Banks Look at Virtualisation & SaaS If we look carefully, virtualisation and Software as a Service (SaaS) are the underlying elements of cloud computing. There has been prominent adoption of these two technologies in the BFSI segment. Lanewala says that several banks have adopted SaaS; most notably Regional Rural Banks (RRBs) attached to SBI and several small cooperative banks. “There are several IT services vendors providing this service with software and data centre infrastructure being owned by the vendor. Banks pay either a per transaction fee or as per location fee for the basic CBS service and an additional fees for various add-on services. Other cloud-based services such as Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) have also been adopted by a couple of banks,” he adds. ING Vysya bank uses next-level virtualisation for its core production systems. Says Prasad, “SaaS has gained acceptance amongst Indian banks, as it allows full control over the data unlike the cloud.”

The Bottomline Most suitable model for a bank could be a combination of the internal cloud and the public cloud. Internal cloud could be used for all sensitive and critical data and the IT team can have the entire control and accountability. Public cloud can be used to manage non-critical data. Of course, in both the cases it is important that security aspect be taken care of. Private cloud seems to be a good option for the short-term, but in the long run, as the data explodes, it will become impossible to manage.

j u ly 2 0 1 1 | iTnexT

Photo graPh y: S. radhaKriSh Na | iMagi Ng: SuNeeS h K

While scepticism prevails with regard to adoption of public cloud with data security being the prime concern, private cloud adoption seems to be on its way. Says Sinha, “Cooperative banks, as well as a few big banks, in India have been using hosted services for a long time now, which is very similar to private cloud. Advantages of having a public cloud is that the service is offered by renowned big players like Microsoft, Google, Amazon and Force.com, so the client gets a guaranteed and assured service levels. They typically have greater controls for data security.” On the other hand, Salvi believes that banks are more comfortable opting for private cloud. “In private cloud, virtualisation is the key element and banks have been adopting it for quite some time now.” We cannot ignore the key benefits that a public cloud can offer says Sinha. “Most Indian financial institutions have their data centres located in Mumbai. This entails a substantial increase in costs due to real estate, electricity

t n e m n R e v go

S n e t h g i tSecuRitY fence

are that s t e r ec but sts, y to s e v i r r e p t y ial in s are is wh nanc That ment i t . f y r s t a ’ i n p i ation secur gime nt de the n ty re rnal rnme i o e e r t t v u n c o d i e e G ink ed to f IT s nly l proo relat l tha s o r not o o e y N gee att b eaf m v a s o h e t circl ve to also erati ment p n r m i e v s go it i

raditionally the government is considered to be the most conservative in deploying new technologies. Not anymore, as the government machinery can illafford to not update its IT security. Given the fact that government funding in all sectors of IT have risen, as a corollary, so should its spend on security. The recent ruling under the IT Rules Act, 2011, advises security heads to protect customer data and prevent leakage. It has increased the pressure on the CISOs, who now must tighten the security perimeters by deploying state-of-the-art technologies.

ware, internal and external threats, vulnerability and patch management related tools,” says Satya, adding, finding new ways to handle them ups the problem. The core objective of Bharat Panchal, Chief Information Security Officer, National Payments Corporation of India (NPCI), is to consolidate and integrate the multiple systems with varying service levels into a nation-wide, uniform and standard business process for all retail payment systems. “As per the RBI regulations, security is one of the important pillars of our nation’s payments system. It gives confidence to stakeholders if the payment systems can be trusted,” says Panchal. The challenge for him is that despite the best Serious about Security technology and the best brains working with him, the causal Like most industry verticals, the CISOs at various government at t i t u d e of customers makes the security lax. At times departments and organisations have strict priorities — securcustomers carry their username and password in ing infrastructure and data — and related the card jacket itself, he informs. challenges. Satya Voleti, IT security Dr Ingalagi, Chief Manager, MIS, Bangalore specialist, Civil Supplies Department of Metropolitan Transport Corporation, Andhra Pradesh, regards the securing Government of Karnataka, classifies his security of assets related to sensitive business priorities around hardware, software and data, information a priority. He has a system C P n o which need prevention from theft, fire, damage, in place to identify and protect sensitive n o t s misuse or abuse and, or virus attack. and critical information assets. There is device also an effort to create awareness about connect security related issues in management Securing the Fence eb to the w circles and amongst users. “There is a conNPCI has identified the myriad risks in paystant challenge with increasing spam, malment systems, and efforts are on to use best by 2014

20 bn

iTnexT | j u ly 2 0 1 1

it Security Special

solutions from varied vendors to work information security controls, we are also working on how to out a robust security framework. integrate our network and security events/logs to a solution Despite not being very IT savvy, to get deeper knowledge on the security events or incidents,” BMTC’s Ingalagi has deployed endpoint says Panchal. solutions, such as, anti-virus and BMTC has allocated Rs 1 crore towards addressing firewalls. He has also blocked certain security issues and deploying relevant technologies and sensitive websites. “User awareness and tools. “The problems are localised and attended by the staff staff training is important for IT security. deployed and in case of unsolved problems the agencies are Prevention of data leakage is key for us,” contacted,” says Ingalagi. informs Ingalagi. Satya Voleti followed a Secure Future systematic approach Springboard Research, the for securing the market research and advisory infrastructure firm, estimated that the IT “There is a constant by designating spend by India’s public ke y people sector will be to the tune of challenge with to take on the onus of $5.1 bn this year. increasing spam, protecting critical and sensitive The report notes information assets. He prepared that defence, public malware, internal and and distributed the user safety, and taxation and external threats” code of practices, while also finance round up the list of implementing patch management top three segments. About Satya Volelti and endpoint security using best of two-thirds is controlled by Department of Civil Supplies, AP breed solutions from Microsoft-WSUS, the central government, with Nokia Check Point firewall, and Symantec states and local governments anti-virus corporate edition. accounting for 22 per cent and 11 per cent respectively. Ingalgi plans to introduce common mobility card for Best Way to Security the users at BMTC while Panchal has introduced cloud The process has been to implement secure IT policies and services like email management and is in the process of procedures. There is a system of standardisation of software, setting up a new data centre in which virtualisation is hardware and network. Network vulnerability assessment important to ensure optimisation of resources without tests, awareness sessions on IT security for all the busisecurity challenges. ness users including the senior management is NPCI is operating National Finance Switch (NFS) also a must. For instance, Satya’s department and Interbank Mobile Payments Services spends about Rs 20 lakh on an average on (IMPS) at present. “We have deploying security systems. The best pracalready launched “RuPay” tices according to her would be to identity, and “AADHAR (UID) enabled evaluate and recommend security solutions card for people to conduct and technologies. transactions in a more secure Panchal is currently working on Data manner. In times to come, these Loss Prevention for internal usage systems will play a bigger and re-enforces SOC with more role in all aspects of online technology and resources. payments in the country,” “With about 8 to 10 per cent says Panchal. of the capital budget going into Satya is keen on deploying web-based applications around security and take IT security to the next level. Surely, security is a common concern for all players — public or private.

Photo graPhy: a Prabh aKar rao | iMag iNg: S uNeeS h K

cover story | verticals: goverNmeNt

t n u a l f h wittih

p l d

t etec d d l cou ion miss that s n n o a i tr ate olut e and eby neg s ras u o f d ed her ise uni nd t look nauthor andh a b t , a n n h a g u iz tio me Cogn vent the informa ch by a e r e l b a pr ata enti and of d nfid y o t i c bil of ossi the p

ata leakage is intolerable to any organization. Cognizant, in particular, is extremely sensitive to protecting its critical data. The company adheres to the various industry related regulations and the compliance mandates. We spoke to Satish Das, CSO and AVP-ERM of Cognizant, to have his views on the challenges and benefits of deploying the DLP product.

The Need for DLP

leak prevention technology analyses the content, classifies the data and decides whether the data needs to be protected. It can then automatically enforce a pre-determined data protection policy. The idea of meeting compliance regulations was one of the key drivers behind the DLP implementation at Cognizant. The regulations require that specific types of data must be protected and there has to be a system of controls to ensure that requirements are met on an ongoing basis. “This is also an opportunity to raise awareness about the value and proper use of sensitive information,” says Das. “We can reduce risk by learning where valuable information is located, how and where it is being moved, and the level of risk it represents.” In addition to preventing

A data breach incident can lead to loss of critical proprietary intellectual property of the company. Such incidents have the effect of causing damage to the brand. A data loss can also leads to lawsuits. Then there is the issue of meeting the industry related regulations, compliance mandates and state and federal regulations. All these facts make it necessary for a company like Cognizant to have a DLP initiative. The primary requisite of a DLP is to identify sensitive data or content that is critical to an organization, so that the security can be carefully of IT targeted. Explains Satish Das, “Data breach s use a Man ger incidents generally occur when workers are tion DLP solu performing everyday tasks, such as sending e-mail ess to addr that inadvertently contain sensitive information. y it r secu When this happens, a DLP product should be able to flag the content for sensitive keywords and fingerprinted documents or data structures. This is how such a system helps us in mitigating the risk of data leakage.” He further explains that once flagged, data-

39%

iTNexT | j u ly 2 0 1 1

IT Security Special

cover story | CASESTUDY: Cognizant

Pre-implementation Process Choosing the right vendor is often the key factor in the implementation of an IT solution. Cognizant was looking for a vendor who could deliver a DLP solution that was capable of meeting their business requirements. The vendor evaluation process was focused on elements such as Monitoring, Prevention, Centralized Management, Backup and Storage, Ease of Integration, etc. Next step was to design and standardize a framework for fingerprinting sensitive artefacts that are present in the enterprise. The company wanted to define and design policies across business domains. Once the framework was designed, the company decided to follow a phased approach of the DLP implementation, by starting with a detective mechanism of

the policies rather than a preventive mechanism. This strategy was developed with the intention of eliminating the false positives, which are inherent to an organization with a huge user base and dealing with a number of business domains. Final stage was the implementation phase. The company chose a location-wise implementation to trial run the project with a minimal but essential footprint.

Phases of implementation After finalizing on the pre-implementation procedure, it was time to indulge into final action. Here is a glimpse of the step-by-step approach that the company undertook for the implementation: Identifying resources where critical data reside- The first step was to identify all the resources where critical data was residing based on data types. For example, intellectual property could be split into drawings (then divided as CAD, PDF, and GIF) or documents could be segregated into structured, unstructured, labelled and unlabelled data. Types - such as credit cards or ID numbers, could also split personal data. All the above data included 3 levels of sensitive data: namely data in rest, data in- motion and data in use. The company identified these areas before moving on to the next step. Defining list of actions- The next step was to define a list of possible actions to be taken on the above sensitive data. These actions could include data crossing the enterprise boundary; data stored in unauthorized places; the copying, printing, moving, saving, cutting and pasting of data; and business processes that could put the data at risk. Implementing policies-, implementing policies is a big task for any IT head, as it has to be followed in long run by all departments. The company decided to implement policies in a monitoring mode. Cognizant made use of technologies such as keyword matching, pattern matching and fingerprinting to scan the data within the infrastructure. The company plans to take the existing monitoring mode to Prevention mode in a phased manner with simultaneous emphasis on employee awareness program. The reason behind this transformation is to ensure the reduction in false positives. Alert m e ch a n i s mImplementation is not the end of a project. If a proper alert mechanism is not followed, your efforts might be

photo graphy: s. radh akris hna imagi ng: s higi l n

information security breaches of Personally Identifiable Information (PII), Intellectual Property (IP), and other NonPublic Information (NPI), the company wanted that the DLP solution to also mitigate all the risks created by unsafe or noncompliant electronic behaviour.

Satish Das, CSO, AVP, ERM, Cognizant Technologies j u ly 2 0 1 1 | iTNexT

IT Security Special

cover story | CASESTUDY: Cognizant

“Data breach incidents generally occur when workers are performing everyday tasks, such as sending e-mails that inadvertently contain sensitive information” Satish Das, CSO, AVP, ERM, Cognizant Technologies

photography: s. radhakrishna imaging: shigil n

at a risk. Cognizant configured relevant alert mechanisms based on the level of security breach.

Meeting Challenges with Proper Strategy and Policies “As the CISO, I ensure that all employees are aware of security risks and its impact on our business. On a priority basis, we need to find measures to protect systems information and IP. Furthermore, it is a challenge to implement and manage good monitoring, surveillance and forensic systems,” says Das.

Benefits

from the DLP Identifying and analysing data at all control points, including at the endpoint, at the message server, and networks Reducing the risk of high-profile losses of Personally Identifiable Information (PII), Payment Card Industry (PCI) and Protected Health Information (PHI) Prevention of inadvertent or malicious disclosure of sensitive information in a blocking mode Addressing government and industry information protection regulations with ease Prevent violations of general corporate as well as client security and privacy policies

iTNexT | j u ly 2 0 1 1

At the time of DLP implementation, one of the key challenges was to deploy the product with minimal downtime and without disturbing the existing infrastructure. Another challenge was to identify various sources of sensitive data, as Cognizant was catering to clients from various domains. The third challenge was to arrive at a balance between true positives and false positives; this was to ensure that the implementation of DLP did not create business bottlenecks, even as efforts were on to protect sensitive data from being disclosed. The company followed a few best practices such as using the existing frameworks like ISO27001 as a base, understanding what data is most sensitive to their business and knowing where this sensitive data resides. Other best practices such as understanding the risk model, selecting the appropriate controls based on policy were followed to reap best results from the implementation. Managing security centrally and having a workable audit mechanism in place are considered the key factors for constantly improving the product performance. To ensure overall security of the organisation, the company conducts external and internal penetration tests, vulnerability and application tests on regular basis.

Positive ROi from DLP Satish Das says, “We have a NDA with the vendor and have achieved positive returns in the investment in past 12 months.” The comprehensive DLP solution helped Cognizant to find, classify, and control the use of sensitive data throughout the company while providing benefits in the area of data loss, data breach, protecting regulations and client security.

