Getting it right – at the Nucleus of content securityRajesh Garg, Vice President and Head – Information Systems Support, Nucleus Software

Vol 1Issue 2

Supported by

Security PracticesKnowledge Circle

Contents

It’s not everyday that an organization can claim to be a door-opener in their space or chosen initiative. But Nucleus Software, featured in our lead story in this issue of Security Practices Knowledge Circle (SPKC), can safely say that of their web and data security initiative. Nucleus partnered with Websense to find the right web and data security solution, which not only helped them keep their IP and data protected even with a mobile workforce but also opened up the Internet access for business leverage. Interestingly, it also threw up a number of facets that the Nucleus ISO hadn’t tracked. But not before Websense also challenged itself to define and deliver a solution like never before. Learn more about that in this issue. Taking a cue, other organizations are eager to protect their confidential data, and also look to allow free Internet access enterprise wide but only after ensuring

Editorial

From the Team at SPKC

Getting it right – at the Nucleus of content security

Rajesh Garg, Vice Presidentand Head – InformationSystems Support, NucleusSoftware shares how hefound the answers to both, protect the company’s intellectual property and keep his global workforce happy and productive by opening upthe internet access enterprisewide.

Three must- haves to securing the social web

A whitepaper by websense describes the three must haves for securing the social

web.

Reasonable security for sensitive personal information

Parag DeodharChief Risk Officer and Vice President – Process Excellence & Program Management,Bharti AXA General Insurance Company Limited describes ‘reasonable’ security, its impact, and its implications.

3

6

7

protection from real time web-threats and malware for their employees. Which is why, our second story throws light on the types of security you should look at, as you do this. We close with an interesting piece by Parag Deodhar of Bharati AXA General Insurance Company Limited. Parag throws light on the recently formalized IT Rules 2011 by the Government of India and explores areas of security that are impacted by these rules. Data capturing, storing, transfer, and destruction all fall under the purview of these laws and this story equips you to handle these sensitive areas in your organization. As always, we continue to dig for stories that will add value to your role and enterprise. Look out for the next issue, as we announce workshops that will enlighten CIOs on security trends. Do write to us with feedback, suggestion, and initiatives that you would like us to cover.

Getting it right – at the Nucleus of content security

Taking the bull by the horns Most businesses know that opening up Internet access is soon going to be an imperative; more so as it is linked to sales and marketing, recruitment, HR practices, and attrition. Companies therefore, need to be proactive about putting in place solutions that permit easy access without affecting their security policies. Rajesh Garg nods in agreement.

But just over a year ago, the story at Nucleus Software was similar to that of many other Indian IT products and services companies. As a key player in the lending software space, Nucleus financial software solutions are used by many leading global financial institutions across the world. The enterprise is in turn, responsible for handling sensitive and confidential information customers (read loans, credit cards, and cash management solutions from some of India’s most prominent banks.) With 1600 people across the globe, the enterprise needed strong, error-proof data leakage prevention strategies. This naturally meant no Internet access through laptops and desktops until data security could be assured.

Necessity spurs inventionHowever, closed access meant lost opportunities. Specially for the enterprise’s 10 sales and marketing offices in Singapore, Mumbai, US, UK, Dubai, Netherlands, and Korea.

The enterprise initially toyed with free access through laptops, using a proxy server to monitor their use. Laptop users had access to the Internet, but they also carried some amount of source code on their machines for customizations at customer sites, making it difficult for Nucleus to track the loss of the Intellectual Property (IP). The proxy logs were hardly simple or effective, and were at least 100 MB each in size; thus hindering their sanitization. It was almost impossible to restrict access based on department, employee profile, website content, or keywords. Says Rajesh, “Access at Nucleus was of a binary nature – you either had it or you didn’t. But everyday, we would get requests for Internet access for business reasons. Sooner or later, we knew that, even if we had no way of auditing the use, we would have to open up access,” he quips. But the IT strategist was not a man to give up easily.

