Barun Roy, CIO, Magma Shrachi Finance, in conversation with Biztech2.0, discusses the steps he has taken to maximise Magma’s security and elaborates on the emerging role of a CISO/CSO in the Indian enterprise.

Can you outline the IT Infrastructure at Magma Shrachi Finance Ltd.?

At Magma Shrachi Finance, we have centralised systems that consist of Itanium based servers, SAN storage boxes and dual processors with a number of scalable servers. We follow a 3-Tier architecture that consists of the database as the bottom layer, the application servers, which are horizontally scalable as the next layer and the front-end web client as the topmost layer.

Along with this, we have centralised document management systems. The proposals that are received are scanned and stored at a centralised location and we can access these documents from any given location.

We also have an intranet that is an IP based MPLS network from VSNL, with re-routing done through a centralised internet gateway. The other branches connect through the Internet and get their information through web-based solutions, so that they do not have direct access to the database.

We have a separate DR site, which is under implementation, with only the hardware needing to be physically moved into location.

How do you manage security at Magma Shrachi Finance?

In the financial vertical, security of operational data is a must. With the advent of the Internet, the number of vulnerabilities has increased tremendously. The security problem is two fold, the first aspect being external security.

At Magma Shrachi Finance, we have enterprise wide Trend Micro anti virus solutions available at the gateway level as well as the server and desktop level. This enables any infection to be quarantined straightaway and remote damage clean up to be done.

We have also put the database in a separate VLAN, so that the only access is through programmes in the production environment, that is, in the application servers. Thus, even if someone is smart enough to write malicious code, the rogue programme will not be able to access the database.

The second threat avenue is from the in-house staff. Once employees acquire IT expertise or user experience, they start experimenting and eventually are successful in finding a number of loopholes to break into the system or circumventing the policies that the organisation would like to enforce through the system.

To counter this threat, we have deployed domain servers, which are used to enforce enterprise-wide policies.

What is your opinion on the role of a CISO/CSO in the Indian enterprise?

Apart from the banking sector where having a CISO is an RBI mandate, in my opinion, the role of a CISO is being promoted mainly by consultants. In reality, I’m not sure whether this role will find acceptance within Indian enterprises. It’s probably a little too premature in our country.

The second problem lies in the lack of talent. With the scope of security being vast and the technologies manifold, a CISO has to be really knowledgeable or else he will not be able to fulfill that role. I do not think that such manpower will be easily available.

Another aspect is that duly qualified personnel might not be interested in the role. Anybody identified for such a position may find the task a little tiresome. The job is rather restricting, in the sense that the CISO will need full management backing in terms of security investment, which, in this country is lacking.