“BEST AWARD I HAVE RECEIVED IN PAST THREE DECADES…”

“NEXT 100 Award

is the crown of all the

recognitions I have received in past 3 decades, while serving in IT field. NEXT100 AWARD RECIPIENT 2010

I congratulate and appreciate the selection team for such a structured approach.” RAVEENDRAN NAGARAJAN GM- Enterprisewide Solutions Sakthi Finance Ltd.

DO YOU WANT TO BE NEXT?

If your answer is “YES!”, then we invite you to participate in NEXT100, an annual awards programme from IT NEXT.

APPLY NOW For the NEXT100, 2011 at www.itnext.in/next 100 Principal Partners

NEXT100 aims to identify India’s top 100 senior IT Managers who have the skills, talent and the spirit to become CIOs. The NEXT100 programme engages with thousands of aspiring CIOs like you, giving them an opportunity to demonstrate their techno-commercial, managerial and leadership skills--and engage with a prestigious committee of CIOs--to support their candidacy. NEXT100 awardees will be profiled in the NEXT100 book which will be sent to India’s top 1000 CIOs. It is now your turn to rise above the rest. Your turn to call the shots. Your turn to BE THE NEXT100.

Event By

m c b e

r u c e s tra n a m

harti Airtel Ltd., a corporate powerhouse with annual growth rate of nearly 18% and over 200 million customers, is motivated to have high secure standards in place to ensure efficiency in business operations, while keeping all its valuable data secure. Having deployed ISO2700 for security management, Felix Mohan, Sr.VP & CISO, Bharti Airtel felt the need to deploy solutions that address business continuity management (BCM) to ensure continued operation even when there is a disruption. Hence, Airtel opted for BS 25999, a BCM solution, which minimizes the risks to a large extent. Mohanâ&#x20AC;&#x2122;s main objective behind deploying this standard was to ensure that the

Felix Mohan, Sr VP & CISO, Bharti Airtel 36

iTNexT | j u ly 2 0 1 1

photography: subhojit paul imaging: binesh sreedharan

el i Airt t r a , Bh ity vices us secur r e s ro ts ing i rigo s a u g s n a mer havi geeth usto s about n c y f b u ce ns o serio rk in pla illio y m l b h u Wit do ewo o be fram t s a h

“NEXT 100 AWARD HELPED ME GET MY PROMOTION…”

data centre models | cover story

“This award opened multiple possibilities and instilled a sense of confidence in me. I am better equipped for a CIO job with clear bearings on my qualities and responsibilities. Not to

forget the help I got for my promotion from receiving this award.” NAGESH ASWARTHA AGM-IT SPML Infra Ltd.

NEXT100 AWARD RECIPIENT 2010

DO YOU WANT TO BE NEXT?

If your answer is “YES!”, then we invite you to participate in NEXT100, an annual awards programme from IT NEXT.

APPLY NOW For the NEXT100, 2011 at www.itnext.in/next 100 Principal Partners

Event By

IT Security Special

cover story | CASESTUDY: bhaRti aiRteL

Challenges and Priorities Plethoras of challenges confront Felix Mohan; these range from enhancing the organization’s security, its culture and awareness, to managing the growing consumerization of IT within the organization. There is also the need to mitigate risks emanating from mobile usage and social media access. The risks related to virtualisation and cloud computing also need to be covered; then there has to be the endeavour to detect and recover from advanced persistent threats. The IT rules 2011, which were formulated by the government of India to protect personally identifiable information handled by the organizations, has only served the purpose of increasing the pressure on the service providers to prevent data leakage in any form. The IT rules prescribed clear mandate in ensuring the privacy of the customer data and the breach of the same would call for Rs 5 crore as penalty. “Change in the telecom services business model with the migration from voice based revenue model to that of the data based one has demanded a change in the way security is

addressed,” admits Mohan. “Since we deal with data from millions of customers, it is critical to have comprehensive security system in place. Our priority is also to mitigate insider threat, manage third party related vulnerabilities, meet regulatory compliance such as amended UASL License conditions, IT Act and Rules and so on.”

Security Strategy As a strategy, Mohan decided to outsource IT security management to IBM. At the same time, many of Airtel’s business functionalities have been outsourced to Ericsson, Nokia and few other corporates. Being conscious of the quality of the network service as per the TRAI regulation, Mohan decided on the BS-25999 certification that is completed in seven circles and is under implementation in the rest of six circles. “This BCM certification provides security to business-to-business and business-to-customer dealings. As we deal with various business groups, this standard will enable us to evolve a healthy security framework,” reiterates Mohan. While having these standards in place Mohan felt the need to have regular risk assessment checks and every 10 months there were enhancements in the certifications. Since the scope of certifications was large, the cost involved too was quite high. The recurring cost ran into about Rs 60 lakhs. The telecom sector on an average invested about 5% of the IT budget into security. For instance, the BSI standard audit cost per day would be about Rs 20,000, to just look at peripheral applications and one can assess the total cost of audit or assessments. The company strengthened its security framework with enterprise wide LAN zoning using Trend Micro and McAfee

“Change in the telecom services business model with the migration from voice-based revenue model to that of the databased one has demanded a change in the way security is addressed” Felix Mohan, Sr VP & CISO, Bharti Airtel

iTNexT | j u ly 2 0 1 1

photography: subhojit paul imaging: binesh sreedharan

company’s core functionalities kept working seamlessly, even during the most challenging times. As the company’s business model is already going through a major transformation, such a flawless system was certainly needed to be in place.

IT Security Special

cover story | CASESTUDY: bhaRti aiRteL solutions, besides deploying end-point security and DLP. Identity and access management framework along with converged IT and physical security controls too formed the core framework. As the security got extended to various processes, GRC solution was deployed for smoother operations, and it worked by introducing privileged user management for controlling administrative access and activities.

Best Practices Mohan emphasized on adopting best practices from SAS-70 and for business applications; the rules complied with PCIDSS in context of card transactions. From a procurement standpoint, the security head identified the need for procuring specific controls based on risk assessments and risk appetite of the organization. The procurement is part of a three-year security strategy roadmap. “The effectiveness of compensating controls is evaluated prior to the actual procurement of new solutions. One of the best practices is to use cloud-based vulnerability scanning services and looking at such models for securing web traffic and email against malware and attacks. Airtel uses private cloud model for LAN zoning activity to ensure that the security of each zone is well protected.” Catching with the ongoing virtual trend, Mohan and team use virtualisation along with required security solutions that specifically addressed hypervisor risks, virtual machine zoning, malware protection and firewalling. These are elements that traditional security solutions fail to address completely. Seamless integration of DLP, DRM and content management solutions with endpoint security and encryption are in vogue. The trend that Mohan observes is that virtualised computing environments are becoming ubiquitous and these render traditional security solutions blind to risks that exist at the hypervisor and virtual machine layers. “However, security solutions are emerging, which provide organizations much greater visibility and control in this environment. Cloud security solutions based on robust IAM and encryption technologies are emerging,” observes Mohan. “Enterprise risk management program is one of the exclusive practices that we adopted at Airtel where we have ongoing review of security controls done internally and externally by third parties, which includes formal entity, design and compliance reviews, structured risk assessments and VA/PT,” informs Mohan. According to him, the reviews ensure alignment of people, processes and technology with the controls defined in the organizational information security policies.

Top Priorities Ensure that the company’s core functionalities keep working seamlessly, even during the most challenging times Need to mitigate risks emanating from mobile usage and social media access Mitigate insider threat, third party vulnerabilities BS25999 certification process completed in 7 circles, being done in 6 more

BSI standard audit cost per day would be about Rs 20,000, to just look at peripheral applications Adoption of enterprise risk management programme as a best practice Seamless integration of DlP with DRM (digital rights management), which is purely a customer-oriented solution Objective is to bring down the frauds to zero level

Robust Roadmap

Mohan aims to consolidate the security framework and bridging the gaps. The company works around good gap analysis techniques to ensure that the business requirements meet the security capabilities. There is seamless integration of DLP with DRM (digital rights management), which is purely a customer-oriented solution. “We would need DLP solutions at three stages, one at email gateway. End-points, including at the USB tracking, and printer level to ensure utmost safety,” says Mohan. As part of the DRM, any file that is created is classified and saved on either desktop or laptop with appropriate controls. Mobile security is another area that Airtel is concerned about. SMS based security is being provided and there is provision for security at the server level of each smart phone. Database IPS is on the cards for the company where the data is encrypted and protected by a password. “We deploy Cyber Art tool to protect and manage privileged users. There is record of every action that the administrator does with the customer data using this tool,” informs Mohan. Enterprise encryption platform is the next thing where there are shared services, all the file servers are encrypted, and the management of the data becomes much more stringent. This serves the purpose of bringing frauds to zero level. Data masking tool is most sought after now for Mohan and his team to protect the privacy T of the customers, who might be making of the I s e o transactions with credit cards. The operationo budget g y it r of calls centres are tightly regulated and the u as sec t n e m customer information is masked with high t inves level of security.

j u ly 2 0 1 1 | iTNexT

y t e saf ndards n a h t t i s w

ivy o be pr t e v a h rity ture, g secu ery na in v y ir o e l h p is de , by t tha panies rti AXA a m h o B c by n g e e . e a e c t f a n a a d s r Insu tomer e data eep th ial cus k c u o r t c to ards stand

harti AXA General Insurance Co. Ltd. takes pride in being the first company to bag the ISO27001 certification, which is proving to be extremely helpful in building strong security framework across all its branches. Being associated with the internet driven business, the company is prone to numerous threats. With changing business models in the insurance sector, which involves the adoption of Web 2.0, and the rise of mobility within the organization, such threats are being magnified. Hence, the management opted for IS0 27001 standard. The foremost priority for Parag Deodhar, Chief Risk Officer & VP-program management and process excellence, Bharti AXA General Insurance Co. Ltd., is to take adequate measures for data loss prevention. Such measures are necessary to ensure that the new technology initiatives such as Web 2.0, e-commerce applications and mobile computing methods, remain secure and the data remains protected.

Challenges that Drove the Standards The vital challenge for Deodhar has been to tackle the expansion in business growth, which is moving at a rapid pace. The expansion process brings in umpteen numbers of changes with regard to people, processes, products and technologies. The anxiety to have proper controls over the confidential information, in particular with the customer data, is justifiable. In addition, according to Deodhar, trends such as cloud computing, social networking, wireless networking,

iTNexT | j u ly 2 0 1 1

and mobile computing have increased the security challenges. These risks are magnified with the aspect of zero day vulnerabilities raised across various new OS and applications. Tackling these risks definitely requires a strong certification program, which is geared to enable the creation of a good framework. All these needs are met with ISO 27001.

Deployment Strategy As a financial services company, it became imperative for Bharti AXA to ensure that the customer confidence in the system remained high. “The ISMS framework ensured that we have the right processes and controls in place to protect our customer’s confidential information, besides enabling us to maintain proper controls over our partners and vendors processes,” informs Deodhar. “We Implemented ISO27001 standard across all functionalities including HR, finance, sales to define the requirements for an appropriate ISMS framework,” Deodhar adds. “This helped us in selecting a system of security that is adequate for our needs.” Based on the standard, the company deployed best of breed solution, spreading across endpoint security, end-point encryption, and network security tools like firewalls, IDS\IPS, VPN and various VA\PT tools. Deodhar has absorbed solutions from Symantec,

IT Security Special

cover story | CASESTUDY: bhaRti aXa diligent in ensuring information security and has mandated regular audits for the same. Invariably, the cost factor was the most sensitive and challenging aspect for the security head. For instance, to put an effective ISMS framework and getting people certified is very important and that called for a sizable investment. It would cost anywhere between Rs 8 lakhs to Rs 10 lakhs per certification and evolving such standards across branches would involve large amount of investment. The total cost involved in acquiring the ISO 27001 standard for their company would be quite high. There are also procurement related challenges, as the outsourced partners, who deploy the solutions also need to be ISO certified to justify the deployment of the security framework. The company conducts

photo graphy: s . radhakris hna i maging : ano op p c

Cisco, Qualysgard and outsourced consultants, such as Aujas and Paladion to deploy the same. The entire process of acquiring the IS027001 standard and related tools took about six to 18 months. This period also saw the building of a comprehensive security framework across people, processes and technology. Deodhar had a clear objective to be secure from day one of operations and conduct periodic reviews. He needed to make the necessary changes in the security architecture, infrastructure and deploy additional measures aligned with the changes. Deployment of ISO 27001 had its set of concerns and issues for the security head. â&#x20AC;&#x153;The issue was that of meeting compliance and regulatory requirements of the IRDA and also getting the management to address the cost structure,â&#x20AC;? maintains Deodhar. The regulator has also been very

Parag Deodhar, C RO & VP, program management and process excellence, Bharti AXA General Insurance Co Ltd j u ly 2 0 1 1 | iTNexT

IT Security Special

cover story | CASESTUDY: bhaRti aXa

“By adopting the ISO 27001, we could demonstrate to our customers, shareholders, partners and more importantly the regulator, that we are serious about information security” Parag Deodhar, C RO & VP, Programme Management and Process Excellence, Bharti AXA General Insurance Co ltd

regular audits, VA-PT checks, application security reviews. Bharti AXA had to get its 300-member team certified on different parameters. Besides the certifications, the IT deployments too demanded huge investment.

photo graphy: s . radhakrish na i maging : ano op p c

Benefits Result in Best Practices

“By adopting the ISO 27001, we could demonstrate to our customers, shareholders, partners and more importantly the regulator, that we are serious about having a secure information security system in place,” says Deodhar. “We have been able to minimize the losses arising out of security incidents and related downtime.” The company has observed about 25% growth in its security spend, but this is only an indication of the fact that a disciplined approach is being taken to address security issues. As his peers, Deodhar too believes that security is only as strong as the weakest link – which is people. “We have been able to set up a good training and awareness program right from employee induction to refresher trainings, web based trainings, videos to train our employees and make them our strongest defense,” he says. Deodhar prefers to interact regularly with all CISOs across group companies through a formal security Xchange program. “This helps us understand the latest trends and threats across the world. We have a global SOC which helps us growth in monitor and manage the incidents security proactively,” he maintains. There is spend a good practice followed in terms of

procurement of security tools, which is evaluated at a global level to drive economies of scale.