Belling the catBefore throwing open the doors, he decided to explore web and data security solutions. While the traditional anti-virus solutions existed and could be deployed to meet some needs, Nucleus wanted a water-tight solution to help the enterprise handle the security

CIOInsights

It’s a catch-22 situation for many CIOs and Senior IT managers, who manage security today. Opening up their Internet access seems equivalent to inviting trouble in this ever competitive world, while limiting access amounts to a restrictive, even retrograde practice, which could affect hiring, marketing, and attrition levels. How then, does one achieve the elusive balance? Rajesh Garg, Vice President and Head – Information Systems Support, Nucleus Software, smiles through such questions. For he has found the answers to keep their global workforce happy and productive with restricted Internet access while reducing the number of security breaches by almost 95%; and these too are blocked. We ask him to tell us how he made it happen.

3

4

comprehensively. Through the evaluation emerged a solution that seemed like a perfect fit: Websense. Before he knew it, Garg had commissioned a Proof of Concept (PoC). “Three months later, the enterprise had a detailed report of the security breaches and unplanned data sharing activities across the enterprise – data being posted on various sites, resumes being shared, carrying source code on the laptops, copying data to the USB, and what have you,” adds Garg who managed to get senior leadership approval in no time. “After the report came out, we got approvals to purchase the solution in few minutes!”

Bulls eye, and how!The two-part Websense solution included pre-defined rules as well as customization features to ensure IPR (Intellectual Property Rights) protection for Nucleus.

Based on 200 patterns of source code from Nucleus, Websense created a series of security patterns to be deployed at the gateway level. Further, all critical HR policies, financial documents and annual reports, and marketing collateral, were fingerprinted. This meant that the gateway would screen these documents and clear them for sharing via mail only after receiving relevant approvals.

Today, the same policies apply across the organization as well as when the users are mobile and not within the office premises. Each time the gateway blocks data and mails, a copy of it is quarantined, as well as sent to the department head for approval. Another copy is returned to the sender, while yet another one goes to the IT department. Within few minutes, an approval is sought and the document duly released, if approved.

The Nucleus of IT securityGarg’s team has a unique distinction. They leverage their internal IT expertise to service customer requirements worldwide. This has resulted in successfully mining his team’s talent into a profit center. From infrastructure support and remote management to data center hosting services to consulting services in Oracle apps, IBM Websphere, Weblogic, and even Open Source servers and Apache, Garg’s team provides a range of services to clients today. This brings on a responsibility to ensure 99.998% availability of their services at all times. Opening up the access to the Internet, further added to these complexities, as his team of 80 had to ensure the success of both initiatives.

Nucleus’s path to web & data security:

Proof of Concept

Implementing Websense content security software

Leveraging pre-defined policies

Monitored Internet access to the whole company

Sensitive data monitoring and its blocking if not meant for business purpose

Based on 200 patterns of source code from Nucleus, Websense created a series of security patterns to be deployed at the gateway level.

5

The early bird…Nucleus has been one of the early adopters of such a solution in the IT industry. We ask what has it brought them? Open – but restricted Internet access across the board, to begin with. Nucleus has also been able to free-up 35 computers that were exclusively marked as Internet browsing kiosks at their Noida development centre. The HR department has benefited largely while the marketing team now has access to the business-related social media they need. With the solution in place, Nucleus has been able to sanction the availability of certain sites, based on various internal functions.

Besides saving INR 10 lac by de-allocating computers from the Internet browsing kiosk, Nucleus now has 100% end-user Internet browsing. However, Garg is quick to add that the time people were spending on non-business sites has been restricted, thereby improving productivity and saving man-hours per employee.In terms of URL filtering, the enterprise has saved 30% of bandwidth.

Of course, the ISO had to deal with initial change management issues, but they were easily overcome. And, now, the solution “Has resulted in the non-compliant events reducing to 10-15 today, from 50-100 earlier; and these too are successfully blocked,” beams Garg. He claims that lack of acceptance of the procedure is only a mind-block in people who have not experienced it. His department, which had already been following the ISO 27001 standards for security, have now secured one of the most critical levels of control

an IT team needs on the infrastructure; and this indeed, is a much-coveted feather in their cap!

Nothing ventured, nothing gainedToday, Garg’s advice to CIOs/CISOs is unambiguious where the quest for security is concerned, “Do not hesitate to take the risk, if at all you can call it that. Even if you haven’t explored it earlier, a solution provider can help you in technology innovation only if you take the first step.”

