Telcos are handling a mountain of consumer data, and safeguarding it requires a host of cutting-edge IT solutions.
As the telecom services industry makes a quantum jump from being a purely voice-oriented sector to an essentially data-based revenue model, it has to gear up to face a large number of risks and a possible escalation in fraud cases. The security policy and framework in this industry need to undergo a seminal change. Given that there are 742.12 million telecom subscribers in the country, there is no dearth of challenges facing the telecom segment. The task of handling the data of so many consumers is by itself exceedingly complex.
The telecom providers are bound by the IT Amendment Act, which lays down a clear mandate for ensuring the privacy of customer information; a breach calls for a penalty of up to Rs 5 crore. In such a scenario, the security challenges for the service providers are bound to escalate. The service providers cannot do without being on their toes while deploying the most stringent policy measures.
Priority area amidst challenges
The CISOs have built their security priorities around managing the risk of third-party and outsourcing activities. They must also endeavour to have comprehensive data security and the ability to manage third-party-related vulnerabilities, and they should be able to meet internal and external compliance requirements, such as UASL license conditions and the IT Act and Rules. The whole idea is to ensure the safety of customer information, while also ensuring that the information keeps flowing seamlessly through designated channels.
The challenge for Shirish Dandekar, Head-IT, Tata Teleservices Ltd., has been the increasing risk from outsourcing activities, given that the entire IT is outsourced to a third party. There exists the risk of data loss due to vulnerabilities that open up new routes, and this might result in damage to the organisation's reputation. Such a scenario gives sleepless nights to Dandekar even as he works on new solutions.
Enhancing organizational security culture and awareness has been the top challenge for Felix Mohan, Sr. VP & CISO, Bharti Airtel Ltd. Mohan must grapple with issues such as the growing consumerisation of IT, an increased user base in the organization, and the risks arising out of the increasing trend towards virtualisation and cloud computing. He must devise solutions to detect and neutralise threats as soon as they emerge.
Solutions that can help
As Airtel migrates from a voice-based revenue model to a data-based one, Mohan has opted for a host of advanced security solutions, which address all kinds of challenges. "We operate in 13 circles in the country and have 29 certifications, and are the largest to implement ISO27001 globally, and we carry out periodic stringent audits by BSI to make an assessment of the security framework," says Mohan.
The key implementation for Airtel has been the adoption of BS-25999 certification across 7 circles. Now the company is in the process of extending this certification to other circles, besides implementing enterprise-wide LAN zoning. Mohan opines that it does not make sense to repose too much trust in a mediocre solution. He has framed strict SLAs with IBM. He also carries out on-site security reviews of partners and compels partners to obtain Type I and Type II SAS 70 certifications.
The service provider has ensured end-user security through the implementation of comprehensive IAM, including single sign-on, network access control (NAC), IPSec, VPN, two-factor authentication, endpoint security and DLP at gateway and endpoints. Airtel drives regular security awareness and training as an ongoing initiative to ensure end-user security.
Tata Teleservices' prime task was to set up a security operations centre (SOC) to achieve the return on its security investment, which runs into a few crores. Dandekar has implemented a multi-factor authentication solution to control fraudulent activities, and segregation of duties within applications by integrating an identity management solution with SAP-GRC.
Dandekar faced the increasing complexity of IT infrastructure, multiple threat vectors and the demand for a uniform, single view. Concerns around improper implementation of access controls, with users granted conflicting and overlapping privileges that result in fraudulent activities causing financial and reputational loss, prompted him to go in for certain risk evaluation tools as well.
Another problem area for Tata Teleservices was its diverse user base, comprising employees, business partners and government agencies connected via different networks including PDSN, broadband and intranet. Dandekar zeroed in on deploying SIEM tools from RSA, VPN-based multi-factor authentication technology, and identity management and governance, risk and compliance from Sun and SAP-GRC.
To implement the above solutions, Dandekar had the challenge of integrating a complex and heterogeneous network with the SIEM solution and customizing it as per TTL's requirements. Ensuring the stability of the product was important; besides, the non-availability of details in applications, such as role descriptions and user details, and the technical challenges of integrating non-SAP applications with SAP-GRC solutions could not be ruled out.
Amidst resistance from business users during the initial stages and the pressure of adhering to deadlines, Dandekar and team saw the benefits. "I could see better information security incident management with zero or less business disruption improving user satisfaction," admits Dandekar and adds, "Secured access to IT users, reducing fraudulent activities and saving significant cost by leveraging existing IT investment and technology with reduced time and resources."
The CISOs have been making significant investments in new technology deployments and standards to streamline the policy framework. According to Dandekar, the company spends about 5 to 10% of the IT budget on security deployments.
Airtel's Mohan opines that on average about Rs 60 lakhs is required for certifications, and it is a recurring cost. "For instance, the BSI standard audit cost per day would be about Rs 20,000 just to look at peripheral applications, and one can assess the total cost of audits or assessments," informs Mohan.
However, the security heads are encouraged by the growth of telecom services in the Indian market, which IDC has estimated to be around $57 billion in 2012. To ensure that the customer data is well protected, Dandekar has signed a master agreement with the company's outsourced partner TCS, with proper background verification carried out and regular perimeter assessment checks done at the service provider's onsite facility.
What's in store
The Rs 67,000 crore TTL has just gone in for the ISO27001 certification standard and will be extending it to other business streams to develop a security policy framework. Mohan observes the trend of integrating DLP, DRM and content management solutions with endpoint security and encryption. Virtualised computing is becoming ubiquitous, and this renders traditional security solutions blind to risks that exist at the hypervisor and virtual machine layers. "Cloud security solutions based on robust IAM and encryption technologies are emerging," confirms Mohan. Airtel plans to deploy DRM, mobile security, database IPS, enterprise encryption and data masking tools in future to bridge the security gaps.