Getting Trendy Bharti AXA is evaluating the various cloud based delivery models and options. Deodhar plans to go in for private cloud option in some time. This is not without a reason. He finds the UID program offering new avenues for financial services industry. The UID will make it possible to deploy new kind of identity and access management tools in order to protect customer data and information. The new IT rules prescribing the mandate to ensure privacy of customer information is putting more pressure on security establishment in the financial services companies. A good amount of investment will be needed to address these mandates. The security head needs to work out a cost effective solutions, while meeting strict security needs. Cloud is being looked at as a cost-effective solution. The immediate agenda for Deodhar going forward is to create user awareness. “With the increase in mobility across the company there is increase in security risks. So it is critical to evolve training modules for employees to enable them to become security conscious. There is acute need for everyone to understand the importance of safeguarding data,” he says. Deodhar is looking at identity and access management, besides data loss prevention solutions. All kinds of eBusiness and mobile computing related security tools are on cards.

25%

iTNexT | j u ly 2 0 1 1

l o c o eing

d e r u c e s

se urpo p e h the es t ven e serv t n u e .b ft ust psi o ues away es m e g P a f r l o e ing the b hing bev A sip r tak g o f n i ns riv res tha of d lutio n gee f ref o y o s b r T s make n right I g threat gin st i inve emer f o care

epsico India Holdings Pvt. Ltd., which is part of the US based FMCG group Pepsico, and has an investment of over $1 billion, needs to maintain an in-depth focus on data and information security. The company, with diverse products, faces great many challenges in securing its infrastructure; this is primarily because its business interests necessitate an exposure to a large number of internal and external audiences. Pepsico India decided to opt for best of breed security tools from diverse functionalities. The company went in for an outsourced model to protect its data and information security from external threats and vulnerabilities. Kapil Pal, Head-Infrastructure and Technology, Pepsico India has the onerous task of ensuring a robust and secure infrastructure that prevents data leakage and provides protection from external threats. photog raphy: subh ojit paul imag ing: shig il n

Kapil Pal, Head Infrastructure & Technology, Pepsico India j u ly 2 0 1 1 | iTNexT

IT Security Special

cover story | CASESTUDY: PePsiCo

Challenging Scenario

Legacy frameworks such as VSAT connectivity, which connects all the warehouses and distribution houses, but has now become obsolete, posing security challenge, as it can be used to leak data or launch external virus attacks. “The MPLS connectivity to varied locations managed by MTNL is prone to security threats and the new challenge is with regard to the company’s data centre being relocated in India from Singapore. HP, as an outsourced partner, runs the data centre.

The structure of FMCG brings in inherent challenges for the security head, as there is close association with wider groups, who might consists of people from different locations and groups. For Kapil Pal, the process of creating a secure system begins at the network layer. “We have huge mobile population, being an FMCG company, which is connected to remotest of locations, through diverse networks,” says Pal. He needs to take into account warehouses spread across various locations, and of 130 distributors Securing with “We are who are geographically spread. Besides Right Strategy evaluating cloud this there are also the C&F agents who As a priority, Pal outare not directly on the company’s sourced its network options and doing tests network. “Since we don’t own the and security infrato analyse best possible network environment and can’t structure managemethods to migrate implement our infosec policies ment to a third party at their end, spread across 80 and in this case, BT to it” locations, where the secondary sale manages the entire and billing happens, there is a big set up. The objective Kapil Pal, Head Infrastructure & Technology, chance for vulnerabilities to creep in, was to go in for centralPepsico India more so because in the end everything is ized management of the connected to our ERP system,” says Pal. network with proper uptime and real time monitoring. “The primary task was to secure our infrastructure using state of the art solutions including intrusion prevention, content filtering, best in class proxy solutions, Gateway, server and end point anti virus suite, multiple firewalls in place at various stages,” informed Pal. To have control over the partners’ network, patch management solutions such as Microsoft System Centre Configuration manager (SCCM) tool have been deployed. BT runs the NoC where it has deployed multiple layered firewalls, mailing solutions, proxy, end-point, and all other security tools, which get monitored remotely. By doing quarterly audit, assessment check at the partner site, Pal ensured that effective standards and certifications are used. Pepsico deploys Foundstone practice to make sure that the partners have right processes and procedures. Running cost on an outsourced framework is huge and crores are spent on having a secure infrastructure.

Pal’s immediate agenda as part of best security practices is to educate the users about information security policies. “We plan to run some campaigns around user communication. This will enable the individuals to adhere to these policies and enable a few top executives to access certain critical tools,” remarked Pal. Pal is evaluating some solutions for cloud computing and conducting tests to analyse the best possible options for migrating to cloud. “We have been speaking to Google for a hosted model where we could do the migration of a few applications such, email exchange to the cloud or SaaS,”he says.

iTNexT | j u ly 2 0 1 1

photog raphy: subh ojit paul imag ing: shig il n

New Strategies

“I GOT PROMOTED…”

data centre models | cover story

“My selection as a winner in NEXT 100 have given me great confidence and provided recognition in the IT Industry. The communication

between ITNEXT and my reporting authorities helped me get promoted.” NEXT100

AWARD RECIPIENT 2010

MILIND RAJHANS Senior Manager IT The AP Mahesh Coop Urban bank Ltd.

DO YOU WANT TO BE NEXT?

If your answer is “YES!”, then we invite you to participate in NEXT100, an annual awards programme from IT NEXT.

APPLY NOW For the NEXT100, 2011 at www.itnext.in/next 100 Principal Partners

Event By

E L I B O m S t K n RIS hau cISO ion erisat m u s n co rise in nisations’ e h t h t s Wi orga variou o of IT, t s e i abilit also vulner y risks are ers are t securi ut IT manag te the sing. B ys to mitiga increa wa ni Rai g new a ba n d u n h i g d e n M i y f sb threat

S s

organisations and individuals to constantly update their onnectivity is a basic need today and with virus scans. Vincent Oh, Regional Pre-Sales Director, McAfee increasing mobility, it is in demand anySEA & India says, “Surreptitious installation of malware where, anytime. People all across the globe are in a seemingly harmless application on a smartphone can becoming increasingly tech savvy and we are inadvertently lead to costly corporate data breaches as it witnessing a trend of mass adoption of mobilallows cyber criminals to access valuable information via ity in most organisations. Employees are not only embraccorporate networks.” ing gadgets like smartphones, laptops, tablets, iPads, According to International Data Corporation iPhones, etc., but also using these (IDC), over 10 bn non-PC devices are connected to devices extensively to access critical the internet today, and this number is expected to apps, such as ERP, CRM, intranets, grow to almost 20 bn by 2014. Analysts such as ABI customer information and personal/ Research estimate that the number of smartphones corporate calendar. No wonder, IT protected by advanced security software will managers are a worried lot, with new non-PC increase five-fold over the next five years and will security threats emerging over the o t s e ic exceed $4 bn by 2014. mobile platform. dev t c McAfee discovers about 60,000 conne unique samples of malware everyday eb to the w and hence, it’s a challenge for

20 bn 14 by 20 IDC Source

itnext | j u ly 2 0 1 1

It Security Special

cover story | feature: Mobility

Opportunity v/s threat Consumerisation of IT can be a boon or a bane, depending on how it’s used. Some obvious benefits for an organisation from mobility are access to business critical information, increase in productivity and efficiency, reduction in operational costs, increased customer and business partner satisfaction, and responsiveness, etc. For instance, Allergan has been using Sales Force Automation (SFA) for a decade now. SFA has multiple functionalities and acts more like a CRM tool. Employees in the field use various mobile devices to connect to business applications for data and also add to it in a centralised system. This data helps in taking key business decisions. KT Rajan, Director, Operations, IS & Projects at Allergan India “It is important explains, “It also helps us know the number of products sold by our competitors and how to have multiple layers our products are moving up in the chain. of firewall and also ensure Together, they enable us to take key business it at the third party server decisions effectively.” At Reliance Capital, the focus is on level for protection” mobility, identification and evaluation of K t Rajan ways to exploit this channel. Murli Nambiar, Director, Operations, IS & Senior Vice President, Group CISO of Reliance Projects, Allergan India Capital says, “Considering the boom in the mobile channel and expected growth, it makes business sense to tap into this.” Employees at Reliance use various mobile devices to access emails. Access to critical corporate systems is evaluated through secure channels like VPN. “Providing access to the corporate resources keeps the team connected at all times, reducing TAT (turn around time) to business exigencies, which often is almost instantaneous,” he adds. At the same time, mobility is leading to higher degree of security risks.

Security trends

j u ly 2 0 1 1 | itnext

Ph otograPhy: S raDhakrI Shna | IMagIng : ShIgIl n

In the past few years, McAfee has seen a steady growth in the number of threats to mobile devices. “We have seen an annual increase of 46 per cent in malware threats,” says Oh. He adds, “Our research and analysis reveals that many of the threats center on platforms such as the Symbian OS, Java 2 Mobile Edition and Android, in that order. We have also observed that many of the insidious malware for the PC platform are being repurposed for the mobile platform. McAfee has identified a trend which shows a shift from the blacklisting approach to virus/ malware prevention to application whitelisting. “This is increasingly considered as an additional and complementary critical arsenal in malware prevention. Application white-listing ensures that only approved and trusted applications are run,” adds Oh.

“we have routed access through VPN

tackling Risks

solution in a secured shell in cases where enterprise

IT heads are well aware of the evercontrol is not possible like in increasing security threats and are exploring new technologies and stratesmartphones and ipads” gies to meet security needs. At Allergan, they have formed a strong strategy around Murli nambiar Senior Vice President, Group CISO, says Nambiar. security. The company follows a thin client Reliance Capital At Foseco concept, which means keeping the client as thin India, almost every as possible. Limited and proper access is given to executive has been each employee as per his/her job role and rank. Rajan provided with a laptop to access believes that it is very important to ensure that the data key business applications and data, via VPN. But accessed through mobile devices is the latest and does they follow a strict security policy and have installed Cisco VPN devices in data centres, as also MPLS circuit between factories and data centres and Cisco Router for the internet lines. Shyam Kalambi, Head, Information Systems, Foseco, India & ASEAN says, “I see a major data leakage threat with the usage of mobile devices. At present, we are evaluating data leakage protection solution with strong encryption tool for all mobile devices. Once the evaluation is done, we might go for more mobility in our organisation. Two years from now, laptops might be replaced by iPads. Latest iPad comes with built-in Cisco VPN. We are evaluating iPads and might bring them in use extensively by mid-term.” Foseco spends between 1-2 per cent of its total IT budget on security, and being the IT Head, Kalambi’s main concern area is data leakage protection. Currently, he is associated with cloud computing project.

not carry any history. Employees have to go through layers of security before being allowed to access data server. He explains, “Another important measure is to have multiple layers of firewalls. We have virtualised servers and third party data centres and ensure a strong firewall at the third party servers too. There is proper SLA and monitoring at this level and our servers too have strong firewall protection.” Reliance uses a combination of data loss prevention solution and security policies on enterprise solutions like BlackBerry. “In cases where enterprise control is not possible, like in smartphones and iPads, we are trying to route access through a VPN solution so that access is provided through a secured shell and no data can be downloaded on the device,”

itnext | j u ly 2 0 1 1

In order to get the benefits of mobility for the organisation, CISOs are being forced to change the way they adopt technology. It is quite possible that sometimes the IT head will have to relax certain restrictions on corporate systems and allow end users to access apps and data from anywhere. Kalambi observes, “If a BlackBerry phone is used by the top hierarchy today and the middle hierarchy tomorrow, then the lower level employees might demand the same soon, thus, increasing the security risks further.” But Nambiar disagrees. “The regulators demand security of data within the organisation and the IT also mandates the same. It is the job of the CISO to provide a secure way of enabling access, and where it is not possible due to technological limitations, it is prudent to apprise senior management about the risks involved.”

Best Practices Organisations can minimise security threats in a mobile environment by adopting certain best practices. For instance, they can control applications that could be exposed to such threats, define policy in terms of providing access to corporate systems, have data leakage prevention solution deployed with robust security framework and review risks on other mobile devices while accessing corporate applications.

Photo graPhy: JI ten ganDhI | IMagIng: Sh IgIl n

is Mobility Driving Role Change?

“I AM NOW THE ‘CHAMP OF THE YEAR’ AT MY COMPANY…”

After NEXT100 Award, my life is changed as this award has helped me gain more respect. People now understand my capabilities to become a CIO and to stamp that, I am now the

“Champ of the Year-2011” of my company. NEXT100 AWARD RECIPIENT 2010

CHITRANJAN KESARI Head IT, Advanced Enzyme Technologies Ltd.

DO YOU WANT TO BE NEXT?

If your answer is “YES!”, then we invite you to participate in NEXT100, an annual awards programme from IT NEXT.

APPLY NOW For the NEXT100, 2011 at www.itnext.in/next 100 Principal Partners

Event By

IT Security Special

cover story | community view: Murtaza E Bhatia

he evolution of the IT sector is linked to the changing business landscape and growing security threats. Thus, it’s critical for IT professionals to keep pace with the technical innovations or run the risk of being rendered obsolete. A changing environment is always a security threat and a secure infrastructure is no longer only about protection. It’s a holistic approach incorporating people, processes and policies to put in place a complex, multilayered defence system. With mobile and wireless technologies seeping in to modern life, an enterprise’s perimeter has become vulnerable. Add to that the consumerisation of IT, which create multiple entry points increasing the network’s vulnerability further. Because of the liquid parameters and multiple entry points, current day networks are more like airports than fortresses. It’s time that enterprises realise this and develop a more sophisticated system of security.

basic

ingre E adien

Before risks a re add and ev ressed aluate , they n d. Cutt eed to ing-ed to ferr be iden ge too et out tified ls have not ju to be d st the also t eploye origin he exte d of the nt of d risk, b amage ut that it can cau se

Itnext | j u ly 2 0 1 1

photography: jiten gandhi imaging: binesh sreedharan

Securing the Infrastructure Owing to increasing regulatory pressures, CISOs are trying to adopt more and more secure selfdefending networks and infrastructures with builtin features. Organisations are implementing rules to quarantine or restrict network access depending upon the status of security and user’s and device’s identity. Market dynamics, technological advances and changing threats have necessitated a fresh set of strategies. To achieve a more holistic security posture, enterprises need to integrate physical protection, infrastructure security, identity management, threat modelling and vulnerability management under one set of guidelines. Firms need policies that clearly define protection and compliance strategies, and a security architecture that implements and

supports these. Enterprises have to implement operational processes for a more layered, comprehensive approach.

