Architecting Security's Future
Expert Panel on Key Challenges of Securing Digital India
Prime Minister Narendra Modi's recent launch of his Digital India initiative - aimed at connecting all gram panchayats by broadband internet, promoting e-governance and transforming India into a knowledge economy - has spurred discussions among various industry leaders. Security experts believe that the smart cities and other integrated digital footprints created by Digital India are likely to create an increasingly large attack surface for cyber criminals.
Even the prime minister acknowledges the risks. During the Digital India campaign launch, Modi said, "We must assure the world through innovation that if it is a product of India, the world is secure in the cyber world. The world is so worried about cybersecurity. One click can change a lot of things."
So, how do security leaders ensure that new projects are protected from cyber-attacks with a model that future-proofs networks, data and infrastructure?
That question spurred lively debate at the recent Data Security Council of India Best Practices Meet 2015 in Bangalore, during the plenary session "Architecting Security for transformation to Digital India."
In this July 10 panel discussion, experts debated security challenges and discrepancies in the processes, as well as effective ways to secure their projects against growing attacks.
The session was chaired by Dr. N Sarat Babu, executive director, C-DAC. Panelists included Ashalatha Govind, general manager & CISO at State Bank of India; Sanjay Sahay, additional director general of Police, Karnataka Police; and Sunil Abraham, executive director, Centre of Internet Society.
Security leaders expressed concern that the government initiative, seeking digital transformation in the country, can be successful only when a well-designed security architecture is assured. They believe that protecting the existing digital data and processes within the enterprises is critical.
Bangalore-based Babu said that a holistic approach to addressing security is critical, as every aspect is prone to cyber threats.
Babu raised concerns about insecure code in the software engineering environment. "Since Digital India is open to common man, the security challenges are going to be immense due to poor awareness among people in doing secured transactions," he says.
Bangalore-based Sahay of Karnataka Police argued that the revolutionary ideas of Digital India would bring in greater threats, despite the best security controls being put in place.
"Since the software does not have security built into its development lifecycle, it would be hard to even guess what kind of security controls are required or anticipate what kind of data would be stolen by the hackers and from which region," Sahay said.
"It is proven that the antivirus industry is unable to cope with even five percent of the breaches," Sahay said. "Where are we in terms of detecting or pre-empting the breaches where the hackers become central to the digital universe?"
Mumbai-based Govind of SBI believes that insider theft is going to be increasingly critical. "Particularly with the rise in digital banking where the world doesn't sleep," she said, "it is important to take into account that bad guys are ahead of you and are well equipped to penetrate into your system and network with ease."
"Whatever robust security systems one brings in, if there is no awareness and hygiene factor around security, it is going to be a nightmare for the security heads in the digital transformation era," she says.
Bangalore-based Sunil Abraham says that despite all the cyber security risks, the movement towards Digital India is inevitable. "The challenge here is that approach towards establishing security has been piecemeal, which adds to the complexity in the people, technology and processes within the enterprise," he says.
"The complexity associated with securing infrastructure when there is no smart structure will only add to the cost," says Abraham.
The leaders agree that cost plays a vital role in the business transformation that is required in the Digital India initiative. Among the must-haves: secure penetration test methods, an integrated approach to software testing, and stakeholders' involvement in securing the enterprise.
Foremost, Govind recommends spreading awareness among employees and external consumers about safe and secure transactions. "Enterprises should make a concerted effort in putting a framework to train and educate the users as a first step."
C-DAC's Babu recommends investing in resources at various levels within the organization and ensuring that security is embedded at the design stage of the software development.
"Since the prime minister is laying greater prominence to 'Make in India' projects and products, embedding security at the R&D stage can help in detecting the vulnerabilities early and the teams can work out a better patch management strategy," Babu said.
Abraham advises security professionals to give importance to data privacy issues in building a security framework, which demands understanding the nuances of the organization, culture and processes.
"Every security professional should focus on the preparedness of the sector or enterprise to the new risks and thereby implement schemes to incentivise teams and build required capacity of teams," Abraham said.
Sahay agrees with his peers that security codes should be written at the development lifecycle stage.
And while compliance policies may vary with each industry or organization, security teams now have greater responsibility to consider security as an integral part of their work, rather than an afterthought.
"The most important security practices include building a risk-aware culture, and managing and responding to incidents as quickly as possible," Sahay said.