
CIO Panel Discussion: Enterprise Security

DQI Bureau

Creating and managing a secure organization is fast becoming a nightmare for enterprises. Increasing levels of automation and e-enablement have enhanced vulnerability to security breaches. It is not just infrastructure that needs attention; corporates also need to tackle internal threats and human errors, which constitute over half of security breaches. Employees need to be sensitized to the issue and proper security policies put in place. How far are enterprises prepared to meet this challenge? Are they conscious of the risks they face? Are employees told what they can and cannot do with their computers, in keeping with the company security document? Come to that, does the company have a security document?


At the second DATAQUEST CIO Panel Discussion in New Delhi, CIOs from five leading enterprises in varying fields of business (power, manufacturing, dot-com, banking and finance) were invited to thrash out these issues. The participants (from left): Aseem Agrawal (Indiabulls.com), CR Narayanan (Alstom Power), Prasanto K Roy (chief editor, Dataquest Group), Rajesh Uppal (Maruti Udyog), SD Tyagi (National Thermal Power Corporation) and Venkatesh Mahadevan (Coca-Cola India). Also present were industry representatives from companies like Cisco Systems, Microsoft, Hewlett-Packard and NIIT, interacting with the panelists and outlining problems and practices in their organizations. The conclusion: the panelists agreed that security was not an IT problem, but a business issue. Interestingly, everyone also agreed that Indian businesses were not taking the issue as seriously as they should. Excerpts:

Security: How important is it?

Aseem Agrawal (Indiabulls.com): Security is critical for us. We are in an area where user data and privacy cannot be compromised at all. If that happens, not only will we lose customer confidence, but our very license to practice may be cancelled. We have defined our access mechanism, but only a very select group, people in whom we have a high degree of trust, knows the codes. If there were to be malicious intent on the part of those people, there is little we would be able to do. One concern area is VSNL, where our servers are located, because it has no physical security at all. When I use my password access there, there are ten other sites that are co-hosted. If I don't like the next guy or his site, I can just pull out the plug. There is absolutely no one to monitor me...there are no cameras, no accountability, absolutely nothing! The other ten guys can do the same to me and my site.

"We have different access levels for data and applications and only authorized people can access these on a need-to-know basis"

Aseem Agrawal, executive V-P, Indiabulls.com

PCs: 50
Servers: 6
Major PC brand: Assembled
Major server brand: Compaq
Number of locations: 15
Bandwidth: Hosting bandwidth at datacenters amounts to 100 GB data transfer per month. Internet bandwidth is 128 Kbps
Major applications:
  • Internet trading application on NSE (CTCL)
  • Financial portal (Website)
IT model being used: In-house/outsourced: Both
Employees: 135
IT employees: 15

Background: A BTech in electrical engineering from IIT Delhi and an MBA with honours from IIM Calcutta, Agrawal worked with Growth Clients Group of ICICI from 1998 to 2000. He joined Indiabulls in February 2000, when the company started out

Money transfer is another problem area for us, where money could be diverted from one account to another. An interesting problem we faced last year was in the stock game we host. It is played for live prizes and we had a nominal weekly prize of Rs 10,000. Just to get that prize, some people hacked into our system and kept winning. We discovered an application level error only later, and plugged it at once, but it is worrying.

SD Tyagi (NTPC): We are concerned on three fronts. One is our commercial and operating performance, because it is closely linked to the regulatory mechanism and availability-based tariff. Any data related to these is sensitive and the stakes involved run into thousands of crores. One decimal wrong and there's chaos. I won't say hacking is our problem, but leaking of data by employees to competitors is a big concern. A second cause for worry is contracts: we have large contracts that involve huge amounts of money. A typical boiler or turbine contract runs into crores of rupees spread over two or three years. In the process, there are lots of places where pricing or rates could be tampered with. The third critical area is finance and costing. Over and above that, we have also found out that within the organization itself, there is a lot of IP number hacking. These are big challenges.

"We have insulated our LAN from external networks. The idea is to cut off any outsider from our central network"

SD Tyagi, executive director (IS), NTPC

PCs: 7,000-8,000, excluding process control
Servers: 75-80 UNIX and NT servers
Bandwidth resources: Microwave connects power plants (15 thermal plants, 7 gas power projects), 5 regional offices. Invested close to Rs 50 crore, own VSAT network.
SW applications deployed: Mix of UNIX servers. 7-8 databases. Standardized on SW apps. Recently deployed PeopleSoft, with PwC, for HR practices


V Mahadevan (Coca-Cola): Our problems relating to security are isolated. For instance, you are trying to collate figures and suddenly, you look at the receivables and it shows a very high or a very low figure from what you saw the previous evening. That is what I would classify as a human error. Or there could be a small LAN failure or hardware problem due to which the update did not happen. What's really bothering us is the perception that security is an IT problem. I think we need to grow beyond that. And that's our role as CIOs, to get the organization to buy into security. Because right from the average user to senior management levels, everyone feels security is an IT problem. The reality is that it is a business problem.