How to Build a Secure network Built-in vs bolt-on approach to security: Safety should be a key design consideration to avoid escalating costs later. Point solution security products will not suffice: Instead of selecting a single security component (Firewall) go for the best end-to-end solution.

“The basic formula for IT security is that... there’s noNE. Threats are constantly evolving and so should strategies. So, be proactive rather than reactive when it comes to threats” Murtaza e Bhatia National Manager (Services, Security & PO), Dimension Data India limited

Embedding security capability in network operating fabric: Implement end-to-end security in standalone and embedded security solutions which should work in flawless unison. Self-defending or healing: Networks will have features that enable self-defending postures for security. This introduces complexity in operations and places inter-working requirements on elements that contribute to the end-to-end system security. Adaptive Secure Infrastructure (ASI) Framework: This enables a virtual, isolated network environment and mitigation of risks by controlling communications and classification of devices based on identity in a virtual environment.

Best Practices A) Secure IPT Service: It comprises assessment of a client’s IP Telephony environment—a firm’s existing environment is compared against a documented set of guidelines and best practices. B) ASI Framework: This risk management framework is dynamic and it builds an impenetrable secure infrastructure. It has the functionality to grant appropriate and controlled levels of access to users, who might be performing both internally and externally.

Top 10 errors

in the information security domain 1 Not having an information security strategy 2 Failing to get executive support for security programme 3 Thinking that security is only a technological or IT department problem 4 Equating compliance with security 5 Authorising reactive short-term fixes 6 Failing to recognise the importance of security

awareness programmes 7 Failing to recognise the demise of traditional perimeter security 8 Failing to protect laptop and corporate home-use computers 9 Failing to understand the relationship of IT security in relation to business processes 10 Failing to institute effective change management

C) Secure Network Operating Systems (NOS) and Maintenance: Enterprises running on Internet Work Operating System (IOS) that drives a majority of routers and switches, need to be aware of recent increases in notifications of potential vulnerabilities in IOS-based routers. Organisations that don’t implement vendor recommendations for maintenance and configuration of their IOS are particularly at risk. D) CxO Security Assessment: The CxO Security Assessment is designed to provide senior executives the opportunity to conduct an intensive assessment of the firm’s information security programme. Best practices are adopted in a weighted process that assists CxOs assessing and then identifying areas for improvement. E) Expand Perimeter Technologies: These need to be expanded and focus needs to be on internal security measures: internal segmentation, intrusion prevention, vulnerability management and admission control.

Business Benefits Secure infrastructure to maximise processes and minimise downtime A structured approach to security Cost-effective embedded security appliances or convergence technologies suited for an organisation’s specific security environment Compliance and risk management requirements Reduced operational costs in overall IT infrastructure (maintenance, management and staffing costs) Better guidelines to a secured connectivity for mobile users Murtaza E Bhatia, National Manager (Professional Services, Security & PO), Dimension Data India limited

j u ly 2 0 1 1 | Itnext

etter risk evaluation is related to positive practices in governance. Once a firm efficiently assesses risks, it’s in a position to decide preventive actions in case there’s a disruption in the security framework. These actions enable CISOs to understand the cost structure, effectiveness of a risk control system and whether strategies adopted are aligned with the need. Evaluation also helps detailed analysis of a business process, which leads to an understanding of the way a business works and the way to procure key tangible benefits.

“A well-defined business impact analysis and scenario development not just helps resolve a risk, but also prevents it from recurring” Julen C Mohanty, Manager, Compliance & legal technology, CoE, Citicorp Services

evaluation Criteria Risk evaluation process involves three stages — data collection, risk analysis and maintenance of risk profiles for future references. Data collection is the primary stage. In it, risks are identified, analysed and reported with specific tools. Activities involve establishing and maintaining a model for the collection of data and information on operation environment and on the risk events. Analysis is aimed at developing useful information that makes it easy to run a business safely. The process involves defining the scope of the risk, providing a cost estimate in terms of loss occurred, spot risk response options and perform a peer review check. Risk profiling, the next stage, takes into account complete inventory of known risks, attributes such as expected frequency, potential impact and disposition, IT resources, capabilities and controls. Risk evaluation exercise can be carried out in two ways: by studying business impact and by creating a risk scenario.

Business Impact Risk evaluation parameters need to be unambiguous. They need to be in the business language to foster understanding between CISO and business head. Also, stakeholders should be able to understand how adverse events will affect business objectives.

COBIT Information: It explains IT business aspects and conditions in which information provided through IT may prove to be beneficial for the enterprise. By describing the impact, it becomes an intermediate technique, not fully describing the impact. COBIT business goals and balanced scorecard, an enhanced cobalt feature, are structured with four, classic, balanced scorecard perspectives: financial, customer, internal and growth. Extended BSC: This criteria links the BSC dimensions to a limited set of more tangible criteria to evolve cause-effect results, which exhibits customer satisfaction or dissatisfaction levels and competitive platforms. The key is to highlight risk in terms of share-value, profit, revenue and capital cost, customer service, regulatory compliance, growth and reputation. Westerman 4As: Is an alternative approach to express business impact across four As—agility (capacity to change with managed cost and speed), accuracy (providing correct, timely and complete information affecting the stakeholders), access (to data and systems distancing unauthorised elements) and availability (smooth operation of business processes).

k s i r t h g ri e c n a n r e v go

Methods of Business Review

The recommended industry criteria include COBIT information, BSC, Westerman’s 4As, COSO ERM and FAIR.

risk tter n e b ptio ate erce por p r t o inc rea s th that ion’ ces t i a t c s ni pra rga nce ss an o rna dne o e e t v r y o a e g p k e he pr itive re t and Pos on a i t a u eval

Itnext | j u ly 2 0 1 1

IT Security Special

cover story | community view: JulEn C Mohanty

COSO ERM: It’s an integrated framework supporting strategies, operational risk management, reporting and adherence to compliance laws. FAIR: It’s a method of ensuring safety dwelling upon the impact of IT-related risks on productivity, response, legal and replacement costs, and an organisation’s reputation.

One of the challenges in IT risk management is identifying relevant risks. Given the pervasive presence of IT and a business’s dependence upon it, the scope of the task is expansive. One of the techniques to overcome this challenge is the development and use of risk scenarios. It’s a core approach to bring reality, insights, organisational engagement, improved analysis and structure to the complex matter of IT risk. Once scenarios are developed, they’re used during risk analysis to study risk frequency and business impacts. Risk scenarios can be derived via two approaches: Top–Down: Starting from the overall business objective. It analyses the most relevant and probable IT risk scenarios. Bottom–Up: A list of generic scenario used to define a set of concrete and customised scenarios. These approaches should be used simultaneously, as risk scenarios should be relevant to real business risks. Generic risk scenarios help to ensure that no risks are overlooked. Once the set of risk scenarios is defined, it can be used for analysis, during which a scenario’s frequency and impact are assessed. An important component of this assessment is the risk factors that influence the frequency or the business impact of risk scenarios. They can be classified in two categories environmental factors and capabilities. A well-defined business impact analysis and scenario development not just helps resolve a risk, but also prevents it from recurring. The cost of putting up tools and using methods to evaluate risks should cost around $1 million approximately for a typical financial services company. It’s benefits are, however, multifold.

photo gra phy: s.radhakrishna i maging: binesh sreedharan

Creating Risk Scenario

julen C Mohanty, Manager, Compliance & legal technology, CoE, Citicorp Services

j u ly 2 0 1 1 | Itnext

e r u c S e ith e a s e w

m syste urity c e s t t r ien the-a n effic e-ofd on a e A stat s must a b s ly be T head I . l e o can on mod tise t ement exper g l a ia n ed r a m nage ement eir ma a impl d n e g use th a tly urity ficien he sec and ef y have t l s s e seaml

“The cost of putting a good security management ISMS process would be in the range of $100,000 to $400,000 depending upon an organisation’s size” Bhavanishankar Ramarao Sr Group Manager, CISO, IS, iGatepatni Systems 54

Itnext | j u ly 2 0 1 1

IT Security Special

cover story | community view: Bhavanishankar raMarao

nformation assurance is a need today and firms understand the benefits of implementing a security management system that’s capable of providing information assurance to them and their customers. Rise in hacking, phishing, defrauding and spamming, have made an effective security management system, which protects confidentiality, integrity and availability of valuable data, mandatory.

A security policy is a master and a living document that lists down an organisation’s best practices and protects information assets. It’s reviewed and updated to cover the latest risk assessments. Risk analysis enables a security team to capture accurate inventory of assets and determine scopes of conducting analysis. Once the scope is determined, they need to be classified based on the confidentiality, integrity and availability of the information. Vulnerability assessment is also conducted to find out the likelihood of What needs to Be Done risks. One of the most-used method to do so is “Failure Security heads needs to think, and think hard, about providing Mode Effect Analysis” (FMEA). Risk assessment enables information assurance, user awareness, appropriate technola team to identify potential controls, conduct cost benefit ogy, investing on security taskforce and ensuring operational analysis (it doesn’t make sense if the cost of protecting the efficiency. Information assurance is the practice of managing asset is greater than the cost of the asset), prioritise controls usage risks and information processing, storage and transand select the right statement of applicability (SOA). The mission. It includes processes provided by implementing analysis also contains controls of the ISMS framework an Information Security Management System (ISMS), along and specifies whether controls are applicable or not. Risk with Risk Management and Information Classification and mitigation helps develop the “implementation plan” by Defence-in-Depth approach (a combination of technical assigning responsibilities to concerned stakeholders who implementations that slows down a threat till it ceases). implement controls, test and validate whether the controls Security can’t be the responsibility of a singular are mitigating risks through audits and come department and the ISO27001 Standard covers out with a residual risk calculation document. responsibilities of every function in an The residual risk is that survives despite organisation. Keep in mind that internal controls. Figuring it out helps review and threats pose more challenges compared strengthen controls. A controls review is to external ones and that people are the the final stage in which potential controls weakest link in the security chain. There’s are identified and prioritised. no way one can put a “memory degasser”, security Getting the controls in place is the that render disks or magnetic devices s l o r t n primary challenge, especially in startunreadable, on people. To prevent data co e ups, as is getting stakeholders to be a part leaks, firms should implement security to b of the security system. Discovering and technologies (IPS, IDS and firewalls). ed consider identifying assets is a time-consuming Operation’s the front-end of the security in ISMrnS process, which most firms don’t take architecture. Implement, maintain, monitor ational ximus inte source: ma seriously. Selection of tools is also a and review it to neutralise risks. Ideally, a challenge given the options available. firm’s operations team must have: a. Security Steering Committee consisting of senior management people that who supports and Cost Benefit Analysis approves ISMS implementation. Organisations that decide to go in for sec rity management b. Security Taskforce which conducts risk analysis, assesssolutions can look at six-month timelines to put in place a ment and mitigations to implement a layered security control policy framework, after going through the ISO27001 stanor defence-in-depth model. dard implementation. c. Security Alarm or Incident Management Team which is The cost of putting a good security management ISMS responsible for incident management and review. process would be in the range of between $100,000 to d. Security Leaders or employees in projects or processes $400,000 depending upon an organisation’s size. A 50-staff associated with ISMS implementation. firm should invest between $100,000 and $200,000 e. Crisis Management Team to observe and assist in in setting up the standard. Auditing, reviewing and business continuity, disaster recovery including fires certification would cost approximately Rs 7 lakh. Deploying and floods. The phase-wise approach to implementrequired security tools would cost another $50,000. ing security management process involves defining a policy, risk analysis, assessment Bhavanishankar Ramarao, Senior Group Manager, CISO, IS, iGatepatni Systems and mitigation.

photo graphy: s. radhakrishna imag ing: anoo p p c

133

j u ly 2 0 1 1 | Itnext

IT Security Special

cover story | community view: vishal salvi

photography: jiten gandhi imaging: binesh sreedharan

n the banking sector, payments, balance transfers or loan disbursements are increasingly being done online: escalating security risks for both the clients and banks. In such a scenario, information security risk management (ISMS) is mandatory. But, it’s important while implementing ISMS to strike a balance between cost and use of technology. Currently, the banking sector has no uniform policy on implementation of ISMS resulting in flaws in the prescribed format. Inconsistent methodologies, combined with the lack of knowledge results in poor security.

Best Practices

Risk Management

The model starts with the definition of assets such as services, products, processes, applications, OS, databases, networks, endpoints, storage, third party services and people,

The sector needs a “hybrid model” that combines the best points of every model to create a qualitative and quantitative risk assessment system, based on frequency of vulnerability exploitation and probability of attacks. It also needs integrated business and risk management framework, which is non-technical and motivates discussions on security safeguards. Once, policies have been drawn up for each asset value category, assets must be inventoried. The responsibility for determining the value must be assigned to an individual who has an understanding of the asset’s role. After the valuation, the corresponding security specification can be produced and a plan can be formulated. Scenario analysis involves construction of scenarios and those deemed of greatest severity are then used as the basis for developing a risk mitigation strategy.

Basic premise is that conformance to a set of best practices will ensure protection against negligence-based liability lawsuits in the event of a breach. Proponents of this approach would define best practices as the policies and safeguards of a majority of industry participants. Experiments around the development of framework have resulted in evolution of COSO, FISMA , FAIR, IRAM, OCTAVE, ISO, TARA, FMEA and PMBOK — these drive a hybrid model of risk assessment.

