Event
Securing the BFSI sector
Aladdin Knowledge Systems and Information Security conducted
an event to examine the issues and challenges faced by the BFSI sector

Yanki Margalit, CEO, Aladdin, talked about security trends
Aladdin's event was attended by IT heads from the BFSI
segment, and issues such as phishing, endpoint security, sustaining competence,
identity, data security and implementation problems were discussed. Certain
solutions and security trends were also highlighted.
Security priorities
Listing the top three security priorities, Sunil Dhaka, Head
Information Security Group, ICICI Bank, said that the information security risk
priorities are dynamic and change based on the environment. The three information
security risks that ICICI Bank faces are phishing, endpoint security and sustaining
competence in light of attrition levels. Phishing is a significant threat as
it impacts customers. Through social engineering, lack of customer awareness
is exploited. Information Security in organizations has matured beyond firewalls
and there are various state-of-the-art security solutions available to secure
the perimeter. However, emerging strategies focus on endpoint security.
He added, "When we talk about information security, technology, processes
and people are the three aspects that come into play and with respect to people,
competence is an essential aspect contributing to the strength of the chain
link."
"Our main concern is phishing. We are facing problems involving malware
and have implemented a PKI-based process and are looking at identity management,"
said Vivek Dharia, CIO, KNP Securities.
Sona Saha Das, Head-IT at TSR Darashaw, believes that data security is crucial.
She added, "We receive data from the shareholder, whom you do not know,
and the challenge that we face is how do you go about securing this data. People
feel that the corporations should address all these problems, which is difficult.
We are digitally signing documents but the problem is one of social engineering."
Manoj Chandiramani, Senior VP, Head IT and OPs, MF Global said that it
is critical to look at how well the business can be run.
The importance of security frameworks
Information Security is an enabler of business. Margalit said that these are
the most common challenges and issues that every CIO faces and suggested
a security framework that starts at the sub-device level, from PDAs to desktops,
network, gateway, devices, USB drives, hard copies et al. This framework will
look at data security at all levels including the Internet.
He added, "Security has always been a people issue. Education alone cannot
work. People look at security as building fences but it is about connecting
devices in a secure way. The problem is that organizations are looking at securing
only a particular device and not at building a security framework which would
lead to securing all the devices."
V Babu, Head Shared ATM network (Cash Tree and Banks), eFunds said, "People
are the creators and destroyers of technology." According to him, implementation
is also an issue. People should be aware of technology and hence educating them
is essential.
Yanki Margalit, CEO of Aladdin, talked about what
was happening in the world of security solutions.
- Identity-based security
- OTP-based certification will be moved to digital certification
- Protection against unknown threats
- Moving from disparate to unified solutions
- Look at the security framework and not just firewalls or desktops
- CIOs would justify RoI on business and not technology cost
Dhaka believes that the information security threat environment will always
be dynamic and that it is essential to have a robust security framework. He
said, "We look at security through the triple D principle: security
through Design, during Development and in Deployment. Our information security
framework is built around three broad functional areas: security architecture
with a holistic view, security operations for our day-to-day requirements and
risk management. This framework provides for end-to-end security."
He added, "Metrics are important to measure the performance of an organization's
security program. It is essential that metrics measure the effectiveness of
controls."
- The company is looking at making several investments in India.
- It plans to set up a core R&D center either in Pune or Mumbai.
- It will address the SMB sector in India.
Smart cards: a reliable option
The use of smart cards does not require user names or passwords, which people
tend to forget, and hence smart cards are a relatively reliable solution. Aladdin
believes a time will come when passwords will die.
Margalit added, "We started with usernames and passwords and then biometrics
came into existence and now a time will come where identity will not rely on
these mechanisms. Identity will rely on certified smart cards. The BFSI sector
requires signature authentication and certificate-based smart cards will be
beneficial for them."
Chandiramani wanted to know how secure digitally signed documents are vis-a-vis
physically signed ones.
Margalit said, "There is no foolproof solution but we do our best. There
are many cases where even physically signed documents are not secure. India
is the country that does not allow digital signatures but the government is
looking at it. In the next 20 years we will have electronic identities."
Babu agrees that smart cards are the best solution available today.
According to Dhaka, when considering a security solution, he would like to invest
in something which is future proof. He asked, "Every certificate has a
cost attached to it and we have millions of customers. If the certificate-carrying
USB device is lost or malfunctions when the customer is traveling, then how
do we ensure business continuity?"
Margalit said, "We can offer you several solutions. For instance we switched
the [high net worth] customers of a bank to smartcards and in many cases even
the employees are using smartcards."
Is compliance an issue?
According to Chandiramani, people waste time finding out whether their systems
are compliant.
Dhaka added, "Compliance is not negotiable. Why should we remain in catch
up mode with compliance? Why can we not be one step ahead and have an assurance
program that gives us the confidence of being in a constant state of compliance?
I think we need to contribute more actively in the development of compliance
standards along with the regulators."