"We have a disaster recovery plan, but it is not aimed at hackers or external influences. It enables our employees to understand the security needs of the company"

V Mahadevan, director (IS), Coca-Cola India

PCs: 1,500 plus
Major PC brand: Compaq
Major server brand: Compaq
Servers: 25
Locations: 100
Bandwidth resources: Heavy investment in VSATs, now eyeing leased lines
Applications: SAP, sales and distribution, production planning
IT model being used: Partly outsourced (SA)
Employees: 3,000 plus
IT employees: 60

Rajesh Uppal (Maruti Udyog): We have a largely e-enabled supply chain system. Many critical applications are running on the network and the web, so they need high availability and security. I will take an example of an application we developed for our dealers and vendors. They need to login to my servers to get information on order placements, checking status and so on. The data flowing on the Net should be secure; nobody should be able to take out data and gain sensitive information about new model launches and sales figures. Therefore, we not only have to prevent the general public from accessing this data, but also have to maintain security among dealers.

"We use hardware locks, data encryption technology and store copies of e-mails in our server to ensure safety of sensitive information"

Rajesh Uppal, GM, information systems, Maruti Udyog Ltd

PCs: Approximately 1,400
Servers: 50
Major PC brand: Compaq
Major server brand: Digital/Compaq
Number of locations: 1 factory, 1 corporate office, 9 regional offices
Bandwidth resources: Intranet: 10/100 Mbps Ethernet; 155 Mbps ATM. WAN: 2 Mbps Radio, 64 Kbps Radio, 20 Kbps VSAT. Internet: 128 kbps leased line
Major applications:
  • Custom in-house developed ERP
  • Supply chain management
  • Demand forecasting
  • Messaging and collaboration
  • Corporate intranet
  • Dealers extranet
  • Vendors extranet
  • Data warehousing
  • Product data management
IT model being used: Mixed
Employees: 5,700
IT employees: 65
Approximate IT budget (as a percentage of the turnover): 0.2

Background: A mechanical engineer, Uppal joined Maruti Udyog Ltd in February 1985. Since then, he has been working in the information technology division at MUL. Joining the division as an executive, he today heads it as general manager. During his stint at MUL, Uppal has been witness to the nascent wing growing in stature and reach to become what it is today. Before joining Maruti Udyog, Uppal had worked with BHEL in the public sector unit's IT department

LOOPHOLES/Corrective Steps


CR Narayanan (Alstom): Being a global organization, we need to be connected round-the-clock with our international counterparts. Earlier, we used to be connected to the Internet through gateways in more than 50 different countries, and this proved to be a security threat. For the past two years, this problem has been taken care of with only three international gateways being used for access, at Atlanta, Paris and Singapore. Access is given to subsidiaries depending on their geographical proximity to any of these gateways. Security mechanisms like firewalls are present at the gateway itself. We are also trying to create a business continuity or disaster recovery process. Business operations should not be hampered and they should continue. That is our main concern. According to our global guidelines, I am not supposed to connect my WAN within the country to the Internet. This, of course, takes care of most of the security problems that come from the Internet. Most security problems are internal, from disgruntled employees. If we were able to take care of that, Internet-related security is anyway a lesser problem. On that front, we have tried to evolve some policies.

"Something as fast changing as security needs to be handled by an expert. We are considering the option of outsourcing security management"

CR Narayanan, manager (IT), Alstom Power

PCs: 500-550
Servers: 50
Major PC brands: IBM/HP
Major server brand: IBM
Number of locations: 10 including project locations
Bandwidth resources: Mix of SCPC and TDM/TDMA VSATs
Major applications: Lotus Notes, SAP, Oracle
IT model being used: Mix of both
Employees: 700
No. of IT employees: 13
Approximate IT budget (as a percentage of turnover): 0.8-1

Background: A BE in electronics and communication and an MBA in finance, Narayanan has been with BHEL for 16 years, with ABB for five years and with Alstom for two years

Indiabulls: We have got different access levels defined for different data and applications and only authorized people are able to access them. Any kind of user access is cleared only on a need-to-know basis. Also, sites like ours, which are live all the time, can't really afford to be down, especially during peak market hours. With this in mind, we have created a disaster recovery plan to prevent hardware failures. For instance, we use a combination of servers such as Compaq and SQL; in case one machine goes down, the other takes on the entire load.


Coca-Cola: We are going in for a centralized architecture and I am hoping that we will grow out of many issues in the next six months with SAP, especially in India. In order to create awareness among our people, we are also conducting training programs and have covered 40% of our staff strength, with the remaining to be completed by the end of the year. A good thing is that we have a steering committee, with the senior management meeting every month to discuss security issues. We talk about what we need to do; and though we may not be spending millions of dollars on security right now, we do recognize that security is a concern, especially as we are implementing large-scale enterprise solutions.

MUL: We have built our supply chain system in such a way that all security issues are explicitly addressed using hardware locks, data encryption technology and other similar solutions.