Solutions Proposed

g n i d r gua inst a g a

k s i r

. lth wea ity s ’ r cu ple e o s e ss of p ut wle ns fla itho dia a s r w a e o v u d ard a g n’t egu ld h are a f u c s a o k or ts sh Ban ect tes hey he s e la e, t T h c . t n l He tem g al sys tin n e lem imp

Itnext | j u ly 2 0 1 1

IT Security Special

cover story | community view: vishal salvi and articulated risks. Therefore, the start of any risk assessment process should be identification of the list of assets in the categories. Practical experience teaches us that it may not be possible to list down all assets in a go. One could start small and build the inventory over a period. Defining the organisation hierarchy (defined in terms of firm, business, function, department, etc.) from where the assessment will be performed, using COSO Enterprise Risk Management, model is vital. Once the hierarchy is defined, assets need to be mapped according to the hierarchy, as it provides the management with “risk views” across functions. Risk measurement involves seven stages. It may include factor analysis of information risk (FAIR) that estimates a threat’s event frequency, capability, control strength,

“Banking sector needs a ‘hybrid model’ that combines the best points of every model to create a qualitative and quantitative risk assessment system” Vishal Salvi, CISO, ISG, HDFC Bank ltd

vulnerability value, loss event frequency, probable loss magnitude and helps derive and articulate risks. Change management with internal and external user awareness is critical. The overall ISRM framework should also cover the ongoing requirement to improve the maturity of information security controls practiced.

Reviewing A bank’s primary requisite is to address security incidents through security operations center (SoC) and CERTs. A security incident dashboard is an indicator of evolving risks. As banks often depend on business partners for operations,

Business Benefits Reduces gaps between theoretical approach and practical classification to approach Makes classification approach relevant to the business users Improves transparency for users and senior management The proposed framework and risk measurement model aims to address

all these drawbacks and provides clear directives to: Align information security with banking industry’s business risk appetite Prioritise and reduce information risk exposures to acceptable levels Provide secure information infrastructure guidelines and safety to its users

it becomes critical to manage risks of outsourcing by instituting similar information security (IS) controls even in their partners’ systems by developing a standard security checklist and partners and vendors should be subjected through on-site or remote review. The outcome of this process provides a list of third-party risks which can be fed into the IS risk register. DR or BCP and information security classification is imperative, as it covers compliance to business impact analysis, system and process readiness and testing calendar. With the growing instances of attacks on applications, it becomes critical to build secure applications. Most organisations aim to achieve this by developing an application security standard and make the new application meet those requirements. The application compliance database lists the critical list of vulnerabilities, which is an indicator of future risks and needs to be integrated with the IS risk register. Just like application security standard, there are operating system and database security standards. Traditionally these have been treated as minimum baseline controls across operating systems and databases. Once the standards are integrated with the asset register, a risk-based approach for implementation of these can be applied. The information security teams perform security tests on assets (read: applications, networks, operating systems and databases). These help identify future risks. Third party networks are important because they perform risk analysis on all third-party connections in the bank networks. Vishal Salvi, CISO, ISG, HDFC Bank ltd.

j u ly 2 0 1 1 | Itnext

g n i k

n a b efense d n o

m ste e sy h t t n bu ly o ol, ntr t on to o o c g n sin tive nds u a e s r p i t r de inis ity ome adm cur ust e s c t s i s e er ion t th nkâ&#x20AC;&#x2122;s und act tha A ba ies ms ans l e r t t t s t tha duc n sy oo con als

nlike traditional banking, in which transactions happens through personal interaction, modern banking conducts operations over the mobile phone or internet. Under this new system, banking operations can be conducted more efficiently, but chances of fraud are also magnified. Mostly frauds happen because the sectorâ&#x20AC;&#x2122;s security requirements are spread beyond the IT infrastructure, and applications owned and managed by the bank. The bank may make

Itnext | j u ly 2 0 1 1

IT Security Special

cover story | community view: viJay MahaJani

“Malicious entities often conduct identity theft by sending phishing e-mails to users or by hacking popular sites” Vijay Mahajani, Senior Manager, Wipro Consulting Services

all efforts to secure the IT infrastructure, applications and databases within their administrative domain, but security requirements at the end-user level is as important. These days it’s easier to rob a bank, as the thief doesn’t have to visit the space physically. And helping him out is the technology that’s the key enabler, if not implemented properly.

threat Footprint Studies show that malicious entities often conduct identity theft by sending phishing e-mails to users or by hacking popular sites. People believe that they are safe and secure when they connect to their bank website over the internet using office or home internet connection, because they use SSL, or because their browser shows a padlock with details of the latest PKI Certificate obtained from a reputed security firm. But users fail to realise that attackers can easily bypass client-side security mechanisms and exploit vulnerable web applications on the server side and gain unauthorised access to bank sites. ZeuS Trojan’s been used for MITB attacks: a user is persuaded to download the Trojan by mechanisms such as “Drive by Download”; the user clicks on a seemingly authentic link and unknowingly downloads the Trojan. The link is essentially to a malicious website that’s already compromised. ZeuS Trojan then can bypass existing client-side security mechanisms (SSL, PKI and two-factor authentications).

photography: yus uf kh an imagi ng: a noo p pc

Countering ZeuS Current anti-malware solutions may not have capabilities to prevent Trojan attacks. However, there are ways to mitigate such risks. Use out-of-band mechanisms for transaction verification. It’s a secondary verification mechanism of a user, outside the client-web server network. Improve user awareness. In May 2011, ZeuS sent an e-mail which resembled a security mail from Microsoft asking the user instal a patch attached in the e-mail. Users who downloaded it failed to realise that Microsoft never sends such patches over the e-mail.

Users must be sensible while using social networking sites (Facebook, Twitter or Orkut), as most infections come from casual browsing or from downloading free utilities—songs, videos. Increase browser security by disallowing browser-based helper objects and dynamic link libraries.

APt, Mitigation Advanced Persistent Threat (APT) is an attack that is wellplanned, co-ordinated, skilled and well-funded. It’s typically not done by individuals, but by group of experts as a part of corporate espionage. It may be at times state, government or country-sponsored with a motive. It can be targeted at big financial institutions. This kind of attack uses advanced intelligence gathering techniques and goes on for a prolonged duration. To prevent ATS: build and maintain information security and use regular user awareness programmes on security.

Getting Past xSS Attacks Cross Site Scripting Attack is a common threat that websites are vulnerable to, because service providers believe that XSS (Cross Site Scripting) vulnerability does not directly compromise the server-side resources. Though this is true to an extent, however, it does impact the banks’ customers, as it can lead to a loss of user names and passwords. APT allows the attacker to login to a bank’s website using the victim’s credentials. To prevent it: Establish secure systems development lifecycle approach Conduct vulnerability assessment and penetration-testing through sources and patch-identified vulnerabilities Check vendor’s sites for zero-day vulnerabilities and apply patches as soon as they’re released after testing Use appropriate input validation and output checks Establish strong incident reporting and investigation mechanisms

SQL Injection Attack Banks’ websites depend heavily on backend applications and database servers that store customer’s confidential information (transaction details, ID, contact details, credit or debit card details). SQL attack exploits web application vulnerabilities such as poor input validation or output sanity checks. SQL injection occurs when the web application receives an input from the user that includes SQL command. The command is executed and the output is sent back to the user without any sanity check. This leads to the disclosure of the information. To counter it: Use appropriate input validation into application, default deny rule and regular expressions Configure appropriate permissions and role-based security to prevent from the execution of privileged commands by unauthorised users Vijay Mahajani, Senior Manager, Wipro Consulting Services

j u ly 2 0 1 1 | Itnext

IT Security Special

cover story | community view: ravish Jhala

T governance and risk management are the focus areas for CISOs across industries. Applying an enterprisewise risk management system is to not only safeguard data, but also to bring in efficiency and reduce costs. Tools allow firms to integrate and manage IT operations that are subjected to myriad regulations. According to Forrester Research, the Indian IT GRC industry comprising software, consulting and related services is slated to grow by 24 per cent from $2.6 bn in FY 2009 to over $24 bn over the next five years. With just 30 per cent penetration, there is significant room for growth for these tools. One of the studies has revealed that in 2010, only 27 per cent of CEOs and company heads were involved in security policy decisions. This figure arose to 34 per cent in 2011. As for CFOs, 56 per cent were involved with security spending in 2011, a growth from 52 per cent in 2010.

Security Systems

becomes critical and training is an ongoing process. To address these criticalities, it’s mandatory to set key security metrics and KPIs. Security heads need to measure the value of information and create programmes to plan for the secure growth of organisations. An organisation’s security metric helps establish the best practices. For instance, the new amended act on ISO27001 Audit Compliance and the IT Act Amendment of 43A on compliance audits can be adopted. Plethora of indicators needs to be observed, and these include: Routine checklist or measures to manage security A meaningful company metric Designed processes for security scorecard Keeping in mind that not everything can be measured Information on continual improvement

p u ep

Some basic security systems that can be measured under the governance and risk will include: Intruder detection and prevention systems CCTV surveillance Electronic access control Physical security practices such as China wall, building live electrical fence, blast protection film, door frame metal detector and bagger, physical-hand and vehicle scanner. At time of threats, security heads ; river also need to consider tools which could wing o l e f r atu astial n eaf do the following: r k u i c l p r u me me pe is . This dsca to co Investigate the frequency of particular s n s e y a d r g l a a T he et chan The I budg on IT disasters ntly n e i a s r h t t u t s i a s n sw thre pres it co ction Determine the degree of predictability of e of n r uble u a o f c d that king puts tem disasters ll ta a sys e sti l h i t h i w ts w Determine the speed of the onset of disasters rain onst c Determine the amount of forewarning associated them Gauge their impact Identify consequences Assess required redundancy levels built-in to accommodate critical systems Estimate potential financial loss Foresee legal complications It’s important for firms to take cognisance of the regulatory and compliance needs under the IT Rules Act-2011, which increases offenders’ liability. Managing security compliance

Pwith it grm

Itnext | j u ly 2 0 1 1

IT Security Special

cover story | community view: ravish Jhala Awareness programmes, new updates, regulation changes and compliance information need to be updated by asking some basic questions: What is the level of risk? How strong is the security process? What is the overall cost and is it in control as far as the security infrastructure and processes are concerned? Reporting and action Priorities as per budget allocation Measure of security should be done by periodic audits and according to the framework defined by industry standards (COSO, CobiT, ISO or IEC17799-2).

Risk Analysis on Cloud, SaaS Scenario Risk analysis and positive governance is imperative under the Cloud or SaaS model, with data residing at a third-party location. Enterprises are familiar with traditional on-premise model, where data resides within the enterprise boundary, subject to policies. There’s, however, discomfort when there’s a lack of control over data, as is often the problem in the SaaS model, chief concerns being data breaches, application vulnerabilities and availability that can lead to financial and legal liabilities. Key security elements that should be considered under the SaaS model deployment process should be:

“Security heads need to measure the value of information and create programmes to plan for the secure growth of organisations” Ravish Jhala, Systems Manager, Trident Hotels

effective Risk Management Scenario A critical part of security investments in the risk management scenario is around absorbing certifications. The cost of mitigating risks is high. For instance, approximately Rs 10 lakh goes in for user training. In such a case, the IT infrastructure cost amounts to Rs 20 lakh. If equipment (CCTVs) is taken into account, it goes beyond Rs 1 crore. It’s essential to understand the governance aspects of network security to help implement a climate of change.

photog raphy: jiten gandhi i magi ng: bines h s re e dharan

Clarity on the SaaS deployment model Data security Network security Regulatory compliance Data segregation Backup Identity management and sign-on process Factors of application vulnerability assessment, which could secure the SaaS platform, should be considered by IT heads.

Ravish jhala, Systems Manager, Trident Hotels

j u ly 2 0 1 1 | Itnext

IT Security Special

cover story | community view: dhananJay rokdE

everal forces influence the use and development of information security-related technologies, products and services. There’s no one-size-fitsall solution out there. Information security has gained importance over the years. Information systems, regulations and certification bodies have also matured to address the issue of information security and its requirements. Organisations all over the world have shown their commitment towards effective security by: Increasing information security spending per annum Hiring dedicated information security professionals Segregating duties for the information security teams from routine business operations Globally increasing the numbers of certified organisations Increasing public and staff awareness There are some off-the-shelf solutions out there and forces that influence the use and development of information security related technologies, products and services.

Statements such as “the report states such-and-such product is better or more secure” is misleading. But no firm is more secure just because they have the best, latest or the most popular product. Management teams fail to realise that a single product or technology is not good enough to secure an organisation. In my opinion, do not depend on a single product instead use data, trends and comparisons presented by research reports as a supporting guideline, but never make it a Bible.

