"The market in India is warming to the fact that security is an important factor"
Recognising the need to provide E-Security solutions, Global Telesystems Ltd (GTL) has floated a separate company, Global E-Secure Ltd. (GESL), to cater to the need for end-to-end security solutions, addressing the security market in India and abroad. Dr. Atanu Rakshit, Chief Technology Officer, spoke with Network Magazine about the future of E-Security and its viability as a business in the Indian context.
"The top-level management has to be part of the security policy exercise and also endorse the final policy document"

"We are developing our own software, which will digitally verify each transaction using proprietary digital key generation algorithms, and authenticate using these keys"
Network and Security Audit is one solution from your company, but given the fact that hackers are becoming more intelligent each day and are able to break into all kinds of systems, how do you ensure that your security audit has time validity?
Any hacker breaks in through specific areas, which are entry points to the resource being targeted. We follow patterns and trends here. If you look at hacker patterns, what comes out from the mindset is not to attack products, but to exploit weaknesses in the protocols used during the execution of the product. These protocols are the basis on which services run and form the basic entry points into the product. What we do within our audits is to look for these entry points in the targeted resource. Once these entry points are effectively barricaded, entry becomes that much more difficult and more time consuming, and that means more varied probes are tried, which are easier for an organization to track down. These basic initiatives make our audits time independent; the independence would vary from client to client and depend on how fast they use our reports to secure the systems, but we are able to predict at least a decent timeframe within which my clients would remain secure.

An acknowledged fact is that hackers are becoming more intelligent day by day, but then an acknowledged fact also is that protectors are becoming intelligent too. Also, we have our own teams which indulge in ethical hacking to exploit unknown vulnerabilities in existing software and products, which is where we suggest to clients the additional protection that they need to keep.
What factors need to be considered while doing security policy review and design?
There are a lot of factors which come into play for Security Policy design. All of them need to be considered. However, there are some important ones, which are the first and foremost. They are:

- The top-level management has to be part of this exercise and also endorse the final policy document.
- The organization needs to identify all its services/business deliverables.
- The organization needs to define its Acceptable Risk Levels. These are the threshold values, which are the bare minimum for any organization to work on.
In the mobile world new initiatives like MeT are being unveiled in order to provide a platform for secure mobile transactions. What are your thoughts on this?
The mobile delivery bandwidth is too low to get into everything at this stage. We do have a group working on this, but MeT is still on paper for some time till we have 3G networks rolled out. It is good that such initiatives are being talked about, but we would wait for some time before getting into this.
Security is a hot area in technology. How is Global E-Secure planning to gain a share of this lucrative market, and what kinds of solutions have a market in India?
The market in India is slowly maturing and warming towards the fact that security is an important factor and needs to be considered. This is thanks to the fact that a number of sites in India and Indian sites hosted abroad have been vandalized. However, there are a lot of organizations out there who till date have a CUN (Closed User Network) and are not connected to the public network in any way. Global E-Secure is right now auditing some of the ISPs and IDCs. This is necessary for the CUNs to come out and outsource their bandwidth and infrastructure requirements with ISP/IDC.

The kind of solutions we offer are three-fold:

Consulting Services: Security Audit, Policy design, Ethical Hacking, which are the advisory roles we perform for the client. These help them to identify what is essential to be done and what is not.

Implementation Services: Network redesigns, Configuring and Hardening Equipment, and also supporting them so that any hack attempts can be repelled very easily.

Application Integration: Integrating / Interfacing security product/technology with the user's application to provide a secure solution.
What in your opinion would be the right kind of approach to selecting an enterprise level PKI? What kind of consulting services would you be providing in this field?
To select an enterprise level PKI, you would always need to assess your existing business and technology first. PKI is the means to manage business with the help of technology, and it allows you to enhance business and build more trust in the business than before. For this, we always offer our PKI consulting services first, which do a business-level overview and also a pilot implementation so that the organization is prepared and understands what lies ahead.
Peer 2 Peer computing products are able to pass firewalls by using a technique called HTTP tunneling (Simple Symmetric Transfer Protocol over TCP/IP). How do you intend to solve this issue, especially since your company is looking at providing firewall based security solutions?
Yes, we do offer firewall based security solutions, but as you rightly said, they are firewall based, not firewall centric. Our solutions comprise a whole gamut, and we take pride in the fact that our solutions harden the existing assets first. The kind of tunneling attacks you refer to are commonplace with misconfigured systems, but not with Web servers which are properly configured. Also, we are developing our own software, which will digitally verify each transaction using proprietary digital key generation algorithms, and authenticate using these keys. This is being worked on in our software factory at present. This is a proactive approach on our side, and this is the outcome of our research labs, and would also answer your question (1), which wants us to stay ahead of the hacker.
Enterprises now expect the Internet to deliver on the promises made by EDI service providers 10 years ago: complete integration between enterprises to remove the need for paper documents. Do you think XML signatures along with PKI represent a major technical opportunity in this context?
Document Management Systems still have some way to go worldwide. Also, XML is still maturing. It is too early to say for us, but we feel this is definitely a great technical opportunity. As of now, we are concentrating on keeping hackers at bay over the network. But we will be ready for them by the time they reach the EDI system.
Firewalls alone are no longer sufficient protection, because they're static devices that enforce a particular rule set. One must use additional tools for complete protection, especially for Windows NT and the TCP/IP protocol. As a CTO, what would be your approach to this issue?
Finally everything boils down to dos and don'ts for a user. We could have the most sophisticated tools in place, and they could be turned off or configurations changed which render them meaningless and useless. What we do is always to train people and make them aware of the toys they are playing with and also what could happen if their actions are mistaken. Our approach always is to analyze, deploy, and then train. We do ensure the tools are in place to protect the system, but then we also ensure that the people using the tools are adequately trained to use them and also have some expertise.
A truly flexible Internet payment gateway must support multiple payment instruments, connect to all relevant back office payment processors, and be packaged for easy integration into front office Web applications. Ideally, the gateway should also offer uniform interfaces to payment functionality, permitting users to deploy payment applications that can be easily switched between alternative financial instruments, institutions, and payment processors. Does your payment gateway conform to this feature set?
As you have rightly mentioned, a payment gateway must support various payment modes, instruments and backend integration with various payment applications to be truly effective. The Global Payment Gateway provided by Global Telesystems Limited (GTL) supports:

a. Web Shopping, Electronic Bill Presentation and Payment (telco, Insurance, Power sectors), Financial Services Portals.
b. Business to Business Segments such as Supply Chain Relationship or Sales-Distributor Relationship Businesses, etc. (Pilot project undertaken for HLL and Telco).
c. Interactive mobile payment options over WAP.
d. Various kinds of debit and credit cards at POS terminals.
e. Electronic Wallets, etc.
Apart from the payment services, are you looking at providing value added services like functionality for fraud detection and risk management, multi-currency support, etc.?
Some functionality for the various value added services such as fraud detection, risk management, etc. is already built into the Payment Gateway. Also, we provide consulting and professional services in the areas of risk management and fraud detection. We have appointed PricewaterhouseCoopers (PwC) for audit purposes.
The author is with Plexus Technologies. Write to him at bhavishsood@netscape.net