Creating and managing a secure organization is fast becoming a nightmare for enterprises.
Increasing levels of automation and e-enablement have enhanced vulnerability to
security breaches. It is not just infrastructure that needs attention,
corporates also need to tackle internal threats and human errors, which
constitute over half of security breaches. Employees need to be sensitized to
the issue and proper security policies put in place. How far are enterprises
prepared to meet this challenge? Are they conscious of the risks they face? Are
employees told what they can and cannot do with their computers, in keeping with
the company security document? Come to that, does the company have a security
document?
At the second DATAQUEST CIO Panel Discussion in New Delhi, CIOs from five leading
enterprises in varying fields of business–power, manufacturing, dot-com,
banking and finance–were invited to thrash out these issues. The participants
(from left): Aseem Agrawal (Indiabulls.com), CR Narayanan (Alstom
Power), Prasanto K Roy (chief editor, Dataquest Group), Rajesh Uppal
(Maruti Udyog), SD Tyagi (National Thermal Power Corporation) and Venkatesh
Mahadevan (Coca-Cola India). Also present were industry representatives from
companies like Cisco Systems, Microsoft, Hewlett-Packard and NIIT, interacting
with the panelists, outlining problems and practices in their organizations. The
conclusion: The panelists agreed that security was not an IT problem, but a
business issue. Interestingly, everyone also agreed that Indian businesses were
not taking the issue as seriously as they should. Excerpts:
Security: How important is it?
Aseem Agrawal (Indiabulls.com): Security is critical for
us. We are in an area where user data and privacy cannot be compromised at all.
If that happens, not only will we lose customer confidence, but our very license
to practice may be cancelled. We have defined our access mechanism, but only a
very select group, people in whom we have a high degree of trust, knows the
codes. If there were to be malicious intent on the part of those people, there
is little we would be able to do. One concern area is VSNL, where our servers
are located, because it has no physical security at all. When I use my password
access there, there are ten other sites that are co-hosted. If I don’t like
the next guy or his site, I can just pull out the plug. There is absolutely no
one to monitor me…there are no cameras, no accountability, absolutely nothing!
The other ten guys can do the same to me and my site.
"We have different access levels for data and applications and only authorized people can access these on a need-to-know basis"
Aseem Agrawal, executive V-P, Indiabulls.com
PCs: 50
Servers: 6
Major PC brand: Assembled
Major server brand: Compaq
Number of locations: 15
Bandwidth: Hosting bandwidth at datacenters amounts to 100 GB data transfer per month. Internet bandwidth is 128 Kbps
Major applications: Internet trading application on NSE (CTCL); financial portal (website)
IT model being used: In-house/outsourced: Both
Employees: 135
IT employees: 15
Background: A BTech in electrical engineering from IIT Delhi and an MBA with honours from IIM Calcutta, Agrawal worked with the Growth Clients Group of ICICI from 1998 to 2000. He joined Indiabulls in February 2000, when the company started out
Money transfer is another problem area for us, where money could
be diverted from one account to another. An interesting problem we faced last
year was in the stock game we host. It is played for live prizes and we had a
nominal weekly prize of Rs 10,000. Just to get that prize, some people hacked
into our system and kept winning. We discovered an application level error only
later, and plugged it at once, but it is worrying.
SD Tyagi (NTPC): We are concerned on three fronts–one
is our commercial and operating performance, because it is closely linked to the
regulatory mechanism and availability-based tariff. Any data related to these is
sensitive and the stakes involved run into thousands of crores. One decimal
wrong and there’s chaos. I won’t say hacking is our problem, but leaking of
data by employees to competitors is a big concern. A second cause for worry is
contracts–we have large contracts that involve huge amounts of money. A
typical boiler or turbine contract runs into crores of rupees spread over two or
three years. In the process, there are lots of places where pricing or rates
could be tampered with. The third critical area is finance and costing. Over and
above that, we have also found out that within the organization itself, there is
a lot of IP number hacking. These are big challenges.
"We have insulated our LAN from external networks. The idea is to cut off any outsider from our central network"
SD Tyagi, executive director (IS), NTPC
PCs: 7,000-8,000, excluding process control
Servers: 75-80 UNIX and NT servers
Bandwidth resources: Microwave connects power plants (15 thermal plants, 7 gas power projects), 5 regional offices. Invested close to Rs 50 crore, own VSAT network
SW applications deployed: Mix of UNIX servers. 7-8 databases. Standardized on SW apps. Recently deployed PeopleSoft, with PwC, for HR practices
V Mahadevan (Coca-Cola): Our problems relating to
security are isolated. For instance, you are trying to collate figures and
suddenly, you look at the receivables and it shows a very high or a very low
figure from what you saw the previous evening. That is what I would classify as
a human error. Or there could be a small LAN failure or hardware problem due to
which the update did not happen. What’s really bothering us is the perception
that security is an IT problem. I think we need to grow beyond that. And that’s
our role as CIOs to get the organization to buy into security. Because right
from the average user to senior management levels, everyone feels security is an
IT problem. The reality is that it is a business problem.
