Information security can only be managed when significant emphasis is placed on securing data
Ruchin Kumar, Principal Solution Architect, India and SAARC, SafeNet India Pvt Ltd
Online space is a blessing, but it can lead to sensitive information falling into the wrong hands. It might be possible to query the system to collect data on the top ten transactions in the last seven days. This may enable someone with a criminal mindset to make demands on the parties involved. There have been many instances where information published on a public website or in other public media has led to an uncomfortable situation for someone or the other.
These days it has also become possible to query the system to show the list of individuals with the highest number of properties in a certain area.
This may again enable someone with a criminal mindset to misuse the information for personal gain. Cases where misuse of data has led to uncomfortable situations often come to light.
Our IT Act states that if a corporation is storing critical data, which gets misused or compromised, then the corporation will be liable to pay damages to the person or entity affected. It can also lead to financial penalties for the corporation and loss of importance. So security is now becoming very important in terms of safeguarding the integrity of the data and the confidentiality of the sensitive information. The idea of non-repudiation is also important when it comes to data storage.
Integrity of data means that an unauthorised entity should not be able to tamper with the data. Maintaining the confidentiality of the sensitive information means that the data should not be leaked to unauthorised entities. Non-repudiation means that the person who owns the data should not be able to deny a transaction after having conducted it. Not every piece of data is sensitive. So there should be some system of classifying the data to find out what data requires what level of security.
There is a need to control access. Not every piece of data is needed by everyone. Data should be accessible only to genuine users. At any point in time, the amount of information that can be fetched needs to be controlled.
Security is an ongoing process; it should be running continuously. There has to be a proper audit trail and reporting, so that there can be a timely review of the security of the critical data. How do we authenticate the identity of a person? There is legal validity given to the system of PKI, which uses certificate-based authentication to establish a person's identity. Apart from the system of username and password, which is easy to break, there should be another system of authenticating the identity of the person who is accessing the data.
Then there is the aspect of machine-to-machine authentication, where a lot of transactions for mobile governance are being conducted. There has to be a system in place where the machines are correctly able to interact through a foolproof system of identification. SafeNet is one of the oldest security companies in the world. The company employs a large number of encryption engineers, and has a presence in every part of the globe. SafeNet’s security systems are being used not only in the government, but also in the finance sector.