Truly, fortune favours the brave. And with an enterprise’s data security and policies at risk, there is indeed a lot to be gained by proactively seeking smart solutions.

Websense solution implemented:Websense Web Security Gateway & Websense Data Security Suite What it gave Nucleus:l Customized design patterns for tracking and monitoring IPRsl Comprehensive and current policy templates, centralized policy and incident management, and reportingl Discovery of confidential data in local and network data repositoriesl Automated real-time enforcement options across network and discovered data repositoriesl Real-time content classificationl Real-time security scanning

6Security Files

Three must- haves to securing the social web

The social web Social networking and Web 2.0 are all the rage. With Facebook, Twitter, Bebo, YouTube, Google, Yahoo,Flickr, LinkedIn, WordPress, and more, there are over a billion socially active people today — a number thatcontinues to grow at an astounding rate. The social webhas emerged as a valuable business tool for the modern enterprise, touting rich applications with real-timeinteraction and user-generated content.

But along with its enormous popularity come significant risks. So in the race to maximize its potential, enterprises must take due care to protect the business. The following are three must-haves to securing the social web:

Acceptable use policy controlThe URL is no longer sufficient for acceptable use policy controls. Web is the content the employee sees on the page. Facebook, for example, is a social networking site, but the content on any given page within it could be entertainment, gambling, pornographic, or a security risk. So to provide acceptable use policy controls in today’s social web, you need technology that scans the content on the page (not just the URL) in real time, as the user accesses it, and can control access to discrete portions of content (not just the entire page), as well as applications (e.g., Farmville, MafiaWars) used within it. This is calledreal-time content classification and must be done at the Internet gateway for both HTTP and HTTPS protocols(since Facebook and many other sites support SSL). Only with real-time content classification can you getvisibility and control to enforce acceptable use policy in the social web.

Malware protectionAttackers are now social too, which is why we’re seeing an increase in security threats on social networking sites, both old-style attacks being reborn in the social Web medium as well as new and sophisticated threats that target vulnerabilities in the browser and gaps in antivirus solutions. The social web is built on a platform that is dynamic and script-based, and so too is the modern malware that lives within it. Like real-time content classification used for acceptable use policy control, enterprises must be able to perform real-time security scanning for malware on the social web. This includes scanning all code on the page in real time, at the Internet gateway for both HTTP and HTTPS protocols, going beyond signature and reputation-based scanning(since sites like Facebook, for example, are reputable) to decompile Flash, JavaScript, and the rest of the codeon the page, on the fly, to inspect for both legacy and modern attacks. Only with real-time security scanning can you get protection from modern malware in the social web.

Data loss prevention39 percent of malicious web attacks include data-stealing code. And one of the prime benefits of social networking is that users can share content. Of course, with all the malware out there and user’s ability to share content, comes big risk. While your first instinct may be to block all posts to Facebook, this can erode the utility of the application. What’s more, how you identify data loss is critical to stopping it. Using basic keywords and regular expression-based detection can often lead to false positives and negatives, and may lack the necessary workflow and reporting to contextually-aware controls for DLP. This approach allows you to, for example, prevent sensitive and regulated customer information from being uploaded to any social networking, personal email, or personal storage site, but lets that same data be posted to SalesForce.com, your CRM solution. With accurate data identification and contextually-aware controls (i.e. controls that tie user, data, and destination policy objects) you can safely enable use of social networking and cloud-based applications simultaneously.

Excerpts from a white paper by Websense

Reasonable security for sensitive personal information

In the information security (info-sec) realm, we generally get to hear the prefixes ‘total’, ‘comprehensive’, ‘best in class’, etc. I had never heard the prefix ‘reasonable’ (in context of security) before it was mentioned in the IT (Amendment) Act 2008. Even then, it has only come up for debate amongst the info-sec professionals.

‘Privacy’ is another term, which was very rarely used in the Indian context. True to the Indian fondness for ‘imported’ stuff, we were well-versed with laws like HIPAA, EU data protection, PCI-DSS. But we continue to lack indigenous data privacy legislation.

