Monday, July 7, 2008

The importance of security in e-Governance

Technology has proliferated in all spheres of life. The rapid growth of the Internet has been accompanied by a concomitant rise in online transactions. The government sector has been no exception: of late it has wholeheartedly embraced IT in general, and Internet-based technologies in particular, in order to extend the benefits of governance to all citizens, urban and rural, through a slew of e-Governance projects.

At the Sabha, Anil Sagar, Additional Director, Indian Computer Emergency Response Team (CERT-In) said, “As computer systems have become more user friendly and easy to access, their adoption has grown phenomenally. As a result, we have a scenario wherein multiple operating systems and infrastructure components co-exist. This has increased the potential for security threats.”

Too often, security is described as something necessary to keep you out of trouble. It is more than that. When your information is secure, you can use it to accelerate your business. Amuleek Bijral, country manager, RSA Securities commented, “Despite massive investments in security technologies and services, few companies can claim that all their data is adequately protected.”

Like any other IT-enabled project, an e-Governance project also runs on a network. A government department deals with a considerable amount of information that may be critical to several other government departments concerned as well as external parties and citizens.

Security without borders

In the past, guarding the perimeter against external threats was sufficient, but today’s organizations are virtual, global, and dynamic. Simply deploying perimeter-based security is no longer enough to protect data, as information does not reside within static boundaries. On the contrary, a perimeter-centric security model hinders the frictionless movement of information between users spread across the globe, who access data from a variety of devices such as PCs, PDAs, mobile phones and laptops. Anil Sagar emphasized, “Attackers and users, both, are not confined to a particular geographical location so it becomes difficult to trace back the attacker. Also users are not always aware of and do not give sufficient importance to security measures.” The weakest link in the system is the human one.

As Bijral put it, “Data cannot be confined to one place; the importance of data lies in sharing it. When you share your data, it is spread across several devices including PCs, laptops, data centre servers, mobile phones etc. You need to secure the end-point. Rather than securing the environment, greater emphasis should be given to secure the information that is flowing across several networks.” Information-centric security binds security directly to information and to the people who need it.

The aim of attacks is changing from ‘preserving oneself and wiping out the enemy’ to ‘preserving oneself and controlling the opponent.’ Cyber attacks involve collecting tactical information and using it to overpower enemy systems, bringing down servers and thereby bringing business activities to a standstill. Hemal Patel, MD & CEO, Elitecore Technologies, predicted the possibility of cyber warfare, which he defined as ‘an attack on information in the information age’.

A full-fledged cyber attack involves gaining control over networks, and it proceeds in four steps:

1. Gain control over the networks of government and defense establishments.
2. Bring down the financial systems: the stock markets and banks.
3. Take control of a nation’s utilities (power, telecom etc.).
4. Take control over personal identities (passport data / driving license / PAN No. / ration cards etc.).

Today there are numerous threats—malware, bots, key-loggers, phishing and spoofing to name a few common ones. Lack of security awareness was cited as the biggest cause for attacks.

Control strategy

CERT-In (Indian Computer Emergency Response Team), along with NIC and other IT vendors, has been working towards improving the security levels of IT systems. CERT-In had recently tied up with Quick Heal to deploy the company’s anti-virus solution on government PCs. Bijral said, “If we can identify the data that we care about and where that data resides, then we need a model to discuss risks and threats.”

Draft amendments to the IT Act 2000 lack strong protection against cyber terrorism or cyber war. Patel said, “There should be a combined effort from intelligence agencies, NIC, CERT and the industry to collectively fight a Cyber War.” A central nodal agency is required, one that can frame a national strategy for countering insurgency in cyberspace. The creation of a national nodal agency for IP Security deployments is vital.

There is a need for security solutions that not only cover security threats from end to end but also result in low CAPEX and OPEX. Another important aspect of adopting a security solution is compliance with regulations. Regulations, however, are dynamic and keep changing. It is to handle this eventuality that the ISO 27001 and ISO 27002 standards were developed. These adopt a framework approach, combining the solutions that are required to cover end-to-end system security. ISO 27001 and ISO 27002 deliver a common language for communicating security on a global basis to protect customers, outsourcers, business partners, regulators, auditors and non-security staff.

In a framework-based approach, the key areas of risk are identified to begin with, after which the solutions to counter those risks are taken into consideration, and in the next step technology controls are applied, as are policies and procedures. A review of the implementation of controls ensures that they align with an organization’s security policy and that there is consistency across data classification categories.

Furthermore, there is also the need to inculcate security awareness amongst users about recent threats and attacks, as well as the dos and don’ts of using the Internet. Security has become a key issue that needs to be addressed. Since government deals with sensitive information of national interest, securing data is of utmost importance. The key to securing information, however, lies not in infrastructure security but in the security of the data and information that are shared over various systems. That is why the need for securing such information has become a priority.
