Ram Narain, Deputy Director General (Security), Department of Telecommunications, Government of India
Give us an overview of the policies that the department has developed to take care of the security related challenges in the telecom sector?
The most critical issue from the security aspect of the telecom infrastructure is reflected in our 31st May 2011 guidelines issued to All Unified Service Licensees. The guidelines state that the Licensee shall be completely and totally responsible for security of their networks. The network elements have to be security tested as per the international standards. From 1st April 2013, they have to be work certified by labs located in India. The licensees need to have the organisational policy on security and security management of their networks. Network forensics, network hardening, network penetration test, risk assessment, actions to fix problems and to prevent such problems from recurring, etc., should be part of the policy and they should take all measures in respect of these activities. We have also asked all the telecom service providers to conduct security audit for their telecom network.
These days people are using tablets, laptops, notebooks and mobile phones to log into the telecom networks and do their work. While such proliferation of devices is leading to more productivity, it might also be making the network vulnerable. How do you tackle this problem?
It is difficult to regulate so many devices as the numbers are too vast. Some kind of standardisation of devices and equipments is required. If only the devices and equipments that have been tested as per the existing standards are being used by the people, it will greatly contribute to the safety and security. If people are using security checked devices, they will also be in a better position to safeguard their private information and data. The security of the telecom infrastructure is dependent on the cooperation that is received from the people, who are the end users of the system. People need to understand that if the network security is at risk, even their own information and data can be at risk. So they should only use devices and systems that have been properly audited for security.
How do you go about developing the procedure for security auditing devices and software? By the time you develop the procedure for one set of devices, the same might become obsolete. The world of technology is changing at a very fast pace.
This is true. This is an ever growing game. The security has to keep evolving with the technology. I would also like to point out that absolute security is a utopian concept. It cannot be achieved; even the most sophisticated security system can be breached. But that does not mean that we need not take adequate measures to secure our infrastructure. We have to try our best to optimise the security so that we are in a position of guarding the network against the existing threats. You never know in this world who might attack the network. It can be a random hacker, who wants to penetrate a network and prove his prowess, it can be an anti-social element, and it can even be a state actor. There can be stealing of information, blocking of information or even the telecom network might come under attack. The Department of Telecom has evolved guidelines to cover all these areas.
If you have too much of security, you run the risk of slowing down the system. The connectivity can be slower. The implementation of new technology might get delayed, if the process of vetting the new technology becomes cumbersome. How to you address these concerns?
It is not necessary that things should get slowed down while we are addressing the security related concerns. For instance, if you are using safe devices and placing safe infrastructure in the network, it is only a one time exercise. You don’t need to change your systems frequently. Only at the time of installation or at the time of security audit, you need to run a few tests. This does not slow down the system as such. But there can be certain type of security measures that might take longer time to execute. An example of that is the new set of guidelines that have been issued for proper identification of those who are purchasing new SIM cards. You will agree that proper identification of telecom users is necessary. What you ultimately need is a healthy balance between the needs for speed and security.