> Inperso > Full Story
market in India is warming to the fact that security is
an important factor"
the need to provide E-Security solutions , Global Telesystems
Ltd (GTL) has floated a separate company, Global E-Secure
Ltd. (GESL) to cater to needs of end-to-end security solutions,
addressing the security market in India and abroad. Dr.
Atanu Rakshit Chief Technology Officer, spoke with Network
Magazine about the future of E-Security and its viability
as a business in the Indian context
top-level management has to be part of the security policy
exercise and also endorse the final policy document”
are developing our own software, which will digitally verify
each transaction using proprietary digital key generation
algorithms, and authenticate using these keys”
and Security Audit is one solution from your company,
but given the fact that hackers are becoming more intelligent
each day and are able to break into all kinds of systems,
how do you ensure that your security audit has time validity?
hacker breaks in through specific areas, which are entry
points to the resource being targeted. We follow patterns
and trends here. If you look at hacker patterns, what comes
out from the mindset is not to attack products, but exploit
weaknesses in the protocols used during the execution of
the product. These protocols are the basis on which services
run and form the basic entry points into the product.
What we do within our audits is to look for these entry
points in the targeted resource. Once these entry points
are effectively barricaded, entry becomes that much more
difficult and more time consuming, and that means more varied
probes are tried which are easier to track down for an organization.
These basic initiatives make our audits time independent,
the independence would vary from client to client and depend
on how fast they use our reports to secure the systems,
but we are able to predict at least a decent timeframe within
which my clients would remain secure.
An acknowledged fact is that hackers are becoming more intelligent
day by day, but then an acknowledged fact also is that protectors
are becoming intelligent too. Also, we have our own teams
which indulge in ethical hacking to exploit unknown vulnerabilities
in existing software and products, which is where we do
suggest to clients more protection that they need to keep.
What factors need to be considered while doing security
policy review and design?
are a lot of factors, which come into play for Security
Policy design. All of them need to be considered. However,
there are some important ones, which are the first and foremost.
The top-level management has to be part of this exercise
and also endorse the final policy document.
The organization needs to identify all its services/business
The organization needs to define its Acceptable Risk
Levels. These are the threshold values, which are the
bare minimum for any organization to work on.
In the mobile world new initiatives like MeT are being
unveiled in order to provide a platform for secure mobile
are your thoughts on this?
The mobile delivery bandwidth is too low to get into everything
at this stage. We do have a group working on this but MeT
is still on paper for some time till we have 3G networks
rolled out. It is good that such initiatives are being talked
about, but we would wait for some time before getting into
Security is a hot area in technology. How is global E-secure
planning to gain a share of this lucrative market and what
kinds of solutions have a market in India?
The market in India is slowly maturing and warming towards
the fact that security is an important factor and needs
to be considered. This is thanks to the fact that a number
of sites in India and Indian sites hosted abroad have been
vandalized. However, there are a lot of organizations out
there, who till date have a CUN (Closed User Network) and
are not connected to the public network in any way. Global
E-Secure is right now auditing some of the ISPs and IDCs.
This is necessary for the CUNs to come out and outsource
their bandwidth and infrastructure requirements with ISP/IDC.
The kind of solutions we offer are three-fold:
Consulting Services: Security Audit, Policy design,
Ethical Hacking which are the advisory roles we perform
for the client. These help them to identify what is essential
to be done and what not.
Implementation Services: Network redesigns, Configuring
and Hardening Equipments, also supporting them through
so that any hack attempts can be repelled very easily.
Integrating / Interfacing security product/technology with
user's application to provide secure solution.
What in your opinion would be the right kind of approach
to selecting an enterprise level PKI? What kind of consulting
services would you be providing in this field?
To select an enterprise level PKI, you would always need
to assess your existing business and technology first. PKI
is the means to manage business with the help of technology,
and it allows you to enhance business and build more trust
in the business than before. For this, we always offer our
PKI consulting services first, which does a business level
overview and also does a pilot
implementation so that the organization is prepared and
under stands what lies ahead.
2 Peer computing products are able to pass firewalls by
using a technique called HTTP tunneling (Simple Symmetric
Transfer Protocol over TCP/IP). How do you intend to solve
this issue especially since your company is looking at providing
firewall based security solutions.
Yes, we do offer firewall based security solutions, but
as you rightly said, they are firewall based, not firewall
centric. Our solutions comprise a whole gamut, and we take
pride in the fact that our solutions harden the existing
assets first. The kind of tunneling attacks you refer to
are commonplace with misconfigured systems, but not withWeb
servers, which are properly configured. Also, we are developing
our own software, which will digitally verify each transaction
using proprietary digital key generation algorithms, and
authenticate using these keys. This is being worked on in
our software factory at present. This is a proactive approach
on our side, and this is the outcome of our research labs,
and would also answer your question (1), which wants us
to stay ahead of the hacker.
Enterprises now expect the Internet to deliver on the
promises made by EDI service providers 10 years ago - complete
integration between enterprises to remove the need for paper
documents. Do you think XML signatures along with PKI represent
a major technical opportunity in this context?
Document Management Systems still have some way to go worldwide.
Also, XML is still maturing. It is too early to say for
us, but we feel this is definitely a great technical opportunity.
As of now, we are concentrating on keeping hackers at bay
over the network. But we will be ready for them by the time
they reach EDI system.
Firewalls alone are no longer sufficient protection,
because they' re static devices that enforce a particular
rule set. One must use additional tools for complete protection,
especially for Windows NT and the TCP/IP protocol. As a
CTO what would be your approach to this issue?
Finally everything boils down to dos and don'ts for a user.
We could have the most sophisticated tools in place, and
they could be turned off or configurations changed which
render them meaningless
and useless. What we do is always to train people
and make them aware of the toys they are playing with and
also what could happen if their actions are mistaken.
Our approach always is to analyze, deploy, and
then train. We do ensure the tools are in place to protect
the system, but then we also ensure that the people using
the tools are adequately trained to use them and also have
A truly flexible Internet payment gateway must support
multiple payment instruments, connect to all relevant back
office payment processors, and be packaged for easy integration
into front office Web applications. Ideally, the gateway
should also offer uniform interfaces to payment functionality,
permitting users to deploy payment applications that can
be easily switched between alternative financial instruments,
institutions, and payment processors. Does your payment
gateway conform to this feature set?
As you have rightly mentioned, a payment gateway must support
various payment modes, instruments and backend integration
with various payment applications to be truly effective.
The Global Payment Gateway provided by Global Telesystems
Limited (GTL) supports:
a. Web Shopping, Electronic Bill Presentation and
Payment (telco, Insurance, Power sectors), Financial Services
b. Business to Business Segments such as Supply Chain
Relationship or Sales-Distributor Relationship Businesses,
etc. (Pilot project undertaken of HLL and Telco),
c. Interactive mobile payment options over WAP
d. Various kinds of debit and credit cards at POS
e. Electronic Wallets, etc.
Apart from the payment services are you looking at providing
value added services like Functionality for fraud detection
and risk management, multi currency support etc?
Some functionality for the various value added services
such as fraud detection, risk management etc is already
built-in the Payment Gateway. Also, we provide consulting
and professional services in the areas of risk management,
fraud detection. We have appointed Price Waterhouse Cooper
(PWC) for audit purposes.
The author is with Plexus Technologies.
Write to him at email@example.com