“It Is A People-Process Failure!”
By: Sahil Mane | Sep 04, 2007
In light of the recent DRDO/NDA security debacle, Amuleek Bijral, country manager, RSA speaks to Biztech2.0 about the status of information security and incident response management amongst Indian governmental organisations.

In this current scenario of heightened security, in the post 9/11 era, what implications does such an event have?

I want to highlight that information security is a very critical aspect of an overall information infrastructure. If somebody were to get access to critical information via the online route and use that information to access critical data, it could have physical implications from an infrastructure standpoint. Therefore it is absolutely critical to ensure that the online information infrastructure and the critical information that resides within the government’s IT setup is totally secure.

How safe is citizens’ private data?

One really has to look at the specific systems where citizen data resides. The important thing when one is talking about data security is that you need to be aware of a very clear-cut strategy for protecting public or citizens’ information. This strategy can have multiple aspects.

In light of the recent DRDO/NDA hacking, Identity Access Management is very important: firstly, ensuring that critical data is accessed by only the person who is meant to access that data, and secondly, also ensuring that the channel through which the data is being accessed is secure.

What I’m essentially implying is that the password approach of accessing critical information needs to be further strengthened. One cannot rely on static passwords to access information; instead organisations need to have a layered approach.

One of the recommendations that most enterprises and certain governmental departments are adopting is two-factor authentication. While this solution is specific to the incident where passwords were hacked, information security has multiple aspects to it. It needs to be a strategic decision or a process driven mandate and then you can subsequently apply the right technology to enforce this policy.

What does this breach say about security levels amongst government agencies in India?

I don’t think it’s fair to make a sweeping statement. Through RSA’s experience with dealing with Indian governmental departments, we have seen that some of them have a very sophisticated approach to protecting information. I want to highlight that the level of awareness within government and public sector concerns needs to improve by leaps and bounds.

The whole process of information security evangelism needs a rethink. In my experience across several sectors including the private sector, security is predominantly seen to be a perimeter level decision in the infrastructure. Even where layered security is concerned, most implementations have a perimeter approach. The general idea is that if layers of security surround sensitive information, the content is secure. I do not think that this is the right approach especially in light of this recent episode.

Security must be viewed from an information-centric standpoint. If you take the example of a governmental department with 300-plus employees and offices across the country, which has people from outside and inside the organisation who have access to sensitive data, what are the measures to be taken to ensure that the data is accessed by authorised personnel only?

This is a different paradigm from the concept of layered security vis-à-vis perimeter security. This involves securing data that resides within the organisation, encrypting critical databases, encrypting file systems, bringing internal access systems that are more refined than static, password driven approaches. This again ties in to the two-factor approach that I spoke about earlier and extending that to a three or more factor approach for very critical data.

When you talk about security you are not only talking about firewalls or routers or the perimeter of your organisation, but overall, in-depth views of an organisation's security activity are absolutely essential.

Two days after the disclosure was made, more than 20% of the passwords on the list were still valid. What does this say about the incident response management capabilities of the Indian government?

If this is true, then before technology, it is a people-process failure. When such a breach occurs, and there has been no action taken for over two days, more than technology, this alludes to the total lack of processes to deal with such a situation.

Any security measure, physical or digital, to information related security needs a well defined and clearly laid out security process or policy. Ultimately you are dealing with people, who use systems and IT as a tool. But if those people are not geared to handle such a scenario, no existing process or policy can come into play and be of help to you.
Copyright © 2006, Biztech2.com India - A Network18 Venture