On 11 April 2011, the Government of India brought about a sweeping change in one stroke – the IT (reasonable security practices and procedures and sensitive personal data or information) Rules 2011. This, in my view has changed the rules of the game. But what does it mean for Indian organizations?

Sensitive personal informationTo begin with, organizations will need to understand what constitutes personal sensitive information, analyze the information being collected at various points from their prospective/current customers, partners, and suppliers. It may be at the point of acquiring the customer or when doing a promotional event

7Author Speak

Parag Deodhar isChief Risk Officer and Vice President – Process Excellence & Program Management,Bharti AXA General Insurance Company Limited.

(outsourced to a marketing company), or a contest on the website. As per the rules, password also constitutes sensitive personal information. So, if you require a customer or partner to create an account on your website with user id and password, you are required to comply with these rules, though you may not be taking any other personal information like financial details, debit/credit card/bank account numbers or health information, etc.

Privacy policyAll organizations in India, collecting, storing or transfering sensitive personal information will need to put in place a privacy policy and make it available publicly i.e. on the company website.

Information collection and retentionThe Organizations will also need to take explicit permission from the information owner regarding purpose of usage, in writing, through a letter, fax or email. This could turn out to be a very challenging process. While organizations that get forms filled for account opening, proposal forms, etc. could include the consent in the form itself, it would be difficult to implement where forms are filled/information is collected online e.g. online insurance policy issuance, hotel booking, visa applications, etc. The rules do not make it clear whether ticking the ‘I Accept’ box on terms and conditions on the website will be good enough. If organizations choose to take this consent over email, will this electronic record held valid only if digitally signed in accordance with the IT Act?

Organizations will be required to educate the information owner on the purpose, intended recipients as well as agency, which will retain the information. This means, if you have outsourced any of your data processing activities, you will need to disclose the names of your outsourced partners who will use this personal information at the time of collection.

Organizations are also required to allow the information owners to review the information stored and correct it if any discrepancies are found. This will probably require an addition to the customer service window. A grievance officer will need to be appointed and details published on the website.

The information owner can also withdraw this consent (in writing of course) and the personal information will need to be taken off from the records. In such cases, the organization reserves the right to stop providing the service to the information owner. I wonder if organizations will still need to keep the information in their record, if required by law for a particular period. Seems to be a contradiction and will need some clarification.

Data transferIf organizations want to transfer the sensitive personal information to any other organization, e.g. outsourced data processing unit, call center, data center, then they need to ensure that such third parties should also have same levels of security as maintained by the organization. It will be imperative for organizations to mandate the level of security and also ensure that the standards are met by the partners through regular audits.

Data destructionOrganizations should not store data for a period longer than is required for providing the product/services unless required by law. Organizations will need to implement secure data deletion processes for all data including backups store on tapes, offsite locations, DR sites, not to forget the Cloud. They will also need to ensure that data is deleted securely from outsourced partners and their DR sites also.

Reasonable security Organizations are required to document and implement reasonable security practices and processes covering managerial, technical, operational, and physical security measures, commensurate with the information to be protected. The rules also recommend ISO 27001 as a standard, which covers all these requirements. In case the organizations prefer to follow their own security measures, they need to get their measures approved by the Central Government.

Privacy policy should include:lOur commitment to privacylThe information we collectlHow and where do we use, store, share this informationlOur commitment to data security lHow to access or correct your information lHow to contact uslGrievance redressal

8

Organizations will also be required to get security measures audited anually by an independent auditor approved by the Central Government. In the event of an information security breach, organizations must demonstrate that they had implemented reasonable security processes.

Checker-board Looking at the history of information security breaches in India, both published and unpublished, data privacy rules are definitely required. However, in my opinion these rules should be practical and ‘reasonable’ to implement. In their current form, some of these rules pose multiple challenges in implementation in true spirit. Again, what constitutes ‘reasonable’ security will remain matter of interpretation and I suspect would be an area of major debates in the coming days.

Tapan Garg Founder and CEO World CIO Council and CIO Association of India E: tapan@cioindia.org | W: www.cioindia.org

Supported by