NTPC: We mostly rely on the password security mechanism for applications and users are quite conscious, particularly in reference to financial and procurement applications. They are being made aware with courses and interaction with vendors and know the stakes involved. While creating a network, we evaluate and identify the business applications that need to be totally insulated from external sources. As and when we connect to stakeholders or suppliers or partners, we plan a separate solution. In the power sector, there is a network created by the late minister P Kumarmangalum and all central power units are connected to the ministry of power. But for security reasons, we have insulated that network from our LAN. We will follow a similar approach when we connect our suppliers, for we feel it is safer to keep the environment more selective. We have to ensure that our business does not stop as a result of web-enabling.

E-MAILS: How vulnerable are they?

MUL: In our organization, a copy of each outgoing e-mail is saved in the server and two people have the authority to read any e-mail if there is any kind of suspicion of anyone. One of our employees was sacked because he had sent out sensitive information via e-mail.

Indiabulls: We did consider this option, but being a start-up where most of the team has been with us right from the very beginning, we realized that the negative impact on employee morale would far outweigh the security benefits. If a person needs to take data out, there are ten other ways for him to do so. We can't frisk everyone for floppies and stuff every time they go out. If a person is determined, you can't really stop him by checking e-mails or anything else.

Alstom: All the e-mails that move into and from our systems are monitored. We have a document in place, which clearly states that e-mail should be used for official purposes only and that anyone misusing the facility can be removed from service. We all have a document that clearly explains that chain e-mails, which are likely to load the server, would not be permitted. We have automatic filters for this.

POLICY: Do you have security audits?

Indiabulls: We don't have a formal security document in place, but it is understood as to what employees are supposed to do and what they are not supposed to do. We've also got in touch with consultants, but the deal has not been concluded, so right now it is only internal. However, we observed a very strange thing with the couple of consultants we met. They said they maintain firewalls between clients, but while doing their selling they told us about the security set-up of our competitor. So I couldn't really trust them. We would like to get the tools from these consultants but we would like to rely on our internal team as we have done for all mission-critical things.

NTPC: Right now we don't have a policy document, but we are in touch with consultants like PwC, E&Y and KPMG to frame a policy framework. The awareness is there right from top management to down the line and we are trying to frame a security policy. And as we are planning to move into e-commerce and e-procurement, digital certificates and digital signatures will have to come into place.

Coca-Cola: We don't have a formal security document, but we have a disaster recovery plan. The objective of this plan is not to track hacking from outsiders, but to determine how our own employees view security and what they should do in terms of the number of times they log into the network, the password length and so on. Internally, what we have done is called information classification, which classifies every document that goes out from each desk irrespective of what level of seniority the person is at. From our office, nobody can even fax restricted documents.

MUL: From the usage point of view, we have a security document approved by our MD in place, and this has been communicated to all employees. We use the advice of consultants like Ernst & Young for auditing compliance on a regular basis.

Alstom: Security is an issue that our organization has always considered very important and we have global guidelines in place. But we realize that our guidelines are not specific to any country and thus can't cover every possible area of intrusion. At the moment, we do not have a security document, but we are in the process of making one. We are also considering the option of outsourcing security management. Security is something that is fast changing; it is not possible for it to be maintained by internal people. Various types of hacking and the possibilities of leakage are increasing and only a person solely dedicated to this task can tackle this. He would be professionally trained, an expert at the job and aware of all kinds of security threats, highly suited to suggest the best strategy to achieve the requirement.

CIO Quotes

Indiabulls: One concern area is that our servers are at VSNL, where there is no physical security. When I use my password to access the system, there are ten other sites that are co-hosted and I could pull the plug on and walk away. There is no one to monitor me...no cameras, no accountability, nothing!

Coca-Cola: What bothers me is the perception that security is an IT problem. We need to grow beyond that. Security is not an IT problem, it is a business issue.

MUL: Till the time we have a certifying authority, cyber-laws are no good. Any business that I do on the Net is at my own risk.

NTPC: We mostly have a password security mechanism for applications and users are quite conscious of their responsibilities, particularly in the use of financial and procurement applications.

Alstom: How are you going to ensure that the information being provided to any person is the right one? What if this information falls into the wrong hands, where it can be misused and hurt your interests? That is my biggest concern.

CIO Tips

Alstom: Most security problems are internal, stemming from disgruntled employees. If we tackle that, Internet-related security issues are minor in comparison.

Indiabulls: For live sites like ours, we have a disaster recovery plan to prevent hardware failures. We have a combination of servers and if one goes down, the other takes on the entire load.

Coca-Cola: It is imperative that senior management of companies meet every month and thrash out security issues.

MUL: In our organization, a copy of each outgoing e-mail is saved on the server and two people have the authority to read any mail if there is a doubt. This practice has already led to the exposure of one employee who was leaking information, and was sacked.

NTPC: While creating a network, we evaluate and identify the business applications that need to be totally insulated from external sources, thereby protecting classified information.

A Dataquest report

Are your own employees a bigger threat than hackers?