"We have a disaster recovery plan, but it is not aimed at hackers or external influences. It enables our employees to understand the security needs of the company"
V Mahadevan, director (IS), Coca-Cola India
PCs: 1,500 plus
Major PC brand: Compaq
Major server brand: Compaq
Servers: 25
Locations: 100
Bandwidth resources: Heavy investment in VSATs, now eyeing leased lines
Applications: SAP, sales and distribution, production planning
IT model being used: Partly outsourced (SA)
Employees: 3,000 plus
IT employees: 60
Rajesh Uppal (Maruti Udyog): We have a largely e-enabled
supply chain system. Many critical applications are running on the network and
the web, so they need high availability and security. I will take an example of
an application we developed for our dealers and vendors. They need to login to
my servers to get information on order placements, checking status and so on.
The data flowing on the Net should be secure, nobody should be able to take out
data and gain sensitive information about new model launches and sales figures.
Therefore, we not only have to prevent the general public from accessing this
data, but also have to maintain security among dealers.
"We use hardware locks, data encryption technology and store copies of e-mails in our server to ensure safety of sensitive information"
Rajesh Uppal, GM, information systems, Maruti Udyog Ltd
PCs: Approximately 1,400
Servers: 50
Major PC brand: Compaq
Major server brand: Digital/Compaq
Number of locations: 1 factory, 1 corporate office, 9 regional offices
Bandwidth resources: Intranet: 10/100 Mbps Ethernet; 155 Mbps ATM. WAN: 2 Mbps Radio, 64 Kbps Radio, 20 Kbps VSAT. Internet: 128 Kbps leased line
Major applications:
IT model being used: Mixed
Background: A mechanical engineer, Uppal joined Maruti Udyog Ltd in February 1985. Since then, he has been working in the information technology division at MUL. Joining the division as an executive, he today heads it as general manager. During his stint at MUL, Uppal has been witness to the nascent wing growing in stature and reach to become what it is today. Before joining Maruti Udyog, Uppal had worked with BHEL in the public sector unit's IT department
LOOPHOLES/Corrective Steps
CR Narayanan (Alstom): Being a global organization, we
need to be connected round-the-clock with our international counterparts.
Earlier, we used to be connected to the Internet through gateways in more than
50 different countries, and this proved to be a security threat. For the past
two years, this problem has been taken care of with only three international
gateways being used for access–at Atlanta, Paris and Singapore. Access is
given to subsidiaries depending on their geographical proximity to any of these
gateways. Security mechanisms like firewall are present at the gateway itself.
We are also trying to create a business continuity or disaster recovery process.
Business operations should not be hampered and they should continue. That is our
main concern. According to our global guidelines, I am not supposed to connect
my WAN within the country to the Internet. This, of course, takes care of most
of the security problems that come from the Internet. Most security problems are
internal, from disgruntled employees. If we were able to take care of that,
Internet-related security is anyway a lesser problem. On that front, we have
tried to evolve some policies.
"Something as fast changing as security needs to be handled by an expert. We are considering the option of outsourcing security management"
CR Narayanan, manager (IT), Alstom Power
PCs: 500-550
Servers: 50
Major PC brands: IBM/HP
Major server brand: IBM
Number of locations: 10 including project locations
Bandwidth resources: Mix of SCPC and TDM/TDMA VSATs
Major applications: Lotus Notes, SAP, Oracle
IT model being used: Mix of both
Employees: 700
No. of IT employees: 13
Approximate IT budget (as a percentage of turnover): 0.8-1
Background: A BE in electronics and communication and an MBA in finance, Narayanan has been with BHEL for 16 years, with ABB for five years and with Alstom for two years
Indiabulls: We have got different access levels defined
for different data and applications and only authorized people are able to
access them. Any kind of user access is cleared only on a need-to-know basis.
Also, sites like ours, which are live all the time, can’t really afford to be
down, especially during peak market hours. With this in mind, we have created a
disaster recovery plan to prevent hardware failures. For instance, we use a
combination of servers such as Compaq and SQL–in case one machine goes down,
the other takes on the entire load.
Coca-Cola: We are going in for a centralized architecture
and I am hoping that we will grow out of many issues in the next six months with
SAP, especially in India. In order to create awareness among our people, we are
also conducting training programs and have covered 40% of our staff strength,
with the remaining to be completed by the end of the year. A good thing is that
we have a steering committee, with the senior management meeting every month to
discuss security issues. We talk about what we need to do; and though we may not
be spending millions of dollars on security right now, we do recognize that
security is a concern, especially as we are implementing large-scale enterprise
solutions.
MUL: We have built our supply chain system in such a way
that all security issues are explicitly addressed using hardware locks, data
encryption technology and other similar solutions.