Modern CxO’s Bible Gartner and Forrester, two of the leading analyst firms that track IT trends, produce the most influential reports on trends and insights that help CXOs take informed decisions. These research reports are taken as decisive guidelines by senior management and this can often mislead them. Personally I believe that as far as information security goes, the mantra “if it works for them, it’ll work for us” is wrong. That’s why dozens of initiatives pushed from the top are eventually trashed. In India, multi-million dollar projects have been scrapped because the people who authorised them didn’t know what they were talking about.

k c i u Q o

s e x i F ot yn rit hy u c dw se n n a a o f re ati hel the orm the-s s f I n i ? t ave off uld no t-h sho ented s ps u y a h m r m Wh a e P e le imp rnanc llet? be u e v b o ver is g sil

Itnext | j u ly 2 0 1 1

IT Security Special

cover story | community view: dhananJay rokdE

photography: jiten gandhi imaging: anoop p c

Silver Bullet Offers Keeping in mind that every organisation and geography is unique and there cannot be a one-size-fits-all approach towards information security. With an increasing number of technologies, products and service options, modern day information security manager is swamped with a huge number of vendor options. So which is the right otpion? Vendors often cite examples of compromised systems or security lapses to make an upsell. These information security breaches are often magnified and overblown to accommodate the features of one product and we’ve clearly come a long way since the Heartland Payment Attack. The general tone of any information security vendor is: “This could happen to you unless you use XYZ (product or technology)”. Rarely have I come across a vendor who promotes a product in a positive manner and who speaks only about the product’s advantages. Most try to score brownie points with comparison sheets highlighting the shortcomings of their rival’s products. This is also because an information security manager often asks, “What do you have that they don’t?” Yes, vendors are an influential force, pushing products into the market, a talent that I appreciate. Lately, information security vendors are increasingly using the “fear factor” to push information security managers into deploying unnecessary technologies and products. Why have we never heard a pitch claiming responsibility for the failure to protect a company’s infrastructure? Since DLP and DRM are talks of the town, I would like to highlight these as examples of why off-the-shelf is not always off-the-hook, and why governance is still the key. Most DLP or DRM vendors promote the fact that by deploying these

solutions, one can achieve SOX, HIPAA or GLBA compliance. Honestly, this is little more than a false promise, often a blatant lie. Also, locking down and physically removing DVD-RWs, USBs and Floppy drives (if any) doesn’t solve the problem. Any DLP software is nothing more than a mere programme and at best can restrict an employee from printing, editing, revealing data in locked areas. Let’s look at what a DLP tool cannot do: It can’t stop hard copies from being taken out of the organisation’s facility It can’t prevent the use of mobile cameras or scanner software It can’t prevent a HDD or tape from being taken away For argument’s sake, let’s agree that DLP can’t be achieved easily with only insubstantial software. It’s a tough task that requires controls, governance and vigilance. If you need more convincing, here’s an addendum: these software can’t implement a clear, screen or desk policy or physical security controls, they can’t remove unnecessary rights from administrators or domain owners and impose restriction on social media. The moral of the story is: irrespective of vendor claims, there’s really no silver bullet.

need for Governance

Once deployed technology and products need to be integrated with a firm’s DNA so that they are not underutilised or wrongly utilised. Insufficient testing or the lack of Proof of Concept (PoC) could be the reasons behind under or failed utilisation. PoCs test the actual product, but never check how a product addresses business components (people, process or technology). Another error made is procuring multi-functional products to address a single business need. Personnel attrition remains an underrated cause, but it tops my list. While undertaking any project, an organisa“Do not depend tion typically deploys a manager and a support team to initiate a project. However, this team does not stay till the project on a single product. completion. And the cause is eventually lost. Most often instead, use trends, data and this is the reason for poor implementation. While inforcomparisons presented by mation security often imposes restrictions, these are often overridden by the top, killing the project’s cause. research reports as a supporting Lack of integration with existing workflows and serguideline, but never vice management environment is also a cause behind the under-utilisation. A new product or technology make it a Bible” should be accommodated within the existing service Dhananjay C Rokde, management environment and never vice versa. It should Independent Consultant on never change the way you work. Information Security Yes, a product can fail—it can fail to meet business, performance or technical requirements, despite what its brochure states. While most teams work under the assumption that if it succeeded in the test-bed or in a 30-40 per cent sample environment, it will eventually go all the way. However, always place an exit strategy to address failures. Dhananjay C Rokde, Independent Consultant on Information Security

j u ly 2 0 1 1 | Itnext

insight | security rules

IT Rules 2011

WhaT IT Means foR CIsos The IT Rules 2011, under the IT act 2008, define privacy and sensitive information for the first time. Cso forum analyses some of the key clauses of the new law

he long awaited privacy policies for the country have finally been put in place under the IT Rules, 2011. The law that came into effect from 11th of April, 2011, clearly defines what can be termed as personally identifiable information or PII and what measures organisations need to take in order to protect this information from being compromised. The elements defined as the sensitive personal data or information of a person under the law are:

ITnexT | j u ly 2 0 1 1

(i) Password (ii) Pinancial information such as Bank account or credit card or debit card or other payment instrument details (iii) Physical, physiological and mental health condition (iv) Sexual orientation (v) Medical records and history (vi) Biometric information (vii) Any detail relating to the above clauses as provided to body corporate for providing service, and (viii) Any of the information received under above clauses

i maging : by suneesh k

By Varun aggarwal

security rules | insight being able to come out with the first ever privacy law in the country, there are many issues within the new law that need to be addressed. To start with, the law states, “Body corporate or any person on its behalf shall obtain consent in writing through letter or fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.” According to Dr Kamlesh Bajaj, CEO, Data Security Council of India, “This is an ambiguous statement and doesn’t clarify whether the company that keeps user data needs to take user’s consent or even the companies processing the data need to take user’s consent before processing it.” This, according to Dr. Bajaj, would put double pressure on data processing companies including the BPOs, KPOs and other services organisations. The law doesn’t define the term, ‘provider of data’ creating ambiguity. “While international laws like HIPAA and EUDPA clearly define the provider of data as the owner of data, in IT Rules, 2011, this clarification is not provided,” opines Kaushal Chaudhary, VP-CIO, NIIT Technologies Ltd. Explaining the legal interpretation of the statement, Advocate Prashant Mali, President, Cyber Law Consulting says, “The Act talks about following Best

Rules foR DIsClosuRe of InfoRMaTIon

by body corporate for processing, stored or processed under lawful contract or otherwise: Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

What’s amiss? While Government of India needs to be congratulated for

isclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider, who has provided such information under lawful contract, unless such disclosure has been agreed to in the contract between the body corporate and provider, or where the disclosure is necessary for compliance of a legal obligation: Information can be shared without obtaining prior consent from provider of information in case of investigation, detection, verification against offences or prevention of cyber incidents with Government agencies as per the mandate. The Government agency shall send a request in writing to

the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person. Notwithstanding anything contained in sub-rule (1), any sensitive personal data or Information shall be disclosed to any third party by an order under the law for the time being in force. The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further. — Source: IT Rules, 2011

j u ly 2 0 1 1 | ITnexT

insight | security rules Security Practices or either ISO 27001. When IT security policy is drafted to follow best security practices, Data owner, Data user, Data custodian, etc., get defined there and organisations can do that at their own peril.” The new law requires organisations to put up their privacy policy on their website and provide for: (i) Clear and easily accessible statements of its practices and policies (ii) Type of personal or sensitive personal data or information collected (iii) Purpose of collection and usage of such information (iv) Disclosure of information including sensitive personal data or information (v) Reasonable security practices and procedures While this may sound good for the owner of the data as he would clearly know what information provided by him is being used for what purpose and whether it is safe or not. However, Chaudhary argues, “Putting up information like ‘what personal data the organisation collects’ and ‘what security practices it follows’ on the company’s website, could put the company under the potentially threat of targeted cyber attacks.”

What it means for the security Industry

“similar to business impact analysis based on which BCP is done, organisations need to take up a privacy impact analysis to assess the degree of protection required” Kaushal Chaudhary VP, CIO, NIIT Technologies ltd

“awareness is the key to the IT act and steps need to be taken by the government as well as corporates to incorporate IT law and rules in corporate culture”

IEC codes of best practices for data protection, shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.” This would allow for best practices frameworks including the DSCI framework to be attested by the government. However, in case these best practices are not followed, the law creates liability for non-compliant organisations. Mali explains, “If an organisation neglects to implement reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected. The figure of damages is not mentioned by the law and depends on the loss caused, loss promulgated by the lawyer and calculated by the judge.” Th e r e f o r e, for e f f e c t ive implementation of the policy, organisations need to take up privacy awareness campaigns to educate their employees, business partners as well as clients and end customers. Moreover, Chaudhary suggests, “Similar to business impact analysis based on which Business Continuity Planning is done, organisations need to take up a privacy impact analysis to assess the degree of protection that is required.”

The Act requires organisations to have Conclusion a comprehensive documented informaThe IT Rules 2011 is a good headstart to tion security programme. resolve the growing privacy concerns in The good news is that this would the country. While the law is expected compel organisations to take security to boost the market for encryption and seriously. This would greatly other security solutions in the country, increase the importance of security in it would also help CISOs get a manageadvocate Prashant Mali organisations and most enterprises ment buy-in for their new initiatives. President, Cyber law Consulting would be compelled to appoint a CISO Since these rules have clearly to handle the IT security infrastructure. identified what can be termed as CISOs would now be required to make their systems ready sensitive information, financial institutions now need to for security audits, even if they are not required to meet improve their validation process in which all you need to compliance requirements of ISO 27001, HIPAA SOX etc. provide them in order to get every single information about Moreover, organisations would require the audit of your account is your date of birth. Notably, the date of birth reasonable security practices and procedures by an auditor is not mentioned as a sensitive information under law as it is at least once a year or as and when the body corporate or a publicly available on many municipal corporation websites. person on its behalf undertake significant upgradation of its “Awareness is the key to IT legislation and steps need to be process and computer resource. The law states, “Any industry taken by the government as well as training departments of association or an entity formed by such an association, whose corporates to incorporate it so that innocent people dont fall members are self-regulating by following other than IS/ISO/ prey to penal legislation,” concludes Mali.

ITnexT | j u ly 2 0 1 1

“I WAS RECOMMENDED FOR A PROMOTION….”

NEXT100 AWARD RECIPIENT 2010

After having 15 years of experience with same company, NEXT 100 award was one of the most cherished felicitations for me and my management. I not only got

the recommendation for my promotion, but also feel like a

true troubleshooter in both external & internal matters. SARITHA KAZA Manager- IT Vijai Electricals Ltd.

DO YOU WANT TO BE NEXT?

If your answer is “YES!”, then we invite you to participate in NEXT100, an annual awards programme from IT NEXT.

APPLY NOW For the NEXT100, 2011 at www.itnext.in/next 100 Principal Partners

Event By

interview | Scott chaSin

“Cloud is about serviCe management” there is growing interest in cloud-based computing solutions amongst large enterprises. however, security concerns remain the biggest obstacle in its adoption. Scott Chasin, cto, SaaS, Mcafee, in an interaction with Jatinder Singh, shares some interesting insights on the same

What are the trends that are driving the security needs of enterprises? At present, the entire industry is going through a major transformation. There are a slew of new technologies that businesses are evaluating. Also, as the workforce is going mobile and enterprises are pushing at collaboration solutions for scaling up, the risk of managing endpoint security has grown exponentially. For businesses, there are challenges related to duplication of infrastructure, users bringing their own devices with different platforms and heightened usage of virtualised technologies. Security too is often being driven from different silos within businesses — from mobile devices, PCs and tablets, to mission-critical networks, servers, hosted applications, cloud services, virtual machines, and databases—bringing dozens or hundreds of different security technologies and disparate

itnext | j u ly 2 0 1 1

management paradigms with them. Hence, identifying the right blend is a process that involves selecting, cataloging, monitoring and embracing control mechanism.

How challenging is it for it managers to keep the infrastructure secure and safe? The challenge for IT managers and CIOs is to consistently monitor if the right policies are in place, without reducing the performance optimisation. The IT teams of today need to deal with a larger variety and volume of threats. Businesses need a customised approach that gives control over application behaviour. As cloud adoption among enterprises is gaining new heights, a well-planned security ecosystem is extremely important. Once all the security systems and policies are in place, the onus then rests on the IT managers to keep reviewing and updating it so that newer threats are nullified.

You said enterprises need a better ecosystem. What are the ingredients of well planned cloud ecosystem? Security in the cloud is still pretty new. One needs to understand that cloud is not just a way to scale your business, but also an opportunity to protect your enterprise. The major transformation that is happening on the cloud front is not just about asset management anymore. It’s related more with how to really focus on service management. Which are the innovations that you can do with cloud computing? How to shift the focus of your business? As the maturity in cloud deployment grows, there needs to be a new way of deploying the cloud and ways to determine as to what goes first and how you can structure the process. The main reason for moving towards the cloud is because it is economical, especially for Small and Medium Enterprises (SMEs).

interview | Scott chaSin

Can you share the best practices that it managers must adopt in deploying cloud-based solutions ? For an IT manager, it is important to adopt a platform or framework for security that conforms to industry specific needs. Another important aspect is education, as it is a key element for effective cloud deployment. One needs to make sure that all the employees in the organisation know the do’s and don’ts of security framework. It’s also critical that people responsible for security are closely aligned with business requirements, otherwise the security policy will not succeed. Over the last few years, the market is really focussed on what’s real and what’s hyped. It’s important to ensure that IT managers understand the benefits as well as the risks associated with the emerging cloud models. It’s critical that businesses should look for providers who can show that their environments are not only free of root access accounts, but also encrypt all client data with keys that they themselves do not have. In the next two years, you are going to see leverage of the economic business model. What is mcafee’s strategy in the cloud space? With over 500 customers in India, our strategy is largely based on three components. The first is security from the cloud, second is security in the cloud and the third is security before the cloud. That means data should be protected at all the possible points. We also have cloud security certification services, which are tailored for existing security controls, processes and certifications, plus future cloud security standards. In addition, it also has automated auditing,

itnext | j u ly 2 0 1 1

remediation, and reporting — certified cloud vendors that pass automatic daily scans and other checks, gain the right to display the credible, third-party validation of the security status of enterprises. In the past 12 months, we have activated over five datacenters to meet and support the growing global demand for email and web Software-as-a-Service (SaaS) security solutions. With threats rising swiftly in quantity and complexity, an uncertain economic environment and an insatiable desire to deploy new, more competitive computing models, it’s difficult for IT organisations to sustain the traditional model of taking on new security products for every new threat.

“A well-planned security ecosystem is extremely important, given the growth momentum in the adoption of cloud computing”

Find other interviews online on the website www.itnext. in/resources/ interviews

McAfee’s cloud transparency programme is able to provide security combined with internal process certification with daily control panel. McAfee is very well positioned in providing the SaaS mobile offerings in the cloud. We have customers today who have infrastructure as a service with amazon but have security as a service with us. McAfee’s perspective is to provide high grade of detection in the DNA of the organisation.

Photo graPh y: Jayan K narayanan

Scott chaSin | interview

j u ly 2 0 1 1 | itnext

Photo graPhy: Jayan K narayanan

interview | Scott chaSin

itnext | j u ly 2 0 1 1

IT SeCurITy

the big

buildiNg robust security model EXPERT PANEl

SATISH PeNdSe, PreSIdeNT, HIGHbAr TeCHNOLOGIeS LImITed

The SiTuaTion...

