www.expresscomputeronline.com
edit
BOLSTERING CYBER SECURITY

With the increase in the quantity and value of electronic information that lubricates our system of government and economy, there has been a dramatic escalation in the efforts of the malicious actors in launching sophisticated cyber attacks. More and more attacks are coming to fruition, producing a steady stream of high-profile, sophisticated breaches. A growing array of state and non-state actors are compromising, stealing, changing, destroying information, and causing critical disruptions to our system of government and economy. In future, the cyber attacks are likely to increase in frequency and ferocity.

Yet when it comes to cyber-preparedness, India is not in the best position. It is a challenge to get all users in the government and the private sector, even the sophisticated ones, to become aware of the threats and do all that is needed for improving security on an ongoing basis. Technical and public policy measures have to be put in place to create incentives for the major stakeholders in the Internet economy to invest in security.

Cyber criminals succeed because they have developed tremendous collaboration with each other—they share tools, expertise and information around the world. In the face of such complex criminal rings, the traditional systems of protection—antivirus, firewall, secure logging systems—may not work. It is important to deploy advanced network and analytics based security tools for identifying and preventing unknown attacks, or those that use advanced malware. There has to be the capability of detecting minor and major anomalies, and responding quickly in case a security incident is detected.

Among the good guys there is talk of better collaboration for improving security, but not enough is being done to achieve the objective. The IT teams in most companies and even the security agencies in the government rely on unverified threat data. They lack the credible information to recognise the critical incidents, which can indicate the trend for future attacks. It is important to break up the silos and ensure that there is real-time collaboration between the private companies and the government’s cyber security agencies. Also, there is a serious shortage of cyber security specialists in the government and the private sector. Recruiting cyber experts and plugging them into the right slots is a key challenge that we face. We can’t win the battle for securing the cyber space when the good guys lack real-time information and sophisticated technology, and are outnumbered.
anoop.verma@expressindia.com
EXPRESS COMPUTER
SEPTEMBER, 2015
contents

INFORMATION TECHNOLOGY & THE PACE OF LABOUR REFORM “We are making it easier for the employees to transfer their PF account when they change jobs,” says Shankar Aggarwal, Secretary, Ministry of Labour & Employment, Government of India

feature

DEFENDING THE CYBER FRONTIERS OF DIGITAL INDIA Reliable security solutions are needed to protect the nation’s assets in cyber space

SECURITY ANALYTICS SYMBIOSIS We live in a complex digital world where the organisations face rapidly changing risk landscape. The exponential growth in the number of sophisticated cyber attacks means that even the best security system can now be breached

BANKING INDUSTRY STAYING AHEAD OF FRAUDSTERS Banking fraud poses a serious threat and to mitigate fraud risks, the banks are going on overdrive to deploy security solutions

KARNATAKA’S POLICE IT ECOSYSTEM Information and data are critical so demand for instant access, real time processing, enhanced service levels and faster turnaround is growing in the police departments

SECURING BFSI IN EVOLVING THREAT LANDSCAPE Rising reliance on online channels is opening new windows of opportunity for cyber criminals

Case study

THE HIGH-TECH STRATEGY FOR FIGHTING INSURANCE FRAUD

EYES IN THE SKY SMART SURVEILLANCE 2.0

interviews

DR. GOPICHAND KATRAGADDA Group CTO, Tata Group
MAURIZIO GARAVELLO VP-APAC, Websense
ED BRANDT EVP, Managing Director, Government Services and Solutions, MasterCard
PAVAN DUGGAL Advocate, Supreme Court of India
RAJIV PRAKASH SAXENA Ex-Deputy Director General, NIC
Vol 26. No. 9. September, 2015
Chairman of the Board: Viveck Goenka
Editor: Anoop Verma*
Chief of Product: Dr. Raghu Pillai
Delhi: Mohd Ujaley, Ankush Kumar
Mumbai: Jasmine Desai, Abhishek Raval
DESIGN
National Art Director: Bivash Barua
Deputy Art Director: Surajit Patro
Chief Designer: Pravin Temble
Senior Graphic Designer: Rushikesh Konka
Layout: Vinayak Mestry, Rajesh Jadhav
Photo Editor: Sandeep Patil
MARKETING
Regional Heads: Harit Mohanty - West and East, Prabhas Jha - North, Dr. Raghu Pillai - South
Marketing Team: Shankar Adaviyar, Navneet Negi, Ajanta Sengupta, Amit Tiwari, Mathen Mathew
Circulation: Mohan Varadkar
Scheduling Mitesh Manjrekar PRODUCTION General Manager B R Tipnis Manager Bhadresh Valia
Express Computer® Reg. No. REGD.NO.MCS/066/2015-17, RNI Regn. No. MAHENG/49926/90 Printed for the proprietors, The Indian Express (P) Ltd. by Ms. Vaidehi Thakar at Indigo Press, (India) Pvt. Ltd. Plot No. 1c/716, off Dadoji Konddeo Cross Road, Byculla (E), Mumbai 400027 and Published from Express Towers, 2nd Floor, Nariman Point, Mumbai - 400021. (Editorial & Administrative Offices: Express Towers, 1st Floor, Nariman Point, Mumbai - 400021) Editor : Anoop Verma (*Responsible for selection of News under the PRB Act.) Copyright © 2015 The Indian Express (P) Ltd. All rights reserved throughout the world. Reproduction in any manner, electronic or otherwise, in whole or in part, without prior written permission is prohibited.
INTERVIEW
DR. GOPICHAND KATRAGADDA TATA GROUP
BUSINESS GROWTH THROUGH DIGITAL INNOVATION

“Given the inclination of the Group company CEOs for technology implementations and the enthusiasm for innovation in the Company CTOs, I am confident that the Tata Group is on its way to creating breakthrough innovations by leveraging technology synergies among the group companies,” says Dr. Gopichand Katragadda, Group CTO, Tata Group. In conversation with Abhishek Raval

(L-R) Cyrus Mistry, Chairman, Tata Group; Dr. Gopichand Katragadda, Group CTO, Tata Group

You are the first CTO of the Tata Group. How do you see the role that you have to play in the organisation?
My role is basically to partner with Tata Group Companies and raise the innovation quotient across the entire group. This would include working at the interface of the businesses and the technologies with the aim of delivering technology ideas that are pathbreaking on a global level.

As the first CTO of the Tata Group, what is your vision for creating new technology synergies for the group?
Cyrus Mistry has challenged the Group CTO office to bring the Tata Group in the league of top 10 technologically innovative companies globally. To accomplish this goal we have to innovate for developing better mechanical systems in the auto industry, material systems in the steel industry, processes in the chemical industries, and digital systems across multiple industries. At the same time, we also need to develop the appropriate differentiation at the intersection points of these technologies. For instance, digital systems and mechanical systems (V2X communications, factory floor automation); material systems and chemical systems (Fuel Cells, Graphene); mechanical systems and chemical systems (Precision Agriculture, After Treatment).

The Tata Group comprises over 100 operating companies, with operations in more than 100 countries. Do you think that it will be challenging to implement the agenda of innovation due to the sheer size and diversity of the group?
Given the inclination of the Group company CEOs for technology implementations and the enthusiasm for innovation in the Company CTOs, I am confident that the Tata Group is on its way to creating breakthrough innovations by leveraging technology synergies among the group companies. We have executed a consortium model for project delivery on synergy projects. The Group Technology Office has also partnered with companies to identify key innovation programmes and track them over the next three years. In addition, we have facilitated university relationships through the CTO forum, and enhanced the focus on IP creation.

What is your view of the technological innovation that is currently happening in the Tata Group companies?
According to the recent Boston Consulting Group report, the Tata Group is among the top 50 most innovative companies in the world. In fact, many Tata Group companies are at the forefront of investing in R&D and innovation. I am particularly excited by the work that Tata Group is doing on the allotrope of carbon, “Graphene,” which is about 200 times stronger than steel by weight and conducts electricity and heat with great efficiency. Tata Steel is able to develop cost-effective technologies for manufacturing graphene. This is a major development, one that can have important impact on many sectors, including electronics, communication, automobile, and steel.

You have been impressed by the educational culture in Israel. Please tell us about it.
The moment you walk into Israel, you are struck by the confidence of the Israeli youth. The confidence in these youngsters, I have come to know, gets developed at a very young age due to the military training they undergo. Serving in the armed forces is mandatory for a few years before they can join the University for further education. By the time they go to the university, they have already lived a tough life in the armed forces and are in a better position to appreciate the value of education.

Calculating the RoI of new technology implementations has always been a difficult subject. What is your view on the RoI that can be garnered from innovations and technologies?
We look at the RoI in terms of the revenues and profits that get generated from new products and services. Lead measures include disclosure, patent applications, patents granted, and patents in product. India needs to get savvier at IP generation and protection. While increasing patents, we should also focus on creating portfolios of quality patents. Individual patents can be worked around, hence the need to generate portfolios in strategic areas of importance. Quality measures for a patent, including forward citations, indicate the value of a patent. We need to put innovation capability at the core of our operating structures and appropriately invest in R&D.

abhishek.raval@expressindia.com
INTERVIEW MAURIZIO GARAVELLO WEBSENSE
“Cyber-war is the reality of our times—such attacks are frequently being launched against commercial entities,” says Maurizio Garavello, VP-APAC, Websense. In conversation with Jasmine Desai
Defend, Detect, Decide and Defeat

What benefits are you expecting from the coming together of Websense and Raytheon?
The joint venture will enhance the scope of the technology for security that we are providing to our customers. Raytheon will benefit from 5,000 and more partners that we have in more than 50 countries. It would have taken Raytheon many years to build a commercial infrastructure of this size with the partner ecosystem and technical teams. In a world where the commercial environment is getting more and more complex, Websense will benefit from Raytheon’s technology. However, there will not be any major change in the way we conduct our business, we will continue to work with our channel partners.

How will the joint venture affect your existing customer-base?
Our customers will have access to technologies that were previously available just for defence sector. Even the SMBs can deploy this system. Different sides are coming together and post the merger it will be one single solution. Presently most attacks are against the military and defence systems. Hackers can take the solution that was used to attack the defence system and make it commercial. The next generation of the attack is going to be on such high level. The algorithm and understanding of it is already in existence. Cyber-war is the reality of our times—such attacks are increasingly being launched against commercial entities. Therefore it is important for commercial enterprises to deploy advanced security solutions.

The overall integration of security solutions is important, yet organisations continue to have different security solutions within their environments. What is your view on this?
You have put your finger on what is the most problematic part of the situation. From a vendor standpoint, it is not easy to demonstrate what integrated security looks like. In Triton architecture, integration is visible in areas like spam. With spam becoming more targeted and sophisticated it is getting harder for solutions to quarantine it. The power of integration is when completely different co-ordinates like URL and email security system understand the nature of attack and stop it at the right time. We define an attack in seven stages. We do not assure that we can catch hundred percent of attacks on all stages, but if an attack goes through all the stages and we catch 99.999% of the cases, then the exposure to a potential attack is extremely limited. If a solution just looks at one layer, then the potential for an attack increases manifold.

What steps can the organisations take for developing a holistic and long lasting system of data security?
The organisations that understand data security seldom talk about technology. Technology is the last piece of their problem. Data security is a complex subject, it should not be seen solely as a holistic problem for which there must exist a holistic solution. There are factors like volume of the data, if the volume is too high then the data can become unmanageable. But with right kind of technology there will be no problem in scanning terabytes of data. The problem lies in deciding who can access the data and who can do what with it. One has to prioritise critical information. If there is the view that every bit of information is critical, then there will be failure. So categorising of the data is important. A broad approach is needed to tackle different kinds of attacks.

What kind of impact is BYOD having on the overall security of the organisations?
Due to BYOD, the security problems are getting aggravated. Organisations need to know what systems are there in their environment. The information from security products needs to be quickly analysed to ensure that the organisations have actionable insights. Through our collaboration with Raytheon we have come up with the four Ds: defend, detect, decide and defeat. Decide and defeat are two aspects that we will add to the Websense portfolio post the joint venture.

jasmine.desai@expressindia.com
INTERVIEW SHANKAR AGGARWAL SECRETARY, GOVT OF INDIA
INFORMATION TECHNOLOGY & THE PACE OF LABOUR REFORM

“We are making it easier for the employees to transfer their PF account when they change jobs. Every employee has a portable UAN (Universal Access Number), which acts as an umbrella for multiple member IDs allocated to an individual by different employers. We have already issued around 4.2 crore UAN,” says Shankar Aggarwal, Secretary, Ministry of Labour & Employment, Government of India

What initiatives are being taken to implement labour reforms in the country?
There are a number of challenges that must be overcome for implementing labour reforms. However, the government is serious about pursuing these reforms and we are very consistent—we are looking into each and every labour law with the objective of making these laws in sync with the time. While carrying on with the reforms, we are also trying to ensure that the interests of the employees are safeguarded in terms of safety, security, hygiene, health and social security net. We have banned child labour in the country—any child below the age of 14 cannot work.

What kind of labour laws is the government trying to develop?
The labour laws must be such that they encourage entrepreneurs to set up new enterprises and create jobs for the people. The entrepreneurs in the country should be encouraged to set up small enterprises that provide jobs to 5, 10, 20, 100, 500 or even 1000 people. The fear of labour laws should not stop our entrepreneurs from starting new businesses or expanding their existing businesses. The aim of the labour laws is to safeguard the interests of the employees, and provide them a decent amount of protection from arbitrary job losses. However, the interests of the employees can only be protected when there are enough jobs.

The IT Industry is one of the largest employers in the country. This industry is also highly competitive and subject to sudden technological changes. What steps can the ministry take to develop labour laws that will ensure that the IT industry keeps growing?
The bigger IT companies are keen to ensure that they should be able to comply with labour laws electronically. They want the laws to be clear, so that they are not penalised for flimsy reasons. We are now trying to ensure that the labour laws are easy to comply with. We are also working to enable the IT companies to retrench employees at times when the company does not have sufficient work. Some IT companies face the problem of female employees working in the night. We are trying to help them deal with all these issues.

What should be done to ensure the safety and security for female employees working at night shifts?
We are proposing that the female employees should be allowed to work in all shifts. There is no valid reason to deny women the right to work in night shifts. Only thing is that adequate security must be provided to the female employees so that they can commute from their place of stay to the place of work and back safely.

Tell us about the websites that the Ministry has started to serve the needs of the employees?
We have the website for EPFO (Employees Provident Fund Organisation) and ESIC (Employees State Insurance Scheme of India). We are also having the portal for Chief Labour Commissioner. A number of tasks can be easily carried out at these portals. Such web based facilities are important, when the employees tend to change jobs quite frequently and they have to transfer their PF accounts. In case the employee is facing any problems in his PF accounts or on any other issue, he can file an electronic complaint.

What steps are being taken to deploy IT for reaching out to the employees?
We at the Ministry of Labour & Employment are determined to ensure that IT is deployed for taking care of all our compliances. Every compliance must be routed through an IT platform, and every piece of information must be in public domain. If any company is putting its information in the public domain and if it is indulging in some fraudulent activity or mischief, people will come to know and someone will file a complaint. However, the businesses should not be prosecuted for flimsy reasons, only when there is evidence of a major crime being committed, the prosecution should be launched. We are making it easier for the employees to transfer their PF account when they change jobs. Every employee has a portable UAN (Universal Access Number), which acts as an umbrella for multiple Member IDs allocated to an individual by different employers. We have already issued around 4.2 crore UAN.
COVER STORY
TECHNOLOGY
DEFENDING THE CYBER FRONTIERS OF DIGITAL INDIA With the progress of the Digital India and Smart City programmes, as governance and businesses make the shift online, it is high time to consider security solutions that will preempt hacking and protect the nation’s cyber assets from potentially crippling attacks BY MOHD UJALEY
INSIDE
KARNATAKA’S POLICE IT ECOSYSTEM Sanjay Sahay, Additional Director General of Police, Karnataka
SECURING BFSI IN EVOLVING THREAT LANDSCAPE P Sitaram, Executive Director, IDBI Bank Ltd.
DEDICATED LEGISLATION FOR CYBER SECURITY Pavan Duggal, Cyber Law Expert, Advocate, Supreme Court of India
SECURITY ANALYTICS SYMBIOSIS Growth in the number of sophisticated cyber attacks means that even the best security system can now be breached
Recently the website of the Indian Space Agency’s commercial arm, Antrix Corporation, was hacked. The hackers succeeded in defacing the home page with an article about 300 kids from Cape Town getting American Major League jerseys at cheap prices from China. This incident shows how vulnerable India is to cyber security attacks. The nation has to develop better network filters and early warning devices. We must add new firewalls around the computer systems that are used by the government organisations.
Embedding security at planning stage

The websites are the public face of government undertakings, and if the hackers succeed in defacing these websites, it can lead to erosion of public trust in these undertakings. In the Digital India programme, the government seeks to connect all parts of the country with a digital highway. But what stops the hackers from using the same digital highway to steal vital information? Security experts are of the view that malicious cyber attacks are possible on power grids, telecommunication, air traffic control, banking system and all the computer-dependent enterprises.

“The information and the infrastructure needs to be secure. That is why security must be firmly embedded at the planning stage itself of ‘Digital India’ rather than as an afterthought or for that matter, as a reactive step,” says Deepak Maheshwari, Head–Government Affairs, India Region, Symantec.

In the last five years, there have been a number of incidents in which the online systems owned by government departments and public sector undertakings were targeted. With the progress of the Digital India programme and the Smart City initiatives, there will be a very high level of digitisation. Unless sufficient security measures are taken by the government, there can be a rapid escalation in the problem of security breaches.

Altaf Halde, Managing Director, South Asia, Kaspersky Lab, is of the view that Digital India will involve different technologies communicating with each other in different ways, hence the prediction and elimination of all possible security issues can happen only when the government considers security to be an integral part of the digital journey. “Security considerations have to be taken care of right from planning stage to the actual implementation of technologies,” he says.

In today’s world cyber security has become integral to national security. Government engages with the citizens through the websites, mobile devices and even in the social media. As the Digital India programme progresses, the level of online interaction between the government and citizens will go up further.

Sidharth Malik, Vice President and Managing Director, Akamai Technologies, says that the aim should be to attain maximum digital penetration with minimum cyber risks. The cyber risks can only be minimised when innovative and credible solutions are developed and deployed from the beginning. In any project, security must not be an afterthought. The best results can be achieved only when the security systems are a holistic part of the overall infrastructure.

Emphasising the need to embed security at every stage of Digital India and Smart City initiatives, Chris Lin, APJ Sales Leader of Veritas says, “With technology as its pivot, the Digital India initiative calls for a collaborative effort that draws on global innovation, experience, IT talents and expertise. In order to realise its true potential, such an effort requires an entire ecosystem of support and an apparatus for implementation that has to be developed and matured since very first day to over a period of time.”

“Whatever government does under the umbrella of Digital India, it must set the minimum acceptable standard of security for data in the beginning of the project itself. It will not only help the stakeholders involved in the project to understand the various risks involved but also help in effectively marching the project,” says Ranndeep Chonker, Director, Global Solutions Provider, FireEye.

Echoing the concern raised by Chonker, Surendra Singh, Country Director, Raytheon | Websense asserts that there is the need for setting up robust data security practices. The government has to secure citizen data related to land records, PAN and Aadhar numbers, etc. The leakage of such data can cause considerable hardships and losses to the citizens. Therefore it is important for the government to set the security standard; it is also important for the vendors who are dealing in these projects to adhere to the best security practices.
Fixing vendors’ responsibility

It is true that all good initiatives are as good as the governance model established around ensuring that the services are used in the right way and also that the risks are adequately understood, monitored, and managed. In Smart City and Digital India, government will be working with different vendors for implementation of different aspects of the projects. Much of the success is likely to depend on how effectively government can channelise the capacity and potential of the private vendors.

Anil Bhat, Associate Vice President, Platform Development, MetricStream, points out, “Government has to work with a diverse set of vendors to bring Digital India initiative to fruition. The success depends on how effectively the government is able to manage the risks around evaluating, monitoring and controlling vendors.”

Sunil Khanna, President and Managing Director, Emerson Network Power, India, explains, “In order to ensure that Digital India is a success, the government will require infrastructure, mobile operators, system integrators, and solution providers. The telecom sector and the government will require data centers and Data Center Infrastructure Management (DCIM) solutions on a larger scale than ever. Therefore, a greater synergy between government agencies and private companies is needed at every stage of this ambitious project.”

Some experts have a different opinion on the system that needs to be adopted for effective management of vendors for government projects—they are of the view that no network is 100% secure and the possibility of breaches is always there in any system, hence more than fixing of the onus, it is important that stakeholders work together for mitigating the security challenges.

“No matter how much money is spent on security, no network is 100% secure from breaches. There should be an incident response plan to ensure that there are processes, procedures and skilled resources to quickly identify and mitigate threats as soon as they hit a network. Leaders from across the country who have a stake in this issue — industry, technology companies, law enforcement agencies, consumer and privacy advocates, law professors who specialise in this field, and students — must collaborate and explore partnerships to develop the best ways of bolstering cyber security,” says Rajesh Maurya, Country Manager, India & SAARC, Fortinet.
Creating a healthy regulatory environment

From a regulatory point of view, the government needs to look at cyber security holistically. A well articulated and robust cyber security policy is needed to prevent security breaches and ensure responsibility. The country has the Cyber Security Act of 2013, but this has not been fully implemented. One of the core strategies outlined in the Act is to appoint a CISO (Chief Information Security Officer) who shall be responsible for cyber security efforts and initiatives, for public and private organisations. But this policy is yet to be fully implemented.

“One of the first steps towards improving security is to ensure that a regulatory framework is created around Cyber Security Act of 2013 and a good governance structure established,” says Bhat of MetricStream.

“The fact is that we have ignored security issues for too long. Last year more than 150 .GOV and .NIC domains were hacked. We have poor regulations in privacy protection, data protection, cyber law, e-governance, e-commerce etc. All initiatives pertaining to delivering public services in an efficient manner through electronic governance will see lack of momentum and growth unless we tackle security issues and work towards citizen data protection,” says Singh of Raytheon | Websense.
Security must be firmly embedded at the planning stage of ‘Digital India’ rather than as an afterthought
Deepak Maheshwari, Head–Government Affairs, India Region, Symantec

All the stakeholders must collaborate and explore partnerships to develop the best ways of bolstering cyber security
Rajesh Maurya, Country Manager, India & SAARC, Fortinet

SEPTEMBER, 2015
“CYBER SECURITY IS OF PARAMOUNT IMPORTANCE”

Critical awareness related to the do’s and don’ts in the age of Digital India is needed
Ambarish Deshpande, Managing Director, Blue Coat Systems, India

We should aim at attaining maximum digital penetration while incurring minimum cyber risks
Sidharth Malik, Vice President and Managing Director, Akamai Technologies
EXPRESS COMPUTER
CERT-In has hosted the website “secureyourpc.in” wherein the guidelines have been prescribed for online users not only to secure their system and also the name of the agency which can be approached in case of any incident or cyber security issue, says R S Sharma, Secretary, DeitY, Government of India.

Department of Electronics & Information Technology has undertaken specific projects to safeguard and to promote online security particularly for home and Internet users in the country. CERT-In is engaged in setting up a ‘BOT Cleaning Centre’ for cleaning the infected systems in the government, public sector, industry and home users. It may be mentioned that CERT-In is tracking the infected systems in the country through different channels and sharing of information by various agencies. At present, CERT-In advises the Internet Service Providers about compromised systems who in turn are required to take up with the concerned users. Such arrangement is becoming little more cumbersome as service providers are not geared up to inform the owners of the infected systems. ‘BOT Cleaning Centre’ will monitor the infected system online and issue notification to the owner of the system to clean their infected system. Side by side CERT-In is also expanding its activities to provide scanning facilities to the users to clean their systems online. ‘BOT Cleaning Centre’ and the tools hosted on the CERT-In site to clean system will form the comprehensive system to provide a step towards online security in the country.

CERT-In has also hosted the website “secureyourpc.in” wherein the guidelines have been prescribed for online users not only to secure their system and also the name of the agency which can be approached in case of any incident or cyber security issue. The said website is being accessed by more than 100,000 users everyday.

CERT-In also scans the websites particularly in the government and the public sector from the point of view of defacement. Such a task is undertaken in collaboration and cooperation with other agencies including the search engine. The owners of the website are advised about the infected/defacement of the website on a daily basis and the guidelines provided to clean up and protect their website. The mandate has already been issued that all the government websites need to be audited with respect to the security before hosting on the servers. Such a mandate is being followed strictly.

To help the organisations in this regard, CERT-In has already empanelled more than 40 cyber security auditors to audit the systems as per the users requirements and help them to implement security on their ICT information. Such a service is being used by the organisations throughout the country. CERT-In is also conducting cyber security mock drills in the country. So far CERT-In has conducted nine such drills and about 200 organisations had participated in the drills. The objective of the drill is to prepare the organisation to detect, mitigate and recover the system in case of cyber attacks of different nature.
Ambarish Deshpande, Managing Director – India, Blue Coat Systems, has a different point of view on regulatory frameworks. He says that India is in no way lagging behind in regulation, but the problem lies in implementation. The country does have a strong IT Act, but more than an Act, we need an aware and professionally trained security workforce.

Agreeing with Deshpande, Altaf Halde of Kaspersky Lab points out, “India has already started moving in the right direction when it comes to regulations and privacy protections. We have seen and observed a lot of action from governments across countries. They are doing their best, to get the infrastructure needed to counter cyber-attacks.”

He also explains that, as a part of Digital India, the government has planned to launch ‘Botnet cleaning centers’. A botnet is a network of malicious software that can remotely gain control of devices, steal information and carry out cyber attacks such as Distributed Denial of Service (DDoS), which prevent access to websites. The facility will be under the supervision of the national cyber security watchdog – Indian Computer Emergency Response Team (CERT-In).

Chandra Sekhar Pulamarasetti, Co-Founder & CEO, Sanovi Technologies, points out that the area of IT disaster recovery might be of greater importance. He says, “One area that lacks strong regulatory mechanism is IT disaster recovery preparedness when outages occur. There has to be strong regulation in this area to ensure that all agencies and vendors, which are operating the Digital India infrastructure, must deploy effective and automated business continuity and IT Disaster recovery management solutions, ensure they are tested regularly and complied with. Government can take the cue from Reserve Bank of India which has addressed this concern by bringing in comprehensive regulations in this area for all banking institutions in the country.”
Greater synergy between government agencies and private companies is needed at every stage of Digital India
Sunil Khanna, President and Managing Director, Emerson Network Power, India

Awareness is the silver bullet

Awareness is the key when it comes to fighting cyber crime, but we do not see private companies taking initiatives to conduct awareness campaigns for cyber security. They would rather leave the task to the government agencies. The truth is that cyber security is a major challenge for enterprises as well as government departments.

“Private companies cater to cyber security to the level of compliance. We are yet to see large investments for improving cyber security in India. Having said that, the recent incidents of cyber espionage have made the corporate world realise the importance of cyber security. Private companies are now working for creating awareness of best practices in cyber security and on the adoption of advanced data privacy technologies for protection against zero day attacks,” says Surendra Singh of Raytheon | Websense.

Maheshwari of Symantec adds, “Private sector has also been driving awareness campaigns, but these campaigns are having limited reach and impact.”

While the government has numerous initiatives for information security awareness and education, it cannot manage the task of securing the entire Digital India infrastructure. The programme is too vast for its security to be centrally managed by the government. Public-private partnerships are crucial.
As most of the security solutions are developed, manufactured and deployed by the private sector, the country must create an enabling atmosphere for the private security companies to collaborate with the government organisations for implementation of security solutions in Digital India projects.

“Awareness of cyber security threats in India is low but it’s improving in part due to quality research. Greater awareness drives more organisations to adopt technologies which help them respond to advanced attacks. We need to increase our supply of cyber security talent and share critical threat intelligence that provides the information needed to gain the upper hand against cyber threat groups,” says Chonker of FireEye.

“You can have the best of technologies in place, but if the awareness is not there, the usage of technology is not properly handled, it is going to be a challenge. Currently, generic awareness is there but critical awareness related to do’s and don’ts in the age of Digital India is needed,” adds Deshpande of Blue Coat Systems.

“More and more enterprises are hiring CISOs who are trained to build the necessary infrastructure as well as train employees on cyber security. This is a continuous learning and enterprises are getting better over time. However, to speed up the process, leveraging CIO/CTO/CISO gatherings for sharing best practices and steps that should be adopted to mitigate the attacks need to be held on a regular basis,” says Sidharth Malik of Akamai Technologies.

With its archaic governmental system, India has not been able to spare funds and time for ensuring adequate cyber security—this needs to change. The Digital India and Smart City initiatives can’t succeed unless the cyber infrastructure is fully secured. It is time to realise that the cyber space is as much a national asset as the physical space. We can have improvement in the security of cyber space only when government agencies and the private sector join hands and work as a team.
mohd.ujaley@expressindia.com
INTERVIEW ED BRANDT MASTERCARD
ACCELERATING FINANCIAL INCLUSION THROUGH CASHLESS TRANSACTIONS

“E-governance is important for developing countries, as the transparency, trust and efficiency created through e-governance systems can lead to vast improvement in the nation’s economy,” says Ed Brandt, EVP, Managing Director, Government Services and Solutions, MasterCard. In conversation with Ankush Kumar

What kind of success is MasterCard having in executing projects for governments around the world?

During the last few years there has been a major transformation in the way in which MasterCard works with governments in various countries. We provide services that are useful for addressing issues related to development of payment systems for financial inclusion. In 2012 MasterCard had programmes in 18 countries, and now we have expanded our reach to 56 countries. Currently about 700 of our programmes are running globally.

What is your view of the extent of adoption of plastic money in developing countries?

The developing countries are on the cusp of plastic money revolution—the barriers of access and identity are now being rapidly broken. Adoption of digital technology for payments is accelerating as lower cost mobile phones are becoming the vehicles for access in rural areas. Digital biometrics is leading to trusted identities, which is the foundation of every viable financial system. Trust is also building as governments, businesses and citizens are now recognising that the cost of transactions is too high, and that there are manifold benefits in being included in the formal economy. In Egypt we are working on a terrific programme, which will link the virtual MasterCard wallet with the government identity for an expected 54 million citizens. Since it is secure and efficient, the Government of Egypt will be making payments through this system. When funds start arriving digitally on the phone, people have an incentive to keep it digital and thus the cashless journey begins.
Tell us about the challenges that are generally faced while working with the Government of any country?

The opportunities in this area are tremendous. Governments are the single greatest enabler of change—they can provide access and scale as about 30 percent of the income of the citizens who are financially marginalised comes from them. This tremendous scale is evident in many MasterCard programmes. For instance, in South Africa we reach one in every three adults with the SASSA MasterCard and in Russia we reach one in every five adults with a government benefits card. The efficiency that has been created is quite remarkable. The operational costs have come down and the leakages are plugged. In South Africa, the government has eliminated 850,000 social grants and enabled redeployment of those funds to deserving individuals.

How important is e-governance for developing economies like India? In what ways it can be successfully implemented?

E-governance is important for developing economies, as the transparency, trust and efficiency that can be created through e-governance systems can lead to vast improvement in the nation’s economy. The governments can play an important role in enabling the businesses and the citizens to adopt electronic payment systems. Once a large section of the society adopts the digital payment systems, it can have a multiplier effect on the economy. For instance, a fully electronic procurement process can drive businesses to accept electronic payments and this will lead to much more transparency.

What role is MasterCard playing in promoting digital payments in developing countries?

At MasterCard, we see digital technology as the financial lifeline for helping people achieve their full economic potential. MasterCard is a technology company and we are investing globally to innovate even better solutions. We are leveraging our investment in technology in over 200 countries. People often underestimate the complexity and the cost of keeping technology current. We continually invest for ensuring that our network provides safe, simple and secure transactions. We have large investments for innovation labs around the world that are turning out powerful solutions for deployment in different markets. We enter into partnerships with government or private entities to deliver our products. MasterCard has global experience as a market organiser, and we are capable of bringing together local and global participants for implementing solutions.

How do you think last mile delivery and payment systems innovations could help transform India’s economy?

It is the transformational potential that makes the advancement of digital payment technology so exciting. One easy illustration is the impact on small businesses. Through electronic payments, a business’s marketplace expands beyond its local village and it can source materials from the best and most efficient suppliers. Further, once connected to the formal economy, businesses can raise capital to fuel an entrepreneur’s growth and creation of new jobs.

What are the expansion and investment plans of MasterCard in India in next few years?

While it would be difficult to quantify on our precise investment plans, it is fair to say that MasterCard sees tremendous opportunities in India, and we are excited to play a larger role in the market. For example, on the side-lines of the Vibrant Gujarat summit held in January this year, we signed an MoU with the Gujarat state government to collaborate on a number of strategic areas, including digitizing and streamlining the procurement payment process in various government departments and develop a mobile-based solution for the transfer of government benefits to beneficiaries. We have also implemented various projects with the state governments of Chhattisgarh, Madhya Pradesh, DMRC, and National Skill Development Corporation (NSDC).

Tell us about the newly launched Technology Hub in India?

The India tech hub unveiled in February, the largest such facility outside of the US, is a key part of MasterCard’s strategy to drive the development of cutting edge payment technologies aimed at enabling a cashless world. It allows us to engage with technologists, engineers and developers, collaborate with customers, and puts MasterCard at the Centre of India’s rich talent pool. The Tech Hub comprises of two facilities – one in Pune, which represents our Centre of Excellence for our processing businesses, and Vadodara, which serves as our Centre of Excellence for mobile payment solutions and digital wallets. Today, we have approx. 10% of our global workforce in India. In 2014, we spent US$250 million to invest in scaling up our technology footprint here in India. We want to leverage the diverse talent pool of highly skilled workforce in India to accelerate the development of global innovations and product development. On the whole, this is an exciting time to be in India and under the Modi-led government; we are seeing a confluence of opportunity between business and the government’s push towards Digital India and accelerating financial inclusion.

ankush.kumar@expressindia.com
INTERVIEW PAVAN DUGGAL CYBER LAW EXPERT
DEDICATED LEGISLATION FOR CYBER SECURITY

“The push towards building massive IT infrastructure that will transform the country into a connected economy and realise the vision of Digital India, necessitates the need for strong cyber security mechanism to keep the citizen data safe and secure,” says Pavan Duggal, Advocate, Supreme Court of India. In conversation with Mohd Ujaley

A massive digitisation drive is underway currently under the Digital India programme. Is the cyber security system in India robust enough to safeguard the public data that will go online under this programme?

In today’s world, the word crime has become inseparable from the word cyber. Under the Digital India programme lot of vital information and public data will be put online for providing all kinds of services to the people. One of the touchstones on which the success of Digital India programme will be analysed is the aspect of cyber security. Ultimately, the Digital India programme can only be as secure as its weakest link. Unfortunately not much is happening for ensuring that proper security is in place for all the IT systems that we are creating. Presently our focus is not on cyber security. I would say that we should try to learn from China; in July the country came up with a new law, which states that cyber sovereignty is an integral part of national security. India has also made some laws in the area of cyber security, but we need to do a lot more. Our National Cyber Security Policy of 2013 is only a paper document, lot more needs to be done in this area.

You are saying that not much has happened in the area of Cyber Security Policy of 2013, so what should be done to improve the situation?

India requires a new legislation that is wholly dedicated to cyber security. It is not sufficient to merely put cyber security as a part of the IT Act. We have to see cyber security not only from the sectoral perspective, but also from the national perspective. In our country, the critical IT infrastructure is primarily in the private hands, hence it is imperative to define the duties of the private sector, and also the government entities, in the area of cyber security. Even the IT Act of 2008 does not do much in this area. A dedicated cyber security legislation is a key requirement for us. Once again, I will reiterate that we need to learn from what China has done in this area.

IT Act of 2008 lacks the basic parameters to make Digital India a success. India requires a distinct new legislation dedicated to cyber security

In your view what is the reason for India being unable to pass a dedicated legislation on cyber security?

Such legislation has never been a priority for the country. In 2002, when we passed the IT Act 2002, the focus was on having a legislation to promote e-commerce. As a nation, we were not concerned about cyber security then. After the Mumbai terror attack, the government amended the 2002 Act in 2008 and this led to an enlargement of the umbrella of cyber crime. From 2008 to 2015, lot of water has flown under the bridge. Today the cyber criminals are capable of launching much more sophisticated attacks as compared to those in 2008. We need to take our fight against cyber crime to a new level in order to meet the challenges of 2015 and the coming years. Unfortunately, we are not able to move forward in the direction of having stringent legislation.

So are you saying for robust security framework in Digital India, a dedicated legislation is must?

Absolutely, because legislation will be the important component for the new government to move forward if it has to make its digital India programme a success. IT Act of 2008 lacks the basic parameters to make Digital India a success. But I agree, you can't blame the law because it did not have even the vision in year 2002. But now as the focus on participating governance increases, the priority of the government is to ensure that governance delivered on mobile platform to ensure the emergence of a knowledge economy. And, for all these we do need a new legislation in the area of cyber security.

Other than having a dedicated legislation to combat cyber crime, what else can the nation do to fight this menace?

We need to do far more than what is being currently done on capacity building among the law enforcement agencies for cyber security. We need to realise that we are behind the curve on handling cyber security. In the current scenario, the cyber security breaches are not being given enough attention by the law enforcement agencies. This needs to change. We can’t have national security unless we pay adequate attention to cyber security. A successful attack on the IT systems of a vital infrastructure like power grid, airport, etc., can have an impact on the economy of the country.

Many of the cyber attacks on private enterprises and government organisations go unreported. What can be done to ensure that the security breaches get reported and investigated?

Unfortunately, the under reporting of cyber security incidents is a norm these days. People in our country do not report about cyber breaches, because they feel that they may not get a conducive response from governmental agencies. They also fear that if they report a security breach, the reputation of their company might take a hit. Also, currently it is not mandatory for companies to report the breaches.

Are you of the view that a regulatory body like SEBI should make it mandatory for companies to report cyber breaches in the same way that they report other aspects of their performance?

The primary responsibility is of the government. They need to come up with strong provision. The IT Act 2000, recognises the concept of intermediaries or service providers who provide any service on the network— they are mandated under Section 79(2)(c) of IT Act to conduct due diligence while they discharge their obligation. Now the government needs to specify the protection and preservation of cyber security as an integral part of the due diligence conducted by the intermediaries. Also, the sectoral regulator must play a proactive role. For instance, on 6 July 2015, SEBI came up with new set of guidelines for all the repositories and depositories in the context of their protecting cyber security. This is a very limited exercise, but it is a small step in right direction.

SEBI guidelines on cyber security for all the repositories and depositories is a very limited exercise, but a small step in right direction

Do you think that India needs to come up with a system to compensate people when they make losses due to cyber security breaches?

Absolutely, we need to define the rights, duties and obligations of all the key stakeholders. The government should come up with cyber security guidance for breach victims. It can list steps that an organisation should take to prepare for potential breach. Currently we have some limited ground under the IT Act 2008 but those are not adequate as it was never really drafted keeping in mind exigencies of protecting cyber security.

mohd.ujaley@expressindia.com
FEATURE
SECURITY ANALYTICS
SECURITY ANALYTICS SYMBIOSIS

We live in a complex digital world where organisations face a rapidly changing risk landscape. The exponential growth in the number of sophisticated cyber attacks means that even the best security system can now be breached.

BY JASMINE DESAI
The Data Breach Investigations Report (DBIR) 2015 by Verizon shows that in 60% of the cases, attackers manage to compromise the organisation within minutes. As the “detection deficit” is critically high in most organisations, many of the attacks are successful. The growing sophistication of the attacks is now forcing the businesses to deploy security analytics solutions.

According to Ionut Ionescu, Director, Cyber Threat Management, Wipro, security tools can detect only the known vulnerabilities—this is primarily because these tools operate on the basis of what is already known. They can only offer defence against attacks that are similar to the attacks that have occurred in the past. But in the case of security analytics, machine learning algorithms are deployed. These algorithms can detect vulnerabilities and attacks that are mostly unknown.

Sonit Jain, CEO, GajShield, says, “Analytics-driven security enables realtime monitoring of network traffic, it also helps in consolidating and coordinating event data from applications and network logs. This helps enterprises set up intelligent security models rather than just rely on IPs and usernames that often are without any context.”

He is of the view that security analytics can bring in-depth information to the network flow and security incidents. Analytics-driven security can give a definite form to the data flowing through the enterprise, and by doing that the technology can help in preventing breaches. Context-based deep inspection technologies help identify threat vectors and the type of information, external identity and risk level. All this can help in identifying the source of data breaches and data leaks.

Michael Smith, APJ Security CTO, Akamai Technologies, says, “Most security tools are built around individual log events. What you get out of SIEM, Big Data platforms and related operational processes is the ability to correlate different events into a bigger picture, which I refer to as a meta-event. When you go into a data analytics platform and teach it to recognise the traffic pattern, then you are essentially mining for the information on the attacker.”

Elaborating on the issue from the perspective of users, Leela Krishna Munnangi – Head IT, Broadridge Financial Solutions, India, says, “Security analytics offers significant enhancement in security breach detection capabilities. It provides the much needed value add.” He is of the view that security analytics has greater accuracy in real-time breach detection (primarily in external malware threats). It can lead to improved TAT on detection and the prioritising of the action plan. It results in a low rate of false positives, a rate that is relatively higher in most security intelligence and SIEM systems.
Execution of Security Analytics Framework

Driving such technologies within an organisation requires a roadmap. Avinash Kadam, Advisor – ISACA India Cybersecurity Initiative, says, “Integrating security analytics into governance, risk and compliance (GRC) processes allows security and business teams to build a common language and discussion framework around risk scenarios. When framed in the GRC taxonomy, analytics provides the context, which the businesses can understand and use while making decisions in areas ranging from improving business processes to making necessary security investments. It is this fundamental need to mature from risk identification to risk analysis and, finally to risk intelligence that drives the maturity of security analytics programs.”

In the enterprise models, where users access applications, development platforms and network infrastructure as a service over the Internet, a successful deployment can happen only when a holistic view is taken of the existing infrastructure and the needs. All the factors may not be in the direct control of the IT departments, but if anything goes wrong they are expected to fix it. Therefore, it is important that IT and the business work together to establish a process and methodology that orchestrates the adoption of SaaS applications into the enterprise.
Quite a few organisations have invested in security data analytics but they are yet to realise the value of their investment
Michael Smith, APJ Security CTO, Akamai Technologies
Ionescu of Wipro shares the details of a case in which Wipro provided security analytics services to a large energy company. He says that Wipro used Big Data analytics to perform an off-line analysis of the energy company’s access and identity management systems. The analysis identified patterns of behaviour in ICT infrastructure use that necessitated a deeper investigation, which, in turn, yielded some interesting DLP protection use-cases and insights. The client could fine-tune its existing security system to ensure that there was an overall reduction in the misuse of data or data leakage.
Getting the Best from Security Analytics

The most effective way of getting the best out of security analytics is to fully utilise its capabilities of real-time breach detection. Says Munnangi of Broadridge Financial Solutions, India, “It is important to enhance scope of security analytics to include more data points, which can further improve the accuracy of detecting a breach.”

Vivek Chennamaneni, CTO, Netxcell Ltd., says, “The deployment of security analytics solutions has the effect of moving the security analyst to a forward position in the attack lifecycle. Proactive analysis becomes part of the security operations. In my view, CIOs should start by focusing on proactive analytics; based on the insights that are gained, they can devise a better risk management strategy.”

It is also vital that CIOs understand how and where investments can be applied to strengthen security and mitigate risks. Jain of GajShield says, “CIOs should focus on deploying context-based security. It should be a comprehensive adaptive platform and the organisation should secure business information using risk management with context-based security.”

Yuvraj Pradhan, Sales Engineering Manager, India & SAARC, Intel Security, is of the view that while the enterprise solution is being deployed, the adaptive platform of security analytics must also be put in place so that the system works well with other business security applications. They should ensure that the security solution has the right tools like analytics, encryption, etc., at each layer of data transfer. This will make it easier for the IT teams to identify attacks and reduce risks.

As enterprises increasingly rely on mobile, internet and the connected ecosystem for productivity and competitive edge, they generate a huge volume of complex data. With the right set of security big data analytics, enterprises can take advantage of valuable insights into business risks far beyond the realm of IT.

Smith of Akamai says, “Organisations need to start small, by planning goals that are achievable. Quite a few organisations have invested in security data analytics with big ideas, but they are yet to realise the value of their investment. What they are facing is essentially the classic CIO problem of properly deploying people, processes, and technology. The best strategy is to start small and then keep adding resources as you learn.”

At Akamai, they have a WAF (Web Application Firewall) that is sold as a service. During the last two years, the company created a Big Data solution known as Cloud Security Intelligence (CSI) to consume all the events from the WAF as unstructured data in “attribute:value” pairs. This leads to the ability of analysing 30+ days of events.
Role of CIO
Ajay Dubey, Regional Sales Manager, Websense says, “The scope for CIOs in context of security analytics is broad and it can help them identify information breaches and reduce the impact of cyber attacks. Innovations within security software have automated many of the tasks that are related to detection and blocking. There is better protection from next-generation firewalls and intrusion-prevention systems.” He is of the view that security analytics platforms are best suited to raising awareness of security events by gathering and analysing data. Such solutions can ensure that the events that can be a security threat to the organisation are detected and neutralised with better accuracy.
CIOs have to develop a security program that addresses the organisation’s unique security risks and requirements. By developing a unified security analytics framework, organisations can analyse massive amounts of behavioural data and other indicators to distinguish between malicious and legitimate business activities. Essentially, security analytics solutions have to be able to correlate events based on time and user behaviour across the networks and devices in the organisation.
Dubey explains the idea by giving the example of an issue faced by one of Websense’s clients. He says, “Recently one of our clients received an infected email from a recognised sender. It later came to light that the sender’s email ID had been compromised by a hacker who then used the account to send the email to our customer. When our customer clicked the link that he received in his email, he got redirected to a malicious site from where a zero-day malware got installed into his machine. All this happened while the customer was waiting for some information to download.” “Our customer closed the window but the malware was already installed. Next day when the customer was in his corporate office, the malware encrypted some critical data (like Intellectual property) and tried to send it to someone outside. As the customer was using DLP, this was blocked and our engineers found that there was an infected machine. They immediately swung into action and neutralised the malware.”
Annie Mathew, Director, Alliance and Business Development, BlackBerry, says, “CIOs are responsible for choosing and deploying the security solution, which is most suitable for meeting the needs of the enterprise. During the deployment of enterprise solutions, adaptive platform of security analytics should be put in place so that it works and coordinates well with other business security applications.”
Skill-set is another parameter that is closely tied to the success of the solution. According to Sid Deshpande, Principal Research Analyst, Gartner, CIOs must be aware that any analytics-backed security technology can only be as effective as the skill of the analysts or operators who are managing the tool. “The issue of skills is of primary importance in case of security analytics deployment,” he says. He is of the view that we can expect better implementation of security analytics by a broad range of enterprises in India when the vendors of such solutions start aligning their solutions to the business requirements of their customers.
jasmine.desai@expressindia.com
FEATURE
BANKING INDUSTRY
STAYING AHEAD OF FRAUDSTERS
Banking fraud poses a serious threat to customer confidence, the efficiency of the payment system, and the bank’s bottom line. To mitigate fraud risks, banks are going into overdrive to deploy security solutions.
BY ABHISHEK RAVAL
An RTI query has revealed that depositors in India have lost close to Rs. 27000 crore in the last five years due to fraud. But this amount is just an estimate; the final figure of the loss is much higher. Recently, the Parliament was informed about the RBI data, which shows that close to 9,300 cases of fraud involving ATM cards and internet banking were reported in April-December 2014. Internet Banking/ATM fraud, e-Banking fraud and Identity fraud are the three key areas of concern for bankers today.
Know Your Customer
While there is a significant rise in the number of sophisticated cyber attacks, frauds are also happening due to the flouting of Know Your Customer (KYC) norms. There are increasing instances of fraudsters using forged or tampered documents. Banks have detected many cases of document forgery where the fraudsters pose as genuine customers. Speaking at a BFSI event in Mumbai, Sanjay Rai, Additional Director, Special Frauds Investigation Office (SFIO), said, “There is lack of care on the part of banks on whether KYC norms are followed.” He also spoke about a case where a single customer managed to defraud multiple banks by flouting the KYC guidelines.
Arun Gupta, Managing Partner & Director at Ingenium Advisory and Technology Advisor, UNIKEN, says, “The issue fortunately or unfortunately is about scale. Banks are adding new customers at a faster pace. In the rush to enrol new customers there can be a slippage. Even few such mistakes can lead to fraud. Auditors scan random samples; they do not review every form. KYC being done by some junior officer or outsourced staff leads to mistakes, which can be genuine or intentional.”
“The major part of the KYC defaults happen in the private sector, where the focus is entirely on business development. The business development model is partly outsourced. Even the frontline counter staff have targets for opening accounts. People are forced to cut corners,” says Diwakar Gupta, Senior Advisor, Aditya Birla Financial Services and Former MD, CFO, State Bank of India (SBI).
The Enemy Inside
The security framework can become much weaker if there is a culprit working inside the bank’s perimeter. What if bank employees join hands with external fraudsters? They can take advantage of the blind spots in the system to siphon money. At times, the fraudsters target dormant accounts. “There are old people with significant balance in their account, which is mostly inoperative. They rarely come to the bank. The bank employee who knows about such inactive accounts can withdraw the money. It is possible that no complaint may get filed in such cases,” says Diwakar Gupta.
The risk of fraud engineered by their own employees is one of the biggest challenges that banks face. In order to curb instances of insider fraud, banks have started adopting Privilege Identity Management (PIM) solutions. “Some of the top Indian Banks - both public and private have implemented PIM. We are working on about a dozen RFPs floated by banks,” says Anil Bhandari, Director (Chief Mentor), ARCON.
PIM allows banks to protect critical information assets like databases, servers, network devices and storage devices from unauthorised access. The solution runs a dynamic password generation algorithm which changes and rotates the passwords on IT assets and stores them in a secure vault, which is protected by several layers of proprietary technology. Further, access to all critical devices or applications through any super user-id is controlled, and access is provided only on a need basis. The solution maintains a complete session recording of all user activities, which is also vaulted for future reference.
PIM and Privilege Access Management (PAM) rein in the super user’s access rights, including the kinds of applications he can enter. “The root user or the super user of a system, has total control over a system, and this is where most of the traditional security technologies failed. The need was to control and monitor the actions of this super user. This is where the PIM/PAM solutions come in handy,” says Devendra Parulekar, Practice Leader, India Information Security and Privacy, E&Y.
Many organisations are moving towards mapping who their users are, what they are accessing and what they need or don’t need to access. Companies don’t want to find themselves in a position where they are breached by an insider because the applications are misconfigured with reference to access rights.
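The dormant-account scenario described in this section lends itself to a simple monitoring rule. The following is an added example, not code from any bank or vendor named in the article: it flags debits on accounts whose holder has been inactive for a long time, and only customer-initiated activity resets the dormancy clock, so an employee cannot quietly "wake" an account with a small transaction first. The 365-day threshold, the field names and the sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

DORMANCY_DAYS = 365  # assumed threshold; the article does not give one


@dataclass(frozen=True)
class Txn:
    account: str
    day: date
    amount: float       # negative values are debits
    channel: str        # e.g. "branch", "atm", "netbanking"
    initiated_by: str   # "customer" or an employee id (hypothetical field)


def flag_dormant_debits(txns, dormancy_days=DORMANCY_DAYS):
    """Return one alert per debit that hits an account the customer has not
    touched for at least `dormancy_days`."""
    last_customer_activity = {}
    alerts = []
    for t in sorted(txns, key=lambda t: t.day):
        last = last_customer_activity.get(t.account)
        staff = t.initiated_by != "customer"
        if t.amount < 0 and last is not None:
            idle = (t.day - last).days
            if idle >= dormancy_days:
                alerts.append({
                    "account": t.account,
                    "day": t.day,
                    "amount": t.amount,
                    "idle_days": idle,
                    "initiated_by": t.initiated_by,
                    # staff-initiated debits on a dormant account are the
                    # insider case; a returning customer still gets a review
                    "severity": "high" if staff else "review",
                })
        # Only the customer's own activity ends dormancy. Staff entries do
        # not, so every staff debit keeps alerting until the customer returns.
        if not staff:
            last_customer_activity[t.account] = t.day
    return alerts


def staff_summary(alerts):
    """Map each employee id to the set of dormant accounts they debited."""
    touched = defaultdict(set)
    for a in alerts:
        if a["severity"] == "high":
            touched[a["initiated_by"]].add(a["account"])
    return dict(touched)


# Constructed sample data (not real transactions).
SAMPLE_TXNS = [
    Txn("ACC-1001", date(2013, 1, 10), 50000.0, "branch", "customer"),
    Txn("ACC-1001", date(2015, 3, 2), -100.0, "branch", "E417"),
    Txn("ACC-1001", date(2015, 3, 5), -45000.0, "branch", "E417"),
    Txn("ACC-1002", date(2015, 1, 5), 20000.0, "netbanking", "customer"),
    Txn("ACC-1002", date(2015, 2, 1), -5000.0, "atm", "customer"),
    Txn("ACC-1003", date(2012, 6, 1), 10000.0, "branch", "customer"),
    Txn("ACC-1003", date(2015, 4, 1), -2000.0, "branch", "customer"),
    Txn("ACC-1004", date(2013, 5, 1), 75000.0, "branch", "customer"),
    Txn("ACC-1004", date(2015, 3, 6), -30000.0, "branch", "E417"),
]

if __name__ == "__main__":
    found = flag_dormant_debits(SAMPLE_TXNS)
    for alert in found:
        print(alert)
    print(staff_summary(found))
```

An employee id that appears against several dormant accounts in `staff_summary` is the pattern worth escalating, since the account holders themselves may never complain.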
ATM & Card Frauds
According to the data from the Banking Ombudsman scheme (BOS), released by the RBI, the complaints regarding ATM / Debit / Credit cards in the year 2013-14 amounted to 18,474 vis-a-vis 17,867 in 2012-13. ATM fraudsters are coming up with innovative ways of hijacking the ATM; there have been instances where they have installed malware in the machines to conduct their frauds. Some fraudsters are also using social engineering techniques. Bharat Panchal, Head- Risk Management & Audit, CISO, National Payments Corporation of India (NPCI), says, “Fraudsters are using Social engineering techniques, especially in the rural areas to defraud innocent villagers.”
Here is one of the scenarios by which the scam is often carried out. A villager goes to an ATM; he has no clue about how to get cash out of the machine. The fraudster, who is loitering close by, offers help. He takes the ATM card from the farmer and changes it with a fake card that he already has. He inserts the fake card in the machine and asks the farmer to enter the PIN. The fraudster sees the PIN being entered and he remembers it. When the farmer leaves the ATM, the fraudster withdraws the money from the farmer’s account.
In case of malware attacks, the ATMs get delinked from the bank’s network. The system will not recognise that the cash chest has been emptied. In a recent malware attack on an ATM, the fraudster connected a USB to the front panel of the machine. He switched it off and then switched it on again. The ATM was then booted up with the malware, which resulted in the complete decoupling of the machine from the bank’s network. The fraudster subsequently gave certain commands and the ATM flooded the money out from the chests! In case of such crimes, no debit entries are generated as the system doesn’t recognise that the transaction ever happened.
NCR Corporation is India’s largest ATM manufacturer and service provider. Navroze Dastur, Managing Director, NCR India, says, “Three types of attacks on ATMs are becoming common, these are: black box, man in the middle and malware.” He informs that the malware fraud has been reported from several countries: Russia, Mexico, Malaysia, Europe and India. A man in the middle attack involves compromising the network infrastructure and placing the malware within a bank’s network. In a black box attack, the fraudster bypasses the ATM’s core processor and connects an electronic device to the cash dispenser. He then sends unauthorised commands to dispense cash from the ATM.
Controls, Processes & Technology
IT can play a critical role in minimising and combating fraud, but there are many other aspects that banks have to take care of to ensure overall security in their establishments. Arun Gupta of Ingenium Advisory says, “Banks should have the required controls, processes and technology in place. It is a combination of these three that will finally succeed because one without the other does not work.” This approach can be applied by banks to manage KYC and document-tampering related frauds.
A number of technology tools for detecting fraud are available, but the best results can only be achieved from these tools when there is a comprehensive system for red-flagging the issues and alerting the employees. Diwakar Gupta provides information on the centre for investigation of suspicious transactions that is being run in Jaipur by a prominent public sector bank. “There are about 100 people working there. The list of suspicious transactions is generated by the software. The officials analyse the transactions and decide what kind of action should be taken in each case.” The IT solution can only throw out the suspicious transactions based on set rules. The rest has to be done by the respective personnel.
Diwakar Gupta is of the view that a common registry, from which KYC delinquencies can be reported to all the banks, is a must. The challenge in case of such systems lies in creating the pool of skilled manpower to track these cases. RBI is expected to issue norms for setting up a central fraud registry to share information on unscrupulous borrowers and wilful defaulters.
Analytics for Safe Banking
Analytics can play a crucial role in unearthing and filtering out suspicious transactions. A survey by Deloitte shows: “One in three survey respondents were not entirely satisfied with their current fraud detection / analytics solution.”
The new analytics tools not only support detection, analysis and management of fraud across users, accounts, channels, products and other entities (e.g., kiosks); they also monitor the user’s activity and behaviour inside an application and watch what transpires inside and across accounts using any channel available to the user or program. “Analytics tools monitor and manage alerts across multiple systems, correlate them with one another, and feed them into enterprise case management systems,” says Anmol Singh, Principal Research Analyst, Gartner.
HDFC Bank has implemented rules, which are based on statistical models developed in-house, for monitoring transactions on credit and debit cards. “The model takes into account various transactional & customer demographic related attributes along with the fraud trend. Periodic review of these models is carried out in terms of false positives and relevance to the existence of the fraud trends and necessary actions are taken,” says Sameer Ratolikar, CISO, HDFC Bank. The Bank has invested in an enterprise-level solution for digital banking, covering monitoring of net banking, credit and debit card, and merchant acquiring transactions, with the capability to decline transactions that match the fraud trend.
Big Data is another technology that can protect the bank from fraudsters. “Big Data can be used for mining transactions to develop information on behaviour patterns that are likely to follow most fraudulent activities,” says Diwakar Gupta. According to Gupta, a suspicious transaction may not necessarily be a fraud but it puts up your antenna to suggest that something seems to be wrong. The exception reports should be looked at to make sure the customer is not doing exceptions again and again. There is a big role for analytics and reports in tackling frauds.
Banks are realising that they have to join hands to curb instances of fraud. IDRBT has started the Indian Banks - Center for Analysis of Risks and Threats (IBCART). It is a portal-based centralised repository of information security incidents reported by banks.
abhishek.raval@expressindia.com
FEATURE
IT ECOSYSTEM
KARNATAKA’S POLICE IT ECOSYSTEM
Information and data are critical for decision making, user references and business communication not only in the corporate world, but also in public administration. Demand for instant access, real-time processing, enhanced service levels and faster turnaround is growing in the police departments.
BY SANJAY SAHAY, ADDITIONAL DIRECTOR GENERAL OF POLICE, KARNATAKA
The Karnataka State Police (KSP) has been pro-active in adopting new technology for meeting the organisational challenges and improving its operations and service delivery capabilities. For KSP it has been a long journey of transformation from the manual paper-based FIRs to end-to-end digital investigation of crime. The police IT eco-system developed in Karnataka and the operational and governance structure that has been created for this purpose are the key to the robust functioning of the system. All components of the system can be replicated.
Going for ERP
Police-IT was conceptualised in the year 2000 by the Government of Karnataka for implementation of a state-wide IT solution for the Police Department. The Karnataka State Police needed a centralised and comprehensive software application that could cater to the various functions of the Police. An ERP was the solution that the police department needed. Easy maintenance, real-time availability and ease of integration were some of the benefits that fuelled this vision. It was realised that any ERP system would need centralised hosting infrastructure and a robust network, which necessitated the setting up of the KSP Data Center and the KSP Wide Area Network. Special attention was given to building internal capacity so that external dependency would be kept to a minimum. Internal resources were trained in professional IT skills for smooth operation and maintenance of the Police IT systems.
The roll out started in April 2010 and was completed in a year. The software is now operational at all 931 police stations, 221 circle offices, 121 sub-divisional police offices, 30 districts, 5 commissionerates and all higher police offices in the state. It is modular in nature and based on a centralised architecture. The police department looks forward to scaling greater heights through the introduction of advanced technology such as cloud, crime analytics and mobility.
Today the Karnataka State Police functions on the Police IT ERP Software. In 2014, every single FIR in the state was generated through this software. In the CCTNS, Karnataka was one of the advanced states and was thus permitted to continue with its own software. Thus Police IT is the front end of the CCTNS in Karnataka. Crime and Criminal Tracking Networking and Systems (CCTNS) was conceived and incorporated in the Eleventh Five Year Plan as one of the Mission Mode Projects under the National eGovernance Plan. The Police-IT system has been enhanced to add new capabilities envisaged under the CCTNS project. The functionalities and features are broadly indicated in the following diagram:
[Figure: Police IT Software – Functional Overview. Labels shown: Core Functionalities, MIS, Administration, Ancillary Support, Technical Modules; 11 Modules, 417 Reports, 64 Roles, 522 Screens.]
[Figure: Police IT Ecosystem. Labels shown: Stabilization, Enforcement, Governance Structure, Police IT ERP, Training for End-Users, Creation of Skilled Internal Resource Pool, Training for 75 System Administrators, Data Center, Network.]
There are 12 modules in the software:
◗ Crime
◗ Law & Order
◗ Traffic
◗ Finance
◗ Administration
◗ Stores
◗ Armed Reserve (AR)
◗ Motor Transport
◗ Training
◗ Wireless
◗ Forensic Science Laboratory
◗ MIS
KSP Wide Area Network
KSPWAN was created in 2009, exclusively for connecting police stations, Circles, SDPOs, and other offices of special units spread across the length and breadth of Karnataka into one network. The basic purpose of creating such a vast network is to adopt the latest technology to cater to faster and easier modes of communication within this network for the day-to-day information exchange of the Karnataka state police force. KSPWAN is a combination of 45 MPLS and 1465 VPNoBB connections. It is the only fully functional broadband network owned and operated by any state police force in the country. It is a fully online system and Police IT does not have an offline mode.
a. NMS for complete monitoring of the network
b. Automatic link failover protection
c. Implementation of fixed IP at all VPNoBB locations and router hardening to avoid unwanted traffic
KSP Data Center and Disaster Recovery Site
Karnataka State Police has its own state-of-the-art green data-center services at KSRP 3rd Battalion, Bangalore. This is the only Data Center created and run by any state police in the country. The data center is built in an area of 1400 sq ft, which includes the Data Center server room, NOC room, and Electrical & UPS room. The Data Center has the capacity to host 5 server racks and 3 network racks for all KSP IT requirements. Started in Jan 2011, the KSP DC hosts the following services for the department:
◗ Police IT
◗ E-Mail
◗ Website
◗ SMS gateway
◗ Active Directory
◗ EMS
◗ Antivirus and Patch Management
[Figure: KSP Wide Area Network Capacity. 44 locations on 1, 2 & 4 Mbps leased lines; 1425 locations on 512 Kbps and 1 Mbps VPNoBB; 155 Mbps aggregation bandwidth at KSPDC; 16 Mbps Internet leased line.]
The KSP Data Center is managed professionally by a dedicated team with best practices in place, such as 24/7*365 NOC operations, proactive monitoring, preventive maintenance and a backup/restore policy. A Disaster Recovery (DR) site has been set up in New Delhi at the National Data Center, under the maintenance of NIC. The DR site provides an alternate hosting facility at a remote site as a backup of the data and applications at the KSP DC, which will ensure uninterrupted operations in case of exigencies. The link between KSPDC and the DR site is already established and the data of the KSP DC has been replicated to the DR site. The hosting infrastructure is shown in the diagram below:
[Figure: Core Infrastructure – KSPDC and KSPWAN. Labels shown: KSP Disaster Recovery Center; database, application, FTP, web and Police IT servers; core switch; firewalls; Internet gateway; 4 Mbps and 16 Mbps Internet clouds; BSNL MPLS; VPNoBB; Chief Office; PS/Circle/SDPO sites. Type of connectivity: 16 Mbps ILL link, 156 Mbps aggregation link, 44 MPLS links, 1425 VPNoBB links.]
Training
The creation of well-trained, technologically enabled human resources to create and maintain the critical components of the Police IT Ecosystem has been the cherished goal of capacity building in Karnataka. KSP has taken an innovative approach to capacity building with initiatives like Training and Certification of Police Personnel in System Administration and Change Management Workshops for Senior Police officers. KSP has also established its own training infrastructure at regional levels. The program involved the creation of a detailed and effective training strategy, user groups and classifications, a training plan and guidelines, detailed training material, and a training program designed for customised delivery to the target groups. The main challenges to be addressed were the geographically dispersed trainee base and the wide variability in education and computer proficiency. The training program was well planned and executed as shown in the diagram below:
When the Police IT system was being created, 75 selected police personnel were given innovative training in MCSE and CCNA, which remains the base of the complete IT functioning even today. They are known as system administrators and have done yeoman service to the computerisation of Karnataka State Police. The creation of a band of Police IT module trainers over a period of time has been another great accomplishment, and they are spread over the state. The CCIS provided for the training of a large number of police staff, which was used in this project, providing a linear progression of talent. The following training programmes are being run by KSP:
◗ Basic IT Training – designed for basic IT orientation and skill development
◗ Role-based Police IT Application Training – designed to increase users’ familiarity with the software
◗ Basic System Administrator Training – designed to build professional skills for O&M support
◗ Train the Trainer – designed to create an internal pool of skilled trainers
Each training ends with an online evaluation test for the trainees. KSP provides an online test tool which is installed in each training centre. All trainings are given along with certification from the system integrator. Change Management workshops are conducted to build appreciation of change within KSP.
The following best practices have evolved over years of innovation and experiential learning:
◗ Dedicated core team for software to create SRS, perform UAT, run the Police IT application and provide support to end users
◗ Technical manpower created to run all tracks of CCTNS
◗ Knowledge-based empowerment of manpower
◗ Centralized architecture with complete online
◗ Project Management: Karnataka has delivered a successful Police IT Application
◗ Centralized helpdesk and call management software
◗ Centralized patch management and antivirus management
◗ Failover protection
◗ Integration with Public Services and SMS Gateway
Final Words
Unlike any large enterprise IT-enabled transformation program, the KSP computerization project has been a herculean task that required interventions in all the organizational components, be it People, Process, Technology, Infrastructure and, most importantly, Governance, through the tireless drive of leadership and a clear vision of what lies ahead. The development of a comprehensive software package has been possible only through constant collaboration of police personnel across levels of hierarchy and sound project management by the Police Computer Wing. The software today allows users at all the police stations to register crime online and undertake end-to-end investigation through the Police IT software. While the KSP data center and virtual private network have provided a solid backbone for 100% project coverage, the presence of certified internal resources at district levels, domain champions at SCRB and thought leaders among the senior ranks of KSP has been the critical success factor in the IT-led transformation of the State Police. The Project is dedicated to the employees of Karnataka State Police who have envisioned, driven and adopted the change!
[Figure: Capacity Building Plan. Labels shown: Police IT Training for End-Users & Handholding; Training for Technical Teams of all Units; Training for Nodal Officers of all Units; Training Curriculum (Basic IT & Police IT); Basic Training for End-Users; Training for 75 System Administrators; Deployment of Trainers; Mapping of End-User; Training Infrastructure.]
CASE STUDY
IT FOR INSURANCE FRAUD
Hit by several fraud-related losses every year, the insurance industry is now deploying data analytics to detect policies filed under false information.
BY ABHISHEK RAVAL
One of the biggest challenges that the insurance sector faces is that of fake claims. According to industry experts, the insurance industry is annually hit by fake claims to the tune of 20-22%. The latest amendment in Section 45 of the Insurance laws Amendment Ordinance means that no life insurer can repudiate a claim from a policy holder three years after the issuance. This means that a policy can’t be cancelled on the grounds of misstatement of facts; even fraudulent claims are protected.
Unique Initiative to Fight Insurance Fraud Sunder Krishnan, Chief Risk 34
EXPRESS COMPUTER
Officer, Reliance Life Insurance, decided to take up the issue of ‘fake claims’ head-on. With many years of experience in handling claims in the insurance industry, he was in a position to understand the general strategy adopted by the filers of false claims. “I was heading claims temporarily, post the exit of the COO a few years back. While having got the chance to work in the department, I came to know about the factors that generally lead to false claims. My conclusion was, we will have to go after the fraudsters from the very beginning. I designed an investigation process based on certain parameters—location, occupation, age, products, etc. A risk matrix was SEPTEMBER, 2015
www.expresscomputeronline.com
prepared based on this criteria. We embarked on an initiative known as Post Issuance Risk Verification (PIRV),” says Krishnan. According to Krishnan, this was the first of it's kind initiative in the life insurance industry. They were planning to take the potentially fake policy holder by surprise. Under this system, the suspect policy holder would be detected by the help of Information Technology and after that the investigator from Reliance Life would do a reality check— verifying the details of the policy holder by visiting him at the location. Usually the insurers begin their investigation after the claim has been filed, but by then the fake claimant is prepared to prove himself innocent. A surprise check is important as it leads to the fraudster being taken by surprise. It should be noted that filing of fake claims is in essence a team effort— the doctor, pathological labs, lawyer, hospital all work in tandem to perpetrate the fraud. At times, surveyors, investigators and agents too get involved in the shady deals. However, the possibility of Krishnan's pro-active strategy of going after the fraudsters, having an impact on the honest customer could not be ignored. The drive could lead to the cancellation of the account of a genuine policy holder. To ensure that such mistakes did not happen, Krishnan used cutting edge IT to evaluate the customers. The company is now using SAS data analytics to develop information about the locations from where frequent bad claims are generally generated. “The total investment on PIRV is Rs. 50 lakhs—this includes the cost incurred on investigation. But we have able to save a significant sum by cancelling the fraudulent policies upfront and not waiting for the claims to be filed. The total savings in the first year is about Rs. 20 crore. We follow the IRDA regulation while cancelling any policy in which the customer has given false information. 
We do our homework and collect evidence against the potential fraudster,” says Krishnan. He is hopeful that in the second year, PIRV will lead to savings of close to Rs. 50 crore.
The company is now using SAS data analytics to develop information about the locations from where frequent bad claims are generally generated. Sunder Krishnan, CRO, Reliance Life Insurance
Hunting for Bad Claims
The maximum number of fake claims are being filed by organised syndicates operating out of selected pockets in the country. The first priority is to identify the locations from where they are operating, and this must be followed by the verification of their details like occupation, age, product, etc. Krishnan says, “SAS data analytics helps us mine the data and it throws up the list of the most likely negative locations, from where customers who plan to file fake claims in future are operating.” The risk teams across the country constantly engage with the underwriting team. The underwriting department is responsible for checks and verifications of the details in the customer forms filled by the agent. They escalate forms with suspicious details back to the central retail team. The suspicious cases are coloured in red, amber, green, based on the risk matrix, which is linked to the parameters of location, age, occupation, product. “We go after the red and amber cases. We don't go after the green cases,” says Krishnan. Earlier the colour coding of the suspicious cases was being done manually, but now the process has been automated. Every month, the investigators are finding 4-5 cases of insurance policies of people who are dead and yet have policies named after them. Cases of
impersonation are also being discovered. These cases are forwarded to the ethics committee and after the assessment, appropriate action based on the disciplinary matrix is taken. Recently the system detected a fraudulent policy, which was worth more than 10-15 lakhs. The business type was not mentioned and the other parameters were also unconvincing. The location also seemed suspicious. “On the basis of the sum assured, location, area, occupation, we picked up that case and sent the investigator who found out that the person in whose name the policy was taken was dead even before the policy had been purchased,” says Krishnan. The fraudsters were planning to pad the company with a claim, but as the investigators took them by surprise, they could not place their claim and the fraudulent policy was canceled. Now the underwriting processes have been tightened in all the negative locations. “We have put cameras in the pathological labs to capture images of all the insurance applicants to check if the person who has come for the check is the same person who applied for the policy,” says Krishnan.
The Way Forward
Having successfully deployed PIRV to detect insurance fraud, Krishnan now wants to take the system to the next level. He is in favour of the insurance industry putting up a collective fight. "I have organised joint meetings on fraud prevention. We have brought this to the regulator's notice to look into this area. We have also done a lot of spade work for putting in common systems for the industry so that the system gives lag and lead indicators," says Krishnan. The lag indicator is based on past data. For instance, the data on disproportionate claims from certain locations, which is higher than the LIC table. The lead indicator is predictive in nature, based on analytics systems, which predict the persistency issue about who is more likely not to pay the claims next year.
abhishek.raval@expressindia.com
SEPTEMBER, 2015
CASE STUDY
MAHINDRA DEFENCE
Smart Surveillance 2.0
EYES IN THE SKY
Mahindra Defence has joined hands with Cisco Systems for developing and implementing the Lucknow Smart City Surveillance project
BY ANKUSH KUMAR
The prominent defence and security company, Mahindra Defence Systems Ltd., a strategic business unit owned by the Indian multinational conglomerate, the Mahindra Group, has been working for defence forces and various police departments since 1947. Recently, the company joined hands with Cisco Systems for designing and implementing the Smart Surveillance 2.0 system at Lucknow city. The implementation happened in just six months. The aim of the project was to enhance the safety and security of the citizens and improve the infrastructure for providing aid during emergency.
Aim of the Project
Uttar Pradesh, India’s most populated state, is home to 21 crore residents. According to a report titled Crime in India 2013, which was released by the National Crime Records Bureau (NCRB) in June 2014, a large number of crimes and violations had happened in Uttar Pradesh.
EXPRESS COMPUTER
The NCRB report also states that there are only 78 policemen per lakh of people in Uttar Pradesh, as against the UN recommended ratio of 222 policemen. Also, the police force is armed with outdated systems for tracking and fighting crime. With the objective of improving the security situation in the capital city of the state, Lucknow, the State
Government of Uttar Pradesh and the Uttar Pradesh Police decided to implement a Smart Surveillance system. The project has been aptly given the name Drishthi and it comprises 280 IP CCTVs deployed at more than 70 locations, ANPRs, Video Analytics, a Mobile Surveillance System, a Command Control Centre and Data Centres.
Security Through Surveillance
On 12th April 2015, the Chief Minister of Uttar Pradesh unveiled the Smart City Surveillance project. Lucknow Police is now working for developing the CCTV cameras installed by commercial establishments with the Smart Surveillance system to ensure the entire city is covered without excessive financial pressure on the government. The police department in the state feels that the installation of the cameras will ensure better public order, crime control and traffic management on the streets. Mukul Goel, Additional Director General, Law and Order, Uttar Pradesh Police, says that earlier it was impossible to survey large events due to the shortage of traffic policemen on the roads. Mobile surveillance vans equipped with night vision cameras have been deployed as a part of the project. The cameras can be extended up to three metres over the vehicle to capture members of a violent mob. SP Shukla, Group President, Mahindra Aerospace and Defence Sector, says, “The Uttar Pradesh Police has set a new benchmark in getting this world class technology system operational in just six months with support from Mahindra Defence as its implementation partner. We thank the Uttar Pradesh government for the support that they have provided to help us achieve this milestone of implementing a world-class public safety and security technology solution. This project has been an important part of the Mahindra Group’s initiative to support the government in creating Smart and Safe Cities. We are committed to partnering with UP Police for smooth running of the system.”
Advantages of the Project
Of the 280 high-resolution cameras set up at strategic locations across the city, 40 have been incorporated with ANPR (Automatic Number Plate Recognition) technology. The control room staffers have been awarded ISO certificates. On the day of the launch itself, the system was used to issue 500 electronic challans to traffic offenders. The Lucknow police has already found leads for more than a dozen cases through the data from this CCTV system. Vehicles that enter or exit Lucknow are tracked by the surveillance cameras and details of those belonging to wrongdoers are recorded on the ANPR. These details will remain on the server for a year. Mukul Goel says, “The Smart City Surveillance project will be helpful in nabbing criminals. It will also prove very useful in managing traffic violations. We have encouraged businesses to set up CCTV cameras. More than 1,000 systems are already in place.” “We can track down the driver of a vehicle that is responsible for the accident. We can identify and nab a chain-snatcher on the run with the help of ANPR. Law enforcement becomes much easier with such a system in place,” says Durgesh Kumar, Additional Superintendent, Traffic, Uttar Pradesh Police. Dinesh K Pillai, CEO, Mahindra SSG, says, “We are delighted to achieve this critical milestone. We were able to complete this project within a tight schedule primarily due to the fact that we had very good support from Uttar Pradesh Police.” Lt Cdr Jasbir Singh Solanki (Retd.), Head-Homeland Security and Smart Cities, says, “We worked in partnership with the UP Police to deliver one of the largest and fastest Smart City Surveillance projects, which is now being viewed as a major success story in the overall area of homeland security. This model can be adopted by police departments across India for creating a safe and secure environment in our cities.”
ankush.kumar@expressindia.com
We are delighted to achieve this critical milestone. We were able to complete it within a tight schedule due to the enormous support we got from the UP Police. Dinesh K Pillai, CEO, Mahindra SSG
This model can also be adopted by various police departments across India in order to create a safe and secure environment in our cities. Lt Cdr Jasbir Singh Solanki (Retd), Head-Homeland Security and Smart Cities, Mahindra SSG
FEATURE
SECURING BFSI
SECURING BFSI IN EVOLVING THREAT LANDSCAPE
To meet the all-round banking and financial needs of the new age consumers, the BFSI industry has deployed a range of Internet and mobile solutions. However, the rising reliance on such systems is opening new windows of opportunity for cyber criminals
BY ANKUSH KUMAR
There is a rise in the complexity of the attacks being launched against the BFSI industry. While the financial institutions are taking a number of steps to safeguard their IT infrastructure, they continue to be challenged by the pace of innovation and rising sophistication of the attacks. Traditionally the phishing type of attacks have been more common,
but now the attackers are launching new attacks using complex APT, DDoS, and other sophisticated strategies. The 2015 Internet Security Threat Report from Symantec shows that there is a significant rise in the targeted attacks aimed at the BFSI sector. The volume of targeted attacks against BFSI went up from 11.1 percent in 2013 to 17.1 percent in 2014. The report indicates that the cyber
criminals are now breaching the defences of BFSI institutions by using innovative technologies, which enable them to avoid detection. Ransomware attacks soared 113% in 2014. The Symantec report also reveals that fake versions of the mobile phone apps owned by the financial institutions are being used to make people give up their account details.
Mitigating Risks
P Sitaram, Director, IDBI Bank, considers DDoS attacks to be the most dangerous threat for the BFSI sector. “DDoS attacks have grown in complexity, volume and sophistication. In such attacks spurious or fake packets are sent to the victim in abnormally large numbers. DDoS attempts to block important services running on victim’s server by flooding the victim’s server with packets. A DDoS attack does not originate from a single host or network, but from multiple hosts or networks which might have already been compromised,” says Sitaram. He informs that IDBI Bank has tied up with an internet service provider for the DDoS/DoS mitigant. The bank is closely working with regulators and government agencies like CERT-In and IDRBT to identify such attacks and thwart them in time. According to Sitaram, the security of IDBI’s online banking is achieved through prudent security practices, i.e., security access codes (user-ID and password), privacy of data transfer through encryption (SSL 128-bit encryption protocol from Entrust), firewalls (allowing customers access to particular services, while at the same time denying access to systems and databases with classified bank data and information), security of personal information, session time-out, etc. IDBI Bank uses a two-factor authentication mechanism, via OTP, to ensure that the transactions are fully secured. Privacy of customers’ information is secured from internal and external accesses. The bank has implemented a Data Loss Prevention (DLP) tool to send alerts in case of any leakage of information. It regularly conducts awareness sessions for educating the employees about safeguarding customers’ privacy and data. IDBI Bank has also deployed a Data Leakage Prevention tool to check and prevent any data leakages from the bank’s environment. Arbor Networks has a major focus on DDoS and advanced security threats. “Today’s networks need integrated multi-layered DDoS protection solution,
i.e., at the data centres – inline, real-time, always on, DDoS Mitigation for protecting against low and slow attacks, state-exhaustion, application layer DDoS attacks including encrypted services like SSL & TLS. This on-premise DDoS protection integration communication to upstream service provider In-Cloud or Overlay cloud DDoS protection would ensure protection against all types of DDoS attacks,” says Samuel Sathyajith, Country Manager – India & SAARC, Arbor Networks. On the issue of advanced threats, Samuel is of the view that they are the opposite of a DDoS attack, as they are not high profile. These attacks target an organisation, study its defences and its people and look for a quiet way inside, either due to a weakness in defence, or through an employee. Once the attackers get inside the network, their goal is to stay undetected for as long as possible. Research shows that sophisticated attackers can stay hidden inside a network for an average of 200 days. Once inside, they move around, escalating their access to ultimately find the information that they are looking for, and then they steal it. These attackers are patient, deceptive and difficult to stop.
Safeguarding Customers Data
According to the data released by the Reserve Bank of India, the total number of bank accounts in India is around 58 crore, of which about 2.2 crore bank account holders use mobile banking applications. Mobile banking transactions have jumped from Rs 1,819 crore in 2011/12 to Rs 10,000 crore in 2014/15. There has been a corresponding rise in mobile fraud cases, which have jumped from less than Rs 10 crore in 2011/12 to around Rs 70 crore in 2014/15. “Security needs to be embedded in the mobile and online payment services with careful design which includes all the intermediaries, their respective processes and technologies. Financial, payment and network service providers need to follow appropriate safeguards and privacy and security governance
KEY STATS
Targeted attacks against BFSI: 11.1% (2013), 17.1% (2014)
Mobile banking transactions: Rs 1,819 crore (2011/12), Rs 10,000 crore (2014/15)
Mobile fraud cases: around Rs 70 crore
About 2.2 crore bank account holders use mobile banking applications out of 52 crore bank account holders
■ Around 1467 financial institutions in 86 countries were targeted with financial Trojans
■ India ranks 6th globally and 2nd in Asia for Dyre Trojan infections.
The bank is closely working with regulators and government agencies like CERT-In and IDRBT to identify attacks like DDoS and thwart them in time. P Sitaram, Executive Director, IDBI Bank
Rise in mobile fraud cases, which have jumped from less than Rs 10 crore in 2011/12 to around Rs 70 crore in 2014/15.
programs. Industry standards such as PCI-DSS, data privacy controls and Cyber Security controls will not only prevent frauds, but also help in enhancing customer confidence,” says Kunal Pande, Partner - IT Advisory Services, KPMG in India. Pande of KPMG elaborates on the importance of transaction based security, “In mobile payments solutions it is crucial to keep in mind that a number of customers may be using
‘rooted’ devices, which if not considered in the design of security solution can render the same under-effective. The use of two-factor authentication, end-to-end encryption of the channel, leads to effective identity authentication for the consumer and higher identity assurance to the merchant and the bank.” “It is crucial to understand the security features available in new mechanisms. For example, in case of NFC transactions, protection from
Multi-factor authentication should be mandatory to deter standard attack vectors. Sajan Paul, Director Systems Engineering India & SAARC, Juniper Networks
Many people don’t realise that the root cause of many cyber security breaches is the user himself. Dr Sriharsha A Achar, CISO & CPO, Apollo Munich Health Insurance
Critical security risks facing customers using online and mobile banking include identity theft and malware related losses via clone sites. Arnab Kumar Chattopadhyay, Senior Technical Director, MetricStream
transactions originating from unauthorised users or bogus mobile phones can be accomplished by use of dynamic card verification values (CVVs). NFC chip-enabled mobile phones support dynamic CVVs as compared to the static CVVs used on chip and magnetic stripe cards. The transactions from bogus mobile phone will be rejected as it will not have the CVV,” adds Pande. Arnab Kumar Chattopadhyay, Senior Technical Director, MetricStream, says, “Critical security risks facing customers using online and mobile banking include identity theft and malware related losses via clone sites in which users reveal sensitive information to websites created by cyber criminals in order to gain access to user accounts.” “The best practices for customers is to become more vigilant and aware. Multi factor authentication systems, systematic bank account monitoring, deployment of a personal firewall and using verified and secure sites can reduce the chances of falling prey to cyber-attacks,” adds Chattopadhyay. Dr Sriharsha A Achar, CISO, Apollo
Munich Health Insurance, says, “It is important to develop a security culture in the organisation by sensitising the employees of the security risks. Many people don’t realise that the root cause of cyber security breaches is the user himself. We need to relook at the organisation wide information security programs, which provides a framework for ensuring that the risks are understood and that effective controls are selected and implemented.”
Beyond Detection And Prevention
The competition in the BFSI sector is ensuring that the traditional industry players have to innovate constantly to meet the emerging demands of the market. There is a constant quest for low cost, secure and reliable financial services. But when the pace of change is high, and there is acceleration in the processes for new product developments, the issues related to security can lag behind. According to Anmol Singh, Principal Research Analyst, Gartner, “The rise of mobile banking, mobile payments and
cloud computing has magnified the threats. The main problem is that there continues to be a lack of customer awareness on information security issues. Visibility of the critical infrastructure and operations outsourced to external third-party service providers and management of third-party risks are other major security challenges for the banking industry.” Vic Mankotia, Vice President, Security and API Management, Asia Pacific & Japan, CA Technologies, asserts that Reactive Security is a big market for providers of the protection systems. “The best solution for detecting insider threats includes identity and access management (IAM) coupled with information protection which enable CISOs in drawing up a comprehensive program to reduce insider threats. The way people communicate, collaborate and do their business in the digital world is changing. It is highly imperative today to ensure that the ‘Security of No’ has to become the ‘Security of Know’,” says Mankotia.
In a world where data breaches have become a major risk for companies, the general insurance companies must offer cover against the financial losses that arise from cyber threats. In India, there are at least three general insurers that are already providing insurance against data breaches. Indian banks are seeking insurance against online transactions, including those involving credit cards, as there is a rise in the use of plastic money. Insurance policies in previous years did not cover computer related frauds, but since there has been a rise in mobile banking, most banks are willing to complement these insurance schemes.
Combating New Age Vector Threats
According to the “State of Financial Trojans Report” by Symantec, India ranked fifth highest amongst countries with most financial Trojan infections in 2014, up from rank seven in 2013. The same report highlighted that around 1467 financial institutions in 86 countries were targeted with financial Trojans and that the stolen bank accounts were sold for 5-10 percent of
the balance value on underground cybercrime forums. Symantec has recently detected a new financial malware, the ‘Dyre’ Trojan, which is now regarded as one of the most dangerous financial Trojans. This Trojan had been configured to defraud customers of more than 1,000 banks and other companies worldwide. While financial institutions in the USA and UK are most targeted, India ranks 6th globally and 2nd in Asia for Dyre infections. The danger lies in the fact that financial malware has evolved to bypass newer security measures, such as two-factor authentication (2FA) and mobile banking. As threats continue to rise, the financial institutions are forced to opt for a vendor who can serve beyond just providing an array of products for fighting cyber criminals. Shrikant Shitole, Managing Director, India, Symantec, says, “Cyber criminals are using Trojans to commit large scale financial fraud. They are targeting institutions and high profile targets across the globe. Platforms like bitcoin
and mobile payment systems are the new targets for these cyber criminals.” Chandra Sekhar Pulamarasetti, Cofounder & CEO, Sanovi Technologies, believes that Business Continuity and IT Disaster Recovery constitute the most important components of the security framework for banks and financial institutions. While security solutions are deployed for threat detection and prevention, these solutions are never foolproof and organisations have to deploy effective business continuity solutions to deal with the threat impacts and IT outages. Sajan Paul, Director Systems Engineering - India & SAARC at Juniper Networks, says, “The average age of the Indian population will be 29 by 2020— this young generation will need internet banking as a primary banking option. But internet banking and consumer security awareness must go hand in hand. From the technical standpoint, multi-factor authentication should be mandatory to deter standard attack vectors.” ankush.kumar@expressindia.com
INTERVIEW
RAJIV PRAKASH SAXENA EX-DDG, NIC
TRANSFORMING INDIA THROUGH e-GOVERNANCE
Rajiv Prakash Saxena, Ex-Deputy Director General, NIC, has recently written a book on e-governance, ‘Government of the future in the ICT era’. In this freewheeling interview with Mohd Ujaley, he provides his views on various aspects of e-governance in the country.
Your book on e-governance, ‘Governments of the Future in the ICT Era’, has recently been published. What inspired you to write this book?
I joined NIC in the year 1983, since then I have been working on projects related to computerisation and e-governance. In 1998, I had the opportunity of going to Egypt, Tunisia and Dubai to work on a project for the UN body, UNCTAD, which is headquartered in Geneva. During my stay in these countries, I had the chance of interacting with many people who were working in the area of e-commerce. I could learn a lot from them. After returning to India, I was invited by the Delhi University Faculty of Management Studies to teach MBA students on the subject “Business on Internet.” At that time, the Government of India had also started to formulate the IT Act. I decided to write this book to bring more awareness about the benefits that can come from using ICT in governance. The book is also a kind of gift for my students. Even though I am a civil engineer and my major studies have been in the designing of earthquake resistant buildings, I have a passion for teaching on the ways by which technology can be used for improving governance.
What is your view of e-governance in the country? Do you think that the e-governance projects are moving in the right direction?
We have made substantial progress in the area of e-governance. It is now widely accepted that e-governance is a must for bringing efficiency and transparency to the delivery of services to the people. With the growing popularity of mobile devices, we are now moving towards m-governance. India is a young country.
Our youth is mobile and computer savvy, they want to have the facility of e-governance. Unlike the older generation, today’s youth is not ready to wait for years for good services to become available. They are impatient for change. Earlier people used to wait for many years for a telephone connection, but now these things are available in a matter of hours. I see a huge potential for e-governance, m-governance and the use of digital media in the country. There is a huge expansion in the use of ICT for providing government services to the citizens.
What are the major challenges in the implementation of e-governance projects?
Connectivity is obviously a major challenge. Without proper connectivity, it is not possible for us to provide e-governance services. At times, the topography of certain states leads to its own set of challenges. For instance, in the North-East, where the terrain is mountainous, it is difficult to lay the cables for connectivity. In these areas, m-governance can be a better option. In major cities also there is the problem of connectivity. There is the challenge of bandwidth. Smartphone users eat up a lot of bandwidth as they download graphic content. Due to poor connectivity, people's experience of accessing government services on the go has not been as smooth as it should have been. Call drop has become a major issue.
When it comes to usage of online services by the people, where do you see the maximum amount of progress being made?
It is obvious that the banks and mobile payment system companies are increasingly taking the lead in technology deployment. Companies such as Paytm, which deal in mobile payments, are doing an average transaction of about Rs. 700 crore per month. This by itself is a proof of the fact that people are ready to transact online. The e-governance services must also develop similar solutions that bring convenience to the people.
Paytm is planning to use data analytic tools to understand the consumer needs and behaviours in order to provide a customised solution. Going forward, the data is going to be the currency; therefore it is important that even in e-governance, we should use all the modern technologies to understand the needs of the people whom we are trying to serve. We have to use technology to make sense of the huge amounts of data that government has at its disposal.
You have spoken about using technology to derive important information from the data, but currently there is shortage of data scientists in the country. How do we address this challenge?
This challenge can only be addressed by nurturing data scientists in our country. We need to overhaul our computer science curriculum. A good data scientist has to have a very sound understanding of statistics, they are trained to discover relationships that exist between different strings of the data. These days big companies are spending huge money for educating their own engineers in the new areas of statistics, which can be applied in computer science. The Digital India and Smart Cities programmes will create huge data footprints, therefore it is important to have enough data scientists who can help us formulate the policy for the overall welfare of the people.
‘Governments of the Future in the ICT Era’ by Rajiv Prakash Saxena is an informative book that deals in the use of technology for improving people’s life. The book covers IT as an enabling technology, various challenges across different sector for IT, e-applications & digital security and how technology can shape the future.
Your book talks about digital divide in the country. What steps can we take to bridge digital divide?
In my opinion, mobile phones are the best tools for bridging digital divide. Today large numbers of applications are being built for mobile applications. We need to utilise the penetration of mobiles across the country to the best of our ability. The mobiles are also equipped with cameras. They are the virtual eyes on the move. Of course, we also need to ensure that people in the country have adequate training in modern computing systems. Currently it is more challenging to provide services in rural India than in urban India. If we can address the challenge of digital divide, we will be able to reach large number of people.
In your book you have given list of the government's departments in which technology could be used to enhance efficiency. In your view what is the key area where we must deploy technology?
The facility of booking railway tickets through mobile devices can be very helpful for the common man. The service is already active, but it should be made easier and awareness should be created about it. Even though ticketing is computerised, people face many challenges in getting their ticket booked. Especially in rural areas, where connectivity is a major problem, ticket bookings through mobiles will be great help. Also, the state governments across India run buses, which are used by many people. Right now we hardly have a proper digital system for booking tickets for these buses. I think there are huge opportunities for the state transport departments to modernise the bus services with the help of technology.
mohd.ujaley@expressindia.com
REGD.NO.MCS/066/2015-17, PUBLISHED ON 28TH OF EVERY PREVIOUS MONTH & POSTED AT MUMBAI PATRIKA CHANNEL SORTING OFFICE, DUE DATE 29 & 30 OF EVERY PREVIOUS MONTH, REGD. WITH RNI UNDER NO. MAHENG/49926/90