NTPC: We mostly rely on the password security
mechanism for applications and users are quite conscious, particularly in
reference to financial and procurement applications. They are being made aware
with courses and interaction with vendors and know the stakes involved. While
creating a network, we evaluate and identify the business applications that need
to be totally insulated from external sources. As and when we connect to
stakeholders or suppliers or partners, we plan a separate solution. In the power
sector, there is a network created by the late minister P Kumarmangalum and all
central power units are connected to the ministry of power. But for security
reasons, we have insulated that network from our LAN. We will follow a similar
approach when we connect our suppliers–for we feel it is safer to keep the
environment more selective. We have to ensure that our business does not stop as
a result of web-enabling.
E-MAILS: How vulnerable are they?
MUL: In our organization, a copy of each outgoing
e-mail is saved in the server and two people have the authority to read any
e-mail if there is any kind of suspicion of anyone. One of our employees was
sacked because he had sent out sensitive information via e-mail.
Indiabulls: We did consider this option, but being a
start-up where most of the team has been with us right from the very beginning,
we realized that the negative impact on employee morale would far outweigh the
security benefits. If a person needs to take data out, there are ten other ways
for him to do so. We can’t frisk everyone for floppies and stuff every time
they go out. If a person is determined, you can’t really stop him by checking
e-mails or anything else.
Alstom: All the e-mails that move into and from our
systems are monitored. We have a document in place, which clearly states that
e-mail should be used for official purposes only and that anyone misusing the
facility can be removed from service. We all have a document that clearly
explains that chain e-mails, which are likely to load the server, would not be
permitted. We have automatic filters for this.
POLICY: Do you have security audits?
Indiabulls: We don’t have a formal security document
in place, but it is understood as to what employees are supposed to do and what
they are not supposed to do. We’ve also got in touch with consultants, but the
deal has not been concluded, so right now it is only internal. However, we
observed a very strange thing with the couple of consultants we met. They said
they maintain firewalls between clients, but while doing their selling they told
us about the security set-up of our competitor. So I couldn’t really trust them.
We would like to get the tools from these consultants but we would like to rely
on our internal team as we have done for all mission-critical things.
NTPC: Right now we don’t have a policy document, but
we are in touch with consultants like PwC, E&Y and KPMG to frame a policy
framework. The awareness is there right from top management to down the line and
we are trying to frame a security policy. And as we are planning to move into
e-commerce and e-procurement, digital certificates and digital signatures will
have to come into place.
Coca-Cola: We don’t have a formal security document,
but we have a disaster recovery plan. The objective of this plan is not to track
hacking from outsiders, but to determine how our own employees view security and
what they should do in terms of the number of times they log into the network,
the password length and so on. Internally, what we have done is called
information classification, which classifies every document that goes out from
each desk irrespective of what level of seniority the person is at. From our
office, nobody can even fax restricted documents.
MUL: From the usage point of view, we have a security
document approved by our MD in place, and this has been communicated to all
employees. We use the advice of consultants like Ernst & Young for auditing
compliance on a regular basis.
Alstom: Security is an issue that our organization has
always considered very important and we have global guidelines in place. But we
realize that our guidelines are not specific to any country and thus can’t
cover every possible area of intrusion. At the moment, we do not have a security
document, but we are in the process of making one. We are also considering the
option of outsourcing security management. Security is something that is fast
changing; it is not possible to be maintained by internal people.
Various types of hacking and the possibilities of leakage are
increasing and only a person solely dedicated to this task can tackle this. He
would be professionally trained, an expert at the job and aware of all kinds
of security threats–highly suited to suggest the best strategy to achieve the
requirement.
CIO Quotes
Indiabulls: One concern area is that our servers are
at VSNL, where there is no physical security. When I use my password to access
the system, there are ten other co-hosted sites that I could pull the
plug on and walk away.
There is no one to monitor me…no cameras, no
accountability, nothing!
Coca-Cola: What bothers me is the perception that
security is an IT problem. We need to grow beyond that. Security is not an IT
problem, it is a business issue.
MUL: Till the time we have a certifying authority,
cyber-laws are no good. Any business that I do on the Net is at my own risk.
NTPC: We mostly have a password security mechanism for
applications and users are quite conscious of their responsibilities,
particularly in the use of financial and procurement applications.
Alstom: How are you going to ensure that the information
being provided to any person is the right one? What if this information falls
into the wrong hands, where it can be misused and hurt your interests? That is
my biggest concern.
CIO Tips
Alstom: Most security problems are internal, stemming
from disgruntled employees. If we tackle that, Internet-related security issues
are minor in comparison.
Indiabulls: For live sites like ours, we have a
disaster recovery plan to prevent hardware failures–we have a combination of
servers and if one goes down, the other takes on the entire load.
Coca-Cola: It is imperative that senior management of
companies meet every month and thrash out security issues.
MUL: In our organization, a copy of each outgoing
e-mail is saved on the server and two people have the authority to read any mail
if there is a doubt. This practice has already led to the exposure of one
employee who was leaking information, and was sacked.
NTPC: While creating a network, we evaluate and identify the
business applications that need to be totally insulated from external sources,
thereby protecting classified information.
A Dataquest report