CuT IT FrOm He re

“i understand that the vision statement of the company emphasises making every transaction secure and keeping the data protected, but due importance has to be given to evolving a good business model for information security,” said Prithvi to his senior, the company’s CFO, when they were having an informal conversation. The CFO is concerned about the security aspect. The company, a logistic solutions provider, has already roped in several customers and it has a multitude of transactions happening everyday. Now it devolves on Prithvi, who is responsible for IT at the company, to work out an effective information security framework in a scenario where the business is seeing a multi-fold growth. The company’s main appeal lies in its customer friendly operations, and in its capability to keep data confidential and take care of other security related aspects. Prithvi’s tasks do not stop at just deploying some

Your response counts. Log on to www.itnext.in/bigQ to submit your replies. The best entry will be published in the next print edition.

KAmAL S HArmA, CIO, mINdL ANCe

T G dHANdAPANI, CIO, T VS mOTOrS

protection tools —- such as anti-virus, firewalls, etc. It involves many other complications. He has to build a business model for information security that not only assures effective security management, but also takes into account all the parameters in the company’s operations. He also cannot afford to ignore the human factor. This is not a simple task. A number of questions occupy Prithivi’s mind: Which aspect of the organisation should I take into account while designing a security model? How important role will people play in this security policy framework? What kind of risk management strategies should I work on? What kind of processes must be evolved to have a good interface with the security? What kinds of tools do I need to deploy? Given the plethora of solutions, tools and systems available, Prithvi is in a dilemma about the best ways of creating an effective business model. He is looking for some creative solutions to the issues he faces, to build an effective and zero risk security framework.

J u ly 2 0 1 1 | itnext

the big q

The big queSTionS... WhAT ARE ThE kEy ElEmENTs ThAT PRiThvi NEEds To iNcludE iN ARRiviNg

? ?

AT AN EffEcTivE busiNEss modEl foR iNfoRmATioN sEcuRiTy?

WhAT kiNd of TEchNologiEs ANd Tools PRiThvi should EvAluATE ANd dEPloy To AddREss ThE chAllENgEs?

here are The anSwerS... “Periodic SecuriTy review iS viTal” FiRSt AnSWeR

SatiSh PendSe President, highbar Technologies limited About me: An industry veteran with a vast experience in critical iT implementations. Played a key role in driving iT innovations and taking vital business decisions

There has to be a healthy balance between levels of information security and efficiency at workplace. If security becomes excessive, then it will prevent an organisation from accessing information and this will lead to inefficiency. On the other side, low security can lead to rise of many kinds of threats. The level of security must depend on the type of business. Another important aspect is the cost of information security versus the value of information. Information security can be divided into two categories — discretionary and non-discretionary. Aspects such as virus protection software with regular updates, a firewall, password protection with reasonable built-in rules, etc., fall in the non-discretionary category. One cannot do without them. Discretionary information security comprises various aspects such as data-encryption, biometric security for physical access or control of data centre and other sensitive areas. One needs to identify functions/locations that are extremely sensitive, and these from a data security perspective need to have highest possible information security protection. For the rest it can be substantially lower. The model must be configured to have a holistic overview of information security. Prithvi also needs to keep in mind that addressing information security is not going to be a one time affair; new threats keep emerging at regular intervals. Therefore, review of the effectiveness of the model has to be conducted from time to time.

Second AnSWeR It is difficult to address this question because there are numerous tools to select from. ISO 27001 provides a good framework for information security. Most organisations implement solutions in terms of Firewall, Endpoint, Network Access Control, Antivirus software, intrusion prevention system, etc. In order to have a viable security framework one should look at implementing the Security Information and Event Management (SIEM) system. SIEM provides organisations with an integrated 3-in-1 log management solution for simplifying compliance, enhancing security and risk mitigation, and optimising IT and network operations, through the automated collection, analysis, alerting, auditing, reporting and storage of the logs. There would be business benefits such as: Greater value from the investment in security technology Comprehensive and efficient reporting Reduced capital and operational costs Reduced risk of non-compliance Early detection of security incidents

itnext | J u ly 2 0 1 1

the big q

“SecuriTy aligned wiTh buSineSS” FiRSt AnSWeR The basic requirement of the business has to be taken into account for developing a suitable information security system. Overdose of security tools in the system can lead to hampering of the basic operations that the business conducts. The model has to be 100 per cent business oriented, so that, it facilitates a balance between security and business oriented goals. The compliance to the standard has to be implemented across the organisation. Few of the basic elements that Prithvi should keep in mind before implementing the model would be —organisation’s design and strategy, head count, and also the processes and technologies that are used. It is not enough if the model is developed to secure the elements, it is also necessary to have the Dynamic Interconnection factors. The critical factors affecting the dynamic interconnections, which need to be addressed, are Culture of the organisation Architecture of the organisation Governing authorities Evolutions Human Factors

Kamal Sharma cio, mindlance About me: selfmotivated leader, visionary, result oriented and business savvy. has extensive experience in iT strategy, engineering, business management, operational

Second AnSWeR There is no single tool, which can address all the issues. Prithvi must endeavour to build an end-point security system. Using a single tool will either overdoses the security environment or would under achieve the target in some critical areas. A combination of systems, which can be customised with the help of Microsoft Security Assessment Tool (MSAT), is required. The combination tools will requirePhysical security resources Intrusion prevention and content filtering with respect to Internet channels Creation of high encryption remote access channels for VPN users WIFI access across all locations should be implemented with the help of a wireless controller mode Two factor authentication for all devices that are not on the wired LAN or in the premises. The model should ensure a smooth functioning of the enterprise.

Potential cost-saving areas in the it security budget

it Sec

best of breed security solutions combined with consolidation in vendor engagement is largely preferred to cost (% in nos) 50

consolidate vendor egagements (deal with fewer

31% vendors using the same technology) discussion at renewal (same vendor same 30% Price technology but at a better price) 18% opt not to secure some critical areas 12% outsource security task to a security service provider 9% Reduce internal skills and resources for iT security

0 Note: respondents represent financial ser vices institutions from Australia, China, India, malaysia, New Zealand and Singapore. SOurCe:

IdC

SeCurIT y

S u r V e y,

2011

J u ly 2 0 1 1 | itnext

the big q

â&#x20AC;&#x153;cia-Key aSPecTS o f SecuriTyâ&#x20AC;? FiRSt AnSWeR

tG dhandaPani cio, Tvs motors About me: veteran in iT, deployed key technologies and involved in iT strategy development. As a finance controller, he had been instrumental in driving greenfield project in its manufacturing units

Information security has three main aspects: confidentiality, integrity and availability. Confidentiality means that only authorised people can access information. Integrity ensures that the data remains unchanged as it goes from the sender to the receiver. Availability ensures that the business runs as desired by stakeholders. Here is a list of some of the typical security issues and solutions: 1. Malicious attack by hackers can result in system exploitation, system breakdown, or application failure. A strong firewall, intrusion prevention and detection system is necessary. The organisation can also go in for ethical hacking to discover and plug loopholes. 2. Sniffing of the network may result in theft of personal information belonging to many customers. With SSL protocol, a system of encryption can be developed to protect information. 3. Hardware, spyware, malware can be downloaded along with files. By providing for the download of proprietary software to avoid risks.. The weakest link in the chain determines overall efficacy of the security system.

Second AnSWeR Primary security should be built in the business process. Over and above that there should be information security system which takes into account the review of security polices and practises. It is also necessary to conduct regular security audit and assurance. Some of the products are the leaders, while others are laggards in dealing with different aspects of security. Product selection will depend on the specific needs.

NOTeS noteS

More resources

itnext | J u ly 2 0 1 1

SLA Best Practices: http://www.cisco.com/en/us/tech/tk869/tk769/technologies_white_paper09186a008011e783.shtml What about SLAs?: http://www.itbusinessedge.com/cm/blogs/all/saas-bpo-convergence-what-aboutslas/?cs=38590

PHOTO GrAPHy: APH y: J JAyAN K NArAyANAN

the big q

J u ly 2 0 1 1 | itnext

cube chat | Prajwal S Kumar

I Like to be on My toes “ it is challenging and one is sure to find opportunities in it to grow,” says Prajwal S Kumar, Senior Manager, IT, ACG Worldwide By Ano o p Ve r m A

M My sucess

Mantra Welcome the challenges with an open mind

itnext | J u ly 2 0 1 1

ost of us are drawn to an easy life. But not Prajwal S Kumar. He has a different outlook. He entered IT field because of the constant stream of new developments in the sector. Prajwal feels that every change encompasses a new opportunity and a new challenge, and he says he enjoys the thrill that can only come from working in an atmosphere where things are always on the move. “Survival is toughest in IT,” Prajwal reveals. “You have to constantly upgrade yourself with new technological know-how. The systems have to be state-ofthe-art. But it is these challenges that you face on a daily basis that make this kind of job so enjoyable and satisfying for people like me. Every day you face a new issue. It keeps you charged up.”

Prajwal says he draws inspiration from Narayana Murthy, co-founder of Infosys, a company that has been instrumental in changing the way the world looks at India. Once upon a time, Prajwals says, India was perceived as a land of snake charmers. Since the advent of Infosys, it is seen as an economic giant populated with software engineers and ambitious entrepreneurs. “Narayana Murthy is an iconic figure for all Indians,” Prajwal says. “His success is proof of the fact that anyone can become a millionaire through vision and hard work.” Simply hard work will not do, he cautions: one also needs to be innovative to get the maximum advantage from new technologies that are constantly becoming available. When he is not busy at the office, Prajwal loves watching cricket. He also has a yen to travel. One of his favourite international destinations is New

cube chat

Fact FILe nam e Praj wal S Kum ar

Photo graPh y: ji te n gand hi

“The field of IT is very satisfying as it is constantly throwing up new challenges. One should learn to face these challenges with an open mind” York. As far as India is concerned “there is no place like Kashmir,” he says. He prefers to maintain a healthy balance between his professional and personal commitments. Wherever he goes, he remains in touch with his office through his BlackBerry and laptop. With the help of these tools, he says he is able to troubleshoot most issues that crop up. Being filled with passion for experiencing new challenges, it is natural that he should also aspire to branch out on his own. “Some day I would like to head my own company,” he says. “It is my dream to run a successful business of my own.” ACG Worldwide, the company in which he works as Senior IT Manager, is deeply involved with the international pharmaceutical industry. Before Prajwal joined the company, there were lots of

legacy systems. He played a pivotal role in implementing SAP, to bring more efficiency and speed to the enterprise’s core functions. As a result, workflows have improved. The information within the company flows electronically. POs (purchase orders) are delivered directly to the BlackBerry devices of relevant staff. This means less paperwork and time-saving. Prajwal also implemented Lotus Notes, an emailing solution, at ACG. Prajwal accepts that with information flow becoming completely electronic, and part of the data being stored in clouds, there is a great threat from hackers. Also, as the company he works for belongs to the pharmacy sector, the threat of dataloss to ACG is a especially serious one. He has been part of the core team that has designed the company’s firewall.

C urrent d eS ignatio n S eni or m anager, it C urrent role head ing it i nfraStruC ture exPertiSe S erver ad m i ni Stration net worK m anagem ent S eC urit y, i t i nfraStruC ture l an, C onneC ti vit y dePloym ent and oPerationS worK exPeri enCe 13 yearS Started with j indal i ron & Steel, m aharaS htra (5 yearS ) PreSent em Ployer aCg worldwi d e favouri te BooK You C an Win By S hi v Khera favouri te d eStinati onS new yorK, KaS hm ir favourite S Po rt C ri C Ket

J u ly 2 0 1 1 | itnext

update

off the shelf

A sneak preview of enterprise products, solutions and services

Toshiba Thrive toshiba seeks to thrive in the tablet market Key features * Android Honeycomb (3.1) * WiFi and bluetooth * Removable battery * Number of useful slots and ports * Wide Screen display (1280x800 pixels) * V 2.3 Android Gingerbread * Comes in 8Gb, 16Gb, and 32Gb

mobility | If your sweet dreams centre around flaunting a versatile tablet, you are going to be spoilt for choice. The market was already overcrowded with companies like Apple, Samsung, RIM and few others, and now Toshiba has entered the fray with the Thrive. This is a 10.1” multi-touch device with high-resolution wide screen display (1280×800 pixels). Powered by dual-core NVIDIA Tegra 2, the Thrive happens to be one of the first tablets in the world to ship with Android Honeycomb (3.1). On the top there is a 2 megapixel camera, while the main camera with 5 megapixel is at the back. Along with GPS functionality there is a built-in Gyroscope and Accelerometer. If you are a video game buff, this machine will not let you down. It’s a tragedy that the device does not offer 3G; perhaps Toshiba will take care of that in its later models. Right now for connectivity, you have to rely mostly on WiFi and Bluetooth. However, lack of 3G could also turn out to be a plus factor for those who don’t want to be encumbered with mobile bills every month. There is always a silver lining. Toshiba has incorporated one USB 2.0, one mini-USB, a HDMI connector and a SD-card reader. With the HDMI connector, you can plug the device right into your HDTV. That is definitely good news. The device comes in three models: 8GB, 16GB and 32 GB. The battery under the back cover is removable, which means that you can keep an extra batter handy to take care of the power failure situations. You can view social updates as alerts and view them in a single window. It is powered by the v.2.3 Android Gingerbread OS with HTC 3.0 user interface.

itnext | j u ly 2 0 1 1

HtC Sensation this is one of those phones that will entertain you like never before. Even when the phone is switched off, you can have a degree of enjoyment by looking at its attractive design. No exaggeration. Crafted from high-quality metal, glass and plastic, the device feels solid in the hand. At 5 by 2.6 by 0.4 inches, this is certainly a big phone. yet, you get the feeling that you are handling a device that is much smaller – that is perhaps because of the rounded edges and the lack of bumps. the interface consists of a 4.3-inch, 960-by-540 Super lCD, which is incorporated with qHD display. movies, videos and albums will look great. they will sound great too with Hi-Fi audio technology. inside the device we have 768mb of RAm and a 1.2 GHz Qualcomm Snapdragon dual-core processor with an Adreno 220 GPu. the Sensation is the most powerful HtC smartphone till date. you can expect lot of conveniences from this device. For instance, when the phone rings, and you pick it up to see who has called, the ringer volume automatically goes down. to shut the ringer completely you only have to flip the phone over. the video quality is said to be much superior as compared to other products. Product features • Android oS • 960-by-540, 16m-color tFt lCD capacitive touch screen • High-Speed Data through GPRS, EDGE, umtS, HSDPA • 1.2 dual core GHz processor

update

Kingston’s Wi-Drive

features * Supports all file types that ioS will support * 16Gb or 32Gb of storage * WiFi functionality

AuDio | Get hold of the Kingston Wi-Drive to make file sharing for Apple devices, including iPod, iPhone and iPad, a breeze. The device comes integrated with WiFi functionality and it can add another 16 GB or 32 GB, depending on the model, of space for being accessed wirelessly through your digital device. With most Apple devices coming with limited memory and without any expansion slots, the WiDrive can prove really useful for storing large multimedia files. You could have a movie file on the Wi-Drive and stream it directly to your iPhone. For that matter you can even stream the same movie to the iPhone or iPad of two of your buddies. At one time, the Wi-Drive is capable of streaming to as many as three devices. As of now the video codec support in the device is fairly limited, but even so it will support all the video, audio, or image files that your iOS device would support.

PlayStation Vita AuDio | In Latin, ‘Vita’ means life. According to the statement in Sony’s official blog, Vita was chosen as the name for their “next-generation portable entertainment system because it enables a revolutionary combination of rich gaming and social connectivity within a real world context.” This amazing device will blur the line between reality and entertainment further. The specs are interesting as the device sports two cameras, motion-sensors, 5” multitouch OLED screen, two analogue sticks and rear touchpad. This light device Vita, does conjure a feeling of bulk, so you might not feel really comfortable while holding it in your hand for long periods of time. The click buttons look great, and comfortable to press. The D-pad on the left side will allow you to tackle the challenges of even the most intricate game. The device is also incorporated with a Party Mode that allows users to chat with their friends. There is a Near Mode

roomba 770 Vacuuming Robot using an old fashioned broom is passé. About time you got hold of a smart robot like Roomba 770, which is capable of humming away on its own across the floor while picking up all sorts of debris and detritus. Features like HEPA filters and improved battery life vastly enhance the functionality of this device. incorporation of a special Dirt Detect technology allows the robotic vacuum cleaner to concentrate on the areas of the house that are most dirty. then there is the iAdapt responsive cleaning technology that allows the robot to reach the most hard to reach areas of the floor. it will add to the appeal of your house by not only keeping it clean, but also through its stylish and futuristic looks. the product comes with new features such as concentrated dirt sensors as well as acoustic detectors to tell where the dirt is and when the bin is full. the vacuuming robot can listen and see the dirt as it picks up.

Key advantages * two cameras * 5” multi-touch olED screen * Rear touch pad * ARm Cortex-A9 core processor

that shows friends and discoveries in your vicinity. The multi-touch screen in the front and the touch pad at the rear are geared to pick up your every motion. Internally, the device features a quad-core ARM Cortex-A9 core processor. Three of the four cores are going to enable varied functionalities and applications.

j u ly 2 0 1 1 | itnext

update

indulge

The hottest, the coolest and the funkiest next generation gadgets and devices for you

Summers are usually the time for vacations. So, before you depart make sure that you are armed with the right gadgets to take care of your communication, time keeping and photography related needs. Here are a few suggestions:

hot

motorolA droid x2 Surf net at high speed. Super-fast page loads. 4.3 inch scratch-resistant screen with glarereducing coating

ViewSonic 7 inch tAblet

Price: $350

3G ready 7â&#x20AC;? Android Tablet Voice and WiFi 200,000 apps Price: 30,000 (aPProx.)

new Aiptek pocket cinemA t25 Compact mobile projector for on-the-fly meetings. Works with PC via uSB with with 73 inches HD image Price: NA

denondn S3700 Adorned with nine inch vinyl spinning platter and music capability on digital and analog. Has uSB and MIDI control Price: $799

like something? Want to share your objects of desire? Send us your wish-list or feedback to editor@itnext.in

itnext | j u ly 2 0 1 1

update

open debate

booK For you A platform to air your views on the latest developments and issues that impact you

Should personality traits be considered in IT recruitment?

Manish sinha, HeAd IT, On dOT COurIers

sudesh KuMar, PArTner, sPPn Hr COnsulTAnTs

sheela Gusain, IT MAnAger, IMPeTus

It is extremely critical to understand and assess the personality of an individual before hiring for the IT department. It is vital to get an understanding of the individual’s social engineering skills and his/her exposure levels in the industry. Evaluation around the individual’s opinion about teamwork and his/ her capabilities to work in a team environment or groups is imperative. IT executives need to be even tempered with optimum patience. Since IT is a support function, they need to display the highest level of patience and discernment.

One could observe that most of the problems occur due to lack of proper co-ordination between individuals and sometimes owing to lack of people management skills. The IT manager has to be extremely sound in his judgment. For any job role, it is imperative to have good communication skills—both written and verbal. IT is not an exception to this rule. It is the smartness, the way people present themselves and their potential to work as a team that makes the difference. Problem solving skills along with dependability are the key for IT.

Many a times, an IT Manager has to deal with situations in which a small error in his judgment can create challenging issues. For instance, guiding the employees of the organisation through a crisis is critical. In the scenario of a server crash, any downtime will result in project failures. An individual needs to have the skills to take decisions and look through the remedial measures immediately. An individual who is in a position to anticipate crisis and deal with it with greatest dexterity is most sought after.

New Business Tips from Jobs ileadership on its way to influence upcoming businessmen AuThOr: jAy EllIOT, WIllIAM l SIMOn PublIShEr: jAIcO PublIShIng hOuSE PrIcE: rS 250

With his white-hot passion for gadgets, and staggering success at the stewardship of Apple, Steve jobs has been a popular figure in business books. now we have a book called The Steve Jobs Way, which offers an insider’s view of Steve jobs and his famed leadership style. As jay Elliot enjoyed a close personal relationship with jobs during the years when he worked as senior vice-president in Apple, his amiable account contains some fascinating nuggets of information. The style is rather intimate and reflective. The authors call the unique leadership style of Steve jobs as ileadership. There is something individualistic in the manner in which jobs leads Apple. he fostered a culture of creativity and innovation, resonating with contemporary market place. The authors opine that jobs believed in hiring like minded people to change the world. IT NEXT Verdict The intimate portrayal of steve Jobs will help Indian businessmen gain an understanding of the spirit of enterprise that drives the world’s

your views and opinion matter to us. Send us your feedback on stories and the magazine to the Editor at editor@itnext.in

top technology company. STar Value:

j u ly 2 0 1 1 | itnext

my log

ShaShwat DC associate Editor, It Next

Il lu Str atIoN: P hotoS.C om

Another Bountyhunt .com?

Domain names are big business, at least, for the bounty hunters who are registering dot coms

itnext | j u ly 2 0 1 1

3 EssEntial

REads

INTERVIEW | SCott ChaSIN

“CLOUD iS ABOUt SeRViCe MAnAGeMent” there is growing interest in cloud-based computing solutions amongst large enterprises. however, security concerns remain the biggest obstacle in its adoption. Scott Chasin, Cto, SaaS, mcafee, in an interaction with Jatinder Singh, shares some interesting insights on the same

management paradigms with them. Hence, identifying the right blend is a process that involves selecting, cataloging, monitoring and embracing control mechanism.

itnext | j u ly 2 0 1 1

Cloud is about protecting your enterprise too, says Scott Chasin, CTO, McAfee Pg 68 SECurIty rulES | INSIgHT

INSIgHT | SECurIty rulES

being able to come out with the first ever privacy law in the country, there are many issues within the new law that need to be addressed. To start with, the law states, “Body corporate or any person on its behalf shall obtain consent in writing through letter or fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.” According to Dr Kamlesh Bajaj, CEO, Data Security Council of India, “This is an ambiguous statement and doesn’t clarify whether the company that keeps user data needs to take user’s consent or even the companies processing the data need to take user’s consent before processing it.” This, according to Dr. Bajaj, would put double pressure on data processing companies including the BPOs, KPOs and other services organisations. The law doesn’t define the term, ‘provider of data’ creating ambiguity. “While international laws like HIPAA and EUDPA clearly define the provider of data as the owner of data, in IT Rules, 2011, this clarification is not provided,” opines Kaushal Chaudhary, VP-CIO, NIIT Technologies Ltd. Explaining the legal interpretation of the statement, Advocate Prashant Mali, President, Cyber Law Consulting says, “The Act talks about following Best

it RULeS 2011

WHAt it MeAnS FOR CiSOS

RULeS FOR DiSCLOSURe OF inFORMAtiOn

the it Rules 2011, under the it Act 2008, define privacy and sensitive information for the first time. CSO Forum analyses some of the key clauses of the new law BY VARUN AGGARWAL

I magI N g: By Su N EESh K

Even so, finding a domain name to your liking is almost impossible. The case is no different for three-word combos, some 17,576 possible three-letter sequences; again all booked. As of now, there are some 130 mn active domain names, wherein some 1,00,000 are added every day. The most common letter to start a domain is S, while the most common numeral is 1. Thus, if you weren’t lucky enough to be born in the 70s, or sensible enough to book a domain name for free, now either you won’t find it or you’ll have to pay through your nose for the one you desire, say like some $16 mn for insure.com or $14 mn for sex.com. Or, like Salesforce that paid some $1.5 mn for data.com. The scarcity of domain names coupled with the low prices for registering them, have made it a big market for bounty hunters, who register for a few bucks and sell them for some millions. But then, don’t hook all your hopes on ICANN’s latest move. While domain names can be registered for a few bucks, the stakes are high for domain endings. For instance, the application process for domain endings, like say dot google will cost $185,000 and $25,000 per year. So, my dreams of having a domain that is spelt, shashwat.dc will remain a dream till ICANN modifies its rules.

What’s amiss? While Government of India needs to be congratulated for

isclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider, who has provided such information under lawful contract, unless such disclosure has been agreed to in the contract between the body corporate and provider, or where the disclosure is necessary for compliance of a legal obligation: Information can be shared without obtaining prior consent from provider of information in case of investigation, detection, veriﬁcation against offences or prevention of cyber incidents with Government agencies as per the mandate. The Government agency shall send a request in writing to

itnext | j u ly 2 0 1 1

j u ly 2 0 1 1 | itnext

April 11, 2011 IT Rules Act mandates privacy of customer information Pg 64 CUBE CHAT | PraJwal S Kumar

CUBE CHAT

I like to be on my Toes

FAC T F I lE Na m E P r a J wa l S Ku m a r

“ it is challenging and one is sure to find opportunities in it to grow,” says Prajwal S Kumar, Senior Manager, IT, ACG Worldwide

“The field of IT is very satisfying as it is constantly throwing up new challenges. One should learn to face these challenges with an open mind”

BY AN O O P V E RMA

M MY SUCESS

MANTRA

Welcome the challenges with an open mind

itnext | j u ly 2 0 1 1

Photo gr a Ph y: J I tEN ga N Dh I

Quite recently, Internet Corporation for Assigned Names and Numbers (ICANN), the governing body that oversees the domain name system, has unshackled the web name business like never before, paving the way for scores of new domain endings that could be as different as ’Mumbai’ for businesses in Mumbai or as bizarre as ‘nerd’, like some are proposing. The end of dot (.) com dominance would be a great relief for many millions who have just linked up to the Web only to realise that the party (as in domain name allocation) was over ages ago. It was on March 15, 1985, that the first domain name (Symbolics.com) came into existence, thanks to a computer manufacturer that made Lisp machines in the US. Though, domain names could be registered for free, it took two years, eight months and 15 days for the first 100 domain names to be registered. But then followed the tech avalanche, starting with the dotcom bubble of the 90s, and driven by hundreds and thousands of entrepreneurs from Silicon Valley and beyond. According to estimates, around 45 per cent of all registered domain names are dot com, followed by dot net and the rest. There are currently 22 generic top-level domain names (gTLDs) like dot com, dot net, etc., as well as, about 250 country-level domain names such as dot in, dot us, dot it, and others.

York. As far as India is concerned “there is no place like Kashmir,” he says. He prefers to maintain a healthy balance between his professional and personal commitments. Wherever he goes, he remains in touch with his office through his BlackBerry and laptop. With the help of these tools, he says he is able to troubleshoot most issues that crop up. Being filled with passion for experiencing new challenges, it is natural that he should also aspire to branch out on his own. “Some day I would like to head my own company,” he says. “It is my dream to run a successful business of my own.” ACG Worldwide, the company in which he works as Senior IT Manager, is deeply involved with the international pharmaceutical industry. Before Prajwal joined the company, there were lots of

C u r r ENt DES Ig Nat Io N S ENIo r m a Nag Er , It C u r r ENt r o l E h Ea DINg It INF r aSt r u C t u r E EXP Ert IS E S Er V Er a Dm INISt r at Io N NEt wo r K m a Nag Em ENt S EC u r It y, It INF r aSt r u C t u r E l a N, C o NNEC t IV It y DEP loy m ENt a ND o P Er at Io NS wo r K EXP Er IENC E 1 3 y Ea r S Sta rt ED w It h J INDa l Ir o N & St EEl , m a h a r aS h t r a ( 5 y Ea r S ) P r ES ENt Em P loy Er aC g wo r l Dw IDE FaVo u r It E Bo o K YO U C A N W IN By S h IV Kh Er a FaVo u r It E DESt INat Io NS NEw yo r K, KaS h m Ir FaVo u r It E S P o rt C r IC KEt

j u ly 2 0 1 1 | itnext

It is my dream to run a successful business of my own, says Prajwal S Kumar, Sr IT Mgr, ACG World Pg 78

ADDL. C.P. NO. F.2(I/24) PRESS /2009

Photo graPh y: JayaN K NarayaNaN

my log

itnext | j u ly 2 0 1 1